Page 1

Page 2

▶ This commentary is based on the Personal Information Protection Act, enforcement ordinances, enforcement rules and standard guidelines
It was published for the purpose of presenting the interpretation standards of the notice.
▶ Please inquire with the Ministry of Government Administration and Home Affairs for specific authoritative interpretation of laws and regulations.
wish.

Page 3

Contents

Contents

Chapter 1: General Provisions
[Article 1] Purpose ………………………………………………………………………………………………………………………………………… …………………………………………………………………………………………………………………………………………
[Article 2] Definition ………………………………………………………………………………………………………………………………………… ……………………………………………………………………………………………………………………………………
[Article 3] Personal information protection principle ………………………………………………………………………………………………………………………………………… ····················27
[Article 4] Rights of data subjects ………………………………………………………………………………………………………………………………………… ··········································· 30
[Article 5] Responsibilities of the State, etc. ………………………………………………………………………………………………………………………………………… ···········································································34
[Article 6] Relationship with other laws ………………………………………………………………………………………………………………………………………… 35

Chapter 2 Establishment of Privacy Policy, etc.
[Article 7] Personal Information Protection Committee ………………………………………………………………………………………………………………………………………… ················································41
[Article 8] Functions, etc. of the Protection Committee ………………………………………………………………………………………………………………………………………… ...46
[Article 8-2] Personal Information Infringement Factor Evaluation ………………………………………………………………………………………………………………………………………… ...49
[Article 9] Basic plan ………………………………………………………………………………………………………………………………………… …………………………………………………………………………………………………………………………………………………………………………………………………
[Article 10] Implementation plan ………………………………………………………………………………………………………………………………………… ··························································· 53
[Article 11] Request for data submission, etc. ………………………………………………………………………………………………………………………………………… ································································ 54
[Article 12] Personal Information Protection Guidelines ………………………………………………………………………………………………………………………………………… ····························································· 57
[Article 13] Promotion and support of self-regulation ………………………………………………………………………………………………………………………………………… ...60
[Article 14] International Cooperation ………………………………………………………………………………………………………………………………………… ···························································· 64

Chapter 3 Processing of Personal Information
Section 1 Collection, use, provision of personal information, etc.
[Article 15] Collection and use of personal information ………………………………………………………………………………………………………………………………………… ······························································69
[Article 16] Restrictions on collection of personal information ………………………………………………………………………………………………………………………………………… ················86
[Article 17] Provision of personal information ………………………………………………………………………………………………………………………………………… ·········································· 90
[Article 18] Restrictions on the use and provision of personal information for purposes other than the purpose ························································· 100
[Article 19] Restrictions on the use and provision of personal information by the person provided ………………………………………………………………………………………………………………………………………………………………… 114
[Article 20] Notification of collection sources, etc. of personal information collected from other than the information subject ····116
[Article 21] Destruction of personal information ………………………………………………………………………………………………………………………………………… 120
[Article 22] How to obtain consent ………………………………………………………………………………………………………………………………………… ································································127

Page 4

Contents

Section 2 Restrictions on processing of personal information
[Article 23] Restrictions on processing of sensitive information ………………………………………………………………………………………………………………………………………… ········137
[Article 24] Restrictions on processing of uniquely identifiable information ………………………………………………………………………………………………………………………………………… 144
[Article 24-2] Restrictions on processing of resident registration numbers ………………………………………………………………………………………………………………………………………………………………………….
[Article 25] Restrictions on installation and operation of image information processing equipment ……………………………………………………………………………………………………………………………… 152
[Article 26] Restrictions on processing of personal information due to entrustment of business ……………………………………………………………………………………………………………………………………………………...
[Article 27] Restrictions on transfer of personal information due to business transfer, etc. ……………………………………………………………………………………………………………………………………………………………………………………………………
[Article 28] Supervision of personal information handlers …………………………………………………………………………………………………………………………………………………………………………………

Chapter 4 Safe Management of Personal Information
[Article 29] Obligation to take safety measures ………………………………………………………………………………………………………………………………………… ·········································································· 201
[Article 30] Establishment and disclosure of personal information processing policy ·········································································· 218
[Article 31] Designation of personal information protection manager ………………………………………………………………………………………………………………………………………………………………………………………………
[Article 32] Registration and disclosure of personal information files ……………………………………………………………………………………………………………………………………………………………………………………
[Article 32-2] Personal Information Protection Certification ………………………………………………………………………………………………………………………………………… ······245
[Article 33] Personal information impact assessment ………………………………………………………………………………………………………………………………………… ···············262
[Article 34] Personal information leakage notice, etc. ………………………………………………………………………………………………………………………………………… ··289
[Article 34-2 ] Imposition of Penalty Surcharges, etc. ………………………………………………………………………………………………………………………………………… ········297

Chapter 5 Guarantee of Rights of Data Subjects
[Article 35] Access to personal information ………………………………………………………………………………………………………………………………………… ······················303
[Article 36] Correction/deletion of personal information ………………………………………………………………………………………………………………………………………… ·····························311
[Article 37] Suspension of processing of personal information, etc. ………………………………………………………………………………………………………………………………………… ····316
[Article 38] Methods and procedures for exercising rights, etc. ············································································································ 320
[Article 39] Liability for damages ………………………………………………………………………………………………………………………………………… ··························································· 327
[Article 39-2] Claims for statutory damages ………………………………………………………………………………………………………………………………………… ...334

Chapter 6 Personal Information Dispute Mediation Committee
[Article 40] Establishment and composition of the Personal Information Dispute Mediation Committee, etc. ············································································································································· 341
[Articles 41, 42] Guarantee of member status, etc. ……………………………………………………………………………………………………………………………………………… ············································································································································································ 346
[Articles 43-48] Application for and Effect of Dispute Mediation, etc. ···························································· 348

Page 5

Contents

[Article 49] Collective Dispute Mediation ………………………………………………………………………………………………………………………………………… ····························································· 353
[Article 50] Mediation procedures, etc. ………………………………………………………………………………………………………………………………………… ··························································358

Chapter 7 Personal Information Class Action
[Articles 51~53] Subject and jurisdiction of personal information class action lawsuit ··························································· 363
[Articles 54, 55] Application for litigation permission and requirements for permission, etc. ·········································································································· 367
[Article 56] Effect of Final Judgment ………………………………………………………………………………………………………………………………………… ····················370
[Article 57] Application, etc. of the Civil Procedure Act ………………………………………………………………………………………………………………………………………… ···················371

Chapter 8 Supplement
[Article 58] Partial exclusion of application ………………………………………………………………………………………………………………………………………… ······················377
[Article 59] Prohibited acts ………………………………………………………………………………………………………………………………………… ···························································································································· 384
[Article 60] Confidentiality, etc. ………………………………………………………………………………………………………………………………………… ··························································· 387
[Article 61] Suggestion of opinions and recommendations for improvement ………………………………………………………………………………………………………………………………………… ······390
[Article 62] Report of infringement, etc. ………………………………………………………………………………………………………………………………………… ...392
[Article 63] Data Submission Request and Inspection ………………………………………………………………………………………………………………………………………… ····394
[Articles 64~66] Corrective measures, accusations and disciplinary recommendations, etc. ·························································································· 399
[Article 67] Annual Report ………………………………………………………………………………………………………………………………………… ………………………………………………………………………………………………………… 405
[Article 68] Delegation and entrustment of authority ………………………………………………………………………………………………………………………………………… ·····················406
[Article 69] Agenda for public officials when penalty provisions are applied ……………………………………………………………………………… 408

Chapter 9 Penalties
[Articles 70 to 73] Penalty …………………………………………………………………………………………………………………… ………………………………………………………………………………………………………………………………………… ·························································· 411
[Article 74] Condemnation provisions …………………………………………………………………………………………………………………………………… ………………………………………………………………………………………………………………………………………… ············································································································ 415
[Article 74-2 ] Confiscation, additional collection, etc. ………………………………………………………………………………………………………………………………………… ································································· 417
[Article 75] Fine for negligence ………………………………………………………………………………………………………………………………………… ············································································ 418
[Article 76] Special Cases for Application of Regulations on Fines for Negligence …………………………………………………………………………………………………………………………

Addendum / 429

Page 7
6

The first chapter

gun
Chick

Chapter 1: General Provisions

Article 1 [Purpose
Article 2 Definition
Article 3 Privacy Principles
Article 4 Rights of data subjects
Article 5 Responsibilities of the State, etc.
Article 6 Relationship with other laws

Page 9
8

The first chapter

Article 1 purpose

gun
Chick

Article 1 (Purpose) This Act stipulates matters related to the processing and protection of personal information.

law

It aims to protect freedom and rights, and furthermore, to realize individual dignity and value.

Article 1 (Purpose) This Decree provides necessary information regarding matters entrusted by the Personal Information Protection Act and its implementation.
Enforcement Decree
The purpose is to define matters.
Article 1 (Purpose) This rule is in accordance with the matters entrusted by the Personal Information Protection Act and the enforcement ordinance of the same Act.
enforcement rules
The purpose is to stipulate necessary matters for its implementation.
Article 1 (Purpose) Article 1 (Purpose) This guideline is Article 12 of the 「Personal Information Protection Act」 (hereinafter referred to as the “Act”)
standard guidelines
Standards for the processing of personal information in accordance with paragraph 1, types of personal information infringement, and preventive measures
The purpose is to stipulate detailed matters related to, etc.
Notification of standards for measures to ensure the safety of personal information
Article 1 (Purpose) This standard applies to Articles 23 (2) and 24 of the 「Personal Information Protection Act」 (hereinafter referred to as the “Act”).
In accordance with Articles 21 and 30 of the Enforcement Decree of the Act (hereinafter referred to as the “Spirit”) such as paragraphs 3 and 29,
When the personal information controller processes personal information, personal information is lost, stolen, leaked, forged,
Technical, administrative and physical necessary to secure safety so that it is not tampered with or damaged
notice

The purpose of this is to set the minimum standards for safety measures.
Notice on Personal Information Impact Assessment
Article 1 (Purpose) This notice includes Article 33 of the 「Personal Information Protection Act」 (hereinafter referred to as the “Act”) and 「Personal Information」
Designation and influence of evaluation agencies pursuant to Article 38 of the Enforcement Decree of the Protection Act (hereinafter referred to as “the Enforcement Decree”)
The purpose is to set detailed standards for evaluation procedures, etc.

1. Background and History of Law Enactment
autumn law enactment background
With the advancement of the information society and the increase in the economic value of personal information, the collection of personal information and
As the use becomes more common, the principles of personal information processing in line with the international level, covering the public and private sectors
etc., and strengthen the remedies for damage caused by personal information infringement to protect the privacy of the people.
It is intended to protect the rights and interests of personal information.

3

Page 10
Explanation of personal information protection laws and guidelines and announcements

B Law History

2011.3.29., enactment of the law (Act No. 10465)

There was a discussion about enacting a general law for personal information protection that covers both the public and private sectors, and the 17th
In the National Assembly, Rep. Roh Hoe-chan (Democratic Labor Party, April 11), Lee Eun-young (Uri Party, 05.7), Lee Hye-hoon (Grand National Party,
05.12) and three 'personal information protection laws (drafts)' were proposed by lawmakers, but were discarded after the expiration of the term of the 17th National Assembly.
In the 18th National Assembly, two personal information protection laws (drafts) were passed: Lee Hye-hoon (08.8.8) and Byun Jae-il (08.10.27).
It was proposed by lawmakers, and on November 28, 2008, the government (draft) of the Personal Information Protection Act was submitted to the National Assembly. '09 February
On the 20th, the Administrative Safety Committee of the National Assembly merged the three legislative bills and the government bill and proposed it, followed by a public hearing,
After passing through the bill review subcommittee, it was decided at the plenary session on March 11, 2011, and was implemented on September 30 of the same year.

2014.3.24, partially amended (Act No. 12504)

Article 1 (Purpose) states, “This Act is intended to protect privacy, etc. from the collection, leakage, misuse, and abuse of personal information.
In order to promote the rights and interests of the people and further realize the dignity and value of individuals,
The purpose of this Act is to prescribe matters related to
For the purpose of protecting individual freedom and rights, and further realizing individual dignity and value
to do.” was amended.
Add “linkage, interlock” to the definition of “processing” in Article 2, No. 2, and Article 6 (Relationship with other laws)
“For personal information protection, the 「Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.」
Except as otherwise provided for in other laws, such as the Act on Use and Protection
In case of special provisions in other laws regarding the protection of personal information,
Except as otherwise provided for in this Act.”

2013.8.6., partially amended (Act No. 11990)

In spite of the leakage and abuse of a large number of resident registration numbers, large corporations, etc.
In principle, resident registration is required for all personal information controllers because civil and criminal responsibilities are not properly imposed.
The processing of numbers is prohibited, and a fine of not more than 500 million won is imposed in case the resident registration number is lost, stolen, leaked, altered, or damaged.
It is possible to impose and collect a significant amount that can be recognized as a violation of laws and regulations related to personal information protection.
If there is a reason, it should be clearly stated so that the representative or responsible executive can be recommended to be disciplined.
While preventing leakage of resident registration number, companies take responsibility for protecting personal information such as resident registration number.
made to do it

4

Page 11

Article 16 (Restriction on Collection of Personal Information) Paragraph 2 “The personal information controller shall obtainThethe
consent of the information subject to collect personal information.
first chapter
In the case of collection, be aware that you may not agree to the collection of personal information other than the minimum required information.
gun

You must specifically inform and collect personal information.” and delete Article 24 (2) and (4).

Chick

Instead, Article 24-2 (Restrictions on processing of resident registration numbers) was newly established.

2015.7.24. Partial revision (Act No. 13423)

In the wake of the personal information leak of credit card companies in January 2014, the personal information protection committee belonging to the president was responsible for and coordinated
To supplement the operational deficiencies of the current law, such as strengthening functions and preparing a basis for designation of a personal information protection certification body,
Reinforcing damage relief for personal information leakage by introducing a punitive damage compensation system and a statutory damage compensation system,
Confiscate and collect criminal proceeds from illegal distribution of personal information, and obtain personal information through fraudulent methods.
Sanctions on crimes against personal information, such as new penalties for those who provide it to others for profit, etc.
level has been enhanced.

2016.3.29. Partial revision (Act No. 14107)

When the personal information controller processes sensitive information, it is specified to take necessary measures to ensure safety;
The Minister of the Interior and Home Affairs shall check whether the personal information controller handling unique identification information has taken measures to ensure safety.
Regulations to ensure safety have been strengthened, such as regular inspections.
In addition, the scope of laws and regulations that can collect resident registration numbers are defined by the Act, the Presidential Decree, the National Assembly rule, the Supreme Court rule, and the Constitution.
It is limited to the Court Rules, the National Election Commission Rules, and the Board of Audit and Inspection Rules, and the status of enactment and revision of the relevant laws, etc.
The use of resident registration numbers is more strictly managed and included in the personal information protection annual report.
was made to control.
A personal information controller who meets the standards prescribed by the Presidential Decree shall collect personal information from other than the information subject.
In the case of collection and processing, the information subject was notified of the source of collection and the purpose of processing.
In addition, the regulations related to the installation of information boards for image information processing devices have been raised to the law, and the personal information processing policy
Some deficiencies were supplemented, such as adding items to be included.

5

Page 12
Explanation of personal information protection laws and guidelines and announcements

2. Purpose of the law
The legislative purpose of this Act is to protect the freedom and rights of individuals by setting matters concerning the processing and protection of personal information.
It is to protect and further realize the dignity and value of the individual. Accordingly, the collection and use of personal information,
Basic principles of personal information processing, including provision of personal information, processing procedures and methods of personal information, restrictions on processing of personal information, personal information
Management and supervision for the safe processing of information, rights of information subjects, and remedies for infringement of personal information rights, etc.
is stipulated for
In the first sentence of Article 10 of the Constitution, which stipulates the dignity and value of human beings and the right to pursue happiness, the Constitutional Court
Based on the derived general moral rights and privacy and freedom protected by Article 17 of the Constitution.
According to the regulations, the 'right to self-determination of personal information' is guaranteed as a basic right even under the Korean Constitution.
watching.
The right to self-determination of personal information refers to when, to whom, to what extent information about oneself is known, and to what extent.
The right of the data subject to decide for himself whether or not to allow the data subject to be used, that is, the data subject
It refers to the right to control and decide for yourself in relation to disclosure and use.

Reference 1 Article 10 of the Constitution of the Republic of Korea
All citizens have dignity and value as human beings and have the right to pursue happiness. The state is the inviolability of the individual
We have an obligation to affirm and guarantee basic human rights.

Reference 2 Article 17 of the Constitution of the Republic of Korea
All citizens shall not be infringed on the confidentiality and freedom of their privacy.

6

Page 13

The first chapter

Article 2 Justice

gun
Chick

Article 2 (Definition) The meanings of terms used in this Act are as follows.
1. “Personal information” means information about a living individual, including name, resident registration number, and video
Information that can identify an individual through
(including those that can be easily combined with other information, even if they are not recognizable)
say
2. “Processing” means collection, creation, linkage, interlocking, recording, storage, retention, processing, editing, search,
Printing, correction, restoration, use, provision, disclosure, destruction, and other similar
say action.
3. “Data subject” means a person who can be identified by the processed information, and
refers to the person who is the subject of
4. “Personal information file” means according to certain rules so that personal information can be easily retrieved.
law

It refers to a collection of personal information that is systematically arranged or composed.
5. “Personal information controller” means to operate personal information files for the purpose of business
or public institutions, corporations, organizations and individuals that process personal information through others
say etc.
6. “Public institution” means any of the following institutions:
end. Institutions that handle administrative affairs of the National Assembly, the courts, the Constitutional Court, and the National Election Commission;
Central administrative agencies (including those belonging to the President and those belonging to the Prime Minister) and their
Affiliated institution, local government
I. Other national institutions and public organizations prescribed by Presidential Decree
7. “Image information processing device” means continuously installed in a certain space and
A device that records images or transmits them through wired/wireless networks as prescribed by Presidential Decree.
device that determines
Article 2 (Scope of Public Institutions ) In subparagraph 6 (b) of Article 2 of the 「Personal Information Protection Act」 (hereinafter referred to as the “Act”)
The term "institution prescribed by Presidential Decree" means the institution falling under each of the following subparagraphs:
1. The National Human Rights Commission of Korea under Article 3 of the National Human Rights Commission Act;
2. Public institutions under Article 4 of the Act on the Management of Public Institutions;

3. Local public corporations and regional corporations under the Local Public Enterprises Act;
Enforcement Decree
4. A special corporation established under the Special Act;
5. Schools established in accordance with the Elementary and Secondary Education Act, the Higher Education Act, and other Acts;
Article 3 (Scope of Image Information Processing Equipment) “Devices prescribed by Presidential Decree” in Article 2, No. 7 of the Act
Refers to the following devices:
1. Closed circuit television: A device falling under any of the following items

7

Page 14
Explanation of personal information protection laws and guidelines and announcements

end. You can take pictures or use a camera that is continuously installed in a certain space.
The captured video information is transferred to a specific place through a transmission path such as a wired/wireless closed circuit.
transmitting device
I. Recording and recording of video information filmed or transmitted pursuant to item (a);
Device
2. Network camera: Video information captured by a device that is continuously installed in a certain space is displayed.
The person who installs and manages the device collects,
A device that allows processing such as storage

As the 「Personal Information Protection Act」 is a general law on the protection of personal information, there are no special restrictions on people, places, etc.
Although it is generally applied without any information, it is difficult to regulate all information related to an individual. therefore
To eliminate the blind spots of personal information protection and prevent excessive regulation of personal privacy
It was intended to determine the subject of protection and the scope of discipline at an appropriate level.

No. 1

Privacy
1. “Personal information” means information about a living individual, such as name, resident registration number, and image.

law

Information that can identify an individual through
Even if it does not exist, it includes information that can be easily identified by combining it with other information).

1. Personal information (Article 2 subparagraph 1)
That should be jeongboyi on individuals 'living'
According to the Personal Information Protection Act, personal information is information about a 'living' natural person, so it may be a death or disappearance declaration, etc.
Information about a person who is considered dead under the relevant laws and regulations cannot be regarded as personal information. but,
Even if it is information of the deceased, information that can identify the relationship with the bereaved family is personal information of the bereaved family.

8

Page 15

I must be 'personal' information

The first chapter

gun
Chick
The subject of personal information must be a natural person, and information about a corporation or organization does not fall
under personal information.

does not Therefore, the name of the legal entity or entity, the address of its location, the representative contact information (e-mail address or phone number);
Contact information for each job, sales performance, etc. do not fall under personal information. In addition, the business name of the sole proprietor, the business
Address, phone number, business registration number, sales amount, tax payment, etc. are information related to the operation of the business, and in principle,
It does not apply to personal information.
However, information about a corporation or organization as well as information about individuals, including representatives,
The name, resident registration number, home address, personal contact information, and photo of the person in charge of the job can be used to identify individuals.
Depending on individual circumstances or contexts, the information contained in the information may be treated as personal information, not limited to information on corporations, etc.
have.
In principle, information about non-human objects does not fall under personal information. However, such things
Information indicating the manufacturer or owner is personal information. For example, a specific building or
If the owner of the apartment is a natural person, the address of the building or apartment does not identify the specific owner.
If used, it is personal information.
'Information about an individual' does not necessarily mean that it has to be information about only one specific person.
Information about two or more persons is the information of each person. If you post a group photo on social media, the video information of the photo is
It corresponds to the personal information of all the people in the photo, and the doctor keeps the medical records for the psychological treatment of a specific child.
If the child's parental behavior is included in the preparation, the medical record is stored in the personal information of both the child and the parent.
corresponds to However, statistically converted '○○ company average' so that it cannot be recognized that it is information about a specific individual.
Salary' and 'the employment rate of ○○ college graduates' do not fall under personal information.
As such, the appropriateness of personal information may be evaluated differently depending on specific circumstances. For example, 'mobile
There are precedents that consider the last 4 digits of a phone number to be personal information, but this does not affect the possibility of combining with other information.
Considering the possibility of personal identification, it is regarded as personal information. If any other combinable information is
If there is only the last 4 digits of the mobile phone number without
something to do.
judicial precedent
Last 4 digits of mobile phone number
Daejeon District Court Nonsan Branch (2013 Kodan 17 judgment), regarding 「The last 4 digits of a mobile phone number」, “Only with the last 4 digits of a mobile phone number
In some cases, it is possible to identify who the phone number user is, and in particular, a certain personal relationship with the phone number user
It is more likely to be the case with people who have been with them, and even if the last 4 digits of a mobile phone number are the only
Other information (birthday, anniversary, home phone number, family phone number) that is relevant to the last 4 digits, even if not identifiable
number, existing call history, etc.) can be easily combined with the phone number to find out who the user is.”
It is judged that it falls under the personal information stipulated in subparagraph 1 of Article 2 of the Protection Act.

9

Page 16
Explanation of personal information protection laws and guidelines and announcements

The contents, the form of 'information', etc. There is no limit
There are no special restrictions on the content and form of information, so all information that can identify an individual is personal information.
can be That is, the form or processing method such as digital form or handwritten form, automatic processing or manual processing, and
Regardless, they may all fall under personal information.
If it is related to the data subject, information about 'objective facts' such as height, age, weight, or information about the person
All 'subjective evaluation' information such as opinions of third parties can be personal information. Also, the information must
Inaccurate or false information that is not 'fact' or 'proven'
Information can be personal information.

It must be information that can 'identify' an individual
The meaning of 'recognizable' means that there is a possibility that the information will be reasonably used from the standpoint of the 'processor'.
If an individual can be identified in consideration of the available means, it is personal information. In addition to those currently processing
Persons who are scheduled to be processed in the future according to provision, etc. are also included. Here, 'processing' means Article 2 of the Personal Information Protection Act.
Collection, creation, linkage, interlocking, recording, storage, retention, processing, editing, retrieval, output, correction of personal information pursuant to subparagraph 2;
Restoration, use, provision, disclosure, destruction, and other similar acts.
On the other hand, unique identification information such as resident registration number cannot identify the individual who is the information subject only with that information.
However, in the case of date of birth, there may be multiple people born on the same day, so
The date of birth by itself does not constitute identification of an individual.

It also includes information that can be 'easy to combine' with other information to identify an individual.
The meaning of 'easy to combine' means that there must be 'availability' of the information to be combined, and 'combination possibility' is not.
means to be high.
'Availability' refers to the legally required information for combining two or more types of information.
It means that you must be able to access and obtain it, including information obtained through illegal methods such as hacking.

can't see doing it
'Combinability' means that cost or effort should not be unreasonably involved, taking into account the current level of technology.
means that the combination is virtually impossible or unreasonable in light of the current level of technology.
If it is accompanied by a level of cost or effort, it cannot be considered as easy to combine.
Therefore, information that is unlikely to be shared or disclosed should be considered as not likely to be obtained legally.

10

Page 17

In general, if you need a computer that is so expensive that it is difficult for business operators to purchase, it is easy to combine.
The first chapter
must be seen as difficult.
gun
Chick

Note 1 EU Data Protection Regulation (GDPR)
'Personal information' is defined as 'personal information that is any information related to an identified or identifiable natural person, that is, a data subject'.
(article4(1) 'personal data' means any information relating to an identified or identifiable natural
person data).
GDPR recital 23(a) states that 'to determine identifiability, a manager or any other person
All means reasonably expected to be used for direct or indirect identification shall be considered. individual
A possible description at the time the information is processed in order to determine whether it is reasonably expected to be used to identify
All objective factors such as time and cost of identification should be taken into account, taking into account the development of the level and technology.'
is explaining

Note 2 Polish Privacy Law
Poland's data protection law states that 'if identification requires an unreasonable amount of time, money and manpower,
It should not be regarded as enabling information'.

judicial precedent
Whether information formed in public life or information that has already been disclosed is applicable to personal information
Personal information is a matter that characterizes the identity of an individual, such as an individual's body, beliefs, social status, status, etc.
It means any information that enables identification, and is not necessarily limited to information belonging to the private domain of an individual, but is not limited to public information.
It also includes personal information that has been formed in life or has already been disclosed (Supreme Court 2016.03.10. 2012da105482 judgment)

2. Applicable Law
「Personal Information Protection Act」 and 「Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (hereinafter referred to as “Information and Communications Network Act”)
The concept of personal information is stipulated, and the 「Act on the Use and Protection of Credit Information (hereinafter referred to as the “Credit Information Act”)」
It regulates the concepts of personal credit information and personally identifiable information.
In the Personal Information Protection Act and the Information and Communications Network Act, the concept of personal information is expressed slightly differently in the law.
However, in terms of legal interpretation, the content is substantially the same. Personal information as defined in both laws is a living individual.
It is information that can identify an individual, and that information alone cannot identify a specific individual.
Even if there is no information, information that can be easily combined with other information is included.
Meanwhile, personal credit information and personally identifiable information under the Credit Information Act are subject to the Personal Information Protection Act and the Information and Communications Network Act.
It is not different from the concept of personal information. According to the current Credit Information Act, personal credit information is 'individually identifiable'.
Although it is not explicitly required that it be 'information with
It is reasonable to view that it is not included in the information. In addition, personally identifiable information is the name and address of the surviving individual.

11

Page 18
Explanation of personal information protection laws and guidelines and announcements

and resident registration number, passport number, driver's license number, alien registration number, domestic residence report number, etc.
information that can be

Article 2 (1) 6 “personal information” means information about living individuals, such as name, resident registration number, etc.
Information such as codes, letters, voices, sounds, and images that can identify a specific individual by
Information and Communications Network Act
If a specific individual cannot be identified by itself, but can be easily identified by combining it with other information,
including that information).
Article 2 Subparagraph 1 “Credit information” means when determining the creditworthiness of the counterparty in commerce, such as financial transactions.
It refers to information prescribed by Presidential Decree as necessary information in each of the following items:
end. Information that can identify a specific subject of credit information
I. Information that can determine the transaction details of the credit information subject
All. Information that can determine the creditworthiness of the subject of credit information
la. Information that can determine the credit transaction capacity of the subject of credit information
hemp. Other information similar to items (a) through (d)
Article 2 Subparagraph 2 “personal credit information” refers to when determining an individual's creditworthiness and credit transaction ability among credit information.
Refers to information prescribed by Presidential Decree as necessary information.
Credit Information Act
Article 34 (1) Credit information provision and user information required to identify individuals as prescribed by Presidential Decree
Articles 32 and 33 shall apply mutatis mutandis to the provision and use of specified information.
In Article 29 of the Enforcement Decree of the Credit Information Act, “information prescribed by the Presidential Decree” in Article 34 of the Act means the
It refers to information that can identify an individual, such as name, address, number in each of the following subparagraphs, gender, and nationality.
1. Resident registration number under Article 7 (3) of the Resident Registration Act;
2. Passport number under Article 7 (1) 1 of the Passport Act;
3. License number of a driver's license under Article 80 of the Road Traffic Act;
4. Alien registration number under Article 31 (4) of the 「Immigration Control Act」
5. Domestic residence report numberOriginal
under Article
text7 (1) of the 「Act on Immigration and Legal Status of Overseas Koreans」

2. 「여권법」 제7조제1항제1호에 따른 여권번호
Contribute a better translation

No. 2

process
2. “Processing” means collection, creation, linkage, interlocking, recording, storage, retention, processing, editing, search,

law

Printing, correction, restoration, use, provision, disclosure, destruction, and other similar acts
say
1. “Personal information processing” means collecting, creating, linking, interworking, recording, storing, retaining, processing,

standard guidelinesEditing, retrieving, printing, correcting, restoring, using, providing, disclosing, destroying, or otherwise
refers to similar actions.

12

Page 19

1. Treatment (Article 2, Subparagraph 2)

The first chapter

gun

In order to use personal information, from collection and creation to linkage, linkage, record, storage, retention, processing, editing,
Chick
It goes through various processing processes such as search, output, correction, recovery, use, provision, disclosure, and destruction. a series of these
As a concept encompassing the process, the 「Personal Information Protection Act」 uses the term processing.
Processing includes 'all other similar acts' in addition to the acts specified in the definition, which include
Transmission, delivery, transfer, viewing, inquiry, correction, supplementation, deletion, sharing, preservation, shredding, etc. of personal information may be included.
have.
However, the act of simply passing, transmitting or passing the personal information being processed by another person is prohibited.
does not apply to processing. For example, a postal delivery service provider or Internet service provider may
It is only responsible for the delivery or transmission, and at this time, the delivery or transmission of the postal delivery service provider, etc.
The act is not considered the processing of personal information.

2. Applicable Law
The “Information and Communications Network Act” is not a definitional provision, but Article 25 (Consignment of personal information processing).
Linkage, linkage, record, storage, retention, processing, editing, retrieval, output, correction, restoration, use, provision, disclosure, destruction,
Other similar actions are defined as processing.
On the other hand, the ｢Credit Information Act｣ does not include input, storage, processing, editing, retrieval, deletion, and output of credit information using a computer.
Provision of credit information through methods such as delivery, mail, and transmission is also included in the concept of 'processing'.

Article 25 ① Information and communication service provider and the user's personal information in accordance with Article 24-2 (1) therefrom
The person who has been provided (hereinafter referred to as “information and communications service provider, etc.”) shall transmit the user’s personal information to a third party.
Collection, creation, linkage, interlocking, recording, storage, retention, processing, editing, retrieval, output, correction, restoration, use,
Information and Communications
Network
Act and other similar acts (hereinafter referred to as “processing”);
to provide, disclose,
destroy,
In the case of entrusting business (hereinafter referred to as “personal information processing consignment”), all of the following
Users must be informed and consent must be obtained. Even if any of the following matters are changed
Also the same. (hereinafter omitted)

“Processing” of Article 2, No. 13 means an act falling under any of the following items:
end. Entering, storing, processing, editing, searching, deleting, or outputting credit information using a computer;
Credit Information Act
I. Providing credit information to others by delivery, mail, or transmission
All. Other acts similar to items (a) or (b)

13

Page 20
Explanation of personal information protection laws and guidelines and announcements

No. 3

data subject
3. “Data subject” means a person who can be identified by the processed information, and

law

refers to the person who is the subject of

1. Data subject (Article 2, Subparagraph 3)
A data subject is a person who can be identified by the information being processed and is the subject of the information.
say It can also be said to be the subject of the exercise of rights under this Act. Becoming a data subject protected by this Act
First, it must be a person who can be identified by the information being processed, and secondly, the legal entity or organization
It must be a living person, not a person, and third, it must be a person who is the subject of the processed information.
As long as he is a living person, anyone can become a data subject, regardless of nationality or status. In other words
Foreigners who do not have Korean nationality may also receive information if personal information is processed in accordance with this Act.
It can be a subject, consumers, workers, students, teachers, military personnel, public officials, patients, suspects, prisoners, administrative measures
Anyone, including the target person, can become the subject of information protected by this Act on an equal footing.

2. Applicable Current Law
The “Personal Information Protection Act” and the “Credit Information Act” define the subject of the information as a person identified by the information.
While it is stipulated as a 'subject of information', the ｢Information and Communications Network Act｣ is the subject of protection that uses information and communications services.
It is defined as a person (user), and it is limited to those who are in a relationship to use the service.

Article 2, subparagraph 4 “user” means a person who uses information and communications services provided by information and communications service providers.
Information and Communications Network Act
say
Article 2 Subparagraph 3 “Credit Information Subject” refers to a person identified by the processed credit information, and the subject of the credit information
Credit Information Act
say one who becomes

14

Page 21

No. 4

The first chapter

personal information file

gun
Chick

4. “Personal information file” means according to certain rules so that personal information can be easily retrieved.

law

It refers to a collection of personal information that is systematically arranged or composed.

Individuals who are systematically arranged or organized according to certain rules so that personal information can be easily retrieved
It means a collection of information. That is, an individual's name, unique identification information, ID, etc. can be indexed or searched.
It refers to a set that is systematically arranged and structured so that it can be easily searched by value.
A personal information file is generally a database (DB) composed in an electronic form.
In many cases, there are also handwritten documents that are indexed for systematic search and browsing.
Included.
For example, customer information data structured so that companies can search and use the customer’s name, ID, etc.
Base, medical record files written for patients in hospitals, and various administrative measures managed by public institutions
History files, etc. may be included. However, in a simple set of documents containing personal information
If it is just and is not structured so that it can be systematically arranged and searched, it is stored in the personal information file.
may not be applicable.

No. 5

personal data controller
5. “Personal information controller” means to operate personal information files for the purpose of business

law

or public institutions, corporations, organizations and individuals that process personal information through others
say etc.
2. “Personal information controller” means personal information files under subparagraph 4 of Article 2 of the Act for the purpose of business.

standard guidelinesAll public institutions that process personal information for operation, business operators, associations,
Non-profit organizations such as alumni associations, organizations, individuals, etc.

1. Personal information controller (Article 2 subparagraph 5)
The beneficiaries of this law are basically data controllers. This is a personal information file for business purposes.
Public institutions, corporations, organizations,
businesses and individuals.

15

Page 22
Explanation of personal information protection laws and guidelines and announcements

The personal information controller is distinguished from the 'personal information handler'. The personal information controller is a public entity that processes personal information.
It means an institution, business entity, organization, etc., but the personal information handler is under the direction and supervision of the personal information controller.
It refers to employees, part-time workers, etc. who process personal information.

That should work for the purpose of
In order to become a personal information controller, you must process personal information 'for business purposes'. pure
The person who collects, uses, and provides personal information for personal or housekeeping activities is the personal information controller.
no. For example, to store contact information, e-mail address book, etc.
This case does not apply to the personal information controller.
'Business' means any business or business that is continuously engaged based on one's occupational or social status.
It means that it has nothing to do with whether there is a reward or whether it is for profit, and it is not possible to continue or repeat an act even once.
If you have a doctor, you can see it as a job.
On the other hand, since work must be based on one's job or social status, in order to guide the meeting to acquaintances,
The act of collecting phone numbers and e-mail addresses or the act of distributing wedding invitations to announce marriage is prohibited.
It's not for business purposes.
ReferenceThe concept of 'work' in case law
• Work in the case of obstruction of business refers to the work or business that is continuously engaged based on one's occupational or social status.
means all things, regardless of whether the work is the main or ancillary work, even if it is a one-time
It is something that is done continuously to some extent in itself, or it is done continuously in one's occupational or social status.
This applies even if it is made in close and inseparable relation to the original performance of the business.
(Refer to the Supreme Court's 2004. 8701 judgment on April 15, 2005, etc.) .
• In the case of occupational negligence and personal injury, work is a position in a person's social life,
When it comes to office work, where safety consideration is an obligation because the job itself has risks.
Of course, it will also include duties that are obligatory to prevent danger to human life and body.
(Refer to Supreme Court's decision of 88° 1273 sentenced on October 11, 1988, and judgment of 2002°1342, sentenced on May 31, 2002, etc.) .
• In the case of business embezzlement, 'business' means not only according to laws and contracts, but also according to customs or in fact, regardless of whether it is
It refers to the office work according to the position of repeating the same act (Sentenced by Supreme Court 2006. 4. 27. 2003do 135) .

I should be to operate a personal information file
Collecting, using, and providing personal information does not mean that everyone becomes a personal information controller.
In order to become a personal information controller under the 「Personal Information Protection Act」, in order to operate personal information files,
Only the person who processes the data becomes the personal data controller.

16

Page 23

In addition to the EU Personal Information Protection Directive, the 「Personal Information Protection Act」 of the UK andTheJapan
is not all personal information.
first chapter
constitutes, is intended to, or is intended to constitute part of a particular filesystem;
gun

It is stipulated that the same law applies only to personal information.

Chick

If even one-time memos or documents are considered personal information processing, the law covers even minor acts of individuals.
regulation, which leads to unreasonable consequences. Accordingly, the collection, use and provision of personal information
The person who imposes obligations such as consent and protection measures for personal information is the person who operates the personal information file.
It was intended to ensure the purpose and effectiveness of the regulation by limiting it.

Everyone must process personal information on their own or through another person
The personal information controller may process personal information on its own, but may also process personal information through others.
can be processed That is, without directly collecting, processing, editing, using, providing, or transmitting personal information.
Even if it is processed through another person, such as a trustee, an agent, a performance assistant, etc.
corresponds to

D It must be a public institution, corporation, organization, individual, etc.
As the 「Personal Information Protection Act」 is a general law for the protection of personal information, personal information is collected, used, provided, etc.
The concept of 'personal information controller' has been broadly defined so that it can be applied to all persons who process it. target of application
Limiting it to a specific purpose or industry is not in line with the purpose of enacting the law to eliminate blind spots in personal information protection.
because it doesn't match.
Personal information controllers include public institutions, for-profit and non-profit corporations, for-profit and non-profit organizations, and individuals.
Unlike the existing Public Institutions Personal Information Protection Act and the Information and Communications Network Act, both the public and private sectors are included.
For-profit companies such as corporations, as well as non-profit organizations such as alumni associations and clubs are included. 1 person per person
This includes cases where personal information is processed for the purpose of business, such as business operators and individual activists.
However, here, 'individual' is 'a person who processes personal information for the purpose of his/her business', so 'public institution,
For-profit and non-profit corporations, for-profit and non-profit organizations, and individuals
'Individuals in existence' do not correspond to personal information controllers. Article 28 (1) of the Act provides for executives and employees, dispatched workers, part-time
A person who processes personal information under the direction and supervision of a personal information controller, such as a worker, is called a 'personal information handler'
is defining

17

Page 24
Explanation of personal information protection laws and guidelines and announcements

2. Applicable Law
The 「Information and Communications Network Act」 stipulates “information and communication service providers” as the offenders of the law. This is “Telecommunication
By using the telecommunication service of the telecommunication service provider for the purpose of profit and the telecommunication service provider pursuant to the “Business Act”
A person who provides information or mediates the provision of information. By limiting it to a case for profit,
There is a conceptual difference from a personal information controller that does not distinguish between for-profit and non-profit.
The 「Credit Information Act」 defines “credit information providers and users” as the offenders of the law. This is for commerce
A person who provides or receives credit information to another person and uses it for his/her own business and a person equivalent thereto
As such, it is also different from the personal information controller under the 「Personal Information Protection Act」.
The term “information and communications service provider” in Article 2, subparagraph 3 means telecommunication under subparagraph 8 of Article 2 of the Telecommunications Business Act.
Information and Communications
Network
Providing information
byAct
using the telecommunication service of a telecommunication business operator for the purpose of profit with the business operator;
A person who mediates the provision of information.
Article 2 Subparagraph 7 “Credit Information Provision/User” refers to the person’s business department for commercial transactions such as financial transactions with customers.
Provide other people with credit information obtained or created in connection with it, or provide credit information from others
Credit Information Act
A person who receives the provision and uses it for his/her own business and other persons equivalent thereto, as prescribed by Presidential Decree.
say the ruler

3. Q&A
The person who processes (storage, correct, restore, etc.) personal information provided by the personal information controller is the personal information controller

Q

(including overseas material companies)?

A

A person who collects personal information through other people is also a personal information controller, and
The person who processes the provided personal information is also a personal information controller.

No. 6

Public institutions
6. “Public institution” means any of the following institutions:
end. Institutions that handle administrative affairs of the National Assembly, the courts, the Constitutional Court, and the National Election Commission;

law

Central administrative agencies (including those belonging to the President and those belonging to the Prime Minister) and their affiliates
Institutions, local governments
I. Other national institutions and public organizations prescribed by Presidential Decree

18

Page 25

The first chapter

Article 2「Personal Information Protection Act」 (hereinafter referred to as the “Act”) In subparagraph 6 (b) of Article 2, “by Presidential Decree”
The term “determined institution” means an institution falling under each of the following subparagraphs:

gun
Chick

1. The National Human Rights Commission of Korea under Article 3 of the National Human Rights Commission Act;
Enforcement2.
Decree
Public institutions under Article 4 of the Act on the Management of Public Institutions;
3. Local public corporations and regional corporations under the Local Public Enterprises Act;
4. A special corporation established under the Special Act;
5. Schools established in accordance with the Elementary and Secondary Education Act, the Higher Education Act, and other Acts;
3. “Public institution” means subparagraph 6 of Article 2 of the Act and the Enforcement Decree of the Personal Information Protection Act (hereinafter referred to as “the Enforcement”)
standard guidelines
Refers to the institution under Article 2.

1. Public Institutions (Article 2, Subparagraph 6)
Korea's 「Personal Information Protection Act」 separates the public and private sectors according to the legislative practices of member states of the European Union.
Adopt a single legalism that applies the same principle of personal information protection under one law without distinction,
have. However, there are a few different rules for public institutions.
< Regulations set differently for public institutions >
Articles with increased obligations

Provisions with eased obligations

▪The legal basis, purpose, and use of personal information other than▪Expand
the purpose
the reasons for collection and use of personal information without the consent of the information subject
Obligation to disclose scope, etc. (Article 18 (4))

(Article 15 (1) 3)

▪Public hearings, briefings, etc. when installing and operating image ▪Expansion
information of
processing
reasons for
equipment
use and provision of personal information other than the purpose
Obligation to collect opinions (Article 25 (3))

(proviso to Article 18 (2))

▪Consignment of business related to installation and operation of image
▪Establishment
information of
processing
personal equipment
information processing policy and relaxation of disclosure obligations
Reinforcement of procedures and requirements (Article 25 (8))

(Article 30 (1))

▪Personal information file registration and disclosure obligation (Article
▪Restrictions
32)
on the right to request access to personal information and expansion of reasons for refusal
(Article 35 (4) 3)
▪Obligation to conduct personal information impact assessment (Article 33)
the reasons
for refusal
of the right to request suspension of personal information processing
▪ Separate information for the convenience of exercising the right to ▪Expand
request access
to personal
information
(Article 37 (2) 3)
Provision of a single window (Article 35 (1))
▪Applicability of laws to personal information processed in accordance with the Statistical Act
Partial exclusion (Article 58 (1) 1)

19

Page 26
Explanation of personal information protection laws and guidelines and announcements

< Classification of public institutions >
National Assembly - National Assembly Office, National Assembly Library, etc.
National Assembly, Court, Constitutional Court,
Court - Court Administration Office
of the Central Election Commission
administrative affairs processing agencyConstitutional Court - Constitutional Court Secretariat
National Election Commission - Secretariat of the National Election Commission

Ministries , ministries, offices, etc. under the “ Government Organization Act ”

zero
zero
group

central administrative agencies and President's agency
its affiliated institution

tube

Prime Minister's agency
Affiliation of the above institution

local government

Institutions affiliated with local governments

Institutions prescribed by Presidential Decree among other national and public organizations

a constitutional institution
Institutions that handle administrative affairs of the National Assembly, the courts, the Constitutional Court, and the National Election Commission refer to the National Assembly, respectively.
Secretariat, National Assembly Library, National Assembly Legislative Investigation Office, National Assembly Budget Policy Office, Court Administration Office, Constitutional Court Secretariat, Central Election Office
Management Committee Secretariat, etc. In the existing 「Public Institutions Personal Information Protection Act」, the definition of public institutions
Constitutional institutions were excluded, but the National Assembly, the courts, the Constitutional Court, the National Election Commission, etc.
Since the amount and frequency of personal information is not small, the 「Personal Information Protection Act」 added constitutional agencies to public institutions.

B. Central administrative agencies and their affiliated organizations
Central administrative agencies include central administrative agencies (ministries, ministries, agencies) pursuant to Article 2 (2) of the “Government Organization Act” and Article 5 of the same Act.
Consensus system is included.
Central administrative agencies include those belonging to the President and those belonging to the Prime Minister. As a presidential institution
There are the Board of Audit and Inspection, National Intelligence Service, and the Korea Communications Commission.
There are the Fair Trade Commission, the Financial Services Commission, and the Anti-Corruption and Civil Rights Commission.

20

Page 27

Since the agencies belonging to the central administrative agency are also public institutions, the central administrative agency
is responsible for the performance of the affairs under its jurisdiction.
The first chapter
Special local administrative agencies (regional application, local tax office, etc.) established and operated for the purpose of Article 3 of the “Government Organization Act”;
gun

Institutions affiliated with Article 4 (test research institutions, education and training institutions, cultural institutions, medical institutions,
manufacturing institutions, advisory institutions, etc.)
Chick
included in public institutions.
In accordance with Article 3 of the National Human Rights Commission Act, the National Human Rights Commission of Korea shall, in accordance with subparagraph 1 of Article 2 of the Enforcement Decree,
It is included in the “institutions prescribed by Presidential Decree among institutions and public organizations”.

Multi- local government
A local government is a part of the national territory under the state as a component, and the residents in that district are subject to law.
It refers to an organization that has the authority to govern within the specified scope. Local governments are self-governing
It is a public organization that has been granted a part of administrative authority by the state as an entity, and in accordance with Article 3 (1) of the 「Local Autonomy Act」
It is also a public corporation.
As for the types of local governments, first of all, metropolitan governments (special cities, metropolitan cities,
There are special self-governing cities, provinces, and special self-governing provinces) and basic self-governing bodies (si, Guns, Gus), and there are special
There are local governments (local government associations).
In addition, as administrative agencies belonging to local governments, self-governing police agencies, firefighting agencies, education and training institutes, health care institutes,
There are test research institutes and small and medium-sized enterprises (SMEs) guidance agencies (Article 113 of the 「Local Autonomy Act」), and others
Business offices (Article 114 of the Local Autonomy Act), branch offices (Article 115 of the Local Autonomy Act), administrative agencies that have agreements (“Local Autonomy Act”)
Article 116), advisory organizations such as councils and committees (Article 116-2 of the Local Autonomy Act) also belong to local governments.
included in the administrative body. In addition, gu, eup, myeon, and dong, which are not autonomous districts, are administrative agencies subordinate to local governments.
Yes (Article 117 of the Local Autonomy Act).
On the other hand, in order to divide the affairs related to education, science and physical education of local governments, the
In accordance with the Act, separate institutions such as the Board of Education (Article 4), the Superintendent of Education (Article 18), and lower education administrative agencies (Article 34)
have.

D Public institutions under Article 4 of the 「Act on the Management of Public Institutions」
Refers to an institution designated in accordance with Article 4 of the 「Act on the Management of Public Institutions」, and public corporations (market-type public corporations,
Quasi-market-type public corporations), quasi-governmental institutions (fund management-type quasi-governmental institutions, entrusted execution-type quasi-governmental institutions), and other public institutions
are separated In accordance with Article 6 of the same Act, the Minister of Strategy and Finance shall appoint a public institution within one month after the start of each fiscal year.
Designate a new designation, cancel designation, or change the classification and announce it (Ministry of Strategy and Finance)
Refer to 'Public Institutions Management Information System-www.alio.go.kr' operated by the company).

21

Page 28
Explanation of personal information protection laws and guidelines and announcements

Ma Regional Corporation and Regional Industrial Complex
Local government’s water supply business, industrial water supply business, track business, automobile transportation business, local toll road business,
In order to efficiently perform sewerage projects, housing projects, land development projects, etc., in accordance with the 「Local Public Enterprise Act」
Established local corporations (Article 49) and regional corporations (Article 76) are also public institutions.

(b) A special corporation established under the Special Act;
Special corporations established by special laws are also included in public institutions. A special corporation is usually a
In order to carry out projects to achieve national policy or public interest, special laws other than civil and commercial laws or
It refers to a non-profit corporation established under special regulations. specially for the purpose of establishing and regulating the corporation
Not only corporations established by enacted laws, but also in the provisions of special laws as a relative meaning to civil and commercial laws.
It may also include legal entities established under the
It is not limited to a corporation established under a law specially enacted for the purpose of establishing and regulating the corporation.
Even if they do not, they receive financial support from the state or local governments directly or indirectly,
It should become the subject of the attribution of administrative rights and obligations by carrying out
It must be under the control of the state or municipality.
As such, not all corporations become special corporations just because they are established on the basis of the special law.
It should be evaluated individually by comprehensively considering the purpose and operating conditions. To become a special corporation
At least installation according to special laws, financial support from the state or local government, entrusted processing of national or local government affairs,
In fact, it must have essential elements such as domination of the state or local government and the performance of functions of public or public interest.

four-level school
Schools established in accordance with the 「Elementary and Secondary Education Act」, 「Higher Education Act」 and other laws are also public institutions.
are treated Schools established in accordance with the Elementary and Secondary Education Act include elementary schools and civic schools, middle schools and high schools,
There are high schools and technical schools, broadcasting and communication high schools, special schools, various schools, alternative schools, foreign schools, etc.
Schools established in accordance with the Higher Education Act include universities, industrial colleges, colleges of education, junior colleges, and distance colleges (Broadcasting College,
There are colleges of communication, broadcasting and communication colleges, cyber colleges), technical colleges, graduate colleges, and various schools.
Schools at each level established under other laws include Air Force Aviation Science High School (「Air Force Aviation Science High School Establishment Act」),
Military Academy, Naval Academy, Air Force Academy (「Academy Establishment Act」), National Defense University (「National Defense University Establishment Act」),
3rd Army Academy (「Establishment Law of 3rd Army Military Academy」), Armed Forces Nursing Academy (「Establishment of Armed Forces Nursing Academy」), Police College
(「Police College Establishment Act」), Ulsan University of Science and Technology (「Regarding the establishment and operation of Ulsan National University of Science and Technology」

22

Page 29

Law”), Korea University of Agriculture and Fisheries (“Korea University of Agriculture and Fisheries Establishment Act”), College
of Technology Law, National Information Graduate School (“National Information Graduate School”)
The first chapter
Establishment Act”), and Graduate School of Law (“Act on the Establishment and Operation of Graduate Schools of Law”).
gun
Chick

Meanwhile, law graduate schools established in accordance with the 「Act on the Establishment and Operation of Law Schools」 are subject to the 「Higher Education Act」.
It is affiliated with a university according to the law, so whether the personal information controller is a law school, or a law school
There may be disputes over interpretation as to whether the university was established or not. However, the Graduate School of Law requires admissions, administration,
Considering that graduates' circumstances and academic affairs are under the control of the university, the Law School is
Although it is a 'school established under other laws', the university is not an independent personal information controller.
It is reasonable to interpret it as a processor.

No. 7

Image information processing device
7. “Image information processing device” means continuously installed in a certain space and

law

A device that records images or transmits them through wired/wireless networks as prescribed by Presidential Decree.
device that determines
Article 3 The term “device prescribed by Presidential Decree” in subparagraph 7 of Article 2 of the Act means any of the following devices:
1. Closed circuit television: A device falling under any of the following items
end. You can take pictures or use a camera that is continuously installed in a certain space.
The captured video information is transferred to a specific place through a transmission path such as a wired/wireless closed circuit.

transmitting device
Enforcement Decree
I. Recording and recording of video information filmed or transmitted pursuant to item (a);
Device
2. Network camera: Video information captured by a device that is continuously installed in a certain space is displayed.
The person who installs and manages the device collects,
A device that allows processing such as storage
8. “Image information processing device” means a device that is continuously installed in a certain space and

It is a device that shoots images or transmits them through wired/wireless networks.
Refers to closed circuit television and network cameras according to Article 3 of the Decree.
9. “Personal image information” means personal information among image information captured and processed by image information processing devices.
standard guidelines

Information that can identify the individual as a video related to portrait, behavior, etc.
say

10. “Image information processing equipment operator” means image information processing in accordance with each subparagraph of Article 25 (1) of the Act
A person who installs and operates equipment.
11. “Public places” means unspecified or multiple places such as parks, roads, subways, shopping malls, parking lots, etc.
A place where access or passage is not restricted.

23

Page 30
Explanation of personal information protection laws and guidelines and announcements

1. Image information processing device (Article 2, No. 7)
Since the uses and types of devices that can shoot and process video are very diverse, the 「Personal Information Protection Act」
The scope of image information processing devices is limited by the need for personal information protection and the real benefit of the regulation.
is determining
Subparagraph 7 of Article 2 of the Act states that image information processing devices are 'continuously installed in a certain space to protect people or things.
A device prescribed by Presidential Decree as a device for capturing images, etc. or transmitting them through a wired/wireless network.
is defining

continuously installed in a certain space
Image information processing equipment under this Act must be installed in a 'fixed space'. For example, inside buildings, on roads,
It means that an image information processing device must be installed based on a certain space such as a park. Also,
Since image information processing equipment includes only those installed in a certain space, the shooting range is also constant.
It is limited to photographing a space or area.
In addition, image information processing equipment subject to the regulation of this Act is image information processing equipment that is installed 'continuously'.
means only the device. Here, the meaning of continuous installation is that the image information processing device is to some extent fixed and permanent.
(恒久的) means that it is installed for the purpose of operating.
For example, a personal camcorder, digital camera, etc. can be used to determine the shooting space and shooting target range.
Taking images while switching is not included in the category of image information processing equipment under this Act.
Even if a personal imaging device is installed in a certain space to shoot an image, it is
Unless it is intended for permanent operation, it is also not an image information processing device under this Act.
However, the meaning of 'a certain space' does not necessarily mean a 'fixed place'. If mobility
Even if there is a space, if the installation location and shooting range of the shooting device are limited
It falls under this Act as an image information processing device.
For example, CCTV installed inside commercial vehicles such as buses and taxis is installed in a certain space inside the vehicle.
Since it is installed and filming a certain passenger boarding space, it falls under the image information processing device under this Act.
On the other hand, like a so-called 'vehicle black box', it is installed inside the vehicle and
In the case of a device that takes a picture, the subject and scope of the picture fluctuate from time to time, so
Not applicable.
One thing to note is that it is not possible to photograph an individual through a device other than an image information processing device under this Act.
The video information processing device regulation under Article 25 of this Act does not apply to the act, but in some cases, the
Other privacy provisions or provisions of other laws may apply.

24

Page 31

For example, in order to operate personal information files for business purposes, the personal information controller

The first chapter

In the case of filming, the regulations on collection and use of personal information under this Act may apply.
gun
Chick

Also, an act of taking pictures of another person's body against their will, which may cause sexual desire or shame.
etc. can be punished according to the Act on Special Cases concerning the Punishment of Crimes of Sexual Violence, etc.
Reference「Act on Special Cases concerning Punishment, etc. of Crimes of Sexual Violence」
Article 14 (Photography using a camera, etc.) ① Sexual desire using a camera or other mechanical device with similar functions

Alternatively, photographing the body of another person that may cause shame, or distributing, selling, renting, or distributing the photographed material
A person who provides or publicly exhibits or screens shall be punished by imprisonment with labor for not more than five years or by a fine not exceeding ten million won.
② Even if the filming in Paragraph 1 does not go against the will of the subject at the time of the filming, it is against the will of the person to be filmed after death.
A person who distributes, sells, leases, provides, or publicly exhibits or screens filmed material shall be punished by imprisonment for not more than three years or not more than five million won.
be fined
③ For the purpose of profit, the filmed in Paragraph 1 shall be used in accordance with Article 2 (1) 1 of the 「Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.」
A person who spreads information using an information and communications network (hereinafter referred to as “information and communications network”) shall be punished by imprisonment with labor for not more than 7 years or by a fine not exceeding 30 million won.
face

I shoot images of people or things
According to social norms, the concept of 'filming' can be seen to include audio and sound recording. But
Video information processing devices such as CCTV are continuously installed in a certain place and are located within the shooting range.
Since everything is filmed, if audio and sound are recorded on the image information processing device,
There is a possibility that conversations and the like will be recorded.
However, the act of recording and listening to undisclosed conversations between others is subject to Article 3 of the 「Communication Secrets Protection Act」.
will violate Therefore, 'photographing' of the image information processing device according to the 「Personal Information Protection Act」 is purely image only.
It is limited to filming, and audio/sound recording is not included.
On the other hand, when considering the legislative purpose of the 「Personal Information Protection Act」, the term 'thing' here
It should be interpreted limitedly to things that have a certain relationship with people. For example, a telescope installed in an observatory
Although it is continuously installed in a certain space to photograph outer space (objects), the subject of the photograph is a person and
Since it is difficult to see that the person is in a certain life relationship, the image information processing device according to this Act
not included.

Transmitting all the captured information through wired/wireless network
A device that not only shoots images of people and objects, but also transmits the captured information through wired and wireless networks.
It is included in the concept of image information processing equipment. In fact, the image information processing device simply shoots images.

25

Page 32
Explanation of personal information protection laws and guidelines and announcements

Rather, the method of transmitting the photographed screen and reading and utilizing it according to the purpose of installation is widely used.
have. This includes monitoring by transmitting the shooting screen through a closed network, such as closed circuit television (CCTV).
In this case, in all cases where the image is transmitted and viewed using the Internet network, such as a network camera, etc.
Included.

A device prescribed by Presidential Decree
There are many different types of image information processing devices that can take pictures of people and objects. use of these devices
If all are strictly regulated, social life and economic activities may be restricted, so the
Only those prescribed by Presidential Decree are recognized as the types of image information processing devices. In Article 3 of the Enforcement Decree,
The types of image information processing devices are defined as follows.

< Type of image information processing device >
Kinds

Contents
Using a camera that is continuously installed in a certain space, you can shoot images or

closed circuit television

It can be transmitted through a transmission path such as a wired/wireless closed circuit or recorded/recorded on a storage medium.
device to make
Wired/wireless video information collected with a filming device that is continuously installed in a certain space

network camera

In order to be able to process reception, operation, storage, etc. from anywhere through the Internet
device to do

26

Page 33

The first chapter

Article 3 Privacy Principles

gun
Chick

Article 3 (Personal Information Protection Principle) ① The personal information controller clearly states the purpose of processing personal information.
to the extent necessary for the purpose, and only the minimum amount of personal information legally and fairly
should be collected.
② The personal information controller shall appropriately personalize the personal information to the extent necessary for the purpose of processing personal information.
Information must be processed, and it must not be used for any other purpose.
③ The personal information controller shall process personal information to the extent necessary for the purpose of processing personal information.
Accuracy, completeness and up-to-dateness shall be ensured.
④ The personal information controller shall have the right of the information subject according to the processing method and type of personal information, etc.
law

Personal information must be managed safely in consideration of the possibility of infringement and the degree of risk.
⑤ The personal information controller discloses matters related to the processing of personal information, such as the personal information processing policy
and the rights of the information subject, such as the right to request access, shall be guaranteed.
⑥ The personal information controller shall manage personal information in a way that minimizes the invasion of privacy of the information subject.
should be dealt with
⑦ The personal information controller shall use anonymity if it is possible to process personal information anonymously.
should be able to be processed.
⑧ The personal information controller shall fulfill the responsibilities and obligations stipulated in this Act and related laws and regulations.
Efforts shall be made to gain the trust of the data subject by observing and practicing it.
Article 4 (Personal Information Protection Principle) ① The personal information controller must clearly specify the purpose of personal information processing.
to the extent necessary for the purpose, and only the minimum amount of personal information legally and fairly
should be collected.
② The personal information controller shall appropriately personalize the personal information to the extent necessary for the purpose of processing personal information.
Information must be processed, and it must not be used for any other purpose.
③ The personal information controller shall process personal information to the extent necessary for the purpose of processing personal information.
Accuracy and up-to-dateness must be maintained, and in the process of processing personal information,
Or, it must be prevented from being changed or damaged by negligence.
④ The personal information controller shall have the right of the information subject according to the processing method and type of personal information, etc.
Considering the possibility of infringement and the degree of risk, appropriate management and technical

standard guidelines
and physical protection measures to safely manage personal information.
⑤ The personal information controller discloses matters related to the processing of personal information, such as the personal information processing policy
In order to ensure the rights of the information subject, such as the right to request access, reasonable procedures and
method, etc., should be prepared.
⑥ The personal information controller shall legally conduct personal information to the extent necessary for the purpose of processing personal information.
Even when processing information, in a way that minimizes the invasion of privacy of the data subject
Information must be processed.
⑦ The personal information controller works anonymously, even if the personal information is legally collected.
If the purpose can be achieved, personal information should be processed anonymously.
⑧ The personal information controller shall comply with and practice the responsibilities and obligations stipulated in the relevant laws and regulations.
By doing so, efforts should be made to gain the trust of the data subject.

27

Page 34
Explanation of personal information protection laws and guidelines and announcements

Article 3 of the Act reflects internationally accepted principles in relation to the processing of personal information.
The personal information protection principle of Article 3 is the 「OECD Privacy 8 Principles」 enacted in 1980 and the legislation of EU member states.
Reference was made to the “EU Personal Information Protection Directive” (1995), which is the standard, and Korea was decisive in the enactment process.
The APEC Privacy Principles (2004), which played a role, were also considered. Other protection of personal information by law
The 「Personal Information Protection Act」 of the UK, Sweden, Canada, Hong Kong, Australia, New Zealand, etc., which describes the principles in detail
referenced.
The privacy principle is a declarative norm and does not in itself directly bind the controller.
However, it provides guidelines for actions to the personal information manager, and provides policy-making and law enforcement
It provides standards and, for the judiciary, provides the theoretical basis for interpretation of the law and at the same time provides the
blocks the blanks

< Comparison between OECD 8 Privacy Principles and Personal Information Protection Principles >
OECD 8 Principles of Privacy

Privacy Principles
▪Collection of minimum information necessary for the purpose (paragraph 1)

▪Collection restriction principle (1st principle)▪Processing in a way that minimizes invasion of privacy (Section 6)
Principle of Anonymity (Section 7)
Principle of information accuracy (2 principles)
▪Ensure accuracy, completeness and up-to-dateness within the purpose of processing (paragraph 3)
Principle of Clarification of Purpose (Three Principles)
▪ Clarification of the purpose of processing (paragraph 1)
▪The principle of restriction of use (4 principles)
▪Process lawfully within the scope of the purpose, and prohibit use for other purposes (Section 2)
▪The principle of securing safety (5 principles)▪Safe management in consideration of the possibility of infringement of rights (paragraph 4)
Principle of Disclosure of Treatment Policy (6▪Disclosure
Principles) of personal information processing policy, etc. (Section 5)
Principles of data subject participation (7 principles)
▪Securing the rights of information subjects, such as the right to request access (paragraph 5)
▪ Principle of Responsibility (8 Principles)

▪Efforts to comply with personal information controller's responsibility and secure trust (paragraph 8)

In accordance with the principle of personal information protection, the personal information controller has a specific and clear purpose for collecting personal information.
Personal information that is not directly necessary for the achievement of a specified purpose shall not be processed.
For example, a laundry service provider may use a service to notify the completion of laundry or to deliver laundry.
We may collect the customer's name, address, and phone number, but for other purposes, we may
It is the principle that unnecessary information should not be collected or used.
In order to ensure the accuracy, safety and up-to-dateness of personal information, the personal information controller shall

28

Page 35

Accurate information is provided through the process of checking the input contents in advance, and requesting access and correction
of personal information.
The first chapter
A procedure or method for input shall be prepared, and if error information is found, it cannot be corrected or deleted.
gun

Procedures should also be in place. In addition, in the process of processing personal information, personal information handlersChick
Or, you must fulfill your duty of care so that personal information is not altered or damaged by negligence.
The personal information controller shall ensure that the personal information of the information subject is not lost, stolen, leaked, altered or damaged.
Security measures must be taken to secure, and the personal information provided by the information subject must be used for what purpose and in what way.
It must be disclosed and what measures are being taken to protect personal information. Also
Procedures for requesting access to, correction and deletion of the personal information provided by the information subject shall be established.
In addition, the personal information controller prevents the personal information collected from being exposed or misused by others.
Personal information must be handled in a way that minimizes invasion of privacy, and specific business characteristics must be respected.
Anonymization of personal information, such as removing or replacing personal identifiers from personal information data records
If possible, anonymization should be done in a form that does not identify a specific individual.

29

Page 36
Explanation of personal information protection laws and guidelines and announcements

Article 4 Rights of data subjects
Article 4 (Rights of Information Subjects ) In relation to the processing of their personal information , the information subject must
have the right
1. The right to receive information on the processing of personal information
2. The right to choose and decide whether to consent to the processing of personal information, the scope of consent, etc.
law

3. Check whether or not personal information is processed and access personal information (issuance of a copy)
include hereinafter the same)
4. Right to request suspension, correction, deletion and destruction of personal information
5. Relief for damage caused by the processing of personal information in a prompt and fair manner
right to receive

1. History
The rights of data subjects stipulated in Article 4 of the Act have been established through precedents and legislative precedents in each country.
According to the 「EU Privacy Directive」, data subjects have the right to be provided with information, the right to access their personal information,
The right to request correction, deletion, or closure of inaccurate information, the right to refuse the processing of personal information, and the right to direct sales of personal information.
You have the right to refuse to be used, and the right not to be disadvantaged only by automatically processing information. our country
The 「Information and Communications Network Act」 also stipulates the right to withdraw consent, the right to request access, and the right to request correction, and the former 「Public Institutions」
The Personal Information Protection Act also recognizes the information subject's right to request access and to request correction and deletion.
The Constitutional Court of Korea recognizes the so-called 'right to self-determination of personal information' or 'right to self-control of personal information'.
have. The Constitutional Court stated, “The above basic rights and constitutional principles
Since it would be impossible to completely include some of them, it would be impossible to
It seems undesirable to limit it to one or two, rather, the right to self-determination of personal information
It is an independent fundamental right based on an ideological basis, which should be regarded as a fundamental right not specified in the Constitution.
', the privacy and freedom of privacy under Article 17 of the Constitution, Article 10 of the Constitution, the first sentence of human rights.
General moral rights based on dignity, worth, and the right to pursue happiness, together with the above provisions, our Constitution
Based on the ideological basis of the rules of liberal and democratic basic order or the principle of popular sovereignty and the principle of democracy,
The right to self-determination of personal information is recognized as an independent basic right that is not specified. (Constitutional Court 2005.05.26,
99 Heonma 513, Book of Cases, Vol. 17, Vol. 1, 668)

30

Page 37

The first chapter

ReferenceRight to self-determination of personal information

gun
General moral rights derived from the first sentence of Article 10 of the Constitution, which stipulates the dignity and value of human beings and the
right to pursue happiness, and Article 17 of the Constitution.
Chick

The right to self-determination of personal information guaranteed by the confidentiality and freedom of privacy is
It is the right of the data subject to decide for himself whether or not to be known and used. That is, the subject of personal information

The right to self-determination regarding disclosure and use. Personal information subject to the protection of the right to self-determination of personal information
Matters that characterize an individual's personality, such as body, belief, social status, status, etc., that can identify the individual's identity.
It can be said to be any information that enables
It includes, but is not limited to, personal information that has been formed in public life or that has already been disclosed. In addition, such personal information
In principle, all acts such as investigation, collection, storage, processing, and use fall under restrictions on the right to self-determination of personal information.
(Constitutional Court Judgment: 2005. 5. 26. 99 Heonma 513, etc., Gazette 105, 666, 672)

In addition, regarding the right to personal information, the Supreme Court held that the Armed Forces Security Command followed civilians,
In the case of collecting and managing personal information through telephoto use and interrogation collection, “Happiness of Article 10 of the Constitution”
The right to pursue and the provisions of Article 17 of the Constitution on the privacy and freedom of personal life do not prevent an individual's private life activities from being protected from others.
In addition to the passive right not to be infringed on or to reveal privacy, today's highly informational
In order to ensure the active right to autonomously control information about oneself in modern society,
will be” (Sentenced on July 24, 1998, judgment of 96da42789).
As such, the right to self-determination of personal information is protected from the right to privacy, freedom, and pursuit of happiness under the Constitution.
It is the consistent position of the Korean courts and the Constitutional Court that it is an independent fundamental right. Privacy
Both the right to privacy and the right to pursue happiness, which are the right to self-determination, are closely related to the expression of personality.
It is a fundamental right, and in the realm of justice, it should be seen as a kind of personal right. realistically raised
Even in litigation regarding infringement of personal information, the plaintiff is most likely to argue that the right to personal information is
It is seeking compensation for mental damage on the premise that it is a type of alimony, and the court also orders the payment of alimony.
However, we cannot ignore the reality that personal information is circulated or used for economic and social activities.
Then, the right to self-determination of personal information protects one's personal information rather than purely protecting personal interests.
In the sense of controlling so that it is not used for profit without permission, it also protects property interests incidentally.
It can be called a special right of personality.

2. Contents of Rights
the right to be provided with information about the processing of personal information
The information subject collects personal information about the purpose and scope of processing such as collection, use, and provision of personal information.
You have the right to be provided by the processor. Accordingly, the personal information controller shall be responsible for the purpose of collection, use and provision of personal information;
It is obligated to notify the scope, etc., and to establish and disclose the personal information processing policy.

31

Page 38
Explanation of personal information protection laws and guidelines and announcements

The right to choose and decide whether to agree or not, the scope of consent, etc.
The core of the right to self-determination of personal information is that the information subject has the actual control over the personal information processing of the personal information controller.
to have control. Give the information subject the right to choose whether to process personal information and the scope of consent
Even if given, if the personal information controller in fact compels consent, the rights of the data subject will not be formalized.
For this reason, comprehensive consent is prohibited.

C. The right to check the processing of personal information and request access
The information subject determines who has how much of his/her personal information and how it is used, provided, and managed
We guarantee the right to access your personal information so that you can check it. The right to request access is that of the personal information controller.
It also performs a function to prevent indiscriminate collection, use, and provision of personal information.

Called right to stop the treatment, correction, deletion and destruction of personal information
In order to prevent damage caused by incorrect personal information processing by the personal information controller,
The right to request suspension, correction, or deletion of inaccurate information is guaranteed. In addition, personal information leakage
In order to prevent damage, etc. and to prevent misuse, the purpose of processing personal information is achieved.
You may request that your personal information be destroyed when it is no longer necessary to keep it.

The right to receive relief from damage in a prompt and fair manner
In the event of damage caused by the collection, use, provision, etc. of personal information, the information subject must follow a prompt and fair procedure.
Accordingly, they have the right to receive appropriate compensation in proportion to the seriousness of the damage. to ensure this right
The Personal Information Protection Act includes the conversion of the burden of proof, the dispute mediation system and the collective action system to stop infringement of rights, and the
A system of punitive damages is introduced.

3. Restriction of Rights
The rights of data subjects are not absolute rights that cannot be restricted. According to Article 37 (2) of the Constitution,
The freedom and rights of the people are limited to cases where it is necessary for national security, maintenance of order, or public welfare.
may be restricted by law. In general, the rights of data subjects are for defense, police, investigation, trial, tax, etc.
It may be restricted if it is related to the exercise of public power or conflicts with the basic rights of others.

32

Page 39

However, the investigation, storage, provision, and disclosure of personal information conducted by public authorities is subject
to the rights of the information subject.
The first chapter
It can be said that it is a restriction on the subject matter, so the restriction must be authorized by law. However, individual
gun

Even if there is a law that allows the processing of information, the law must be based on the principle of the rule of law.

Chick

The principle of clarity must be followed.
In limiting the rights of the information subject, the subject, purpose, subject and
It is desirable to make the legal basis more clear by stipulating the scope, etc. in detail in the law, but
Depending on the type and nature of personal information, the method and content of information processing, etc., the degree of the requirement for clarity of the authorized law may vary.
It changes.
Legislation restricting the right to self-determination of personal information includes 「Criminal Procedure Act」, 「National Intelligence Service Act」, 「Statistics Act」, 「Electronics Act」
Government Act”, “Public Service Ethics Act”, “Medical Act”, “Road Traffic Act”, “National Health Insurance Act”, “Information Disclosure of Public Institutions”
Act" and the like.

33

Page 40
Explanation of personal information protection laws and guidelines and announcements

Article 5 Responsibilities of the State, etc.
Article 5 (Responsibilities of the State, etc.) ① The State and local governments shall collect, misuse,
By preventing harm caused by abuse and indiscriminate monitoring and tracking,
Policies to promote privacy protection should be devised.
② In order to protect the rights of data subjects under Article 4, the State and local governments
Necessary measures such as improvement should be prepared.

law

③ The State and local governments shall not accept unreasonable social practices regarding the processing of personal information.
Respect, promote, and promote autonomous personal information protection activities of personal information controllers in order to improve
should support
④ The State and local governments may enact laws or ordinances on the processing of personal information or
In case of amendment, it shall be in conformity with the purpose of this Act.

1. Take measures to protect human dignity and privacy
The state and local governments protect human dignity and personal privacy from misuse and abuse of personal information.
In order to protect personal information, the status of personal information processing shall be checked and necessary policies shall be established and implemented.

2. Preparation of necessary measures such as improvement of laws and regulations
The State and local governments are responsible for revising necessary laws to protect the rights of data subjects.
A policy should be prepared and implemented.

3. Promotion and support for self-regulation of personal information protection
In order for personal information protection systems and practices to be established in society as a whole, self-regulation of personal information controllers is necessary.
must be activated. To this end, the state and local governments voluntarily protect personal information of personal information controllers.
Respect, promote and support activities to improve unreasonable social practices regarding personal information processing and
We have a responsibility to create a social environment in which information can be safely processed.

4. Enactment and amendment of laws and ordinances to meet the purpose of this Act;
The State and local governments must comply with laws or ordinances related to personal information processing, and guidelines and announcements from relevant ministries.
When enacting or revising, it protects individual freedom and rights and furthermore, the realization of individual dignity and values.
The purpose of this Act shall be met.

34

Page 41

The first chapter

Article 6 Relationship with other laws

gun
Chick

law

Article 6 (Relationship with other laws) There are no special provisions in other laws regarding the protection of personal information.
Except where otherwise provided, the provisions of this Act shall apply.

Article 5 (relationships with other instructions) of disability jurisdiction areas of the central administrative agencies and Privacy
standard guidelines
In the case of establishing related personal information protection guidelines, they must conform to these guidelines.

1. Characteristics of the Personal Information Protection Act
If there are other individual laws other than this Act with respect to the protection of personal information, the relationship between this Act and the individual laws
it is stipulated Since the 「Personal Information Protection Act」 has the general nature of personal information protection,
Where there are special provisions in the Act, the provisions of that Act shall take precedence. This is the field
taking into account the specificity.
Currently, 「Information and Communications Network Act」, 「Credit Information Act」, 「Act on Protection and Use of Location Information」, 「Electronic Commerce」
Regulations on the processing and protection of personal information in a number of individual laws, such as the Act on Consumer Protection in
are leaving Therefore, it is necessary to review the application of each article prior to the Personal Information Protection Act.
In general, countries that have a general law on the protection of personal information
There are very few examples of individual laws. This confuses the personal information controller and prevents the harm of overlapping regulations.
because there may be From a legislative perspective, personal information that is different from this law for a specific industry or field
If the handling principle and standard are necessary, it is only for that reason that there are exceptions or special rules in the relevant law.
It would be preferable

2. Standards for application of law
Those who are subject to individual laws such as the 「Information and Communications Network Act」 are not exempted from the application of this Act.
Anyone who processes personal information is subject to the provisions of this Law. provided, however, that this Act
If there are special regulations different from the contents, the provisions of the applicable laws shall take precedence.
However, just because an individual law has provisions that are different from the contents of this Act, the provisions of that individual law are unconditionally
It does not take precedence. The application of this Act, taking into account the purpose, purpose, content, etc. of the individual Act as a whole
When it is recognized that the intention to exclude is clear, or when the provisions of this Act are applied as it is, this Act and individual Acts
The provisions of individual laws only apply when there is a contradiction between them, an unreasonable situation or a distorted result.
applies.

35

Page 42
Explanation of personal information protection laws and guidelines and announcements

For example, if an information and communications service provider subject to the 「Information and Communications Network Act」 operates a person information site,
In the relationship between the information subject related to a specific person registered on the site and the information and communication service provider,
The 「Personal Information Protection Act」, not the 「Information and Communications Network Act」, is applied. This means that the 「Information and Communications Network Act」
It only regulates the relationship between the provider and the user, and the information and communication service provider and the personal information contained in the site
This is because the relationship with the subject is not regulated.
The 「Personal Information Protection Act」 is a general law that is common and average for the economy and society regarding personal information processing.
As it reflects the level of demand, the provisions of other laws strengthen the level of protection than the provisions of this Act.
Of course, even if the level of protection is relaxed more than the provisions of this Act,
ordinance takes precedence.
As there are special provisions in other 'laws', the provisions of that law take precedence over this law.
If there are special provisions other than this Act, such as enforcement ordinances, enforcement regulations, ordinances, etc. other than laws,
The enforcement ordinance, etc., does not take precedence. In such a case, of course, this Act shall take precedence. but,
If the enforcement ordinance, etc. is entrusted by law, the enforcement ordinance, etc. shall take precedence.

case

Commercial law takes precedence

In the 「Personal Information Protection Act」, it is only possible to obtain separate consent from the information subject or if there are special provisions in other laws, etc.
Personal information may be provided to a third party (Articles 15 (1) and 18 (2)). For the welfare of workers, the company
In the case of a group insurance that is collectively insured, the company must provide the employee's personal information to the third party insurer.
In accordance with the 「Personal Information Protection Act」, separate consent from the employee must be obtained.
However, the 「Commercial Act」 in Article 731 (1) in relation to the life insurance of another person states, “In an insurance contract in which the death of another person is an insurance accident,
At the time of concluding an insurance contract, the written consent of the other person must be obtained.”
In case of group insurance established by concluding one insurance contract with the insurer with all or part of the members as the insured

In accordance with Article 735-3 (1) of the 「Commercial Act」, “in accordance with the rules of the organization, a life insurance contract with all or part of the members as the insured
Article 731 does not apply in the case of a contract.” In case of accident insurance, in accordance with Article 739 of the Commercial Act,
Since the regulations on life insurance apply mutatis mutandis, in order to conclude a group accident insurance contract, the worker’s consent to the conclusion of the insurance contract is required.
If there is a substitute agreement, the written consent of the worker is not required.
Therefore, if there is an agreement that includes matters related to the conclusion of a group insurance contract, the company collects the information without the consent of the worker.
The 「Commercial Act」, which stipulates that personal information can be provided to a third party that is an insurance company, applies.
The meaning of the agreement in Article 735-3 of the 「Commercial Act」 is that it is not necessary to subscribe to group insurance regardless of its form, such as collective agreements, employment rules, and articles of incorporation.
It corresponds to an agreement within the organization regarding
It should contain the purport that the representative can conclude a contract collectively for the members (Supreme Court 2006.4.27.
sentencing 2003da60259 judgment). For example, there is a provision regarding the purchase of life insurance in the employment rules, and the payment of insurance benefits is
If there is a provision for the payment of death compensation and the employee has signed and sealed it, it can be substituted for the insured's consent.
will be. However, the agreement does not include matters related to the conclusion of a group insurance contract, but merely stipulates severance pay and death consolation pay.
In this case, the written consent of the worker is required.

36

Page 43

3. Relationship with other laws

The first chapter

gun

The 「Personal Information Protection Act」 is a general law and applies to the relationship between all personal informationChick
controllers and data subjects.
However, the relationship between information and communications service providers and users of information and communications services under the 「Information and Communications Network Act」, and 「Credit
In the relationship between a credit information service provider and a credit information subject under the “Information Act”, there are no special provisions in the relevant Act.
If so, follow those rules.
Image information processing device, impact assessment, restriction on processing of uniquely identifiable information and sensitive information, collective dispute mediation system, rights
Only in the 「Personal Information Protection Act」 such as group action for infringement, notification of the source of personal information collected from other than the information subject
Of course, the “Personal Information Protection Act” applies to the stipulated content.
However, if the same content is otherwise stipulated, the individual law applies, so the 「Personal Information Protection Act」
Consent matters for collection and use pursuant to Article 15 (2) depend on the relationship between information and communication service providers and users.
Article 22 (1) of the 「Information and Communications Network Act」 applies. consent in the matter
The matters are the purpose of collection and use, the items of personal information to be collected, and the period of retention and use of personal information.
Meanwhile, in other laws, a system similar to the person in charge of personal information protection under Article 31 of the 「Personal Information Protection Act」
If it is, you can designate it in accordance with the applicable law, and protect personal information in accordance with the 「Personal Information Protection Act」
There is no need to separately designate a responsible person. For example, in accordance with the 「Information and Communications Network Act」, the person in charge of personal information protection
If a person in charge of managing credit information has been designated or designated in accordance with the Credit Information Act, separate personal information
There is no need to designate a guardian. However, the personal information protection officer stipulated in the 「Personal Information Protection Act」
tasks must be performed at the same time.

37

Page 45
44

Chapter 2
Privacy Policy
establishment, etc.
Article 7 Personal Information Protection Committee
Article 8 Functions, etc. of the Protection Committee
Article 8-2 Evaluation of Personal Information Infringement Factors
Article 9 Master plan
Article 10 Implementation plan
Article 11 Request for data submission, etc.
Article 12 Personal Information Protection Guidelines
Article 13 Promotion and support of self-regulation
Article 14 International Cooperation

Page 47
46

Article 7 Personal Information Protection Committee
The second chapter
Article 7 (Personal Information Protection Committee) ① To deliberate and decide on matters related to personal
information protection

dog
The Personal Information Protection Committee (hereinafter referred to as the “Protection Committee”) shall
be established under the jurisdiction of the President. protect

The committee shall independently carry out the work that falls under its authority.
② The Protection Committee shall be composed of no more than 15 members, including one chairperson
However, the standing members are appointed as public officials in political service.
③ The chairperson is a non-public official from among the members and is appointed by the President.
④ A member shall be appointed by the President or a person falling under any of the following

sign
tablet
see
see
and
one
arc
tablet
book
of

standing member.

Number
lip
subparagraphs:
Etc

commission In this case, 5 of the members are elected by the National Assembly, and 5 are elected by the Chief Justice of the Supreme Court.
Appoints or commissions the nominees, respectively.
law

1. A person who has been recommended by a civil society organization or consumer organization related to personal information protection;
2. A person who has been recommended by a business organization composed of personal information controllers;
3. Other persons with extensive knowledge and experience in personal information
⑤ The term of office of the chairperson and members shall be three years, but they may be reappointed only once.
⑥ The meeting of the Protection Committee shall be held by the chairperson as deemed necessary or by at least one quarter of the members
The chairperson shall convene upon request.
⑦ The Protection Committee decides with the attendance of a majority of the enrolled members and the consent of a majority of the members present.
⑧ A secretariat shall be established in the Protection Committee to support the affairs of the Protection Committee.
⑨ In addition to the matters stipulated in paragraphs 1 through 8, the organization and operation of the Protection Committee
Necessary matters shall be prescribed by Presidential Decree.
Article 4 (Exclusion, Rejection, Evasion of Members) ① Personal Information Protection Committee under Article 7 (2 ) of the Act (hereinafter referred to as "Personal Information Protection Committee")
(referred to as the “Protection Committee”), the members of the
They cannot participate in deliberation and decision-making.
1. A member or a member's spouse, blood relative within the fourth degree, a person who is a relative within the second degree, or his/her
Matters that have an interest in the organization or organization to which the person belongs
2. Matters in which a member testifies, makes a statement or makes an appraisal, or is involved as an agent;

3. A member or a public institution, corporation, or group to which the member belongs provides advice, etc.
Enforcement Decree
Matters that have an interest in those who have
② A person who has a direct interest in matters deliberated and decided by the Protection Committee shall be referred to in Paragraph (1).
If there is a reason for exclusion, or where it is difficult to expect fairness of deliberation and resolution,
A member may apply for challenge of the member to the Protection Committee by stating the reason.
In this case, the chairperson decides whether to challenge.
③ Members may voluntarily evade deliberation and resolution in cases falling under paragraphs 1 or 2
have.

41

Page 48
Explanation of personal information protection laws and guidelines and announcements

Article 5 (Expert Committee) ① The Protection Committee shall conduct deliberation and resolution under Article 8 (1) of the Act.
In order to review professionally in advance, the protection committee
committee”) may be established.
② In case of establishing an expert committee pursuant to Paragraph 1, each expert committee shall include one chairperson.
It shall be composed of not more than 10 members, but the members of the expert committee shall be from among the following persons.
Appointed or commissioned by the Chairman of the Protection Committee with the consent of the Protection Committee, and
The chairperson is appointed by the chairperson of the protection committee from among the members of the expert committee.
1. Member of the Protection Committee
2. Relevant public officials of central administrative agencies in charge of personal information protection-related affairs;
3. Persons with extensive expertise and experience in personal information protection
4. Belongs to an organization or business association related to personal information protection, or receive recommendations from such organization
recipient
③ The meeting of the expert committee shall be held with the attendance of a majority of the enrolled members, and the members present
Decisions are made by a majority vote.
Article 6 (Disclosure of Intent) The intentions of the Protection Committee shall be made public. However, the Chairman of the Protection Committee
It may not be disclosed if deemed necessary.
Article 7 (dispatch of officials, etc.) protection committee that it deems necessary for the performance of their duties
In this case, it may request a public institution to dispatch its public officials or executives and/or employees.
Article 8 (Organization and Capacity, etc.) In addition to the matters stipulated in this Decree, the organization and capacity of the Protection Committee, etc.
Matters necessary for this shall be separately determined by Presidential Decree.
Article 9 (Attendance Allowance, etc.) Members who attend meetings of the Protection Committee or Special Committee, Article 8 of the Act
In accordance with paragraph (2), a person who has attended the protection committee and a person who has attended the expert committee
Allowances, travel expenses, and other necessary expenses may be paid within the scope. However, public officials
This is not the case in case of attendance directly related to the affairs under his/her jurisdiction.
Article 10 (Detailed Rules for the Operation of the Protection Committee, etc.) In addition to the matters stipulated by the Act and this Decree, the Protection Committee
Matters necessary for the composition and operation of the expert committee, etc., shall be passed through the resolution of the protection committee.
It is determined by the rules of the Protection Committee.

1. Background of the Protection Committee
In order to ensure the independence of decision-making in the personal information protection policy, a Protection Committee under the jurisdiction of the President is established.
have. The establishment of an independent and professional personal information supervisory body is the most important aspect of the operation of the personal information protection system.
It is a key element and safety device.

42

Page 49

The reason that an independent supervisory body is emphasized in the personal information protection system is that a large amount of personal information
that can professionally evaluate and check the personal information processing activities of government agencies or large companies that process
Because you need a device. Accordingly, the 「Personal Information Protection Act」 changes the affiliation of the Protection Committee to that of the President.
The second chapter

In addition, the Protection Committee is allowed to independently carry out the work that falls under its authority.

dog
sign
tablet
see
see
arc
tablet
book
of

2. Composition and operation of the Protection Committee
A. Composition of the Protection Committee

Number
lip
Etc

1) Composition: No more than 15 members, including 1 chairperson and 1 standing member.
2) Chairperson: Appointed by the president from among non-public officials, and represents and protects the Protection Committee
Supervise the work of the committee.
3) Standing member: Recognized as a public official in political service, and assists the chairperson in the operation of the protection committee's meetings.
In addition, if the chairperson is unable to perform his/her duties due to unavoidable reasons, he/she shall act on his/her behalf.
4) Members: Appointed or commissioned by the President, 5 members elected by the National Assembly, 5 members elected by the Chief Justice of the Supreme Court
The nominee must be appointed or commissioned, respectively.
5) Term of office: The term of office of the chairperson and members is three years, but re-appointment is possible only for the first time.
6) Qualifications of members: personal information to utilize the participation of stakeholders from various fields and professional experience and knowledge
Persons recommended by civil society groups and consumer groups related to protection, and business groups consisting of personal information controllers
It is limited to those who recommend and those who have extensive knowledge and experience in personal information.

B Protection Committee Secretariat
A secretariat shall be established in the Protection Committee to support the affairs of the Protection Committee.

Operation of the Protection Committee
Matters necessary for the organization and operation of the Protection Committee other than those provided for in this Act shall be prescribed by Presidential Decree.
As prescribed by the Presidential Decree, the establishment and operation of expert committees, the dispatch, organization and capacity of public officials, etc.;
It stipulates matters related to attendance allowance, etc., and other necessary matters are to be determined by the rules of the Protection Committee.
is delegating

43

Page 50
Explanation of personal information protection laws and guidelines and announcements

La Expert Committee
The Protection Committee establishes a specialized committee for each field to professionally review matters for deliberation and resolution in advance.
can be put Each expert committee shall be composed of no more than 10 members including one chairperson, but the protection committee
Members, related public officials of central administrative agencies in charge of personal information protection, personal information protection
A person with extensive professional knowledge and experience, belonging to an organization or business group related to personal information protection, or
Among those who have been recommended by the organization, the chairperson of the protection committee appoints them with the consent of the protection committee, or
The expert committee chairperson is appointed by the protection committee chairperson from among the expert committee members.

3. Convocation and resolution of the Protection Committee
autumn meeting convening
A meeting of the protection committee is held when the chairperson deems it necessary or at the request of at least a quarter of the members of the committee.
In such cases, the chairperson calls In addition, the Protection Committee is a meeting of the president, chairperson, and two or more members.
A meeting shall be held to deliberate and decide on matters.

Or meeting decision
The Protection Committee decides with the attendance of a majority of the enrolled members and the consent of a majority of the members present.

The meetings public
In principle, the will of the Protection Committee is made public. However, if the Protection Committee deems it necessary
In some cases, it may not be disclosed.

La jecheok, avoid, avoid
Members are excluded from deliberation and resolution on matters falling under any of the following subparagraphs:
① A member or a member's spouse, blood relative within the fourth degree, or a person who is a relative within the second degree, or to which that person belongs
Matters that have a stake in an institution or organization
② Matters in which a member testifies, makes a statement or makes an appraisal, or is involved as an agent

44

Page 51

③ A member or a person to whom the member's public institution, corporation, or group is providing advice, etc.
Things of interest
A person who has a direct interest in matters deliberated and decided by the Protection Committee shall be referred to the members
deliberation and resolution.
The secondfor
chapter
dogthis case
If there are circumstances that make it difficult to expect fairness, you may file a challenge request by writing down the reason. in
sign
tablet
see
see
arc
tablet
book
of

The chairperson decides whether to evade.
When a member falls under any of the above reasons, he/she may voluntarily evade the deliberation and resolution.

Number
lip
Etc

45

Page 52
Explanation of personal information protection laws and guidelines and announcements

Article 8 Functions of the protection committee, etc.

Article 8 (Functions, etc. of the Protection Committee ) (1 ) The Protection Committee deliberates and decides on the following matters:
1. Matters concerning the evaluation of personal information infringement factors under Article 8-2;
1 of 2. A master plan under Article 9 and an implementation plan under Article 10
2. Matters concerning the improvement of policies, systems and laws related to personal information protection
3. Matters concerning the coordination of opinions among public institutions regarding the processing of personal information;
4. Matters concerning the interpretation and operation of laws and regulations related to the protection of personal information;
5. Matters concerning the use and provision of personal information under Article 18 (2) 5;
6. Matters concerning the results of impact assessment under Article 33 (3);
7. Matters concerning the presentation of opinions under Article 61 (1);
8. Matters concerning the recommendation of measures under Article 64 (4);
9. Matters concerning the publication of the results of processing under Article 66;
10. Matters concerning the preparation and submission of the annual report under Article 67 (1);
law

11. In relation to the protection of personal information, the president, the chairperson of the protection committee, or two or more members
Matters to be sent to this meeting
12. Other matters deliberated and resolved by the Protection Committee pursuant to this Act or other Acts and subordinate statutes
② The Protection Committee shall, if necessary for deliberation and resolution of each subparagraph of Paragraph 1,
Each of the measures may be taken.
1. Relevant public officials, persons with expertise in personal information protection, or civil society organizations
and listening to opinions from related businesses
2. Request for data submission or fact inquiry to related organizations, etc.
③ Relevant institutions, etc., who have received a request under paragraph (2) 2, may not do so unless there are special circumstances.
must respond
④ When the Protection Committee deliberates and decides on matters referred to in Paragraph (1) 2, it shall notify the relevant agencies.
improvement can be recommended.
⑤ The Protection Committee may check whether the recommendations under paragraph (4) have been implemented.

Article 9-2 (Procedures, etc. for Recommendation for Improvement of Policies, Systems and Laws) ① The Protection Committee shall comply with Article 8 (4) of the Act.
In the case of recommending the improvement of policies, systems and laws to related organizations, the contents and reasons
Enforcement Decree
should be notified together.
② The Protection Committee shall check the implementation of the recommendations under Article 8 (5) of the Act.
You can request the relevant agencies to submit data on the results of the implementation of the recommendations.

46

Page 53

1. Protection Committee Function
A. Matters for deliberation and resolution by the Protection Committee

The second chapter

Although there are some differences in the functions emphasized by each country, the personal information supervisory
(ombudsmen), auditors, consultants, consultants, negotiators, policy advisors
It functions as a policy adviser, enforcer, etc.

dog
sign
bodiestablet
of each
see
see
arc
tablet
book
of

country are mainly composed of the Ombudsman.

The protection committee in Korea does not have many functions to directly enforce policies in accordance with laws and regulations, but
Number
lip

It has the function of deliberation and resolution on systems and laws.

Etc

< Comparison of functions and roles between the Protection Committee, the Ministry of Government Administration and Home Affairs, and the central administrative agencies >
Personal Information Protection Committee
(deliberation/decision function)

Ministry of Government Administration and Home Affairs
(Execution and general functions)

▪Establishment of standard personal information protection guidelines
▪ Matters regarding the evaluation of personal information infringement factors
▪Policies to promote and support self-regulation
▪Basic plan and implementation plan
▪International cooperation related to personal information protection
▪ Matters concerning the improvement of policies, systems and laws
▪Whether the security measures for unique identification information are observed regularly
▪ Matters for coordination of opinions between public institutions
Research
▪ Matters concerning the interpretation and operation of laws and regulations
▪Establishment and recommendation of guidelines for personal information processing policy
▪ Matters concerning the use and provision of personal information other than the purpose
▪Personal information file registration reception and status disclosure
▪ Matters concerning the results of the impact assessment
▪Operation of personal information protection certification system
▪ Matters concerning the presentation of opinions on laws and ordinances
▪Personal information impact assessment management and operation
▪ Regarding the recommendation to suspend personal information processing and to stop infringement
▪Operation of personal information leakage reporting system
matters
▪Establishment and operation of personal information viewing window
▪Results of disciplinary action, accusation, corrective action, and imposition of a fine for negligence
Investigation of violations of the law, recommendations and orders for correction, fines,
Matters concerning publication
Imposition of fines, etc.
▪ Matters concerning the preparation and submission of the annual report
▪Personal information protection related laws and ordinances, processing status, etc.
▪The president, chairperson, and two or more members attend the meeting
Suggestion of opinions and recommendations for improvement
beating, etc.
▪Operation of reporting system for personal information infringement
central administrative agency
(Enforcement work according to the area under jurisdiction and individual laws)
▪Submission of plans for each sector to prepare the master plan (→ Protection Committee)
▪Establishment and submission of an implementation plan in the field under its jurisdiction (→ Protection Committee)
▪Submit the performance of implementation plan in the field under its jurisdiction (→ Protection Committee)
▪Evaluation of improvement promotion of laws and regulations in the field of jurisdiction
▪Promoting and supporting self-regulation in the field under its jurisdiction
Investigation of violations of the law, order to recommend correction, and imposition of fines (if there is a separate law)
▪Efforts to comply with the purpose of this Act of laws and ordinances, etc.

47

Page 54
Explanation of personal information protection laws and guidelines and announcements

B Request to hear opinions and submit data, etc.
The Protection Committee shall, if necessary to deliberate and decide on matters under its jurisdiction, related public officials, experts, and civil society
Opinions can be heard from organizations and related business operators, and data submitted or facts to related organizations, etc.
You can ask for an inquiry. The head of the relevant agency who has received such a request for data submission or fact inquiry
If there is no circumstance, you must respond.

C. Recommendation for improvement of policies and systems and the right to check implementation
The Protection Committee is concerned with the improvement of policies, systems, and laws related to personal information protection (Article 8 (1)).
In the case of deliberation and resolution on the matters referred to in subparagraph 2)', it may recommend improvement to the relevant agencies. In this case
The contents and reasons shall be notified together. and to check the implementation of these recommendations.
For this purpose, it is possible to request the relevant agencies to submit data on the results of the implementation of the recommendations.
In order to more effectively respond to personal information infringement incidents, the
This system was introduced by amending the Personal Information Protection Act on July 24, 2015 to strengthen its functions.

48

Page 55

Article 8-2

Assessment of personal information infringement factors
Article 8-2 (Evaluation of Factors for Infringement of Personal Information) ① The head of a central administrative
The second chapteragency enacts or
dog through revision
In the case of introducing or changing policies or systems accompanying the processing of personal information
sign

You must request an evaluation of personal information infringement factors from the Protection Committee.
tablet
see

law

② When the Protection Committee receives a request under paragraph (1), infringement of personal information
see
under the relevant laws and regulations
arc
tablet statutes for improvement.
Analyze and review factors, and notify the head of the competent agency under the relevant Acts and subordinate
book
of

can recommend.

Number

③ Matters necessary for the procedure and method of evaluation of personal information infringement factors
lip pursuant to Paragraph 1 shall be
Etc

determined by Presidential Decree.

Article 9-3 (Personal Information Infringement Factor Evaluation Procedure, etc.) ① The head of the central administrative agency is Article 8-2 of the Act
In accordance with Paragraph 1, requesting evaluation of factors for infringement of personal information (hereinafter referred to as “evaluation of factors of infringement”);
In this case, a request for evaluation of personal information infringement factors including the following
included) must be submitted to the Protection Committee.
1. The handling of personal information introduced or changed through laws and regulations (including draft laws)
Purpose and main contents of accompanying policies and systems
2. In accordance with each subparagraph of Paragraph 2 in accordance with the introduction or change of policies and systems accompanying the processing of personal information
Self-analysis of personal information infringement factors
3. Personal information protection measures in accordance with the introduction or change of policies and systems accompanying the processing of personal information
② When the Protection Committee receives a request under paragraph (1), it shall comply with each of the following subparagraphs:
Consideration should be given to evaluating the factors of infringement and reporting the result to the head of the relevant central administrative agency.
do.
1. Necessity of personal information processing
Enforcement Decree
2. Adequacy of guaranteeing the rights of the subject of personal information
3. Safety of personal information management
4. Other matters necessary for the evaluation of infringing factors
③ When the head of a central administrative agency receives a recommendation under Article 8-2 (2) of the Act, he/she
Efforts should be made to implement the recommendations, such as reflecting the contents in the relevant laws and regulations. but,
If it is difficult to follow the recommendations of the Protection Committee, the reason is notified to the Protection Committee.
shall.
④ When the Protection Committee evaluates infringing factors, the data necessary for the evaluation of infringing factors
etc. may be requested from the head of the relevant central administrative agency.
⑤ The Protection Committee shall be responsible for the evaluation of infringing factors such as detailed standards and methods for the evaluation of infringing factors.
Guidelines can be established and notified to the head of the central administrative agency.
⑥ The Protection Committee advises related experts if necessary to conduct an evaluation of infringement factors.
can do back

49

Page 56
Explanation of personal information protection laws and guidelines and announcements

The head of a central administrative agency may have policies or policies accompanying personal information processing through enactment or revision of relevant laws and regulations.
In case of introducing or changing the system, it is necessary to request the Protection Committee to evaluate the factors of personal information infringement.
When the Protection Committee receives such a request, 'i) the need to process personal information, ii) the
adequacy of protection of rights, iii) safety of personal information management, and iv) other matters necessary for evaluation of infringing factors.
Consideration should be given to evaluating the factors of infringement and reporting the results to the head of the relevant central administrative agency. center
When the head of an administrative agency receives a notification of such a recommendation, he/she makes a recommendation, such as reflecting the content in the relevant laws and regulations.
Efforts should be made to implement the contents. However, if it is difficult to follow the recommendations of the Protection Committee,
The reason must be notified to the Protection Committee.
On the other hand, when the Protection Committee evaluates infringing factors,
It can be requested from the head of the central administrative agency, and if necessary to conduct an evaluation of the factors of infringement,
You can seek advice from experts.

50

Page 57

Article 9 master plan
The second chapter

Article 9 (Basic Plan) ① The Protection Committee shall protect personal information and guarantee the rights and interests of information subjects.
dog

Every three years, the basic plan for personal information protection (hereinafter referred to as the “basic plan”)
sign is reviewed by the relevant central administrative agency.

2. Improvement of systems and laws related to personal information protection

tablet
see
see
arc
tablet
book
of

3. Measures to prevent infringement of personal information

Number
lip

4. Activation of self-regulation for personal information protection

Etc

It is established in consultation with the chief.
② The basic plan shall include the following matters.
1. Basic goal and direction of personal information protection
law

5. Vitalization of personal information protection education and publicity
6. Fostering professional manpower for personal information protection
7. Other matters necessary for the protection of personal information
③ The National Assembly, the courts, the Constitutional Court, and the National Election Commission
included) can establish and implement a basic plan for the protection of personal information.
Article 11 (Establishment of basic plan procedures) ① Personal Protection Commission pursuant to Article 9 Every three years the law
The basic plan for information protection (hereinafter referred to as the “basic plan”) in the year preceding the year in which the three years begin
It must be established by December 31st.
② When the Protection Committee prepares a basic plan pursuant to Paragraph 1, the relevant central administration
By sector reflecting mid- to long-term plans and policies related to personal information protection from the head of the institution

Enforcement Decree
The plan can be submitted and reflected in the master plan. In this case, the Protection Committee
of the relevant central administrative agency regarding the goals, implementation direction, and guidelines for the preparation of plans for each sector.
should be consulted with the chief.
③ When the basic plan is finalized, the Protection Committee shall notify the head of the relevant central administrative agency without delay.
should be notified

In order to comprehensively and systematically promote personal information protection policies at the pan-government level,
Establish and implement a basic plan for personal information protection every three years, and based on the basic plan, develop an annual implementation plan every year.
established and implemented.

1. Who prepares the master plan
According to the amendment of the 「Personal Information Protection Act」 on July 24, 2015, the Protection Committee, not the Minister of Government Administration and Home Affairs, has a relationship
In consultation with the head of the central administrative agency, the basic goal and direction of personal information protection in all areas of society,
A basic plan including improvement of the legal system and measures to prevent infringement was established.

51

Page 58
Explanation of personal information protection laws and guidelines and announcements

Constitutional institutions such as the National Assembly, the courts, the Constitutional Court, and the National Election Commission
The institution (including its affiliated institution) may establish and implement a basic plan for the protection of personal information on its own.
making it possible

2. Preparation of the master plan
When the protection committee prepares a basic plan, the head of the relevant central administrative agency receives information related to personal information protection.
Plans for each sector that reflect mid- to long-term plans and policies can be submitted and reflected in the basic plan. in this case
The Protection Committee is the central government of the relationship with regard to the goals of the master plan, the direction of its implementation, and guidelines for the preparation of plans for each sector.
It should be consulted with the head of the administrative agency.
Meanwhile, the Protection Committee must be established by December 31 of the year preceding the year in which the basic plan begins.
Deliberation and resolution must be completed by that date. In addition, when the basic plan is finalized, the Protection Committee will
The head of the relevant central administrative agency shall be notified.

3. Contents of the master plan
The master plan presents the basic goal and direction of personal information protection in a broad framework, and
Measures to improve laws and systems, measures to prevent infringement of personal information, measures to activate self-regulation for personal information protection, personal information
In the medium term, it is necessary to protect education and publicity measures, to foster professional manpower, and to protect personal information.
A perspective plan should be included.

52

Page 59

Article 10 Implementation plan
The second chapter
Article 10 (Implementation Plan) ① The head of a central administrative agency shall protect personal information
every year in accordance with the basic plan.

dog
Prepare an implementation plan for the protection committee and submit it to the protection committee for deliberation
and resolution of the protection committee

law

sign
tablet
see
② Matters necessary for the establishment and implementation of the implementation plan shall be prescribed
see by Presidential Decree.
arc
tablet
book
Article 12 (Establishment of the Implementation Plan procedures) ① Protection Committee and then the following
year to December
of

must be implemented through

31 of each year,

Prepare guidelines on how to prepare an implementation plan, etc., and send it to the head of the relevant central
Numberadministrative agency.
lip

should be notified

Etc

② The head of the relevant central administrative agency may implement the basic plan in the following year in accordance with the guidelines in paragraph (1).
Enforcement Decree
You must prepare an implementation plan for the area under your jurisdiction and submit it to the Protection Committee by the end of February every year.
do.
③ The Protection Committee shall deliberate and review the implementation plan submitted pursuant to paragraph 2 by April 30 of that year.
must decide

1. The person who prepares the implementation plan
Each year, the head of the relevant central administrative agency may be connected with the personal information protection master plan for the following areas under his/her jurisdiction.
Prepare an implementation plan for the year.

2. Procedures for preparing an implementation plan
A. Establishment and distribution of guidelines
The Protection Committee prepares guidelines on how to write an implementation plan for the following year by December 31 of each year.
The head of the relevant central administrative agency shall be notified. The heads of relevant central administrative agencies have jurisdiction until the end of February every year.
An implementation plan for the next year related to the field should be prepared and submitted to the Protection Committee. Submission deadline is the end of February.
One is to ensure that the implementation plan is aligned with the budget for the following year.

B. Deliberation and resolution of the Protection Committee
When the implementation plan is submitted to the Protection Committee, the Protection Committee convenes a meeting and by April 30 of that year
Deliberation and decision-making procedures must be followed. The implementation plan is finalized only after deliberation and resolution by the Protection Committee.

53

Page 60
Explanation of personal information protection laws and guidelines and announcements

Article 11 Request for data submission, etc.
Article 11 (Request for Submission of Data, etc.) ① In order to establish the basic plan efficiently, the Protection Committee
Personal information controllers, heads of related central administrative agencies, heads of local governments, and related institutions and organizations
of data on the status of compliance with laws and regulations of the personal information controller and the status of personal information management, etc.
Submission or statement of opinion may be requested.
② The Minister of the Interior and Home Affairs shall, if necessary for the promotion of personal information protection policy and performance evaluation, etc.
Personal information controllers, heads of related central administrative agencies, heads of local governments, and related institutions and organizations
law

Investigations can be conducted to understand the level of personal information management and the actual situation.
③ The head of the central administrative agency is responsible for the effective establishment and promotion of the implementation plan.
You may request the personal information controller to submit data pursuant to Paragraph 1, etc.
④ A person who has been requested to submit data under paragraphs 1 through 3 may have special circumstances.
If not, you must follow it.
⑤ Necessary matters such as the scope and method of data submission under paragraphs 1 through 3, etc.
determined by Presidential Decree.
Article 13 (Scope and Method of Request for Submission of Data, etc.) ① The Protection Committee shall comply with Article 11 (1) of the Act.
Submission of data or statement of opinion, etc. related to the following matters to the personal information controller
can request
1. Management and video of personal information and personal information files processed by the relevant personal information controller
Matters concerning the installation and operation of information processing devices
2. Matters concerning the designation of a person in charge of personal information protection under Article 31 of the Act;
3. Matters concerning technical, administrative, and physical measures to ensure the safety of personal information;
4. Regarding the status of information subject's perusal, requests for correction, deletion, and suspension of processing of personal information, and the current status of measures;

matters
Enforcement Decree
5. For the establishment and promotion of other basic plans, such as matters concerning the observance of the Act and this Decree
What you need
② When the Protection Committee requests submission of data or statement of opinion pursuant to paragraph (1),
By limiting the scope to the minimum necessary for the efficient establishment and promotion of the basic plan,
should demand
③ In accordance with Article 11 (3) of the Act, the head of a central administrative agency provides a personal information controller in the field under his/her jurisdiction.
Paragraphs 1 and 2 shall apply mutatis mutandis in the case of requesting the submission of data. In this case, “protect
“Committee” as “head of central administrative agency” and “Article 11 (1) of the Act” as “Article 11 (3) of the Act”
see.

54

Page 61

To establish and promote the basic plan for personal information protection and implementation plan more accurately and efficiently
In order to do so, information regarding the personal information controller's compliance with laws and regulations on personal information protection, personal information management status, etc.
Requests for submission of materials and statements of opinion are allowed.

The second chapter

dog
sign
tablet
see
see
arc
tablet
book
of

1. Subjects of data submission, opinion statement, etc.
( a) Request for data, etc. necessary for the establishment and implementation of the basic plan

Number
lip

In order to establish the basic plan effectively, the Protection Committee monitors the status of compliance with laws and regulations
of personal information controllers.
Etc
You may request the submission of data or statement of opinion on the status of personal information management. These demands are
① Personal information controller, ② Head of a related central administrative agency, ③ Head of local government, ④ Related institutions and organizations, etc.
do about A related organization is a business in which part or all of the business is related to the processing or protection of personal information.
It refers to business associations or consumer organizations that are conducting the business. Submission of these materials or statements of opinion, etc.
The person requested shall comply therewith, unless there are special circumstances.

B. Request for data necessary for establishment and implementation of an implementation plan
In order to efficiently establish and promote the implementation plan, the head of a central administrative agency may use personal information in the field under his/her jurisdiction.
Submission or submission of data on the personal information controller's compliance with laws and personal information
A statement of opinion may be requested. A person who is requested to submit such data or to state an opinion, etc. may have special circumstances.
If not, you must follow it.

The survey conducted for the Minister of Government Administration and Home Affairs, such as the promotion of policies, performance evaluation
The Minister of the Interior and Home Affairs shall manage personal information if necessary for the promotion of personal information protection policy and performance evaluation.
Investigations can be conducted to understand the level and actual situation. These investigations include ① personal information controller, ② relationship
For the heads of central administrative agencies, ③ the heads of local governments, and ④ related organizations and organizations. these investigations
The person requested shall comply therewith, unless there are special circumstances.

2. Scope and method of submitted data, etc.
Data that may be requested by the protection committee and the head of a central administrative agency for the establishment of a master plan and an implementation plan;
Details regarding the scope and method of statements, etc. are entrusted to the Presidential Decree. under Article 63 of this Act;

55

Page 62
Explanation of personal information protection laws and guidelines and announcements

Clear the distinction between investigation of illegal acts, etc., and excessively arbitrarily requesting data submission or statement of opinion.
The scope of data and statements that can be requested not to be exercised is specified in the Enforcement Decree. data submission,
Specific procedures and methods for requesting statements of opinion, etc. shall be in accordance with the Framework Act on Administrative Investigations.
Requests for data for the establishment of the master plan are i) personal information and personal information processed by the personal information controller.
Matters concerning the management of information files and the installation and operation of image information processing devices ii) Personal information pursuant to Article 31 of the Act
Matters concerning the designation of a person in charge of protection, iii) Technical, administrative, and physical measures to ensure the safety of personal information
Measures related to measures, iv) information subject access, requests for correction, deletion, and suspension of processing of personal information, and the status of measures
v) Other matters necessary for the establishment and promotion of the basic plan, such as matters concerning the observance of laws and this Decree
is a matter When requesting submission of these materials or a statement of opinion, the basic plan is efficiently established and
Requests shall be limited to the minimum range necessary for promotion. This is when the implementation plan is established
The same applies to data submission, etc.

✤ Distinction between Articles 11 and 63 ✤
· Article 11 of the Act (request for data submission, etc.): For policy establishment or system improvement of the basic personal information protection plan and implementation plan
of personal information controllers, such as the current status of collection, use and provision of personal information and the status of technical and administrative protection measures for personal information;
Investigation of data and statistics on the processing status and management status, etc. that can be requested regardless of whether it is illegal or not
say
· Law Article 63 (such as data submission requirements and inspection): ex post, such as if there is suspicion of illegal facts found or
Administrative investigation necessary for execution and supervision.
※ If the violation is recognized through a violation report, media report, or fact-finding investigation, it is necessary to take measures for administrative regulation such as a correction order or imposition of a fine for negligence.
talking about investigation

56

Page 63

Article 12 Personal Information Protection Guidelines
The second chapter

Article 12 (Personal Information Protection Guidelines) ① The Minister of Government Administration and Home Affairs shall
dog
sign
tablet
guidelines”) and encourage the personal information controller to comply with it.
see
see
② The head of the central administrative agency is responsible for handling personal information in the areaarcunder his/her jurisdiction
tablet
Personal information protection guidelines can be established and the personal information controller can bebook
encouraged to comply.
of

Standard personal information protection guidelines (hereinafter referred to as “standard

law

in accordance with the standard guidelines.

③ The National Assembly, the courts, the Constitutional Court, and the National Election Commission shall

Number
lip

Including) personal information protection guidelines can be established and implemented.

Etc

The personal information protection guidelines under this Act are the standard personal information protection guidelines set by the Minister of the Interior and Safety, and the central
Refers to the personal information protection guidelines for each area under the jurisdiction determined by the head of an administrative agency, etc.

1. Characteristics of personal information protection guidelines
The Personal Information Protection Guidelines are designed to grant legislative supplementary rights to the Minister of the Interior and Safety, central administrative agencies, and constitutional agencies.
it is for Since this law is a general law on the protection of personal information, it covers all fields and industries in detail.
can't be regulated In addition, depending on the environment or risk level of the work in which the personal information controller is engaged, the
Although the scope and method of treatment and the level of protection required may vary, this law
It is defined as general and abstract contents centering on elements and requirements.
Therefore, specific processing standards and protective measures for personal information protection are determined by considering the characteristics of each sector and industry.
must be supplemented individually. Most of the countries that have adopted the general rule of law
Similarly, granting the personal information supervisory authority the right to supplement legislation through the enactment and distribution of guidelines and guides,
have. If both the personal information processing technology and the environment are regulated by law, it is difficult to reflect the reality and
This is because it can become a regulation that is neglected or out of touch with reality.
As it has specified the necessary matters within the scope of this Act, personal information may be processed in accordance with the guidelines.
In this case, it will be recognized as legitimate personal information processing. Conversely, handling of personal information that is in violation of the guidelines is subject to this Act
You will be treated as a breach of personal data processing.
ReferenceSubject to which the standard guidelines apply, and whether it is possible to impose penalties and fines for negligence in case of violation
The target of the standard guidelines is the personal information controller, and in case of violation of the matters specifically entrusted by the law,
Penalties and fines may be imposed.

57

Page 64
Explanation of personal information protection laws and guidelines and announcements

2. Establishment and recommendation of standard privacy guidelines
The personal information controller shall faithfully comply with all obligations given by this Act and individual laws, and
What protection measures should be taken in accordance with what processing procedures and methods to ensure safe use and protection
Standard personal information protection guidelines (hereinafter referred to as “standard guidelines”)
Since the standard guidelines are commonly applied across all fields, they can be called general guidelines or common guidelines.
can

3. Personal information protection guidelines for each area under jurisdiction
A. Enactment and recommendation of personal information protection guidelines
Guidelines for each sector are determined and implemented by the head of a central administrative agency or constitutional agency for each sector under their jurisdiction. central administration
When the head of an institution sets guidelines for each field, the standard guidelines established by the Minister of the Interior and Safety shall be followed.
It should be clearer and faithful to the characteristics of each field by taking into account regulations and preventing duplicate regulations from occurring.
do. According to the division of duties of the Government Organization Act or the Individual Organization Act, the field under the jurisdiction is spread across two or more ministries.
In some cases, the relevant ministries may jointly establish guidelines.
The standard guidelines provide the personal information controller with a practical code of conduct that has secured specific validity.
It is intended to induce and encourage voluntary compliance with laws and ensure fairness in law enforcement, so
Although it may serve as a criterion for interpretation and examination, it should not be abstract and multi-dimensional content that leaves room for interpretation again.
On the other hand, constitutional institutions such as the National Assembly, the courts, the Constitutional Court, and the National Election Commission
Regulations for each field of the relevant institution (including its affiliated institution) to be determined and implemented on their own;
have. In this case, it may be determined by referring to the standard guidelines established by the Minister of the Interior and Safety.

B. Contents of Privacy Policy
Personal information protection guidelines include standards for handling personal information, types of personal information infringement, prevention of personal information infringement, etc.
Specific instructions should be included.
First, when the personal information controller collects, uses, provides, and destroys personal information, it must comply with the requirements set by law.
Criteria and examples for judging suitability should be presented.
Second, under specific conditions and circumstances, the actions or omissions of the personal information controller constitute personal information infringement.
Criteria and examples for judging whether or not

58

Page 65

Third, the protection measures or implementation to be followed by the personal information controller to prevent infringement of personal information rights
The contents of the measures include the steps of processing of personal information, the scale of processing of personal information, the frequency of use of personal information, and the
Purpose of personal information, retention period of personal information, risk of processed personal information, to process personal information
The second chapter

Each technology introduced should be presented in detail.

dog
sign
tablet
see
see
arc
tablet
book
of
Number
lip
Etc

59

Page 66
Explanation of personal information protection laws and guidelines and announcements

Article 13 Promotion and support of self-regulation
Article 13 (accelerate and support the self-regulation) of Government Administration Minister of autonomous individual personal information consumer
In order to promote and support information protection activities, the necessary policies under each of the following subparagraphs shall be prepared.
do.
1. Education and publicity on personal information protection
law

2. Fostering and supporting organizations and organizations related to personal information protection
3. Support for the introduction and implementation of the personal information protection certification mark
4. Support for the establishment and implementation of voluntary agreements of personal information controllers
5. Other necessary to support the voluntary personal information protection activities of the personal information controller
matters
The (promote and support the self-regulation) 14 Government Administration Minister method according to claim 13 (2) of the individual call

Enforcement Decree
In order to promote autonomous personal information protection activities of the information controller, within the budget
You can provide necessary support to organizations or organizations related to personal information protection.

Article 5 of the Act is the responsibility of the state, etc. to improve unreasonable social practices regarding personal information processing.
It is stipulated to respect, promote and support the autonomous personal information protection activities of personal information controllers.
Article 13 embodies the obligations of Article 5. Personal information processing is not just for one field, but for all
Since it is carried out every day in the economic and social sphere, the purpose of this Act cannot be achieved by legal enforcement alone.
It is impossible without the voluntary efforts of the personal data controller and data subjects.
In order to more effectively achieve the purpose of this law, personal information
It is necessary to create an environment in which the processor and data subject can voluntarily protect personal information. Privacy
When the processor recognizes the need for personal information protection and fulfills its responsibilities, data subjects
When you recognize your rights and take the lead in protecting your rights, your personal information will be used more safely and
could be protected.
To this end, the Minister of the Interior and Home Affairs shall formulate the following policies:

1. Education and publicity on personal information protection
In order for voluntary personal information protection activities to take place, the need for protection of personal information, cases of damage, and use
A deep understanding of personal information protection laws and technologies is required along with awareness of customs and environment.
In this regard, the Minister of the Interior and Home Affairs may not be able to conduct voluntary personal information protection activities of personal information controllers.
It was designed to provide necessary education, publicity, and related support.

60

Page 67

2. Fostering and supporting organizations, organizations, etc. related to the protection of personal information;
For the safe use of personal information, it is also necessary to protect the rights of the data subject himself. Privacy

The second chapter

In order to foster related institutions and organizations, the Minister of the Interior may foster and support organizations within budgetary limits.

dog
sign
tablet
In this regard, the Ministry of Government Administration and Home Affairs promotes autonomous personal information protection
activities of personal information controllers and
see
see
In order to support, 「Regulations on the designation of self-regulating organizations for personal information protection, etc. (Ministry
of Public Administration and Home Affairs Notice
arc
tablet
2916.8.9. enactment, implementation)” was prepared. This regulation is a self-regulation related to personal information protection.
book
of
Designation of organizations, establishment of self-regulatory councils, work of self-regulating organizations, support for self-regulating
organizations, etc.

No. 2016-31,

Number
lip

It contains the following, and the main contents are as follows.

Etc

First, it stipulates the establishment and operation of the self-regulation council. The Minister of Government Administration and Home Affairs said 'i) Self-regulation
Review of designation and cancellation of designation of organizations, ii) Review of self-regulation rules, iii) Self-regulation of personal information protection
Review of plans and activities, iv) necessary for personal information protection activities of other self-regulating organizations, etc.
A personal information protection self-regulation council may be established for related work. The council is the Ministry of Government Administration and Home Affairs, personal information
The Protection Committee, the Ministry of Health and Welfare, and the Ministry of Land, Infrastructure and Transport are composed of public officials, specialized institutions and experts.
Second, it regulates the designation, cancellation of designation, and addition of designation of self-regulating organizations. Self-regulatory organizations
It is designated and confirmed by the Minister of Government Administration and Home Affairs after being reviewed by the Self-Regulation Council. Self-regulatory organizations have personal information
'Personal information protection education and promotion activities' and 'personal information protection self-regulation regulations'
It must be carried out, and other personal information self-inspection and consulting, and personal information protection management system
Efforts shall be made to perform tasks related to installation and operation.
Third, support for self-regulating organizations is stipulated. The Minister of Government Administration and Home Affairs is 'i) Personal information protection specialists
Dispatch, support for self-inspection, ii) Specialized personal information protection training, awareness-raising training, iii) Web vulnerability check, security
Technical support such as provision of tools, iv) provision of personal information protection-related information, etc.
We can support you with the things you need to do your job.

3. Introduction and implementation of personal information protection certification mark
The personal information protection certification mark is granted to the personal information controller who handles personal information legally and safely.
It is a kind of safety mark. For personal information controllers who have acquired the certification mark, secure processing of personal information
Because it is trustworthy, the certification mark can promote personal information protection activities of companies or institutions.
In order to secure the transparency and reliability of the certification system, the Minister of Government Administration and Home Affairs handles personal information of personal information controllers.
and ‘personal information’ to verify whether a series of measures related to protection comply with this Act, etc.
Protection certification system' was introduced to clarify the legal basis for designation and revocation of designation of a certification body.
(Act Article 32-2).

61

Page 68
Explanation of personal information protection laws and guidelines and announcements

4. Support for the establishment and implementation of the voluntary code
The personal data controller knows best about the processing of his or her personal data. for the processing
What is the most appropriate level of personal information collection and use, and what are the risks associated with the collection and use of personal information?
Because we are well aware of what measures are required to handle personal information more safely
The personal information controller has decided on its own rules or code of conduct and is obliged to abide by it.
The self-regulation may be established by the personal information controller alone or at the association level, or a personal information protection organization
Alternatively, it may be enacted jointly with the competent government department. In Japan, the Personal Information Protection Act was enacted in 2003.
We are activating self-regulation by designating an authorized personal information protection organization.

5. Support for other self-regulatory activities
In addition to the matters listed above, the Minister of the Interior and Home Affairs is responsible for the sharing of personal information infringement information and the personal information leakage inspection system.
Autonomous personal information protection of personal information controllers such as development and dissemination, development and dissemination of personal information protection solutions
Necessary policies should be prepared to support the activities. In this regard, small and medium-sized enterprises (SMEs) with insufficient investment capacity
The 'Personal Information Protection Technical Support Center' has been installed and operated for business operators.

6. Similar Legislative Cases
Article 44-4 of the “Information and Communications Network Act” provides for information and communications service providers to protect users of information and communications services.
It stipulates matters related to the establishment and implementation of the organization's code of conduct. Self-regulation in many other laws
There are similar legislative examples that place emphasis on regulations.
< Regulations related to self-regulation under the current law >
law name

Condolences
Article 44-4 (Self-regulation) Information and communications service provider organizations protect users, ensure safety, and

「Information and Communications
Actions
Network
of information
Act」 and communication service providers to provide reliable information and communication services
You can set a code and implement it.
Article 15 (Voluntary Agreement) ① Franchisees or business organizations whose members are affiliates
“Affiliate business transaction
In order to maintain fair trade order in the franchise business, the rules may be voluntarily established.
Act on Fairness”
have.

62

Page 69

law name

Condolences
Article 14 (Voluntary Code of Indication and Advertisement) ① Businesses, etc. shall not conduct acts that violate Article 3 (1).
The“autonomous
second chapter
In order to prevent voluntary labeling and advertising, regulations and standards, etc. (hereinafter referred to as

rules”) can be established.
② The voluntary code must be suitable to prevent acts that violate Article 3 (1),
Displaying, advertising, or providing information to consumers without justifiable reasons
should not be limited.
Article 14-2 (Autonomous Review Organization for Labeling and Advertising, etc.) ① Article 3 (1)
“Indications and advertisements
Act on Fairness”

or whether it violates the voluntary agreement, etc. (regardless of its name, whether display or advertisement

dog
sign
tablet
see
see
arc
tablet
book
is of
Number
lip

Or it refers to the act of judging whether the voluntary code is violated. hereinafter the same)

A person who operates an organization to prevent labeling and advertising (hereinafter referred to as “voluntaryEtc
review organization, etc.”)
A report may be made to the Fair Trade Commission as prescribed by Presidential Decree. entrepreneurs, etc.
This Act shall be enforced even if corrections are made according to the results of deliberation and processing by the autonomous deliberation body, etc.
Consumers and competition only by correcting the self-review body, such as repeating violations
This shall not apply if it is judged that it is difficult to prevent damage to the business operator.
Article 11 (Voluntary Regulation of Media Products Harmful to Juveniles) ① Producers, publishers, and distributors of media products
「Youth Protection Act」

Alternatively, organizations related to media products can autonomously determine whether or not they are harmful to youth.
You can request confirmation of the contents from the Youth Protection Committee or each deliberation agency.

63

Page 70
Explanation of personal information protection laws and guidelines and announcements

Article 14 International Cooperation
Article 14 (International Cooperation) ① The government is committed to improving the level of personal information protection in an international environment.
law

Necessary measures should be prepared for this.
② The government shall ensure that the rights of the information subject are not infringed by the transfer of personal information abroad.
Relevant measures should be prepared.

This Article stipulates that international transfer and provision of personal information is common due to increased trade between countries and increased exchange of human resources.
In reality, Korea's level of personal information protection has been raised to that of advanced countries in line with international trends.
by improving and promoting international partnerships that are being processed or leaked abroad.
It stipulates the duty of the government to make efforts to protect the personal information of Koreans.
In particular, the European Union is a country that does not have a personal information protection system established above its own level.
International cooperation is essential as the transfer of personal information is restricted. Accordingly, the protection of personal information is between Korea and the EU.
It forms part of the Free Trade Agreement (FTA) and is reflected in the Korea-US Free Trade Agreement (draft). after
Privacy is expected to be a major issue in international multilateral or bilateral agreements.

For example, by attracting data centers of foreign companies to Korea, it has become a hub country for international information storage and management.
Personal information protection in the country to emerge or to attract various international organizations and multinational corporations
The system needs to be well publicized to the international community.
To this end, the government will ① promote cooperative relations with international organizations, foreign governments, and foreign institutions; ② personal information protection international
Promotion of enactment and revision of norms, ③ discovery of new issues and joint investigation and research, ④ international protection of personal information
Support for the promotion of standardization, ⑤ Sharing of information to respond to international personal information protection issues, ⑥ International individuals
It is necessary to actively promote projects such as the formation and operation of cooperation windows or consultative bodies for information protection.
< International organizations and organizations related to personal information protection >
Organization/group name

Character

International Conference of Data (ICDPPC)
Protection and Privacy Commissioners)

International Assembly

International Working Group on Data (IWGDPT)

International Assembly

Protection in Telecommunication)

Organization for Economic Cooperation and Development (OECD) Information Security and Privacy Working Party (WPISP)
international organization
Information Security and Privacy)
Asia Pacific Economic Cooperation (APEC) Electronic Commerce Operation Group (ECSG)
Steering Group)

international organization

64

Page 71

Organization/group name

Character

European Data Protection Supervisor (EDPS)

international organization
The second chapter

EU Data Protection Working Party (WP29)

International Assembly

Asia Pacific Privacy Authorities (APPA)

dog
sign
tablet
see
see
arc
tablet
book
of

Regional Council (APAC)

Electronic Privacy Information Center (EPIC)

private organization

Global Privacy Enforcement Network (GPEN)

international organization

Number
lip
Etc

65

Page 73
72

Chapter 3 Processing of Personal Information
Section 1 Collection, use, provision of personal information, etc.
Article 15 Collection and use of personal information
Article 16 Restriction on collection of personal information
Article 17 Provision of personal information
Article 18 Restrictions on the use and provision of personal information for purposes other than the purpose
Article 19 Restrictions on the use and provision of personal information
Article 20 Collection of personal information collected from other than the information subject
Notice of source, etc.
Article 21 Destruction of personal information
Article 22 How to obtain consent

Section 2 Restrictions on processing of personal information
Article 23 Restrictions on processing of sensitive information
Article 24 Restrictions on processing of uniquely identifiable information
Article 24-2 Restrictions on processing of resident registration numbers
Article 25 Restrictions on installation and operation of image information processing devices
Article 26 Restrictions on processing of personal information according to business entrustment
Article 27 Restrictions on transfer of personal information due to business transfer, etc.
Article 28 Supervision of personal information handlers

Page 75
74

Section 1 Collection, use, provision of personal information, etc.
Article 15 Collection and use of personal information
Article 15 (Collection and Use of Personal Information )
If applicable, personal information may be collected and used within the scope of the purpose of collection.
can do.
1. When the consent of the data subject has been obtained
2. If there are special provisions in the law or it is unavoidable to comply with the legal obligations
3. When it is unavoidable for a public institution to carry out its jurisdiction as stipulated in laws and regulations,
etc.
The third chapter
4. When it is unavoidably necessary for the conclusion and execution of a contract with the data subject
5. The information subject or his/her legal representative is in a state where he/she is unable to express
In the case where prior consent cannot be obtained due to

dog
sign
tablet
his/her
intentions
see
see
of

In case it is deemed necessary for the immediate benefit of life, body, or property
law

or his/her address is unknown

wife
Lee

6. It is clearly necessary to achieve the legitimate interests of the personal information controller.

In case of taking precedence over the rights of the data subject. In this case, the legitimate interests of the personal information controller and
It is limited to cases where there is considerable relevance and does not exceed a reasonable range.
② When the personal information controller obtains consent under paragraph (1) 1, the following matters
The data subject must be informed. Even if any of the following items are changed
This must be informed and consent must be obtained.
1. Purpose of collection and use of personal information
2. Items of personal information to be collected
3. Period of retention and use of personal information
4. In case of the fact that you have the right to refuse consent and there are disadvantages due to refusal of consent
the content of the disadvantage
Article 6 (Collection and Use of Personal Information ) ① “Collection” of personal information means the name,
In addition to receiving personal information such as address and phone number, all
It refers to the acquisition of personal information in the form of
② The personal information controller may collect personal information in each of the following cases, and
It can be used within the scope of the purpose.
standard guidelines
1. In case of prior consent from the information subject
2. The law specifically states or permits the collection and use of personal information;
if any
3. Acts impose specific obligations on the personal information controller, and
It is impossible to fulfill the obligation without collecting and using personal information, or
If it is significantly difficult

69

Page 76
Explanation of personal information protection laws and guidelines and announcements

4. Without the collection and use of personal information by public institutions, the business under the jurisdiction of laws, etc.
If it is impossible or significantly difficult to carry out
5. Without collecting and using personal information, a contract is concluded with the information subject and the
When it is impossible or significantly difficult to fulfill the obligations according to the contents
6. The information subject or his/her legal representative is in a state where he/she is unable to express his/her intentions or his/her address is unknown
In the case where prior consent cannot be obtained due to reasons such as
(referring to all other persons except the subject)
If it is deemed necessary for
7. The personal information controller shall obtain legitimate interests pursuant to laws and regulations or contracts with data subjects.
In cases where it is necessary to achieve it and it clearly takes precedence over the rights of the data subject.
However, in this case, the collection and use of personal information is not limited to the legitimate interests of the personal information controller and
It is limited to cases where it is relevant and does not exceed a reasonable range.
③ The personal information controller directly receives a business card or a similar medium (hereinafter referred to as
When personal information is collected by receiving a “business card, etc.”)
In light of the circumstances, etc., only within the scope recognized that there was an intention to consent according to social norms.
Available.
④ The personal information controller shall be responsible for the public media or place such as the Internet homepage (hereinafter referred to as the “Internet
In the case of collecting personal information on the website, etc.), the consent of the information subject
Consent according to social norms in light of clearly indicated or displayed content on the Internet homepage, etc.
It can be used only within the scope recognized by the doctor.
⑤ In the case of personal information controller, the information subject, who is the counterpart to the contract, conducts legal acts through an agent.
Or, in the case of an expression of intent, the representative's authority is only for the purpose of confirming the representative's authority.
Personal information may be collected and used.
⑥ When a worker and an employer conclude a labor contract, payment of wages in accordance with the Labor Standards Act;
Personal information is not disclosed without the consent of workers for education, certificate issuance, and worker welfare provision.
can be collected and used.
Article 14 (If prior consent of the information subject cannot be obtained) Personal information controller Article 15 of the Act
In accordance with Paragraph 1 Item 5 and Article 18 Paragraph 2 Item 3 of the Act, individuals without prior consent of the information subject
In the case of collection, use, or provision of information, the processing of personal information shall be terminated when the cause is resolved.
You must immediately stop collecting, using, or using personal information without prior consent from the information subject.
The fact that it was provided, the reason for it, and the history of use shall be informed.

Personal information 'collection' means not only receiving information such as name, address, and phone number directly from the information subject;
Rather, it refers to the acquisition of all types of personal information about the data subject (Standard Guideline Article 6). individual
In principle, information is collected directly from the data subject, but if necessary, state agencies, credit rating agencies, etc.

70

Page 77

Collected from third parties or from public sources such as the Internet, newspapers and magazines, phone books, directory, etc.
can also be collected. In addition, even if the personal information controller does not directly collect personal information in the course of business processing,
There are many cases where it is produced or created.
ReferenceExamples of personal information collection and use
· Acquisition of personal information incidentally by receiving a business card
· Acquisition of personal information of the information subject from a third party other than the person
· Acquisition of personal information from public information such as Internet searches, directory, phone book, magazine, or newspaper article
· In addition to personal information obtained from the information subject or a third party or other sources, the personal information controller
when creating
The third chapter

dog
sign
tablet
see
see
of

If you make it too difficult to collect and use personal information, it seems to help protect privacy.
However, in reality, it does not help to protect privacy, but only shrinks economic activity and increases costs.
and may impair the provision of public services. On the other hand, excessive collection and use of personal information

wife

If it is relaxed, the personal information protection system becomes meaningless. Therefore, the privacy of the data subject is best
Lee
In order to protect, the protection and use of personal information must be balanced and harmonized.

1. When personal information can be collected and used
According to the OECD Privacy Guidelines, the minimum amount of personal information must be collected within the scope of the purpose of use.
It only stipulates that personal information can be collected and used, and the standards and cases where it can be collected and used are separately specified.
there is not On the other hand, the “EU Personal Information Protection Directive” specifically specifies cases where personal information can be collected and used.
are enumerating Korea's 「Personal Information Protection Act」 is modeled after EU guidelines, but rather than EU guidelines
Overall, the requirements are strengthened. The 2016 EU Personal Information Protection Act (GDPR) also
It follows EU guidelines.

In case the information subject's consent is obtained (No. 1)
The personal information controller may collect personal information when consent is obtained from the information subject.
As an expression of voluntary consent of the information subject to the collection and use of personal information by the personal information controller
(Signature and seal, oral, website consent, etc.) It must be possible to clearly confirm whether or not consent is given.
In order to receive the service, the information subject directly writes his or her name in the document such as the subscription application,
By stamping, handwriting, or clicking the 'I agree' button on the Internet website screen, etc.
You can express your consent. The personal information controller is responsible for providing information on the collection of personal information over the phone.
consent can be obtained.

71

Page 78
Explanation of personal information protection laws and guidelines and announcements

However, since the problem of burden of proof may arise in the future, it is possible to record the conversation with the consent of the information subject.
have. When obtaining consent from the information subject, it is easy for the information subject to determine what personal information is being collected and why.
It must be clearly recognized, and consent must be obtained in the manner stipulated in Article 22.
Therefore, the consent of the data subject in this Act means explicit consent.
※ Examples of consent
· In the case of signing and sealing the ｢Personal Information Usage Agreement｣ when issuing a movie theater membership card
· If you check the consent to collection and use of personal information when registering as a member of the Internet website of a public institution

When the personal information controller obtains the data subject's consent, the data subject must clarify the content and meaning of the consent.
In order to know in advance: ① Purpose of collection and use of personal information, ② Items of personal information to be collected, ③ Personal information
Retention and use period, ④ The fact that you have the right to refuse consent and there are disadvantages due to refusal of consent
The details of the disadvantage must be informed (Section 2). The retention and use period must be specified and notified in detail.
However, if the period of retention and use cannot be specified, it is used to determine the period of retention and use.
Can you tell me the standards? In this case, the reason for not being able to notify the retention and use period is that the personal information controller
must prove This is to ensure that data subjects can judge and decide whether to consent according to their free will.
it is for
On the other hand, in connection with the act of exchanging business cards, business cards or similar media directly from the information subject
(hereinafter referred to as “business card, etc.”), in the case of collecting personal information by providing the business card, etc.
In light of the social norms, it can be used only within the scope recognized that there was an intention to consent. (Standard Guidelines
Article 6 Paragraph 3). For example, a data subject visits a car dealership to purchase a car and
In the case of a business card, the employee did not consent to the provision of information related to the purchase of a vehicle, etc.
You can use the contact information listed on the business card for this.
However, even in this case, do not provide the personal information of the information subject to a third party or use it for other purposes.
In order to do this, the consent of the data subject must be obtained. That is, in the example above, the employee of the car dealership
In order to use the customer's information for unrelated purposes, the customer's consent is required.
Even if the information subject collects and uses his/her personal information in public media, such as the Internet homepage, etc.
Either express an explicit intention to consent, or if the intention to consent is expressed in light of the nature of the website and the content of the post.
If it is recognized that there was, the personal information of the information subject can be collected and used without consent (Article 6 of the Standard Guidelines)
Section 4).
For example, in order to sell a product on an internet second-hand trading site, the information subject must explain and
If you provide your own phone number, this means that you can use your phone number for the purpose of trading the product.
It can be considered as an expression of consent.

72

Page 79

In addition, if the company phone number or e-mail of the employee in charge is listed on the website of a public institution, it is
For purposes related to the work the employee is responsible for, the employee's phone number and e-mail may be collected and used.
can
However, preferential loans for office workers and publicity are provided to employees through the phone number or e-mail posted on the website.
Event information should not be provided, and for this, consent from the information subject must be obtained.
judicial precedent
Collection and provision of Internet person information service and disclosed personal information
The content of the act claimed to infringe or limit the personal legal interest of the right to self-determination of personal information has already been determined by the will of the information subject.
In the case that the disclosed personal information was collected or provided for profit without his/her consent, such information processing
The personal legal interests of the data subject that may be infringed by the act and the legal interests of the data controller, etc. that can be protected
by the act
The third chapter
clash over one legal relationship.

dog
sign
In this case, whether the information subject is a public entity, the public nature and public interest of personal information, the scope of the originally
disclosed subject, and the
tablet
see
The relevance and necessity of the purpose, procedure, and form of use, the nature and content of benefits that may be infringed by the processing of personal information, etc.
see
of and the information processing
Considering the circumstances comprehensively, the benefits that can be obtained from the protection of personal rights related to personal information
wife
Lee

In other words, the 'right to know' of the information controller and the 'right to know' of the information receiver and expression

By comparing and quantifying the values ​of freedom, the freedom of business of the information processor, and the economic efficiency of society as a whole, which
The final illegality of the information processing act must be judged according to whether the profit can be evaluated as superior,
It cannot be said that the information processing act is illegal simply because the information controller has a profit-making purpose.
(Supreme Court 2016. 8. 17. Decision 2014da235080)

If there are special provisions in the law or it is unavoidable to comply with statutory obligations
1) If there are special provisions in the law
The law must specifically require or allow the collection and use of personal information. collection and use
If the subject and scope of personal information that can be used is vague, it cannot be said to be a special regulation. special in law
Since there must be regulations, it should not be stipulated in the Enforcement Decree or Enforcement Regulations unless there is a basis for delegation in the law.
In general, collection and use according to the provisions of the law are collected and used from a third party rather than from the information subject.
It often means use. In this case, the law only requires or permits collection and use.
Even if the obligation to provide the other party (third party) is not stipulated, the third party will not disclose personal information without the consent of the information subject.
(Supreme Court 2012Da105482 judgment, 2016.3.10. sentencing). However, providing personal information
Even if a third party provides the personal information of the information subject as there are special provisions in other laws, the information subject or
If there is a risk of unfairly infringing on the interests of a third party, the request for provision may be rejected.

73

Page 80
Explanation of personal information protection laws and guidelines and announcements

judicial precedent
Provision of communication data
Paragraphs 3 and 4 of Article 54 (current Article 83) of the Old Telecommunication Business Act apply to communication data corresponding to information about the user's personal information.
Regarding the case, the telecommunications service provider is allowed to provide it only with a written request from the investigation agency.
In order to expedite and prevent other crimes, the court’s permission or
Without a warrant from a judge, communication data is provided by a written request called a data provision request form from an investigation agency that describes certain matters.
It should be considered that they were allowed to cooperate with the investigation. (Supreme Court 2016.3.10. 2012Da105482 decision)

<Example of 'when there are special provisions in the law'>
name of law

Condolences
Article 31 (Rights of Legal Representative) ① Information and communication service providers, etc. from children under the age of 14

In order to obtain consent for the collection, use and provision of personal information, the consent of the legal representative must be obtained.
「Information and Communications Network Act」
In this case, the information and communications service provider shall provide the child with the necessary
Minimum information such as the name of the legal representative may be requested.
Article 40 (Prohibited Matters of Credit Information Companies, etc. ) A credit information company, etc. shall not engage in any of the following acts.
No, unless it is a credit information company, etc., the act of the main sentence of subparagraph 4 is a business or the act of subparagraph 5
it should not be done
「Credit Information Act」
4. Finding out the whereabouts and contact information of a specific person (hereinafter referred to as “location, etc.”) or commerce such as financial transactions
Investigating private life outside of relationships. However, a credit information company licensed for debt collection
In the case of finding out the whereabouts, etc. of a specific person in order to carry out the business, or in accordance with other laws and regulations
This is not the case when it is permitted to find out the whereabouts, etc. of a specific person.
Article 176 (Insurance Premium Rate Calculation Institutions) ( 10 ) Insurance premium rate calculators are required to calculate the net insurance premium rates.
violation of traffic laws, such as drunk driving, in cases where it is necessary for the insurance company's insurance payment business
or a driver's license (a construction machine operator's license under the main sentence of Article 26 (1) of the 「Construction Machinery Management Act」)
「Insurance Business Act」
include Hereinafter, the same shall apply in Article 177) of the institution that holds personal information
Calculation of the net premium to be applied by the insurance company to the policyholder by receiving the information from the head of the insurance company
Or it can be used for insurance payment business.
Article 14 (Perusal of Medical Records, etc.) ① Insurance companies, etc. shall receive from medical institutions in accordance with Article 12 (2).
Upon receipt of a claim for medical treatment fees for automobile insurance, the relevant medical institution is requested to peruse the related medical records.
can claim
② A specialized examination institution entrusted with examination, etc. pursuant to Article 12-2 shall provide data necessary for examination, etc.
You can request it from a medical institution.
③ In the case of Paragraph 1 or 2, the medical institution shall comply therewith unless there is a justifiable reason.

"car

Damage Compensation Guarantee
Act of receiving a claim for payment of insurance money, the insurance company, etc. shall, as prescribed by Presidential Decree, the National Police Agency, etc.
④ In case
A traffic accident investigation agency may be requested to inspect the traffic accident related investigation records. in this case
A traffic accident investigation agency, such as the National Police Agency, shall make it perusal, unless there are special circumstances.
⑤ A person who is engaged in, or has been engaged in, an insurance company, etc. or a specialized examination institution shall be subject to paragraphs (1) through (4).
Confidentiality of another person who has become aware of it through the perusal of medical records or traffic accident related investigation records.
should not be leaked.

74

Page 81

name of law

Condolences
Article 11-2 (Request for Submission of Data, etc.) ① The director of a regional military manpower office makes a military service judgment in relation to the military service judgment inspection
For a medical examination doctor, a medical examination specialist for military service, or a physical examination pursuant to Article 12-2;
Dispatched military doctors, etc., who are deemed necessary for the identification of diseases or mental and physical disorders.
In cases, the head of a medical institution under the "Medical Act", the head of the National Health Insurance Corporation under the "National Health Insurance Act";

「Military Service Act」
Medical records and treatment of persons subject to military service determination examination with respect to the head of a school under the Elementary and Secondary Education Act
You may be asked to submit related records, school records, etc. In this case, submit
The person requested shall comply with the request unless there is a special reason.
② Anyone who discloses or discloses information or data on persons subject to military service judgment inspection acquired pursuant to paragraph (1);
It shall not be used for purposes other than military service judgment inspection, such as divulging or providing it to others.
The third chapter
Article 21 (Review, etc. of Records) ③ Medical personnel may receive information from other medical personnel in accordance with Article 22 or 23.

dog
When a request has been made to confirm the contents of the medical record or to send an opinion on the patient's medical
treatment progress,
sign
tablet
see
see
of

In this case, it must be sent with the consent of the patient or the patient's guardian. However, the patient
In case of unconsciousness, emergency patient, or patient who cannot obtain consent because there is no guardian
In this case, it may be sent without the consent of the patient or the patient's guardian.

wife

Article 22 (Medical Records, etc.) ① Each medical person shall have a medical record, a midwifery record, a nursing record,
Lee and other information.
「Medical Law」

Keep records related to medical treatment (hereinafter referred to as “medical record book, etc.”), and the main symptoms of the patient;
Matters and opinions on medical practices prescribed by Ordinance of the Ministry of Health and Welfare, such as diagnosis and treatment, in detail.
It must be recorded and signed.
② A medical person or establishment of a medical institution shall have medical records, etc. [Electronic medical records under Article 23 (1)
(including the energizing elec- tronic 醫務記錄). Hereinafter, the same shall apply in Article 40 (2)] as prescribed by Ordinance of the Ministry of Health and Welfare.
should be preserved accordingly.
③ A medical person prepares a medical record, etc. falsely, or intentionally writes additional information in a different way from the truth.
must not be modified.

2) In case it is unavoidable to comply with statutory obligations
In cases where certain obligations are imposed on the personal information controller under the Act, the personal information controller
It refers to a case in which personal information must be collected and used inevitably in order to fulfill its obligations. in law
It includes not only the obligations under the Act, but also the obligations under the Enforcement Decree and the Enforcement Rules.
'In unavoidable cases' means fulfilling the obligations imposed by laws and regulations without collecting personal information.
It is impossible or it is significantly difficult for the personal information controller to perform its obligations using other methods.
means the case.
Duty to recall defective products imposed on business operators (“Consumer Framework Act”), identity verification in accordance with various laws, or
Age verification obligation (「Information and Communications Network Act」, 「Youth Protection Act」, 「Public Office Election Act」, 「Real-name financial transaction and confidentiality
Act”, “Seafarers Act”, “Rules on the Establishment, Organization, and Distinguished Service of Court Guards, etc.”)
The collection and use of personal information for the purpose of compliance with laws and regulations is an example.

75

Page 82
Explanation of personal information protection laws and guidelines and announcements

In this regard, intentionally manipulating or exaggerating traffic accidents for the purpose of unfairly receiving compensation for damages.
After causing an accident, requesting direct negotiations with the aggressor driver
There may be cases where you do not provide your personal information.
In this case, the insurance company shall be liable for the victim's consent without the victim's consent pursuant to Article 15 (1) 2 of the 「Personal Information Protection Act」.
Personal information can be collected and used, and this means that in Article 719 of the Commercial Act, the insurer of a liability insurance contract is the insured.
If you are liable for compensation to a third party due to an accident during the insurance period, you are responsible for compensating for it.
In cases where it is unavoidable to comply with these statutory obligations (consent to the collection and use of personal information of victims)
Refusal) The insurance company allows the collection and use of the victim's personal information without the victim's consent.
Because.
Note 1 When identification is required according to laws and regulations
· 「Information and Communications Network Act」 Article 44-5: Identification of bulletin board users
· Article 82-6 of the Public Official Election Act: Confirmation of real names on bulletin boards and chat rooms of Internet media companies
· 「Act on Real Name Financial Transactions and Confidentiality」 Article 3: Real Name Verification for Real Name Financial Transactions
· ｢Rules on the Establishment, Organization, and Distinguished Services of Court Guards｣ Article 5: Court Guards must receive a resident registration card
Or, the identity of the person entering and leaving the building must be confirmed by other identification documents.
· Background check in accordance with the Seafarers Act
· In other cases, when public institutions identify the complainant to handle complaints received

Note 2 When age verification is required according to laws and regulations
· Article 16 of the Juvenile Protection Act: If you wish to sell, rent, or distribute media harmful to juveniles, confirm the age of the other party.
should
· Article 26 of the Juvenile Protection Act: Providers of Internet games (game products provided in real time through information and communications networks) are under the age of 16
Internet games shall not be provided to youths between 0 am and 6 am
· Article 29 of the Juvenile Protection Act: The owner of a business harmful to juveniles must confirm the age when hiring an employee,
It is necessary to check the age of the person who enters and prevent juveniles from entering or using the establishment.
· Protection system for minors under the Civil Act: Korean courts only recognize active deception by minors as “manipulative practices” and
It is decided that the other party claiming the existence must prove it, so it is necessary to prove the existence of a person who does business with a minor.
Businesses need to check whether they are underage by more aggressive means, such as ID verification.

Note 3 Compliance with the obligations of the insurer under laws
The insurer of a liability insurance contract compensates if the insured is liable for compensation to a third party due to an accident during the insurance period.
There is a responsibility (Article 719 of the Commercial Act). Therefore, if it is unavoidable to fulfill the liability for compensation under the insurance contract, information
It is possible to collect and use personal information without the consent of the subject.

76

Page 83

C. When it is unavoidable for a public institution to carry out its affairs prescribed by laws and regulations.
In the case of public institutions, even if there is no legal provision that explicitly permits the collection of personal information
The relevant laws and regulations are stipulated in the relevant laws, and personal information is inevitably stored in order to carry out the duties under its jurisdiction.
In cases where there is no choice but to collect personal information, the collection of personal information is permitted without the consent of the information subject.
In fact, 'performance of duties stipulated by laws and regulations' does not apply to 'observance of obligations under laws and regulations' stipulated in subparagraph 2.
Although it may be considered to be included, it is necessary to clarify the difference between compliance with the law and the performance of duties under the jurisdiction.
has been separately stipulated for
'Responsibilities prescribed by laws, etc.' are defined in the ｢Government Organization Act｣, organization ordinances and organization rules for each institution, and individual organization laws, etc.
The third chapter

In addition to the affairs prescribed by the jurisdiction, “Resident Registration Act”, “National Tax Framework Act”, “Medical Act”, “National Health Insurance Act”, etc.
dog
sign
tablet
see
see
of

In the case of local governments, the authority and duties granted by laws and ordinances, etc.
it means.

wife in laws and regulations.
'In case of unavoidable circumstances' means that personal information is not collected and given to the relevant public institution
Lee

It is impossible to exercise the authority or to perform the obligations, or to perform the business under the jurisdiction by using other methods.
This means that it is extremely difficult.
ReferenceExamples of tasks under the jurisdiction of public institutions
· The Ministry of Human Resources and Innovation has established Article 22-3 of the “Government Organization Act”, “Organization of the Ministry of Personnel Management and its affiliated organizations” and “The Ministry of Human Resources and Innovation and its affiliated organizations”.
In accordance with the Enforcement Regulations of the Organizational System, we collect and use public officials’ personnel related files for the management of personnel, ethics, service, pension, etc. of public officials.
or the establishment and operation of a national talent database system
· In accordance with Article 14 of the National Health Insurance Act, the National Health Insurance Corporation collects and uses medical treatment details for insurance benefit management, etc.
Occation

D In case it is unavoidably necessary for the conclusion and implementation of a contract with the data subject
Until the collection of personal information is unavoidably accompanied for the conclusion and execution of a contract with the information subject
Requiring the consent of the data subject will greatly impede economic activities and only cost the data subject to obtain consent.
personal information that is unavoidably necessary for the conclusion or performance of a contract is
It allows personal information to be collected without notice or consent.
'Contracting' also includes the stage of preparation for the conclusion of the contract. For example, in real estate transactions, the conclusion of a contract
This is the case in which prior investigation and confirmation of the owner of the real estate, the relationship of rights, etc. However, the contract
In case of non-contract, the collected personal information must be immediately destroyed.

77

Page 84
Explanation of personal information protection laws and guidelines and announcements

ReferenceExample of contract conclusion
· In order to conclude a contract, an insurance company collects information on a subscriber’s automobile accident history and whether he or she has subscribed to other similar insurance.
Occation
· When information is collected and used to evaluate the creditworthiness of the counterparty before the conclusion of a transaction
· The company collects and uses information such as resumes, graduation certificates, and transcripts of applicants before entering into a labor contract with job applicants.
Occation

'Performance of contract' means not only the performance of main obligations such as delivery and delivery of goods or performance of services, but also
It also includes the fulfillment of ancillary obligations such as gift delivery, point (mileage) management, and after-sales service obligations.
ReferenceCases of contract performance
· In case of collecting address and contact information in order to deliver the product ordered by the customer
· In case of requesting address and contact information in order to send the prize to the winner during the sweepstakes event
· When the shopping mall agrees to pay points when ordering and collects order information

In the case of concluding a contract through an agent, it is necessary to determine whether a legitimate authority of representation has been granted.
As a matter of fact, personal information of an agent may be collected and used for the purpose of confirming the authority of representation (standard guidelines).
Article 6 (5). In general, the power of attorney contains the name, address, and phone number of the agent.
Collecting and using personal information of an agent for verification is inevitable for legal acts such as contract signing.
In order to simply check whether the agent is an agent, personal information of the agent can be collected and used.
However, unique identification numbers such as resident registration numbers cannot be collected in accordance with Articles 24 and 24-2 of the Personal Information Protection Act.
Limited.
For the purpose of providing work to the employer and the employer paying wages for it
When a labor contract is concluded, the collection and use of personal information of employees in order to fulfill the labor contract is prohibited.
As it is absolutely necessary, the employer must comply with the labor contract, such as the payment of wages and the provision of welfare specified in the contract.
Personal information may be collected and used without the consent of workers for implementation.
Jurisprudence also shows that the right to control self-information held by workers who have obligations under the labor contract is not limited to the general public.
It is judged that the right of self-information control over public institutions is more limited (Daejeon District Court 2007.
6. 15. 2007 Kahab 527 decision).
However, in a labor relationship, workers are in a position of weakness compared to the employer, so the personal information of workers is
More importantly, it needs to be protected. Therefore, even if the consent of the worker is not obtained, the labor contract
When concluding, it is desirable to inform the employees of the collection and use of personal information through the employment contract.
(Purpose of employee personal information collection, collection items, matters pertaining to employee reading/processing suspension/correction/deletion, etc., retention period,
Procedures for processing employee information after retirement, etc.).

78

Page 85

E When it is necessary for urgent life, body, or property benefits
The information subject or his/her legal representative is in a state where he/she is unable to express his/her intention, or due to an unknown address, etc.
In the case where consent cannot be obtained, it is clear that the data subject or a third party's imminent life, body, or property interests
Personal information may be collected without the consent of the information subject even if it is deemed necessary for this purpose.

1) Unable to express intention
Due to mental weakness, traffic accident, surgery (including medical practice that makes it difficult to express intention), etc.
Those who cannot express their intentions, are isolated in disasters such as typhoons, floods, fires, or
It refers to a case where it is impossible to ask the intention of the data subject because it is detained in the water.

2) If prior consent cannot be obtained
It is limited to cases where consent cannot be obtained in advance due to unavoidable reasons such as unknown address,

The third chapter

dog
sign
tablet
see
see
phone
failure,
of

or e-mail blocking.

wife
Lee

Even if the information subject or legal representative does not answer the call after making several calls,
This is a case where prior consent cannot be obtained if there is no time to wait. However, the data subject or
It is difficult to obtain consent because the legal representative is far away or simply refusing consent.
This does not apply to cases where prior consent cannot be obtained on the basis of facts alone.
If the urgent situation in which prior consent cannot be obtained is resolved, the personal information controller will

Approval must be obtained (Standard Guide Article 7). The personal information controller does not collect personal information without the prior consent of the information subject.
Even in the case of collection or use, if the cause is resolved, the processing of personal information must be immediately stopped.
The information subject must be informed of the fact that personal information is collected or used without prior consent, the reason and details of use
do. In the case of continuing to use the personal information of the information subject after the urgent reason has been resolved,
The consent of the subject must be obtained.

3) If it is clearly for the benefit of the information subject, etc.
The purpose of collection and use of personal information is clearly to protect the life, body, and property interests of the information subject or a third party.
it should be for In the event that it is beneficial but can also be a loss, without the consent of the data subject
Personal information cannot be collected.
The problem is when it is clearly beneficial to a third party but detrimental to the data subject. in this case
Personal information collection without consent is possible only when the interests of a third party are superior to those of the information subject.
will have to In particular, the property interests of a third party cannot outweigh the life and bodily interests of the information subject.
there should be no

79

Page 86
Explanation of personal information protection laws and guidelines and announcements

4) Imminent life, body, and property interests
Life, body, and property benefits must be imminent. that can obtain the consent of the information subject or legal representative
If there is sufficient time or other means to protect the interests of life, body, and property,
It cannot be said to be in a state of urgency.
ReferenceExamples of imminent profits
· Collecting personal information such as contact information, address, and location information to rescue people who are missing or isolated due to distress, flood, etc.
Occation
· In the event of a fire in the apartment, the mobile phone number of the child or parent is collected in order to save the child in the house.
Occation
· Collecting personal information for medical treatment such as surgery for patients who are unconscious or in critical condition
· The bank temporarily suspends the transfer of funds because the customer appears to have been caught in a phone scam (voice phishing) and tells the customer the truth.
If you want to confirm

F. When it is necessary to achieve the legitimate interests of the personal information manager
It is clearly necessary to achieve the legitimate interests of the personal information controller.
Personal information may be collected without the consent of the data subject even if it takes precedence over rights. Collect in this case
The personal information to be provided must be reasonably related to the legitimate interests of the personal information controller and
The range must not be exceeded.

1) The legitimate interests of the personal information controller
In the case of investigating and securing evidence for fee collection and settlement, debt collection, filing and proceeding, etc.
CCTV for the purpose of preventing the leakage and theft of trade secrets and the safety of facilities in the workplace where access is controlled
There must be a legitimate interest of the personal information controller under the law, such as installation.
< Examples of legitimate interests of personal information controllers >
· A business operator creates and manages personal information such as customer service usage details and billing details for fee settlement and debt collection
if
⇒ For billing, you must pay the customer's product order history, service usage history, communication confirmation data, etc.
Data is generated for calculation and billing, and it is to receive a fair price according to the performance of the contract.
Must be able to collect
※ Even if it is not information such as name and resident registration number directly provided by the information subject, the information generated by the business operator is also 'collected' of personal information.
corresponds to the act

· In preparation for litigation or disputes with customers, the business operator collects fee settlement data, customer complaints, and response data.
In case of collection and management
⇒ If you continue to file a complaint even though it has already been resolved, the history of filing complaints and response records, etc.

80

Page 87

When recording and storing data, in the event of complaints about fee settlement and billing, the service usage history that can prove this
If consent is obtained in advance when generating and managing evidence for
· In case of installing and operating CCTVs in company entrances (entrances), elevators, corridors, etc. for theft prevention and facility safety
⇒ Unlike offices, entrances, elevators, and hallways are less likely to infringe on workers' privacy, while preventing theft,
It can be said that there is a need and justification because the effect of facility safety is large.

2) Clearly take precedence over the rights of the data subject
Even if it is for the legitimate interest of the personal information controller, the privacy of the data subject is excessively
Personal information cannot be collected without the consent of the information subject in case of infringement or other interests.
The third chapter

In addition, the interests of the personal information controller must clearly outweigh the rights of the data subject. In the EU dog
sign

In accordance with the principle of profit parity, the interests of the data subject and the interests of the personal information controller
are compared and balanced.
tablet
see
see precedence.
In Korea, collection of personal information is permitted only when the interests of the personal information controller clearly take
of
wife
Lee

ReferenceClarity Judgment Example
For reasons such as business efficiency and protection of trade secrets, the company monitors employees' work processing and Internet access.

It is difficult to see that the installation of the system clearly takes precedence over the rights of the data subject, so in this case, according to the labor-management agreement,
It is desirable to process or notify the staff or go through the consent process.

3) collection within a reasonable range with significant relevance
that the legitimate interests of the data controller exist and that they clearly take precedence over the rights of the data subject;
Even if the relevant personal information is not related to the legitimate interests of the personal information controller or to a reasonable extent
should not be exceeded.

For the operation of a company- friendly organization
When the social group collects and uses the personal information of the member for the operation of the social group, the information subject
There is no need to obtain consent (Article 58 (3)). Fellowship organizations are online and offline, volunteer,
The members of the group based on common interests or goals such as hobbies, politics, religion, etc.
A gathering for the purpose of fostering harmony.
In the sense that the purpose of a friendship group is to promote friendship among internal members, an external group expression of intention or external
It is distinguished from political parties, religious groups, and the media, which assume influence. for the operation of a friendly organization
Matters are: ① Name, contact information, and common interests set forth in the rules of the friendship group for membership of the friendship group;
Personal information related to the goal, ② Payment status of expenses necessary for maintaining friendship, such as membership dues of social groups

81

Page 88
Explanation of personal information protection laws and guidelines and announcements

matters related to, ③ the member's participation in the activities of the social group and the contents of the activities, ④ other matters
For mutual friendship and harmony among members of a social group, members want to inform other members
It refers to matters related to birthdays, tastes, and family's ae-gyeongsa.

2. Relationship with other laws
Regarding the collection of users' personal information pursuant to Article 22 of the Information and Communications Network Act, the Information and Communications Network Act takes precedence.
In relation to the collection of personal information under the 「Credit Information Act」, the Personal Information Protection Act applies, but
Principles of collection and investigation of Korea (Article 15) and requests for access and provision of credit information to public institutions (Article 23)
Exceptions follow.

Article 22 (the collection of personal information, such as Subscribe used) ① Telecommunications service providers are personal information of the user
In the case of collection for use, the user must be informed of all matters in each of the following subparagraphs and consent is obtained.
should get The same shall also apply where he/she intends to change any of the following matters:
1. Purpose of collection and use of personal information
2. Items of personal information to be collected
3. Period of retention and use of personal information
Information and Communications Network Act
② The information and communications service provider shall comply with Paragraph 1 in any of the following cases:
Users' personal information may be collected and used without consent.
1. Personal information necessary to fulfill a contract for the provision of information and communications services, economically and
When it is clearly difficult to obtain ordinary consent for technical reasons
2. In case it is necessary for the settlement of charges for the provision of information and communication services;
3. If there are special provisions in this Act or other Acts
Article 15 (Principles of Collection, Investigation and Processing) ① Credit information companies, credit information collection agencies and credit information provision
Users (hereinafter referred to as “credit information companies, etc.”) may collect, investigate and process credit information.
In this case, the purpose of collection, investigation and processing within the scope of work stipulated by this Act or the articles of incorporation is clearly stated
In accordance with this Act and the 「Personal Information Protection Act」, the minimum
Credit information shall be collected, investigated and processed using reasonable and fair means within the scope
do.
② When a credit information company, etc. collects personal credit information, it must obtain the consent of the credit information subject.
should get However, this is not the case in any of the following cases:
Credit Information Act 1. If there are special provisions in the law or it is unavoidable to comply with the legal obligations
2. Inevitably for the conclusion and execution of commercial transactions, such as financial transactions, with the subject of credit information.
if necessary
3. The credit information subject or his/her legal representative is in a state in which he/she is unable to express his/her intention or his/her address is unknown;
In the case where prior consent cannot be obtained due to
In case it is deemed necessary for the immediate benefit of life, body, or property
4. It is clearly necessary to provide credit information and to achieve the legitimate interests of users;
In case of taking precedence over the rights of the credit information subject. In this case, the credit information provision/user's legitimate
It is limited to cases where it is significantly related to profits and does not exceed a reasonable range.

82

Page 89

The (reports such as credit information) of Article 22 2 credit check company credit information usage range, utilizing period, providing
Subjects, etc. shall be reported to the Financial Services Commission as prescribed by Presidential Decree.
Article 23 (Request for Provision of Credit Information to Public Institutions, etc.) ① Delete
② The state, local government, or public organization prescribed by Presidential Decree (hereinafter referred to as the
(referred to as “public institution”) to the head of the credit information subject to determine the creditworthiness and credit transaction capacity of the credit information subject.
When a request for provision of credit information prescribed by Presidential Decree as necessary credit information is requested, the request shall be met.
Notwithstanding the following laws, the head of the public institution who received the information
can provide In this case, standards and procedures for providing information shall be prescribed by Presidential Decree.
1. 「Act on Information Disclosure of Public Institutions」
2. 「Personal Information Protection Act」
3. 「National Health Insurance Act」
4. 「National Pension Act」

The third chapter

5. 「Korea Electric Power Corporation Act」
6. 「Resident Registration Act」
③ The credit information collection agency shall store credit information provided by public institutions pursuant to
Credit information prescribed by Ordinance may be provided to users.

dog
sign
tablet
paragraph
see
see
of

(2) to the President.

④ Credit information collection agency or users of credit information pursuant to Paragraph 3 to credit information provider/users
wife
Lee

In the case of providing personal credit information provided by a public institution pursuant to paragraphs 2 and 3,

As prescribed in Article 32 (3), the credit information provider/user receives credit information from the individual concerned.
It should be checked whether consent has been obtained for provision and use.
⑤ Users of credit information who have been provided with credit information pursuant to Paragraph 3 shall share the information with others.
should not be provided.
⑥ A person who requests the provision of credit information pursuant to Paragraph 2 may receive a viewing fee or
You have to pay fees, etc.
⑦ Credit information companies, etc. shall not be used for official purposes prescribed by the relevant laws and regulations by the heads of public institutions.
In the case of a written request for the provision of credit information for this purpose, the credit information may be provided.
Article 24 (Use of computerized resident registration information data) ① Credit information concentrating institutions and those prescribed by Presidential Decree
A credit information provider/user shall be a member of the Ministry of Government Administration and Home Affairs in any of the following cases:
Request the Minister to provide data on computerized resident registration information pursuant to Article 30 (1) of the Resident Registration Act;
can In this case, the Minister of the Interior and Home Affairs in receipt of the request shall comply with the request unless there is any special reason.
must follow
1. Deposits, insurance money, etc. whose prescription of extinction has been completed pursuant to Article 64 of the Commercial Act, etc.
Notifying the original right holder of the relevant deposit and insurance money in case of payment
if for
2. Transactions such as when a financial transaction contract expires, becomes invalid, or causes a change in the contract, such as termination;
In case of notifying matters affecting the rights and obligations of the other party
② In the case of a request for electronic resident registration information data pursuant to paragraph (1), the Chairman of the Financial Services Commission
must be reviewed
③ Article 30 of the 「Resident Registration Act」 in cases where it has been reviewed by the Chairman of the Financial Services Commission pursuant to paragraph (2)
It shall be deemed to have passed the examination by the head of the relevant central administrative agency under paragraph (1). Processing procedure, usage fee
Or, fees, etc. shall be governed by the 「Resident Registration Act」.

83

Page 90
Explanation of personal information protection laws and guidelines and announcements

3. Penalties for violations
violation

penalty

A person who collects personal information in violation of the collection and use standards
A fine of not more than 50 million won
(Violation of Article 15 (1))
Violation of duty to notify information subject (violation of Article 15 (2))

(Article 75 (1) 1)
A fine of not more than 30 million won
(Article 75 (2) 1)

4. Q&A
Using the list of customers who have previously applied for the sweepstakes, a promotional email to inform the launch of a new product is sent.

Q

Is there any problem with sending it?
Through the giveaway event, consent is obtained only for the purpose of using the event, and consent is not obtained for 'product advertisement'.

A

Otherwise, the personal information cannot be used for advertising purposes, such as sending out product release information e-mails.
However, it is possible to obtain a separate consent for the purpose of promotion.

Personal information is stored through business cards, phone books, and public Internet websites provided by the information subject.

Q

In the case of collection, do I need to obtain the consent of the data subject pursuant to Article 15 (1) 1 of the Act?
Collecting personal information by receiving a business card or a similar medium directly from the information subject

A

In this case, the information subject clearly expresses his/her intention to consent or if not, provides a business card, etc.
In light of the circumstances, etc., it can be used only within the extent that it is recognized that there was an intention to consent according to social norms.
In addition, even if personal information is collected through a phone book or a public Internet website,
The intention of the information subject to publish or allow the posting of personal information on the Internet website, etc.
In light of clearly indicated or displayed content on the Internet homepage, etc., the will to consent is
It should be used within the range recognized as having been there.

Q

In the sense that personal information that requires the consent of the data subject can be changed in the future, the government subject may
List all items that need to be agreed upon at the time, and list other similar or similar items.
Is it permissible to use the term 'etc' in the sense of subscribing?
The 「Personal Information Protection Act」 requires that only the minimum amount of personal information necessary to collect personal information is collected.

A

If you use the term 'etc' to allow additional personal information to be received, it will be indiscriminate collection of personal information.
As there is a possibility that it may lead to the following, list specific personal information items to be collected when the information subject consents.
You must not use 'etc.', and if new personal information is required for future work, you must obtain separate consent.
do.

84

Page 91

Q

When hiring employees, personal information obtained through resumes, etc. is “contracted with the information subject and
In case it is unavoidably necessary for the implementation”, consent is required for the collection and use.
Can it be considered exempt?
According to Article 27 of the 「Enforcement Decree of the Labor Standards Act」, the business operator must register the employee's name, resident registration number, and family allowance.

A

Matters starting with the calculation and other matters pertaining to working conditions must be recorded in the wage book, which
This applies to cases stipulated by law. In the case of other information, the personal information of prospective job seekers is also collected,
In relation to use, in accordance with Article 15 (1) 4 of the Act (when necessary for the conclusion and implementation of a contract)
The consent of the prospective person may be waived.
However, basically, information about employees is not only for the purpose of contract signing, but also for welfare, union management, entrustment, etc.
Because there is a lot of room for use for the purpose and there is room for collecting sensitive information,

The third chapter

The purpose and period of use of personal information by the company, including recruitment, shall be clearly stated and notified to the target person.
dog
sign
tablet
see
see
of

it is preferable

If the lessee submits a global agreement to the bank for a jeonse loan, the global agreement includes the lessee’swife

Q

Lee
It contains not only information but also the personal information of the lessor, at this time the bank collects and
collects the personal information of the lessor.

Do I need to obtain consent for use?

A

In cases where the bank may collect the personal information of the lessor specified in the contract without the consent of the lessor
ⅰ When it is unavoidable to comply with special provisions of laws or statutory obligations
iii In cases where prior consent of the information subject is difficult, the immediate interests of the third party's life, body, and property
if necessary for
iv When it is necessary to achieve the legitimate interests of the personal information controller (which takes precedence over the rights of the information subject)
case) is limited.
When a bank enters into a jeonse loan contract, it is necessary to check whether the lease agreement has been genuinely established.
It is necessary to check the personal information of the lessor through the global agreement for this purpose.
It corresponds to the legitimate interests of the processor (bank). In other words, the Jeonse loan is based on the rental deposit under the lease agreement.
By setting collateral, the personal information of the lessor is used to determine whether the lease contract is false.
The collection has a significant bearing on the legitimate interests of the bank (such as loan collection) and to a reasonable extent.
cannot be considered to have been exceeded. In addition, the bank's Jeonse loan has no damage to the lessor,
The personal information of the lessor is also processed only for the purpose of verifying the authenticity of the lease contract.
Therefore, the lessor's right to privacy is less likely to be infringed.
Accordingly, the Bank shall not disclose the personal information of the lessor without consent pursuant to Article 15 (1) 6 of the Personal Information Protection Act.
However, even in this case, in accordance with Article 24-2 of the Personal Information Protection Act,
Collection is limited.

85

Page 92
Explanation of personal information protection laws and guidelines and announcements

Article 16 Restriction on collection of personal information
Article 16 (Restriction on Collection of Personal Information ) ① The personal information controller shall comply with any subparagraph of Article 15 (1).
In the case of collection of personal information, the minimum amount of personal information necessary for the purpose is collected.
should be collected. In this case, the burden of proof that the minimum personal information collection is personal information
The processor bears
② When collecting personal information with the consent of the information subject, the personal information controller

law

The fact that you may not agree to the collection of personal information other than the minimum information
You must specifically notify and collect personal information.
③ The personal information controller is responsible for collecting personal information other than the minimum information required by the information subject.
If you refuse to provide goods or services to the information subject on the ground that you do not agree,
No.

1. Minimum collection principle
When collecting personal information of information subjects for the purpose of each subparagraph of Article 15 (1), it is necessary to
You must collect only the minimum amount of personal information within the scope. Collecting and storing personal information more than necessary
If there is, there is a risk of personal information being leaked at any time by hacking, etc.
Because there is a risk of abuse.
It is possible to collect and use information other than the minimum necessary information with the voluntary consent of the information subject.
Information other than the minimum necessary information is referred to as the minimum necessary information, making it mandatory or essential
Consent must not be compelled to consent. In this case, the personal information controller needs the information
It must be demonstrated that the information is minimal.
ReferenceExample of minimum information
· Names, addresses, and phone numbers (home and mobile phone numbers) collected by the shopping company to deliver products to customers are required.
It can be said that it is the minimum personal information, but it is the minimum to request personal information that is not related to delivery, such as occupation and date of birth.
out of scope of information
· Information on the career, major, qualifications, etc. of a job applicant can be said to be the minimum information for judging work ability.
Information on family relationships, marital status, and original records (original records) is beyond the scope of the minimum information.

86

Page 93

2. Burden of burden of proof
The burden of proof that it is the minimum personal information is borne by the personal information controller. That is, the personal information controller collects
The personal information controller loses if it cannot prove that the personal information is the minimum personal information.

3. Notice of right to refuse consent
When the personal information controller collects personal information with the consent of the information subject, it is necessary for the purpose
Notify in detail the fact that you may not agree to the collection of personal information other than the minimum information.

The third chapter

Personal information must be collected. To be specific, it means that certain information is the minimum information necessary. dog
sign

Whether or not the information is the minimum required should be classified and notified so that the information subject can easily
recognize it, and
tablet
see
see
of

For information other than the minimum information, freely without interfering with the use of goods or services
It means you have to let them know you can refuse consent.

wife
Lee

For example, the personal information controller is responsible for providing the minimum amount of personal information necessary to provide goods or services.
Personal information necessary for publicity, marketing, etc. shall be classified and notified to the information subject, and for the latter,
Inform the data subject that they can refuse consent and obtain consent.

4. Prohibition of refusal to provide goods, etc.
Provide goods to the information subject for not agreeing to the collection of personal information other than the minimum required information
or refuse to provide services. The provision of services also includes membership registration. In the case of paid
Of course, the same is true for free. This is to prevent forced consent to the collection and use of personal information.
will be. Therefore, if you refuse to consent to optional information while obtaining the consent of the data subject,
It is possible to inform that the use of the service may be restricted.

5. Penalty Regulations
violation

penalty

Because you do not agree to the collection of information other than essential information
A fine of not more than 30 million won
A person who refuses to provide goods or services
(Article 75 (2) 2)
(Violation of Article 16 (3))

87

Page 94
Explanation of personal information protection laws and guidelines and announcements

6. Relationship with other laws
The ｢Information and Communications Network Act｣ specifies the minimum necessary personal information collection principle and prohibits refusal to provide services.
As a result, information and communications service providers must comply with the “Information and Communications Network Act” in relation to the collection of users’ personal information.
are subject to
Since the “Credit Information Act” does not provide explicit provisions on refusal to provide services,
It is processed in accordance with the 「Personal Information Protection Act」. However, in the Credit Information Act, the collection, investigation and processing of credit information
In certain cases, there are exceptions.
Restrict collection, investigation and processing in accordance with

Article 23 (Restrictions on Collection of Personal Information, etc.) ② Information and communication service providers
In this case, it is necessary to collect the minimum information necessary to provide information and communication services.
Information and Communications Network Act
Refusal to provide the service for not providing personal information other than the minimum information
it should not be done
Article 15 (Principles of Collection, Investigation and Processing) ① Credit information companies, credit information collection agencies and credit information provision
Users (hereinafter referred to as “credit information companies, etc.”) may collect, investigate and process credit information. in this case
The purpose of collection, investigation and processing shall be clarified within the scope of work stipulated by this Act or the articles of incorporation;
In accordance with this Act and the Personal Information Protection Act, reasonable and
Credit information shall be collected, investigated and processed using fair means.
Article 16 (Restriction on Collection, Investigation and Processing) ① Credit information companies, etc. collect and investigate the following information
it should not be done
1. Information on national security and confidentiality
Credit Information Act
2. Company trade secrets or original research and development information
3. Personal political thoughts, religious beliefs, and other personal information not related to credit information
4. Uncertain personal credit information
5. Information prohibited from collection under other laws
6. Other information prescribed by Presidential Decree.
② When a credit information company, etc. collects, investigates, or provides information about an individual's disease to others
The consent of the relevant individual under Article 32 (1) must be obtained in advance, and only for the purpose prescribed by Presidential Decree.
You should use that information.

88

Page 95

7. Q&A
Q

What is the minimum scope of personal information necessary for the purpose of collection?

A

The “minimum necessary personal information” collected by the service provider considers the characteristics of the service.
It is limited to information that is absolutely necessary to provide.
For example, in the case of an Internet shopping mall, the name required for the establishment of a contract, product delivery, and payment;
This may include a phone number, address, bank account number, or credit card number.
The burden of proof that the minimum amount of personal information is collected is borne by the personal information controller.
The third chapter

Q

dog
If the consent of the information subject is obtained, the collection of personal information beyond the minimum
range necessary for the purpose is prohibited.
sign

can it be allowed?

A

Personal information beyond the minimum range necessary for the purpose is optional information, and consent is
It must be obtained and collection is possible if the data subject consents. However, other than the minimum

tablet
see
see
of
obtained

by separating it from essential information.

wife
necessaryLee
information

Refusal to provide goods or services to the information subject on the grounds that they do not agree to the collection of personal information
In case of violation, a fine of not more than 30 million won is imposed.
The burden of proof that the minimum amount of personal information is collected is borne by the personal information controller.

89

Page 96
Explanation of personal information protection laws and guidelines and announcements

Article 17 Provision of personal information
Article 17 (Provision of Personal Information) ① The personal information controller shall be responsible for any of the following:
In this case, the personal information of the information subject may be provided to a third party (including sharing; hereinafter the same shall apply).
can
1. When the consent of the data subject has been obtained
2. Within the scope of the purpose for which personal information was collected pursuant to Article 15 (1) 2, 3 and 5;
When providing personal information
② When the personal information controller obtains consent under paragraph (1) 1, the following matters
The data subject must be informed. Even if any of the following items are changed
law

This must be informed and consent must be obtained.
1. Persons to whom personal information is provided
2. Purpose of use of personal information by the person receiving personal information
3. Items of personal information to be provided
4. Period of retention and use of personal information by the person receiving personal information
5. In case of the fact that you have the right to refuse consent and there are disadvantages due to refusal of consent
the content of the disadvantage
③ When the personal information controller provides personal information to a third party abroad,
The information subject must be informed of the following information and consent must be obtained, and the content that violates this law must be
Contracts for overseas transfer of personal information shall not be concluded.
Article 7 (Provision of Personal Information) ① “Provision” of personal information means the storage medium of personal information or individual
Physical transfer of printed materials or booklets containing information or
transfer, granting third parties access to personal data, personal data controllers and third parties
It refers to any act that results in the transfer or joint use of personal information, such as information sharing.
② “Third party” in Article 17 of the Act means collecting and retaining the information subject and personal information about the information subject.

standard guidelines
It means any person except the personal information controller who has
(limited to those within the scope of agency) and the trustee pursuant to Article 26 (2) of the Act are excluded.
(hereinafter the same).
③ The personal information controller transmits personal information to the information subject pursuant to Article 17 (2) 1 of the Act.
In the case of notifying the recipient, the name (in the case of a corporation or organization, its name) and
You must also provide your contact information.

1. Meaning of providing personal information to third parties
Provision of personal information refers to the transfer of control and management rights of personal information to a third party other than the personal information controller.
it means. That is, not only in the case of delivering media or handwritten documents that store personal information, but also in the DB system.

90

Page 97

In the case of sharing personal information by allowing access to the
Included.
On the other hand, in the case of providing sensitive information and unique identification information to a third party, Articles 23, 24 and 24-2
must follow

2. Differences between use, entrustment of processing tasks, and business transfer
The difference between the use of
The third chapter

Use of personal information means transfer of control and management rights of personal information within the personal information
dog
controller (institution, organization, corporation, etc.)
On the other hand, the provision of personal information means the use of personal information for one's own purpose without
of personal information to a third party other than the information processing consignee) and the information subject (including

sign
tablet
see
see information
the
of

subject's agent)

wife
It refers to the transfer of control and management rights. Therefore, other departments within the same personal information controller
Lee

If it is used for a different purpose, it is not a provision, but a use other than the intended purpose.

B. Differences from consignment of processing tasks
In both business entrustment and provision of personal information to a third party, personal information is transferred to another person (third party) or jointly
It is the same in terms of processing. However, in the case of 'business entrustment', the work of the personal information controller is
Although personal information is transferred to a third party (trustee) for the purpose of processing
The difference is that personal information is transferred for purposes and interests. In addition, in the case of consignment, personal information
Although it is managed and supervised by the processor, the third party is responsible for the provision of personal information after the personal information is provided.
Personal information is processed under the following conditions, and the management and supervision rights of the personal information controller do not reach.

The difference between the transfer of business, etc.
Transfer/merger of business (Article 27) is similar to 'provision' in that personal information is transferred to a third party.
However, the transfer/merger of business does not change the form of business using the personal information, only
It is different from 'providing' in that only the subject of management changes. Accordingly, regarding the transfer and merger of business,
Article 27 of this Act provides a separate provision, and provisions related to provision do not apply.

91

Page 98
Explanation of personal information protection laws and guidelines and announcements

3. When provision to a third party is possible
In case the information subject's consent has been obtained
When the personal information controller obtains consent for the provision to a third party, the information subject must understand the content and meaning of the provision.
For clarity, ① the name of the person receiving the personal information (in the case of a corporation or organization, the name);
② Purpose of use of personal information by the recipient, ③ Items of personal information to be provided ④ Personal information of the recipient
Retention and use period, ⑤ The fact that the right to refuse consent exists and there are disadvantages due to refusal of consent
should inform you about it. Even if there is a change in any of the matters to be notified, the information subject
The change must be notified again and consent must be obtained.

'Person who receives personal information' means the name or trade name of the person who is provided with personal information, so financial institutions, government institutions, etc.
Likewise, information should not be provided comprehensively in such a way that it is difficult for the information subject to know the recipient, and the recipient should not
In the case of multiple persons, each name or trade name is notified, and if the purpose, item, period, etc.
For each recipient, the purpose, item, period, etc. shall be notified to each recipient. In this case, the personal information controller
It is desirable to inform the recipient's contact information as well.
In this way, since the recipient must be specified, in fact, in Korea, the database
Marketing (collecting and storing a large amount of personal information with the consent of the information subject,
Selling or renting personal information, or keeping the personal information database held by others up to date
Service that updates or advertises other people's products) can be said to be prohibited.
< Related Violations >
• XX Bookstore is not responsible for receiving personal information in the membership application form because of the frequent change of partner companies due to the nature of its business.
Personal information is provided/shared with various partner companies without notifying the person (name of partner company) and purpose of provision of personal information”
• XX Mart is holding the “Opening Commemorative Sweepstakes Event”, and the information of customers who applied for the Sweepstakes is shared with partner life insurance companies.
Provided to affiliates without consent to the fact that it is provided and subscribed to 「Free Holiday Accident Insurance」

B. There are special provisions in the law or it is inevitable to comply with the legal obligations.
In the case of providing personal information within the scope of the purpose of collection
1) Special provisions of the law
'If there are special provisions in the law' means that the law specifically requires the use of personal information or
cases where it is allowed. Therefore, the electoral list for the candidates for public office of the mayor of a city/gun/gu
Issuance (Article 46 of the Public Official Election Act), the policyholder's violation of the traffic law against the insurance company by the insurance rate calculation agency

92

Page 99

In the case of provision of personal information (Article 176 of the Insurance Business Act), etc., the personal information controller may
information may be provided to interested parties.
Referencepublic office election law
Article 46 (Issuance of Copies of List) ① The head of a Gu/Si/Gun is a candidate [candidate for proportional representative National Assembly member and proportional representative local council member]
(referring to proportional representative City/Do council members and proportional representative autonomous Gu/Si/Gun members. Hereinafter the same shall apply) Candidates are excluded], Election Secretary
(excluding the election secretary for proportional representative National Assembly election and proportional representative local council member election) or the head of the election liaison office
When there is an application, a copy of the prepared electoral list or absentee list or a copy of electronic data shall be provided for each candidate.
Each copy must be delivered to the applicant within 24 hours.
② An application for issuance of a copy of the electoral roll or absentee list or electronic data copy pursuant to paragraph (1) shall be submitted during the election period.
It must be made in writing to the head of the relevant Gu/Si/Gun by the start date.
The third chapter

dog
sign
tablet
see
see
of

2) Compliance with statutory obligations

In cases where certain obligations are imposed on the personal information controller under the Act, the personal information controller
wife
Lee

It refers to a case in which personal information is inevitably collected and used to fulfill its obligations. in law

It includes not only the obligations under the Act, but also the obligations under the Enforcement Decree and the Enforcement Rules.
'In unavoidable cases' means fulfilling the obligations imposed by laws and regulations without collecting personal information.
In cases where it is impossible or it is significantly difficult for the personal information controller to perform its obligations using other methods
it means.
In the event that personal information is collected and used in cases where it is unavoidable to comply with legal obligations,
Personal information may be provided within the scope of the purpose. List of instructors, etc. of those who intend to establish and operate an academy
Obligation to register with the Superintendent of Education (Article 6 of the 「Act on the Establishment and Operation of Private Academy and Extracurricular Teaching」), income
Obligation of the payer to withhold tax and report on the status of the withholding tax on the withholding person (Article 127 of the Income Tax Act)
and Article 128), etc., is an example of observance of obligations under laws and regulations.
ReferenceIncome Tax Law
Article 127 (Obligation of Withholding Tax) (1 ) In Korea, income falling under any of the following subparagraphs shall be paid to a resident or non-resident in Korea.
A person who makes a payment (limited to a person prescribed by Presidential Decree, such as a business operator, in the case of a person who pays income under subparagraph 3):
Income tax on the resident or non-resident shall be withheld in accordance with the provisions of this Section.
1. Interest income
2. Dividend income
3. Business income prescribed by Presidential Decree (hereinafter referred to as “business income subject to withholding tax”);
4. Earned Income. However, income falling under any of the following items is excluded.
end. Earned income received from foreign organizations or United Nations forces stationed in Korea (excluding the US military)
I. Earned income received from non-residents or foreign corporations (excluding domestic branches or domestic business offices) located abroad.
However, income falling under any of the following is excluded.
1) Domestic place of business of a non-resident under Article 120 (1) and (2) and Article 94 (1) and (2) of the 「Corporate Tax Act」

93

Page 100
Explanation of personal information protection laws and guidelines and announcements

Income recognized as necessary expenses or deductibles when calculating the amount of domestic source income of a domestic place of business of a foreign corporation
2) According to Article 156-7, among the wage and salary income received from foreign corporations (excluding domestic branches or domestic business offices) located abroad
Income of dispatched workers subject to withholding income tax
5. Pension Income
6. Other Income. However, income falling under any of the following items is excluded.
end. Income under subparagraph 8;
I. Penalty and compensation under Article 21 (1) 10 (applicable only to cases where the down payment is replaced with a penalty or compensation);
All. Income under Article 21 (1) 23 or 24;
7. Retirement Income. Provided, That when a person with wage and salary income falling under any of the items of subparagraph 4 retires,
income is excluded.
Article 128 (Payment of Amount of Withholding Tax) (1 ) A withholding agent shall pay income tax withheld withholding tax in the month following the month in which the date of collection belongs.
Payment must be made to the tax office having jurisdiction over withholding tax, the Bank of Korea, or the post office by the 10th, as prescribed by Presidential Decree.
do.

Is a public organization is inevitable collected to perform the duties prescribed Jurisdiction Act, etc.
In the case of providing personal information within the scope of the purpose of collection
In the case of public institutions, personal information is frequently collected in order to carry out the duties prescribed by laws and regulations.
You need to provide it to a third party. In the case of public institutions, explicitly to collect personal information
Even if there is no legal regulation that allows
In the event that personal information is unavoidably collected for
collection is allowed.
'Responsibilities prescribed by laws and regulations' refer to the ｢Government Organization Act｣, organization/organization rules for each institution, and individual organization laws, etc.
In addition to the affairs prescribed by the jurisdiction, “Resident Registration Act”, “National Tax Framework Act”, “Medical Act”, “National Health Insurance Act”, etc.
In the case of local governments, the authority and duties granted by the relevant laws and regulations, and the duties stipulated in the ordinance, etc.
it means. In the case of local governments, various licensing affairs, report acceptance, welfare work, management/supervision, etc.
In practice, it is often necessary to provide personal information to a third party because
can
When a public institution provides personal information to a third party to perform its duties,
Whether there are unavoidable reasons should be carefully considered. 'In case of unavoidable circumstances', personal information is not provided.
Without this, it is impossible to exercise the authority or fulfill the obligations granted to the relevant public institution by laws, etc.
It means a case in which it is significantly difficult to perform the duties under the jurisdiction by using other methods. Especially
In order for public institutions to handle whistleblowers and civil complaints, the personal information of the complainant may be provided to a third party.
Be careful when In order to easily resolve civil complaints, the personal information of the complainant is disclosed to the complainant or
Providing it to the complainant is difficult to see as an unavoidable necessity.

94

Page 101

D. When it is necessary for urgent life, body, or property interests
The information subject or his/her legal representative is in a state where he/she is unable to express his/her intention, or if the address is unknown, prior consent
It is clearly necessary for the immediate life, body, and property interests of a third party.
If it is recognized and personal information has been collected, personal information may be collected without the consent of the information subject within the scope of the purpose of collection.
may be provided to a third party. Traffic accidents that urgently require medical treatment such as surgery by the city office or police station
This includes providing the patient's contact information to a medical institution.
< Comparison of standards for collection and use of personal information and standards for provision >
standard

Collection and use (Article 15) Provision (Article 17)

· When consent of the data subject is obtained

Collection and use possible

· In order to comply with special regulations or statutory obligations

within the scope of the purpose of
Collection and use possible
available

In case of unavoidable

available

The third chapter

dog
sign
collectiontablet
see
see
of

withinetc.
the scope of the purpose of collectionwife
· In order for public institutions to perform tasks under their jurisdiction as prescribed by laws and regulations,
Collection and use possible
Lee
In case of unavoidable
available
· Inevitably for the conclusion and execution of contracts with data subjects
In case of accompanying

not available
Collection and use possible
(Requires consent of the data subject)

· When the information subject or his/her legal representative is unable to express his/her intention
In the case where prior consent cannot be obtained due to an unknown address, etc.
within the scope of the purpose of collection
Collection and use possible
Obviously, the imminent loss of life, body or property of the data subject or a third party
available
If it is deemed necessary for profit

not available
· Necessary to achieve the legitimate interests of the personal information controller
Collection and use possible
In cases where it clearly takes precedence over the rights of the data subject
(Requires consent of the data subject)

4. Restrictions on overseas offerings and transfers
A. Provision of personal information to an overseas third party
When the personal information controller intends to 'provide' personal information to a third party abroad, ①
The name of the person (in the case of a corporation or organization, its name), ② Purpose of use of the recipient’s personal information, ③
Items of personal information ④ Recipient’s personal information retention and use period, ⑤ The right to refuse consent
Notify the information subject of all facts and the contents of disadvantages (limited to cases where there are disadvantages) due to refusal of consent
Consent must be obtained (the former part of paragraph 3).

95

Page 102
Explanation of personal information protection laws and guidelines and announcements

B. Overseas transfer of personal information
No contract regarding the overseas transfer of personal information shall be concluded in violation of this Act.
It can be said that this is the minimum measure to prevent the transfer of personal information abroad to avoid the application of this Act.
can
The concept of overseas transfer is broader than that of overseas provision. In addition to providing personal information to third parties abroad,
Overseas relocation also includes cases where personal information is moved abroad to entrust the processing of personal information to a third party abroad.
In the case of entrustment, it is not necessary to obtain the consent of the information subject, but it must comply with the regulations on entrustment of processing (Article 26).
ReferenceCases of overseas relocation by type
· Third-party provision type: When an overseas travel business operator provides customer information to a foreign partner, the multinational corporation’s
When the customer information collected by the branch is transferred to the U.S. headquarters
· Overseas consignment type: Establish a subsidiary in China, where labor costs are cheap, and use the domestic customer database to conduct call center business (customer response business).
In case of proxy
· Direct collection type: When an overseas Internet shopping mall operator directly collects personal information of domestic consumers abroad

5. Penalty Regulations
violation

penalty

Personal information to a third party without the consent of the information subject
Imprisonment for not more than 5 years or a fine not exceeding 50 million won
The person who provided it and the person who received it knowing the circumstances
(Article 71 No. 1)
(Violation of Article 17 (1) 1)
Violation of the duty to notify the data subject

A fine of not more than 30 million won

(Violation of Article 17 (2))

(Article 75 (2) 1)

6. Relationship with other laws
According to the “Information and Communications Network Act,” in principle, the provision of personal information to a third party is restricted only with the consent of the user.
However, it is allowed in exceptional cases where there are special provisions in the fee settlement or laws.
(Article 24-2). On the other hand, regarding the overseas transfer of personal information, the contract is fulfilled and the user convenience is improved.
When transferring personal information abroad, irrespective of the form of the transfer (provided, consigned, stored)
etc.) require the user's consent (Article 63).
Meanwhile, the Credit Information Act stipulates on the provision of personal credit information,
Information users and providers must comply with the Credit Information Act.

96

Page 103

Article 24 2 (such as providing the consent of the individual information) ① Telecommunications service providers are personal information of the user
In order to provide to a third party, except in cases falling under Article 22 (2) 2 and 3, any of the following
All matters must be informed to the user and consent must be obtained. Any of the following matters
The same shall apply where it is changed.
1. Persons to whom personal information is provided
2. Purpose of use of personal information by the person receiving personal information
3. Items of personal information to be provided
4. Period of retention and use of personal information by the person receiving personal information
② A person who has received personal information of a user from an information and communications service provider pursuant to Paragraph 1 shall
Personal information is not provided to a third party unless there is a user's consent or there are special provisions in other laws.
It shall not be used for any purpose other than the purpose for which it was provided or provided.
③ The information and communications service provider, etc. under Article 25 (1) must agree to the provision under paragraph
(1)chapter
and
The third
When obtaining consent to entrust the processing of personal information under Article 25 (1),

dog
sign
tablet
see
see
etc.
of

It must be obtained separately from consent to the collection and use of personal information,
You must not refuse to provide services for any reason.

Article 63 (Protection of Overseas Transfer Personal Information) ① Information and communication service providers,
Information and Communications Network Act
No international contract shall be concluded containing matters in violation of this Act.
wife
Lee

② Information and communications service providers, etc. provide users' personal information abroad (including the case of inquiry);
In order to entrust processing and storage (hereinafter referred to as “transfer” in this Article), the consent of the user must be obtained. but,
Necessary for the implementation of the contract for the provision of information and communication services and the enhancement of user convenience, etc.
In some cases, all matters under each subparagraph of paragraph (3) shall be disclosed pursuant to Article 27-2 (1) or by e-mail, etc.
In the case of notification to users in accordance with the method prescribed by Presidential Decree,
The consent process may not be followed.
③ In order to obtain consent under paragraph (2), the information and communications service provider, etc. must in advance the following matters:
All must be notified to the user.
1. Items of personal information transferred
2. The country to which the personal information is transferred, the date and time of the transfer and the transfer method
3. The name of the person to whom the personal information is transferred (in the case of a corporation, the name and contact information of the person in charge of information management)
say)
4. Purpose of personal information use and retention and use period of the person to whom the personal information is transferred
④ Information and communications service providers, etc. may transfer personal information abroad with consent under paragraph 2;
In such cases, protective measures shall be taken as prescribed by Presidential Decree.
Article 32 (Consent to Provision and Use of Personal Credit Information) ① Provision of Credit Information and Users of Personal Credit Information
In the case of providing the information to another person, as prescribed by Presidential Decree, the credit information subject
Whenever personal credit information is provided in any of the following ways,
consent must be obtained However, the accuracy and accuracy of personal credit information within the previously agreed purpose or scope of use
This is not the case in order to keep up-to-date.
1. Written
Credit Information Act
2. An electronic document with a certified electronic signature under subparagraph 3 of Article 2 of the Electronic Signature Act (the Framework Act on Electronic Transactions);
Refers to electronic documents under subparagraph 1 of Article 2)
3. In consideration of the provision of personal credit information and the purpose of provision, the stability of consent to provide information and
A method of inputting personal passwords through wired and wireless communication that can ensure reliability
4. A method of notifying the individual of consent through wired or wireless communication and obtaining consent. In this case, I

97

Page 104
Explanation of personal information protection laws and guidelines and announcements

Securing evidence, such as voice recording of whether or not consent, the content of consent, and the individual's response
must be maintained, and a post-notification procedure as prescribed by Presidential Decree is followed.
5. Other methods prescribed by Presidential Decree.
② A person who intends to receive personal credit information from a credit inquiry company or credit information collection agency
In any subparagraph of Paragraph (1), from the relevant credit information subject, as prescribed by Presidential Decree.
Each time you receive personal credit information in the appropriate way, you agree individually (for the purpose of consenting previously)
or to maintain the accuracy and freshness of personal credit information within the scope of use)
should get In this case, a person who intends to receive personal credit information will receive credit information when inquiring about personal credit information.
When the rating may be downgraded, it shall be notified to the relevant credit information subject.
③ In the event that a credit inquiry company or a credit information collection agency provides personal credit information pursuant to Paragraph 2,
Whether the person who intends to receive the relevant personal credit information has obtained consent under paragraph (2) shall be determined by Presidential Decree.
It should be checked as determined.
④ When the credit information company, etc. obtains consent in relation to the provision and use of personal credit information,
As prescribed by Presidential Decree, essential agreements and other optional items for the provision of services
After explaining the terms of consent separately, consent must be obtained for each. In this case, the required consent is
Relevance to the provision of services must be explained, and the optional consent is not to agree to the provision of information.
You should be aware that you can.
⑤ The credit information company, etc., on the grounds that the subject of credit information does not agree to the optional consent
The provision of services to the subject of credit information shall not be refused.
⑥ When a credit information company, etc. provides personal credit information, in any of the following subparagraphs:
Paragraphs 1 through 5 shall not apply if applicable.
1. Intensive management and utilization of a credit information company with another credit information company or a credit information collection agency;
if provided for
2. In order to entrust the processing of credit information pursuant to Article 17 (2) as necessary for the performance of the contract;
if provided
3. Transferring all or part of rights and obligations due to business transfer, division, merger, etc.
When providing personal credit information
4. Claims collection (applicable only to the collection of collection claims), purpose of authorization/permission, and corporate creditworthiness
Provided to a person who uses it for purposes prescribed by Presidential Decree, such as judgment, acquisition of securities, etc.
Occation
5. When provision is made in accordance with a court order to submit or a warrant issued by a judge
6. An emergency, such as when a serious risk to the life or body of the victim is expected due to the crime
In the case where there is no time to receive a judge's warrant under subparagraph 5 under the circumstances, the prosecutor
or upon the request of a judicial police officer. In this case, the prosecutor who has been provided with personal credit information
A warrant shall be requested from the judge without delay, and the judicial police officer shall apply to the prosecutor
A warrant must be requested by request, and the warrant must be filed within 36 hours of receiving personal credit information.
If the issuance is not received, the personal credit information provided shall be destroyed without delay.
7. For questioning, inspection or investigation pursuant to the Tax-Related Act, the head of the competent government agency shall write in writing.
When requesting or requesting the provision of tax data that is obligated to submit in accordance with the Tax Act
If provided according to
8. In accordance with international agreements, etc., personal credit information possessed by a financial company is not disclosed to a foreign financial supervisory authority.
if provided
9. Acts of disorder in financial order prescribed by Presidential Decree, oligopoly shareholders of companies, and related persons such as the largest investor;
When providing information that can determine creditworthiness

98

Page 105

10. In case of providing in accordance with other laws
⑦ A person who intends to provide or receives personal credit information to another person pursuant to each subparagraph of Paragraph 6
As prescribed by Presidential Decree, the facts and reasons for the provision of personal credit information shall be identified in advance.
The credit information subject must be informed. However, if there are unavoidable reasons prescribed by Presidential Decree,
It may be notified or disclosed later through the posting on the Internet website or other similar methods.
have.
⑧ As a credit information provider/user who provides personal credit information to others pursuant to paragraph (6) 3
A person prescribed by Presidential Decree shall be subject to matters prescribed by Presidential Decree, such as the scope of credit information to be provided.
Approval from the Financial Services Commission is required.
⑨ A person who has been provided with personal credit information with approval under paragraph 8
Separately from the personal credit information of the current credit information subject as determined by the Committee,
should be managed

The third chapter
⑩ When a credit information company, etc. provides personal credit information, as determined and publicly notified by the Financial Services Commission

Accordingly, the identity of the person receiving personal credit information and the purpose of use shall be confirmed.
⑪ The credit information provider/user who has provided personal credit information must obtain individual consent in
If there is a dispute as to whether or not it was received, it must be proved.

dog
sign
tablet pursuant
advance
see
see
of

to paragraph (1).

wife
Lee

7. Q&A
Integrate member information DB such as hotel, travel, shopping mall sites within the same group and log in with one ID

Q

We are going to introduce a so-called 'family site' system that makes this possible. Being an affiliate within the same group
So, is there no need for customer consent?
· The third party protects all corporations, organizations, etc., except for the business operator that has collected personal information from customers.

A

This means that even affiliates within the same group may have separate separate groups for different purposes of collection and use of personal information.
If it is a corporation, it is a third party.
· Therefore, even between group affiliates, do not provide or share personal information under the name of a family site.
In order to do this, it is necessary to inform the third party of the provision and obtain consent.

99

Page 106
Explanation of personal information protection laws and guidelines and announcements

Article 18 Restrictions on the use and provision of personal information for purposes other than the purpose
Article 18 (Restrictions on the use and provision of personal information for purposes other than the purpose) ① The personal information controller shall store personal information in Article 15.
Use in excess of the scope under paragraph (1) or use the scope under Article 17 (1) and (3)
It must not be provided to a third party in excess.
② Notwithstanding Paragraph 1, the personal information controller shall be responsible for any of the following:
In this case, when there is a risk of unfairly infringing the interests of the information subject or a third party
Except for this, personal information may not be used for purposes other than the intended purpose or provided to a third party.
have. However, the cases of subparagraphs 5 through 9 are limited to the case of public institutions.
1. In case of obtaining separate consent from the information subject
2. If there are special provisions in other laws
3. The information subject or his/her legal representative is in a state where he/she is unable to express his/her intention, or his/her address
In cases where prior consent cannot be obtained due to ignorance, etc., the information subject or a third party
In case it is deemed necessary for the immediate benefit of life, body, or property
4. In cases where it is necessary for the purpose of statistical preparation and academic research, etc.,
If you provide personal information in an unrecognizable form
5. If personal information is not used for purposes other than the intended purpose or if it is not provided to a third party,
In cases where it is impossible to perform the duties under the jurisdiction of other laws, the
In case of deliberation and resolution

law

6. To provide to foreign governments or international organizations for the implementation of treaties and other international agreements;
if necessary for
7. When it is necessary for the investigation of a crime and the establishment and maintenance of public prosecution
8. Where it is necessary for the court's judicial performance
9. Where it is necessary for the execution of punishment, probation, and protective measures;
③ When the personal information controller obtains consent under paragraph (2) 1, the
information should be communicated to the data subject. To change any of the following
In any case, this must be informed and consent must be obtained.
1. Persons to whom personal information is provided
2. Purpose of use of personal information (in case of provision, it refers to the purpose of use of the recipient)
3. Items of personal information used or provided
4. Period of retention and use of personal information (in the case of provision, the period of retention and use of the recipient is
say)
5. The fact that you have the right to refuse consent and there are disadvantages due to refusal of consent
In this case, the details of the disadvantage
④ Public institutions shall collect personal information in accordance with Paragraph 2 (2) through (6), (8) and (9).
In the case of using it for a purpose other than the intended purpose or providing it to a third party, the use or

100

Page 107

Necessary matters concerning the legal basis, purpose and scope of provision shall be prescribed by Ordinance of the Ministry of the Interior and Safety.
It shall be published in the Official Gazette or on the Internet website as prescribed.
⑤ The personal information controller shall use the personal information for the purpose of any of the subparagraphs of paragraph (2).
In the case of providing personal information to a third party for other purposes, the purpose of use,
Restriction on the method of use and other necessary matters, or the safety of personal information
It shall be requested to prepare necessary measures to secure it. In this case, the request
The person shall take necessary measures to ensure the safety of personal information.
Article 15 (Management of Use of Personal Information for Other Purposes or Provision to Third Parties) Public institutions are subject to Article 18 of the Act
In accordance with each subparagraph of Paragraph 2, personal information is used for purposes other than
the intended purpose, or it is transmitted to a third party.
The third chapter
In the case of provision, the following matters are prescribed by Ordinance of the Ministry of Government Administration
and Home Affairs.
dog
sign

The use of personal information for purposes other than the intended use and third party provision shall be recorded
and managed in the ledger.
tablet
see
see
of

1. Name of personal information or personal information file used or provided
2. The name of the user organization or the receiving organization

wife
Lee

Enforcement Decree
3. Purpose of use or purpose of being provided
4. Legal basis for use or provision
5. Items of personal information used or provided
6. Date, frequency or duration of use or provision
7. Forms of use or provision
8. Requested to impose restrictions or take necessary measures pursuant to Article 18 (5) of the Act;
In case the content

Article 2 (The purpose of the non-use of personal information by public bodies or third party providing the announcement) Public
The institution uses personal information for purposes other than the intended purpose or provides it to a third party (hereinafter referred to as “other purpose
"Use, etc."), Article 18 of the 「Personal Information Protection Act」 (hereinafter referred to as the "Act")
In accordance with Paragraph 4, within 30 days from the date of using personal information for other purposes,
The information should be published in the Official Gazette or on the Internet website. In this case, the Internet homepage
When posting, it shall be published continuously for more than 10 days, but on the day of publication, use other than the intended purpose is prohibited.
It must be within 30 days of the first date.
enforcement rules
1. Date of non-purpose use, etc.
2. Legal basis for non-purpose use, etc.
3. Purpose of use other than the purpose
4. Items of personal information used for other purposes, etc.
Article 3 (Books and Document Formats Related to Personal Information Protection) ① Article 18 (2 ) of the Act and 「Personal Information
Non-purpose use of personal information pursuant to Article 15 of the Enforcement Decree of the Protection Act (hereafter referred to as the “Spirit”);
The third-party ledger is the same as Attachment No. 1 form.

101

Page 108
Explanation of personal information protection laws and guidelines and announcements

Article 8 (Use and Provision of Personal Information for Other Purposes) ① The personal information controller shall comply with Article 18 (2) of the Act.
If personal information is provided to a third party for a purpose other than the intended purpose, the
Restrict the purpose of use, method of use, period of use, form of use, etc., or
Documents (including electronic documents) to prepare specific measures necessary to ensure safety
do. hereinafter the same) shall be requested. In this case, the person who received the request shall take measures accordingly.
and inform the personal data controller who provided the personal data of this fact in writing.
② A person who provides personal information to a third party for purposes other than the purpose pursuant to Article 18 (2) of the Act
standard guidelines
Responsible relationship between the person receiving the personal information and measures to ensure the safety of personal information
it should be clear
③ The personal information controller transmits personal information to the information subject pursuant to Article 18 (3) 1 of the Act.
In the case of notifying the recipient, the name (in the case of a corporation or organization, its name) and
You must also provide your contact information.
④ The personal information controller transmits personal information to a third party in accordance with Article 18 (2) 4 of the Act
In the case of providing it in a form that cannot identify a specific individual even when combined with other information,
should be provided

1. Prohibition of use and provision of personal information for purposes other than the purpose (paragraph 1)
The personal information controller notifies the information subject of the purpose of use and provision, and the scope of consent or this Act or
You must not use or provide personal information outside the scope permitted by other laws and regulations.
Can not be done.
Note 1 Use cases other than the purpose
· Marketing promotion materials such as education are sent to public officials without prior consent to the e-mail account address issued for business purposes.
Occation
· When a public official in charge of tax inquires about tax payment information about a person who is litigating with himself/herself and uses it for litigation
· The personal information collected for the purpose of product delivery is used to promote the company's separate products and services without prior consent.
· Personal information entered in order to apply for customer satisfaction surveys, promotional events, and sweepstakes is not processed by the company without prior consent.
Used to send advertisements for discount sales event information
· The personal information collected by the A/S center to handle customer complaints and complaints is used for advertising of its new products
· After collecting for DB marketing beyond the purpose of disclosure in light of the nature and purpose of disclosure, etc.
act of using

102

Page 109

Reference 2 Examples of provision other than the purpose
· If the public official in charge of welfare card at the community center does not consent to the provision of personal information (for publicity and marketing, etc.) of the welfare card applicant,
if not) is provided to the private tutoring company without the consent of the information subject
· The customer information collected by the home shopping company to deliver the ordered product is not transferred to the affiliated condominium company without the consent of the information subject.
used to send promotional materials for condominium sales

2. Exceptions to the prohibition of use and provision for purposes other than the purpose (paragraph 2)
Article 18 (2) 1 through 9 of this Act provide for the use of personal information for purposes other than the

The third chapter

Exceptional reasons that may be provided are stipulated. However, even in this case, the interests of the information subject or a dog
third party
When there is a risk of unfair infringement, personal information may be used for purposes other than the intended purpose or
cannot provide

sign
totablet
a third
see
see
of

party.

wife

On the other hand, the reasons for subparagraphs 5 through 9 are the use of personal information processed by public institutions
Lee for other purposes, or
It is limited to cases where it is provided to a third party.

If there is a separate consent of the information subject (No. 1)
If personal information is used or provided beyond the purpose of collection, consent to the processing of other personal information and
Separate consent for use and provision for purposes other than the purpose must be obtained.

In case there are special provisions in other laws (No. 2)
If there are special regulations on the use and provision of personal information for purposes other than the purpose of other laws,
Use and provision for purposes other than those intended are permitted.
As it is limited to the 'law', if there are related regulations only in the Enforcement Decree or Enforcement Rules,
Use or provision for other purposes is not permitted. However, there is a basis for delegation in the law, and accordingly, the Enforcement Decree
If there are provisions related to provision, it is allowed. In addition, in relation to the use and provision for purposes other than the
Since it is limited to 'there is a case', a case that is comprehensively stipulated such as 'fulfillment of obligations under the law' is also not allowed.

103

Page 110
Explanation of personal information protection laws and guidelines and announcements

ReferenceExamples of special provisions in other laws
· Investigations and questions by tax officials under Article 170 of the Income Tax Act
· Request for data from the Board of Audit and Inspection under Article 27 of the Board of Audit and Inspection Act
· Request to provide data from the Minister of Veterans Affairs in accordance with Article 77 of the Act on Courtesy and Support for Persons of National Merit, etc.
· Request for data provision from the Commissioner of the Military Manpower Administration pursuant to Article 81 (2) of the Military Service Act
· The Anti-Corruption and Anti-Corruption and Civil Rights Commission of the Anti-Corruption and Civil Rights Commission under Article 42 (1) and (3) of the Act on the Establishment and Operation of the Anti-Corruption and Civil Rights Commission;
Request for data submission, etc.

C. Purpose of statistical preparation and academic research (No. 4)
It is limited to cases where personal information is provided by processing a specific individual into an unrecognizable form. provided
Although a person may be able to identify a particular individual, the recipient will be able to identify the particular individual even with reasonable efforts.
Provided “personal information in a form that does not identify a specific individual” if it has been processed so that it cannot be identified
applicable. From the point of view of the person providing it, it is still possible to identify it, so it is still
do. EU GDPR requires personal data as necessary for public interest, scientific and historical research and statistical purposes.
Adequate safeguards for the rights and freedoms of data subjects, including pseudonymisation, in accordance with the principle of minimum processing;
In the case of intoxication, processing without the consent of the data subject is permitted. However, even in this case, if possible
It must be processed in such a way that the data subject cannot be identified (Article 89 EU GDPR).
The purpose of provision is as long as it is for statistical preparation or academic research, and the result should be sent where and for what purpose.
There are no restrictions on whether to use it. In other words, the result is not only the purpose of public policy establishment of public institutions, but also the
It can also be used for the purposes of market analysis, business strategy establishment, new product development, and service improvement.

If personal information is not used for purposes other than the intended purpose or if it is not provided to a third party,

la

In cases where it is impossible to perform the duties under the jurisdiction of other laws, the
In case of deliberation and resolution (No. 5)
Use or provision for purposes other than the purpose is prohibited in order for public institutions to carry out the affairs under their jurisdiction as stipulated by other laws.
There are times when it is unavoidable. Unconditional use and provision of personal information for the purpose of performing duties under its jurisdiction
If allowed, there is a lot of potential for abuse, so it is subject to deliberation and resolution by the Protection Committee. Enforcement Decree
It must not be the work under the jurisdiction specified in the enforcement regulations, but must be the work stipulated in the 'law'.
do. However, in cases where there is a basis for delegation in the Act and the relevant duties are stipulated in the Enforcement Decree and Enforcement Regulations
allowed

104

Page 111

E. Implementation of treaties and other international agreements by public institutions (No. 6)
Article 6 of the 「Constitution」 states that treaties concluded and promulgated under the Constitution and generally accepted international laws are not related to domestic laws and regulations.
stipulated to have the same effect. A treaty is a written agreement between countries.
Whether it is a treaty or a “convention, agreement, convention, declaration, or protocol” other than a treaty, regardless of its name,
If it is an agreement in writing, it becomes a treaty. Where a treaty has the same effect as domestic law and conflicts with relevant provisions
The general view is that the principle of preferential application of special laws applies. The special law provides for a certain person

Since the effect is effective with respect to time and place, at the time of concluding a treaty, the parties to the treaty
Since it must be considered that there is a consensus to apply the provisions as they are, there is no special legal requirement for the treaty.
position can be recognized. Therefore, in treaties or international agreements that have the effect of law,

The third chapter

If use or provision is stipulated, in order to implement these treaties, etc., even without the consent of the data subject

dog
sign
tablet
see
see
of

Personal information may be used or provided for other purposes.

wife
Lee

F) Investigation of crimes by public institutions and the establishment and maintenance of prosecution (No. 7)
In order for the personal information controller to provide the personal information it possesses for purposes other than the purpose of collection and use,
There are special provisions in other laws or the consent of the data subject must be obtained. That is, personal information other than public institutions
In principle, the processor must comply with the provisions of the Criminal Procedure Act, etc., even for the purpose of criminal investigation.
Therefore, only personal information can be requested.
However, in the case of public institutions, it is necessary for the investigative institution to conduct criminal investigations, indictment, and maintenance.
In this case, the personal information may be provided without the separate consent of the information subject. This is for the convenience of criminal investigation.
For personal information held by public institutions, use or use for other purposes without the consent of the information subject.
in order to be able to provide
< Necessity of exceptions and limitations for criminal investigation, indictment and maintenance >
· When the 「Personal Information Protection Act」 is applied to criminal procedures such as criminal investigation, indictment and maintenance, and execution of punishment, confidentiality of investigation is lost.
If it is leaked or the information subject's request for information disclosure or correction, etc., causes an obstacle to investigation, preventing and punishing crimes will be impossible.
There are concerns.
· When the investigation is completed and a prosecution is filed, the information subject can freely browse the investigation record in the court and collect his or her information.
It is possible to confirm, and in the case of a non-prosecution disposition, the information subject can view his or her information through a request for information disclosure.
Therefore, in relation to criminal procedures, even if the 「Personal Information Protection Act」 does not apply,
It should be seen that there is nothing neglected.
· However, even in the case of criminal investigation, there is a risk of unfairly infringing the interests of the information subject or a third party.
In this case, personal information cannot be used for purposes other than the intended purpose or provided to a third party.

105

Page 112
Explanation of personal information protection laws and guidelines and announcements

Investigation is an investigation of a criminal in order to determine whether or not to institute and maintain a prosecution by clarifying whether a crime is suspected or not.
It refers to the activities of investigative agencies (prosecutors, judicial police officers) that discover and secure and collect and preserve evidence. the investigation
In general, it is usually done before the indictment is filed, but after the indictment is filed, to maintain the public prosecution or to maintain the public prosecution
Investigations to determine whether or not
According to the Criminal Procedure Act, when it is believed that there is a suspicion of a crime, the public prosecutor shall examine the criminal, the facts of the crime and evidence.
(Article 195), and under the direction of a public prosecutor, a judicial police officer who recognizes that there is a suspicion of a crime
In this case, the investigation begins and proceeds on the criminal, the facts of the crime and the evidence (Article 196). The investigation is
It is initiated by subjective charges, and the clues to the investigation that are the cause of the investigation are accusation, accusation, surrender, complaint, crime
Reports, arrests of current offenders, autopsy of deceased persons, unsuspecting inspections, articles, rumors, etc.
Investigations are voluntary and compulsory investigations are exceptionally permitted only in cases stipulated by law.
(「Criminal Procedure Act」 Article 199). The voluntary investigation includes inquiry into public offices, etc. (Article 199 (2) of the Criminal Procedure Act);
Interrogation of the suspect (Articles 200 and 241 or less of the Criminal Procedure Act), investigation of a third party other than the suspect (“Criminal Procedure Act”)
Litigation Act, Article 221 (1) sentence 1), commissioning of appraisal, interpretation, and translation (Article 221 (2) of the Criminal Procedure Act), etc.
Since this principle of voluntary investigation does not mean the principle of freedom of voluntary investigation, voluntary investigation is also
It can be called a legitimate investigation only when the necessity and relevance are recognized.
In particular, personal information is not included in the data requested by public offices or inquiring into public offices for arbitrary investigation.
If included, possible personal information privacy by interpreting “when necessary for criminal investigation” more strictly
Decision-making rights should not be infringed upon.
If it is not based on a warrant, there are circumstances to suspect that the suspect has committed a crime, and
Personal information should be provided in a very limited way only when it can be recognized that there is a relationship,
Comprehensive consideration of all circumstances, such as the type and severity of the crime, and the degree of disadvantage to the information subject
Only in cases where the purpose of the investigation cannot be achieved without the use of personal information
will have to provide
In this regard, the 「Credit Information Act」 sets the basis for providing personal credit information in a warrant issued by the court,
In the case of an urgent matter when there is no time to obtain a warrant, the prosecutor shall issue a warrant after receiving personal information.
If a warrant is not received within 36 hours, the personal credit information provided shall be destroyed.
have. Therefore, the investigative agency has to deal with credit information companies that are public institutions under the 「Personal Information Protection Act」.
When requesting the provision of personal credit information, in principle, it must be based on a warrant.

Execution of judicial affairs of private courts (No. 8)
The court shall order correction of personal information held by public institutions for the smooth execution of the trial.
Data can be used or provided for other purposes without the consent of the data subject through an order to submit data.

106

Page 113

O type (刑
刑) and custody, enforcement of protective disposable (ninth)
For the smooth execution of sentences, probation (protective probation, treatment probation), and protective measures,
The use or provision of personal information for purposes other than the purpose is permitted.

3. Method of consent to use and provision for purposes other than the purpose (paragraph 3)
The agreement separate
The third chapter

When obtaining consent from the data subject for use and provision for purposes other than the intended purpose, separate from the initial consent
consent must be obtained Consent for use or provision for purposes other than the intended use or provision outside the scope
As it is consent to the provision, it is usually made in accordance with new needs that arise after the original consent.
It should be seen that it cannot be received together with the initial consent for the processing of personal information.

dog
ofsign
the original
tablet
see
see
of

consent

wife
Lee

B Notice when obtaining consent
In order to use the collected personal information outside the scope of the purpose of collection, it is necessary to obtain the consent of the information subject.
In this case, ① the purpose of use of personal information, ② items of personal information to be used, ③ period of retention and use of personal information;
④ The fact that the person has the right to refuse consent and matters concerning the disadvantages resulting from refusal of consent shall be notified. let me know
Even when there is a change in the matters, it must be notified again and consent must be obtained.
In order to provide the personal information being collected and used to a third party outside the scope of the purpose of collection and use,
The consent of the information subject is required, in this case ① The name of the person receiving the personal information (in the case of a corporation or organization,
Name), ② Purpose of use by the recipient, ③ Items of personal information provided, ④ Personal information of the recipient
Retention and use period, ⑤ The fact that you have the right to refuse consent and the disadvantages caused by refusal of consent to the information subject
should inform Even when there is a change in the information to be notified, it must be notified again and consent must be obtained.

4. Disclosure of use and provision for other purposes (paragraph 4)
If a public institution uses personal information for any other purpose or provides it to a third party, within one month
Regarding the legal basis for use or provision other than the purpose, the date, purpose, and item of use or provision, the Official Gazette or the Internet
It must be published and announced on the website. However, if the consent of the information subject is obtained, criminal investigation and prosecution
This is not the case when personal information is used or provided for other purposes for maintenance and maintenance.

107

Page 114
Explanation of personal information protection laws and guidelines and announcements

5. Protective measures in case of provision for purposes other than the intended purpose (paragraph 5)
The personal information controller shall use personal information for purposes other than the intended purpose in any of the cases falling under each subparagraph of Paragraph 2.
In the case of providing personal information to a third party, the purpose of use, method of use, and other
To restrict necessary matters or to prepare necessary measures to secure the safety of personal information;
must request In this case, the person receiving the request shall take necessary measures to ensure the safety of personal information.
shall. The safety of personal information between the person providing personal information and the person receiving the personal information
This is to clarify the relationship of responsibility.
When the personal information controller provides personal information to a third party for other purposes, the person receiving the personal information
In order to safely process personal information, certain restrictions are placed on the purpose of use, method of use, etc. or according to Article 29.
It shall be requested to take measures to ensure safety according to the requirements. The personal information controller shall be notified at the time of provision or
If necessary, the purpose of use, method of use, period of use, and form of use to the person receiving personal information after providing it
etc. or to prepare specific measures necessary to secure the safety of personal information;
Requests must be made in documents (including electronic documents; hereinafter the same shall apply). In this case, the person receiving the request
take action and notify the data controller who provided the personal data of this fact in writing (Standard Guidelines)
Article 8 Paragraph 1).

< Comparison of regulatory level of personal information by stage >
division

Collection, use and provision standards

· Do not unreasonably infringe upon the interests of data subjects or third parties.

common standard

It is possible to use and provide for other than the purpose only to the extent that it is not

· When consent of the data subject is obtained

agree

Standards for use and provision for other purposes

· In case of obtaining separate consent from the data subject

⇒ Collection, use and provision possible
· There are special provisions in the law or

(All personal information controllers)
· When there are special provisions in other laws

In case it is unavoidable to comply with the obligation(All personal information controllers)

legal regulations

⇒ Within the scope of collection and its purpose
Available/provided

· For public institutions to perform their duties
· If personal information is not used or provided for any other purpose,
Public institutions
In case of unavoidable
Inability to perform the business under the jurisdiction of other laws
undertaking
⇒ Within the scope of collection and its purpose
In some cases, after deliberation by the Protection Committee
Perform
Available/provided
case (applicable only to public institutions)
· Inevitably for the performance of the contract
In case of accompanying
contract performance
⇒ Within the scope of collection and its purpose
Available (not available)

108

Page 115

division

Collection, use and provision standards

Standards for use and provision for other purposes

· The life, body, or property of the data subject or a third
· The
party
information subject or his/her legal representative cannot express his/her intentions.
data subject

In case it is deemed necessary for profit

or

If you are in a non-existent state or if your address is unknown

When it is difficult to obtain the prior consent of the information
In a case where
subject
it is not possible to receive it, the data subject or

third party

⇒ Collection and use within the scope of the purposeFor the immediate benefit of life, body, and property of a third party

profit

available

When deemed necessary (all personal information controllers)

· Achieving the legitimate interests of the personal information controller
Privacy

It is clearly necessary for the data subject

processor's

If it takes precedence over the right

profit

⇒ Collection and use within the scope of the purpose

The third chapter

Yes (not available)
dog
sign
tablet
see
see
of

· For purposes such as statistical preparation and academic research

Statistics and academia

When providing a specific individual in a non-identifiable form

Research purpose

(All personal information controllers)
· For the implementation of treaties and other international agreements,

international agreement

wife
foreignLee
governments

or if necessary to provide to international organizations

implementation

(applies to public institutions only)
· Necessary for the investigation of crimes and the filing and maintenance of prosecution

criminal investigation, etc.

case (applicable only to public institutions)
· In case it is necessary for the court's judicial performance

trial

(applies to public institutions only)
· When necessary for the execution of punishment and probation

brother-in-law
Execution

(applies to public institutions only)

On the other hand, in the case of processing sensitive information and uniquely identifiable information, Articles 23, 24 and
As Article 24-2 applies as a special regulation, there is no separate treatment for sensitive information and unique identification information.
Consent or an explicit basis of legislation is required.

6. Relationship with other laws
The “Information and Communications Network Act” and the “Credit Information Act” each exceed the purpose of collecting personal information.
As it is stipulated that the use is prohibited, information and communication service providers and credit information users/providers, etc.
If personal information is used or provided for other purposes, it must be processed accordingly. However, under the “Information and Communications Network Act”
User information, personal information other than personal credit information under the “Credit Information Act” is subject to the provisions of the “Personal Information Protection Act”.
are subject to

109

Page 116
Explanation of personal information protection laws and guidelines and announcements

Article 24 (Restriction on Use of Personal Information) Information and communications service providers shall comply with the proviso to Articles 22 and 23 (1).
The purpose of collecting collected personal information from the user or the purpose specified in each subparagraph of Article 22 (2)
It must not be used for any other purpose.
Article 24 2 (such as providing the consent of the individual information) ① Telecommunications service providers are personal information of the user
In order to provide to a third party, except in cases falling under Article 22 (2) 2 and 3, any of the following
All matters must be informed to the user and consent must be obtained. Any of the following matters is changed
Information and Communications Network Act
The same shall also apply to cases where it is hardened.
1. Persons to whom personal information is provided
2. Purpose of use of personal information by the person receiving personal information
3. Items of personal information to be provided
4. Period of retention and use of personal information by the person receiving personal information
Article 32 (Consent to Provision and Use of Personal Credit Information) ① Provision of Credit Information and Users of Personal Credit Information
In the case of providing the information to another person, as prescribed by Presidential Decree, the credit information subject
Whenever personal credit information is provided in any of the following ways,
consent must be obtained However, the accuracy and accuracy of personal credit information within the previously agreed purpose or scope of use
This is not the case in order to keep up-to-date.
1. Written
2. An electronic document with a certified electronic signature under subparagraph 3 of Article 2 of the Electronic Signature Act (the Framework Act on Electronic Transactions);
Refers to electronic documents under subparagraph 1 of Article 2)
3. In consideration of the provision of personal credit information and the purpose of provision, the stability of consent to provide information and
A method of inputting personal passwords through wired and wireless communication that can ensure reliability
4. A method of notifying the individual of consent through wired or wireless communication and obtaining consent. In this case, whether
Evidence must be secured and maintained, such as a voice recording of the consent and the individual's response to it.
and go through a post-notification procedure as prescribed by Presidential Decree.
5. Other methods prescribed by Presidential Decree.
② A person who intends to receive personal credit information from a credit inquiry company or credit information collection agency
In any subparagraph of Paragraph (1), from the relevant credit information subject, as prescribed by Presidential Decree.
Credit Information Act
Each time you receive personal credit information in the appropriate way, you agree individually (for the purpose of consenting previously)
or to maintain the accuracy and freshness of personal credit information within the scope of use)
should get In this case, a person who intends to receive personal credit information will have a credit rating when inquiring about personal credit information.
When a decrease is possible, the relevant credit information subject shall be notified of this.
③ In the event that a credit inquiry company or a credit information collection agency provides personal credit information pursuant to Paragraph 2,
Whether the person who intends to receive the relevant personal credit information has obtained consent under paragraph (2) shall be determined by Presidential Decree.
It should be checked as determined.
④ When the credit information company, etc. obtains consent in relation to the provision and use of personal credit information,
As prescribed by Presidential Decree, essential agreements and other optional items for the provision of services
After explaining the terms of consent separately, consent must be obtained for each. In this case, the mandatory agreement is
The relevance to the provision must be explained, and the optional consent may not agree with the provision of information.
It should be noted that there is
⑤ The credit information company, etc. shall receive credit information on the grounds that the subject of the credit information does not agree to the optional consent.
The provision of services to the data subject shall not be refused.
⑥ When a credit information company, etc. provides personal credit information and falls under any of the following subparagraphs:
In this case, Paragraphs 1 through 5 shall not apply.

110

Page 117

1. Intensive management and utilization of a credit information company with another credit information company or a credit information collection agency;
if provided for
2. In order to entrust the processing of credit information pursuant to Article 17 (2) as necessary for the performance of the contract;
if provided
3. Transferring all or part of rights and obligations due to business transfer, division, merger, etc.
When providing personal credit information
4. Debt collection (applicable only to the collection of collection claims), the purpose of authorization/permission, determination of the creditworthiness of the company;
Where securities are provided to a person who uses them for the purpose prescribed by Presidential Decree, such as the acquisition of securities;
5. When provision is made in accordance with a court order to submit or a warrant issued by a judge
6. In urgent situations, such as when a serious risk to the life or body of the victim is expected due to the crime
In cases where there is no time to receive a warrant issued by a judge under subparagraph 5, a public prosecutor or judicial
Provided upon request by a police officer. In this case, the prosecutor who has been provided with personal credit information
will
The third chapter
A warrant shall be requested from a judge, and a judicial police officer shall apply to the public prosecutor and obtain a warrant upon request of the public prosecutor.
dog

You must file a claim, and you must not receive a warrant within 36 hours of receiving your personal credit information. sign
If not, the personal credit information provided must be destroyed without delay.
7. For questioning, inspection or investigation pursuant to the Tax-Related Act, the head of the competent government

tablet
see
see
agency
shall
of

When requesting or requesting the provision of tax data that is obligated to submit in accordance with the Tax Act

write in writing.

wife
Lee

If provided according to

8. In accordance with international agreements, etc., personal credit information possessed by a financial company is not disclosed to a foreign financial supervisory authority.
if provided
9. Acts of disorder in financial order prescribed by Presidential Decree, oligopoly shareholders of companies, and related persons such as the largest investor;
When providing information that can determine creditworthiness
10. In case of providing in accordance with other laws
⑦ A person who intends to provide or receives personal credit information to another person pursuant to each subparagraph of Paragraph 6
As prescribed by Presidential Decree, the facts and reasons for the provision of personal credit information must be confirmed in advance.
The data subject must be informed. However, if there are unavoidable reasons prescribed by Presidential Decree,
It may be notified or disclosed later through posting on the Internet website or other similar methods.
⑧ As a credit information provider/user who provides personal credit information to others pursuant to paragraph (6) 3
Regarding matters prescribed by Presidential Decree, such as the scope of credit information to be provided by a person prescribed by Presidential Decree,
It must be approved by the Financial Services Commission.
⑨ A person who has been provided with personal credit information with approval under paragraph 8
Separate management from personal credit information of current credit information subjects as determined by the committee
shall.
⑩ When a credit information company, etc. provides personal credit information,
Accordingly, the identity of the person receiving personal credit information and the purpose of use shall be confirmed.
⑪ Whether the credit information provider/user who provided personal credit information has obtained individual consent in advance pursuant to Paragraph 1?
If there is a dispute over whether or not there is, it must be proved.
Article 33 (Use of Personal Credit Information) Personal credit information includes financial transactions requested by the credit information subject.
It shall be used only for the purpose of determining whether to establish and maintain a commercial relationship. but,
This is not the case in any of the following cases:
1. In the manner specified in each subparagraph of Article 32 (1), an individual may use the method for purposes other than those set forth in the main body of this Article
If you agree to use for other purposes
2. Personal credit information directly provided by an individual (including credit information resulting from transactions with the individual);
When using for the purpose for which it was provided (for the purpose of introducing products and services or recommending the purchase of them)

111

Page 118
Explanation of personal information protection laws and guidelines and announcements

Except when used)
3. In the case of each subparagraph of Article 32 (6)
4. Other cases prescribed by Presidential Decree that are equivalent to the provisions of subparagraphs 1 through 3.
Article 34 (provided in the individual identification information, the use) available credit information, the user is needed to identify the individual
Articles 32 and 33 shall apply mutatis mutandis to the provision and use of information prescribed by Presidential Decree as information.

7. Penalty Regulations
violation

penalty

A person who uses personal information for other purposes or provides it to a third party; and
imprisonment of not more than 5 years; or
Knowing the circumstances, personal information for profit or fraudulent purposes
A fine of not more than 50 million won
recipient
(Article 71, subparagraph 2)
(Violation of Article 18 (1) and (2))

Violation of the duty to notify the data subject
(Violation of Article 18 (3))

A fine of not more than 30 million won
(Article 75 (2) 1)

8. Q&A
A plastic surgeon takes pictures of the plastic surgery results of plastic surgery patients and puts them on the hospital website's 'Success Cases of Plastic Surgery'

Q

Is there any problem with posting?

A

In order to use a photo of a patient's plastic surgery result for publicity purposes in a hospital, the 'picture taken by the hospital'
The information subject (patient) must be clearly informed of the fact that it is being published for 'publicity purposes' and consent must be obtained.
If the collected personal information is arbitrarily used for publicity purposes without a separate notice and consent process, it is
It falls under the 'act of using personal information for purposes other than the purpose'.

Q

Are there any problems with marketing using public information such as school yearbooks and reunion lists?

A

So-called 'public personal information' can only be used within the purpose for which it was originally disclosed. For example, reunion
In principle, the list can be used for mutual contact and friendship among the members.
It cannot be used for marketing activities without the consent of the member.

112

Page 119

Q

I received a request from the police station to submit the member's personal information for investigation. your consent
Can I provide member information to the investigation agency without it?

A

· In principle, in order for a business operator to provide a customer's personal information to a third party, the customer's consent is required.
However, if there are special provisions in the law, personal information may be provided without consent.
· 「Criminal Procedure Act」, 「Communication Secret Protection Act」, 「Telecommunication Business Act」, etc.
For investigation purposes, you may submit related materials if requested through the procedures stipulated by applicable laws.
The provision of personal information is permitted without the customer's own consent.
(Example: Procedures pursuant to Article 215 (confiscation, search, verification) of the Criminal Procedure Act)
· However, even if personal information is provided in accordance with relevant laws for criminal investigation,
You must provide a minimum amount of personal information.

The third chapter

dog
sign
tablet
see
see
of
wife
Lee

113

Page 120
Explanation of personal information protection laws and guidelines and announcements

Article 19 Restrictions on the use and provision of personal information
Article 19 (Restriction on Use and Provision of Persons Provided with Personal Information )
The person to whom the information is provided shall not use personal information except in any of the following cases.
law

It shall not be used for purposes other than the purpose for which it was provided or provided to a third party.
1. In case of obtaining separate consent from the information subject
2. If there are special provisions in other laws

1. Legislative purpose
If the person to whom the personal information is provided can process the personal information without restrictions, it is a personal information leak.
Or, there is a high risk of infringing on the rights of information subjects, such as illegal distribution. Therefore, the personal information provided
It is also necessary to place restrictions on the use and provision of such persons.

2. Receiver
It is limited to those who have been provided with personal information from the personal information controller. Therefore, personal information processing
This provision does not apply to the entrusted trustee.

3. Prohibition of use or provision of personal information other than the purpose of the person to whom it is provided
The person to whom the personal information has been provided may use or use the personal information for a purpose different from the purpose for which it was provided.
It must not be provided to a third party. The person providing personal information and the person receiving personal information
It is desirable to specify the purpose of providing and receiving personal information through
The name of the recipient (in the case of a corporation or organization, its name), ② the purpose of use of the recipient, ③
Items of personal information, ④ the period of retention and use of personal information by the recipient, ⑤ the fact that the recipient has the right to refuse consent
and the disadvantage of refusal of consent to the data subject.

3. Exceptions
In exceptional cases, where separate consent has been obtained from the data subject or there are special provisions in other laws
Use the personal information for purposes other than the purpose for which it was provided, or send it to a third party outside the scope of the purpose of collection and use.
can provide

114

Page 121

4. Relationship with other laws
As other laws do not have regulations related to 'restriction on the use and provision of personal information by persons provided with personal information',
Information and communications service providers, credit information users/providers, etc. shall collect personal information from personal information controllers in accordance with this Act.
If provided, personal information is not stored unless there is a separate consent of the information subject or special provisions in other laws.
You must not use it for any purpose other than the purpose for which it was provided or provide it to a third party.

5. Penalty Regulations
The third chapter

violation

penalty

A person who uses personal information for other purposes or provides it to a third party; and
imprisonment of not more than 5 years; or
Knowing the circumstances, but for profit or dishonest purposes
A fine of not more than 50 million won
Persons to whom personal information has been provided
(Article 71, subparagraph 2)
(violation of Article 19)

dog
sign
tablet
see
see
of
wife
Lee

115

Page 122
Explanation of personal information protection laws and guidelines and announcements

Article 20 Notification of collection sources, etc. of personal information collected from other than the information subject
Article 20 (Notification of sources, etc. of collection of personal information collected from other than the information subject) ① Personal information
When the processor processes personal information collected from other than the information subject, the
Upon request, all information in each of the following subparagraphs shall be immediately notified to the information subject.
1. Sources of personal information collection
2. Purpose of processing personal information
3. The fact that you have the right to request the suspension of processing of personal information under Article 37
② Notwithstanding Paragraph 1, the type and size of personal information processed, the number of employees and the scale of sales
A personal information controller who meets the standards prescribed by Presidential Decree in consideration of
When personal information is collected and processed from a person other than the information subject pursuant to paragraph (1) 1
law

All matters under each subparagraph of Paragraph 1 shall be notified to the information subject. However, the personal information controller
If the collected information does not include personal information that can be notified to the information subject, such as contact information,
In this case it is not so.
③ In the case of notification pursuant to the main text of Paragraph 2, the time, method and procedure of notifying the subject of information, etc.
Necessary matters shall be prescribed by Presidential Decree.
④ The main text of paragraphs 1 and 2 shall not apply to any of the following cases.
No. However, it is limited to cases where it clearly takes precedence over the rights of the data subject under this Act.
1. Personal information for which notification is requested is not included in any of the subparagraphs of Article 32 (2).
If it is included in the applicable personal information file
2. There is a risk of harming the life or body of another person due to the notice, or
If there is a risk of unfairly infringing on property and other interests
Article 15-2 (Personal Information Collection Source, etc. Subject, Method, Procedure) ① In the main sentence of Article 20 (2 ) of the Act
“Personal information controller who meets the standards prescribed by the Presidential Decree” means any of the following
One of the personal information controllers.
1. Sensitive information pursuant to Article 23 of the Act on more than 50,000 information subjects (hereinafter referred to as “sensitive information”)
(hereinafter referred to as “uniquely identifiable information”) pursuant to Article 24 (1) of the Act.
one who handles
2. A person who processes personal information about 1 million or more data subjects

Enforcement Decree
② The personal information controller falling under any of the subparagraphs of Paragraph 1 shall be subject to Article 20 Paragraph 1 of the Act.
Information in each subparagraph can be easily identified by the information subject, such as in writing, by phone, by text message, or by e-mail.
You must notify the information subject within 3 months from the date of receiving the personal information in this way.
However, with respect to the matters under Article 17 (2) 1 through 4 of the Act, the same Article (1)
Accordingly, personal information is periodically collected at least twice a year within the scope of obtaining the consent of the information subject.
In the case of receiving and processing personal information, the information must be processed within 3 months from the date of receiving the personal information.
From the date on which the subject is notified or consent is obtained, the information subject is notified at least once a year
should inform

116

Page 123

③ When the personal information controller falling under any of the subparagraphs of Paragraph 1 is notified pursuant to Paragraph 2
In accordance with Article 21 or Article 37 (4) of the Act, the relevant personal information may be destroyed in each of the following subparagraphs:
It should be stored and maintained until
1. Facts notified to data subjects
2. When it was announced
3. How to notify
Article 9 (Notice sources, such as collecting personal information) ① Privacy parties from other information subject
When processing the collected personal information, the request of the information subject shall be met unless there is a justifiable reason.
All matters under Article 20 Paragraph 1 of the Act to the data subject within 3 days from the date of
should inform However, this is not the case in any of the following cases:

The third chapter

1. Personal information for which notification is requested is not in any of the subparagraphs of Article 32 (2)
of the Act.
dog
sign
tablet
see
see
of

standard guidelines If it is included in the applicable personal information file
2. There is a risk of harming the life or body of another person due to the notice, or
If there is a risk of unfairly infringing on property and other interests

wife

② The personal information controller shall comply with the request of the information subject pursuant to Lee
the preamble of paragraph 1 in accordance with the proviso to paragraph 1.
In case of refusal, 3 days from the date of the request of the information subject unless there is a justifiable reason
The grounds and reasons for the refusal shall be notified to the data subject within the period.

1. Legislative purpose
The legislative purpose of Article 20 (1) is to collect personal information from public sources or to collect personal information from a third party other than the person himself/herself.
In the case of collection and processing, it is impossible to notify the information subject of the purpose of collection and use.
As there are many cases, the source is notified when the data subject requests it. However, the data subject
From my point of view, my personal information is collected from a publicly disclosed source or from a third party other than myself.
In the case of collection, it is practically difficult to know these facts. Therefore, Paragraph 2 of the same Article is the Presidential Decree
of personal information collected from other than the information subject to a large amount of personal information controller that meets the standards set forth
Informing the data subject of the source, the purpose of processing and the fact that he/she has the right to request the suspension of processing of personal information
was made to inform

2. Meanings other than data subjects
Personal information collected from other than the information subject includes information provided by third parties, newspapers, magazines, and the Internet.
This includes information that is publicly available and collected. For example, if a person DB operator is a school/institution website
This is the case in which personal information is collected through data disclosed to the public. but by itself
Produced or generated information is excluded.

117

Page 124
Explanation of personal information protection laws and guidelines and announcements

3. Notice period and notice
If there is a request from the information subject

Notification of the source of collection, etc. may be made at the request of the information subject. If there is a request from the data subject
① The source of collection of personal information, ② Purpose of processing, ③ The right to request suspension of processing of personal information in accordance with Article 37
It must be notified 'immediately (within 3 days from the date of receipt of the request)'. Therefore, the personal information controller
The source of collection of personal information must be managed.

I am a bulk personal information controller
Personal information controller i) Sensitive information according to Article 23 of the Act with respect to 50,000 or more data subjects or the Act
A person who processes uniquely identifiable information under Article 24 (1) or ii) 1 million or more data subjects
In the case of any of the persons processing personal information, even if there is no request from the information subject, ① collection
source, ② purpose of processing, ③ fact that you have the right to request suspension of processing of personal information in accordance with Article 37
You must notify the data subject within 3 months of receiving personal information. In this case, in writing, by phone, by text message,
You must notify the information subject in a way that can be easily identified by e-mail, etc.
(Including timing and method) The information must be managed until it is destroyed.
However, in Article 20 (2), personal information is provided with the consent of the information subject pursuant to Article 17 (1) 1 of the Act.
As it applies only to personal information collected from the personal information controller, it is not subject to the Information and Communications Network Act or the Credit Information Act.
Personal information collected from a person who provided personal information with consent in accordance with
It does not apply to information. In addition, information such as contact information is included in the information collected by the personal information controller.
If personal information that can be notified to the subject is not included, there is no need to notify.

4. Reason for refusal of notice
The personal information subject to notification is stored in the personal information file falling under any subparagraph of Article 32 (2).
If included, the personal information controller may not notify you. However, information under Article 20 (1)
In the event of refusal of the subject's request, the personal information controller shall provide the grounds and reasons for the refusal.
Notification must be made within 3 days from the date (Standard Guideline Article 9 Paragraph 2). than the rights of data subjects under this Act.
Only in cases where there is a clear priority.
In addition, there is a risk of harming the life or body of another person due to the notice, or
Even when there is a risk of unreasonably infringing on interests, the personal information controller may reject the information subject's request for notice.

118

Page 125

can For example, when an investigative agency informs the suspect of the identity of the informant or witness, the
You may refuse to disclose the source of personal information because it may be risky. provided, however, that information pursuant to this Act
It is limited to cases where it clearly takes precedence over the rights of the subject.

5. RELATIONSHIP TO OTHER LAWS
The “Information and Communications Network Act” and the “Credit Information Act” provide information to the information subject when collecting personal information from other than the information subject.
As it does not stipulate the obligation to notify the source of collection, the 「Personal Information Protection Act」
are subject to

The third chapter

dog
sign
tablet
see
see
of

6. Penal provisions
violation

wife
Lee

penalty

The source and purpose of the collection of personal information, and the purpose of the processing of personal information to the data subject
A fine of not more than 30 million won
A person who fails to inform that he/she has the right to request suspension
(Article 75 (2) 3)
(Violation of Article 20 (1) and (2))

7. Q&A
Q

When trying to create a person DB using personal information of professors, etc. disclosed on the university website, etc.
What should I do?
So-called 'public personal information' can only be used within the purpose for which it was originally disclosed. For example, reunion

A

If it is a list, it can be used only for mutual communication and friendship of the members, and the consent of the member is required.
It cannot be used for unobtained marketing activities, etc.
Professor’s personal information disclosed on the university website, etc. will be used for academic research, advice, writing activities, and contributions.
It seems that it is premised on the fact that it is not necessary to obtain consent from the data subject to collect personal information.
However, if requested by the information subject, the source of personal information, the purpose of processing, and personal information
You must inform them that you have the right to request the cessation of processing.

119

Page 126
Explanation of personal information protection laws and guidelines and announcements

Article 21 Destruction of personal information
Article 21 (Destruction of personal information ) ① The personal information controller shall process the personal information after the retention period has elapsed.
When the personal information becomes unnecessary, such as when the purpose is achieved, the personal information will be deleted without delay.
should be destroyed However, this shall not apply if it is required to be preserved in accordance with other laws and regulations.
No.
② When the personal information controller destroys personal information in accordance with Paragraph 1, it cannot be restored or reproduced.

law

measures should be taken to prevent
③ Without the personal information controller destroying personal information in accordance with the proviso to paragraph 1,
If it is necessary to preserve the relevant personal information or personal information file with other personal information
It should be stored and managed separately.
④ Matters necessary for the method and procedure for destruction of personal information shall be prescribed by Presidential Decree.
Article 16 (Method of Destruction of Personal Information ) ① The personal information controller shall destroy personal information in accordance with Article 21 of the Act.
In the case of destruction, it shall be done by a method according to the classification of each of the following subparagraphs.

1. In the case of an electronic file: Permanently deleted in a way that cannot be restored
Enforcement Decree
2. In the case of records, printed materials, writing, or other recording media other than those in subparagraph 1: Shred or incinerate
② Details regarding the safe destruction of personal information pursuant to Paragraph 1 shall be made by the Minister of the Interior and Safety.
determined and announced
Article 10 (Methods and Procedures for Destruction of Personal Information )
elapsed time, achievement of the purpose of processing personal information, abolition of the service, termination of business, etc.
When personal information becomes unnecessary, within 5 days thereafter, unless there is a justifiable reason
The personal information must be destroyed.
② 'Method that cannot be restored' in Article 16 (1) 1 of the Decree refers to the current level of technology.
Measures to make it impossible to restore destroyed personal information at an appropriate cost in accordance with social norms
say how
③ The personal information controller shall record and manage matters concerning the destruction of personal information.
standard guidelines
④ The person in charge of personal information protection shall check the destruction result after the destruction of personal information.
⑤ Regarding the destruction of personal information files by public institutions among personal information controllers, Article 55 and
Article 56 shall apply.
Article 11 (Preservation of personal information in accordance with laws and regulations) ① The personal information controller must comply with the proviso to Article 21 (1) of the Act.
In the event that personal information must be preserved without destroying it in accordance with laws and regulations,
It shall be stored and managed separately by physical or technical means.
② In the case of storing and managing personal information separately in accordance with paragraph 1, the personal information processing policy
to store and manage the relevant personal information or personal information files based on laws and regulations through
It should be made available to the data subject.

120

Page 127

Leakage and misuse of personal information if it continues to be retained even after the purpose for which it was collected has been achieved
As the possibility increases, by destroying personal information when it is no longer necessary
This is to keep your personal information safe.
If the personal information controller notifies the personal information retention period and obtains consent, when determining the retention period
Permanently if the purpose of retention is clearly to be permanently retained; otherwise, to the minimum necessary
should be decided In this case, the burden of proving that it is a necessary period is borne by the personal information controller (personal information
Protection Act Article 16).

1. Timing of destruction

The third chapter

The personal information controller shall destroy the
do. “When personal information becomes unnecessary”

dog
sign
tablet unnecessary.
personal information without delay when the personal information becomes
see
see
means that the purpose of processing personal information has been achieved
or the
of

wife
Abolition, business termination, etc. are included. Accordingly, the personal information controller shall be responsible for the achievement
of the processing purpose or
Lee

If the service or business is terminated, personal information must be destroyed within 5 days unless there is a justifiable reason.
(Article 10 Paragraph 1 of the Standard Guideline). Whether there is a need to preserve personal information should be objectively determined.
It should not be interpreted arbitrarily.
Referencewhen it becomes unnecessary
· Elapse of the retention period for which the personal information controller initially notified and obtained consent
· Achieving the purpose of collection, use, and provision of which consent is obtained or recognized by laws and regulations
· Extinction of the legal basis for personal information processing due to membership withdrawal, expulsion, termination of contractual relationship, withdrawal of consent, etc.
· Closing or liquidation of personal information controller
· Expiration of the payment completion date or the statute of limitations on bonds

2. Destruction method
When personal information is destroyed, it must be completely destroyed in a form that cannot be restored or reproduced.
Personal information recorded electromagnetically on hard disk, CD/DVD, USB memory, etc.
It cannot be recovered by deleting it in a technical way that cannot be played back or by destroying the medium in a physical way.
If it is in the form of a printout such as paper, it must be physically crushed or
The personal information must be completely destroyed by incineration.
In this case, the personal information controller must destroy the personal information in a way that cannot be restored, for example,
Even if electronically recorded personal information is deleted, if restoration technology is applied,

121

Page 128
Explanation of personal information protection laws and guidelines and announcements

There is a possibility that the information will be recovered. Therefore, in order to literally apply the 'impossible method'
It can be quite costly. To this end, the standard guideline is based on the societal belief that 'a method that cannot be restored'.
It refers to a method that requires an appropriate cost at the current level of technology (Article 10 Paragraph 2 of the Standard Guideline).

3. Destruction procedure
The personal information controller shall record and manage the destruction of personal information. purpose of holding
Destruction of achieved personal information is a legal obligation and penalties are imposed in case of violation.
It must be carried out under the responsibility of the person in charge of personal information protection, and the person in charge of personal information protection must confirm the destruction result.
(Article 10, Paragraph 4 of the Standard Guidelines).

4. Exceptions to the obligation to destroy
The personal information controller shall not destroy personal information in exceptional cases 'when it is required to be preserved in accordance with other laws and regulations'.
you don't have to If the personal information controller intends to preserve personal information without destroying it, the legal
The rationale should be clear.
Personal information of consumers who have already paid the bill because personal information can be preserved until the period of expiry of the bond
information should not be preserved. Without the consent of the member for credit management of credit card users
It is also a violation of the duty of destruction to preserve the personal information of the withdrawing member for a certain period of time. As a retention period in other laws
If the specified period has expired, it must be destroyed without delay.
When the personal information controller notifies the personal information retention period and obtains consent, when determining the retention period
The retention period must be set to the minimum required, and the burden of proof is borne by the personal information controller.
< Legislative examples stipulating the duty to preserve >
"electronic commerce
① Records on display and advertisement: 6 months
in etc.
② Records on contract or subscription withdrawal: 5 years
consumer protection
③ Records on payment and supply of goods: 5 years
Act” Article 6 and
④ Records on consumer complaints or dispute resolution: 3 years
Concurrent Enforcement Decree Article 6

① Data confirming communication facts in accordance with subparagraph 11 (a) through (d) and (f) of Article 2 of the Act: 12 months
「 Communication Secret Protection Act」
」
② Among the above data, communication confirmation data, which is data related to intercity/local phone service: 6 months
Article 15-2 and
③ Communication confirmation data (computer communication or Internet) pursuant to Article 2, Subparagraph 11 (e) and (g) of the Act
Concurrent Enforcement Decree Article 41
Log record data, access tracking data that can confirm the location of information and communication devices): 3 months

122

Page 129

① Patient list: 5 years
② Medical record book: 10 years
③ Prescription: 2 years
④ Surgical record: 10 years
⑤ Record
of examination findings: 5 years
「 Medical Act」
」 Enforcement
Rules
⑥ Radiography and its opinion: 5 years

Article 15

⑦ Nursing record: 5 years
⑧ Midwifery record book: 5 years
⑨ A copy of the medical certificate, etc. (The medical certificate, death certificate, and autopsy report, etc. shall be kept separately)
: 3 years

The third chapter

5. Preservation method of personal information required by law
If the personal information controller preserves the personal information without destroying it in accordance with laws and

dog
sign
tablet
see
see
regulations,
of

the personal information

wife

Alternatively, personal information files should be stored and managed separately from other personal information. UndestroyedLee
information is existing
If it is mixed with personal information, for example, when sending an e-mail to members, the
As in the case of sending together, the risk of use, leakage, or misuse of personal information for purposes other than the purpose of personal information increases.
rules to prevent this. Undestroyed information is solely for the purpose of keeping it under other laws
It should be managed so that it can be processed only within the scope.

6. Relationship with other laws
As the 「Information and Communications Network Act」 stipulates on the destruction of personal information of information and communication service users,
Destruction of users' personal information is subject to the 「Information and Communications Network Act」, but in the 「Information and Communications Network Act」
For matters not stipulated, the 「Personal Information Protection Act」 shall be followed.
As the 「Credit Information Act」 does not provide for the destruction of personal credit information, the 「Personal Information Protection Act」
follow However, if a credit information company or credit information concentrating institution goes out of business, the information held shall be destroyed.
Therefore, in relation to this, it is in accordance with the provisions of the relevant notice.
Article 29 (destruction of the individual information) ① Telecommunications service providers and the like corresponding to each of the following either favor
In this case, the personal information must be destroyed without delay so that it cannot be recovered or reproduced. However, other
This is not the case where personal information must be preserved in accordance with the law.
1. Consent has been obtained pursuant to Article 22 (1), the proviso to Article 23 (1) or Article 24-2 (1) and (2);
Information and Communications Network Act
The purpose of collection and use of personal information or the relevant purpose specified in each subparagraph of Article 22 (2) has been achieved.
Occation
2. Consent has been obtained pursuant to Article 22 (1), the proviso to Article 23 (1) or Article 24-2 (1) and (2);

123

Page 130
Explanation of personal information protection laws and guidelines and announcements

When the period of retention and use of personal information has expired
3. In the case of collection and use without the consent of the user pursuant to Article 22 (2), Article 27
When the period of retention and use of personal information pursuant to Paragraph 2 (2) 3 has expired
4. When the business is closed
② Information and communication service providers, etc. shall not use information and communication services for a period of one year.
Destruction of personal information, etc. as prescribed by Presidential Decree to protect users' personal information
Take the necessary action. However, for the period, other laws and regulations or requests from users
In case otherwise specified, it shall be followed.
③ Information and communications service providers, etc. shall be responsible for the destruction of personal information 30 days before the expiration of the period under Paragraph 2.
Fact, expiration date of period and items of personal information to be destroyed, etc. by e-mail
Users shall be notified in a manner prescribed by Presidential Decree, such as
Article 21 (Processing of Information Retained upon Closing of Business) When a credit information company or credit information concentration institution intends to close its business,
Retained information shall be disposed of or destroyed as determined and publicly notified by the Financial Services Commission.
Article 20 2 (Retention of personal credit information, etc.) ① provide credit information, such as user-commerce related financial transactions
(excluding employment relationship; hereinafter the same shall apply) from the date of termination to the deadline determined and publicly notified by the Financial Services Commission
Reinforcing access rights so that the personal credit information of the credit information subject can be safely protected, etc.
It shall be managed as prescribed by Presidential Decree.
② Credit information provision/users are subject to a maximum of 5 years from the date on which commercial transactions such as financial transactions are terminated.
(If the purpose of information collection and provision has been achieved before the relevant period, from the date the purpose is achieved
Within 3 months), the personal credit information of the subject of credit information must be deleted from the management target.
However, this is not the case in each of the following subparagraphs.
Credit Information Act1. In case it is unavoidable to fulfill obligations under other Acts;
2. When it is deemed necessary for the immediate benefit of an individual's life, body, or property;
3. Other personal credit, such as for payment of deposits and insurance money, and to prevent insurance fraudsters from re-subscribing
Cases prescribed by Presidential Decree as it is necessary to preserve information
③ Credit information provision and user retention of personal credit information in accordance with the proviso to paragraph 2
In this case, by Presidential Decree, such as separating it from the personal credit information of the current credit information subject.
It must be managed as determined.
④ Credit information provision/users using personal credit information stored separately in accordance with paragraph (3)
In this case, the credit information subject must be notified.
⑤ Types of personal credit information under paragraphs 1 and 2, management period, method and procedure for deletion, financial transactions, etc.
The standards, etc. of the date on which the commercial relationship is terminated shall be prescribed by Presidential Decree.

Whether Article 21 of the 「Personal Information Protection Act」 applies to information and communications service providers

Interpretation

(Ministry of Law 15-0641, 2015.11.20., civil petitioner)

In order to view a law or regulation as a special law or a special regulation with respect to another law or regulation,
There is an explicit regulation that excludes the regulation, or the two laws and regulations contradict or conflict with each other for the same subject, so
Only when there is a relationship where a specific law takes precedence over other laws and is applied exclusively to a specific area, person, act, etc.
will do However, in Article 29 (1) of the Information and Communications Network Act, information and communications service providers, etc. must agree to their collection and use.
Even when the period of retention and use of the received personal information has expired (subparagraph 2), if personal information must be preserved in accordance with other laws,
It is only stipulated not to destroy the personal information, but to protect the personal information of the person who has canceled the information and communication service use contract.

124

Page 131

As there are no regulations regarding the storage and management of the relevant personal information separately as a measure for
Article 29 (1) and Article 21 (3) of the 「Personal Information Protection Act」 do not overlap and contradict or conflict with each other.
There is no legal basis for considering Article 29 Paragraph 1 of the Information and Communications Network Act as a special provision for Article 21 Paragraph 3 of the 「Personal Information Protection Act」.
In addition, in Article 29 Paragraph 2 of the Information and Communications Network Act and Article 16 of the Enforcement Decree of the same Act, the contract for the use of information and communications services is temporarily suspended.
Even the user's personal information is destroyed or separated and stored and managed.
The personal information of a person who no longer needs to keep the personal information by the information and communications service provider, etc. shall be destroyed or stored separately.
Interpretation of management as unnecessary is to protect personal information so that information and communication services can be safely used.
It brings unreasonable results that do not fit the purpose of the Information and Communications Network Act and the 「Personal Information Protection Act」. same as above
In summary, the personal information of the person who has canceled the information and communication service use contract shall not be destroyed in accordance with Article 85-3 (2) of the Framework Act on National Taxes.
In cases where the information and communications service provider (mobile communications business operator) has to preserve the information without noticing it, in accordance with Article 21 (3) of the Personal Information Protection Act,
The personal information should be stored and managed separately from other users' personal information.
The third chapter

dog
sign
tablet
see
see
of

7. Penalty Regulations
violation
Non-destruction of personal information
(Violation of Article 21 (1))
If personal information is not stored and managed separately
(Violation of Article 21 (3))

wife
Lee

penalty
A fine of not more than 30 million won
(Article 75 (2) 4)
A fine of not more than 10 million won
(Article 75 (3) 1)

8. Q&A
We are trying to destroy the personal information of members who have withdrawn from the shopping mall, but some members have

Q

Non-payment or product A/S period remaining. What to do in this case?
A business operator must destroy personal information within 5 days when the purpose of collection and use of personal information has been achieved.

A

However, in exceptional cases, personal information must be preserved in accordance with other laws.
It can be preserved without destroying it.
For example, in the Act and Enforcement Decree on Consumer Protection in Electronic Commerce, payment and goods
As records about supply are kept for 5 years, such as inquiries, non-payment of charges, A/S, etc.
If applicable, personal information can be kept for 5 years in accordance with the same Act.

125

Page 132
Explanation of personal information protection laws and guidelines and announcements

Q

We held a prize lottery event for customers of discount mart, and after the event ended,
How do I process the application form?
If the sweepstakes event has ended and the announcement of the winners and the delivery of prizes are all over, after that,

A

Unless you have obtained separate consent for the period of retention and use of personal information, personal information is recorded within 5 days.
The application form must be destroyed.

There is no separate membership withdrawal menu on our website, and through bulletin board application or e-mail

Q

We are accepting and processing applications for withdrawal. A member posted a message on the bulletin board requesting membership withdrawal three times.
I left it, but I couldn't handle it because I was busy with other work. What is the problem?

A

The business operator withdraws consent to the collection, use, provision, etc. of the personal information of the information subject, or
In case of request for inspection or provision of information, necessary measures shall be taken within 10 days.
In the case of an online membership withdrawal application, such as an inquiry, a withdrawal system must be established or the person in charge
As it can be checked and processed immediately, the request for withdrawal from membership 3 times without any justifiable reason can be requested for more than 10 days.
Any delay constitutes failure to take necessary action “without delay”.

126

Page 133

Article 22 How to obtain consent
Article 22 (Method of Obtaining Consent) ① The personal information controller shall be responsible for the processing of personal information under this Act.
of information subjects (including legal representatives under paragraph 5; hereafter the same shall apply in this Article);
When consent is obtained, each consent is classified and the information subject clearly recognizes it
You must inform them to do so and obtain consent from each.
② The personal information controller shall be subject to Article 15 (1) 1, 17 (1) 1, 23 (1) 1
and to obtain the consent of the data subject for the processing of personal information pursuant to Article 24 (1) 1.
In this case, information can be processed without the consent of the data subject for the purpose of signing a contract with the data subject.
It is necessary to distinguish between personal information and personal information that requires the consent of the information subject. In this case, without consent
The third chapter

The burden of proof that it is personal information that can be processed is borne by the personal information controller.
③ The personal information controller shall not promote or recommend the sale of goods or services to
law

In order to obtain consent for the processing of personal information for
It must be informed and consent must be obtained.

dog
the sign
data
tablet
see
see
of

subject.

wife

④ The personal information controller shall determine the matters to which the information subject can selectively
consent in accordance with Paragraph (2).
Lee
It means that you do not agree or that you do not consent under Paragraph (3) and Article 18 (2) 1.
The provision of goods or services to the data subject shall not be refused for any reason.
⑤ The personal information controller shall comply with this Act in order to process personal information of children under the age of 14.
When consent is required, the consent of the legal representative must be obtained. In this case the court
The minimum information necessary to obtain the consent of the representative is not applicable without the consent of the legal representative.
It can be collected directly from children.
⑥ In addition to the matters stipulated in Paragraphs 1 through 5, detailed information obtained with the consent of the data subject
The necessary matters regarding the method and the content of the minimum information pursuant to Paragraph 5 are the
It is prescribed by Presidential Decree in consideration of the collection media, etc.
Article 17 (Method of Obtaining Consent) ① The personal information controller shall be responsible for the processing of personal information in accordance with Article 22 of the Act.
In respect of this, you must obtain the consent of the information subject in any of the following ways:
do.
1. A document with the contents of consent is issued directly to the information subject, or by mail or fax
Method of delivery and obtaining consent signed or sealed by the data subject
2. Notifying the information subject of consent over the phone and confirming the intention to consent
Way
Enforcement Decree
3. Inform the information subject of consent over the phone and provide the information subject with an Internet address, etc.
After confirming the consent through the
How to confirm the intention to consent to
4. Post the contents of consent on the Internet website, etc. and ask the information subject to indicate whether or not they consent
How to
5. By sending an e-mail with the contents of consent,
How to receive e-mail

127

Page 134
Explanation of personal information protection laws and guidelines and announcements

6. Other consent methods similar to those provided for in subparagraphs 1 through 5.
How to inform the content and confirm the intention to consent
② The personal information controller receives information from the data subject in Article 18 (2) 1 and 22 (3) of the Act.
In accordance with the provisions of Article 22 (2) of the Act,
In order to obtain consent, the information subject must be aware of the fact that he or she can choose whether to consent.
In order to clearly confirm it, it is separated from matters other than those that can be selectively agreed to.
should be indicated
③ In accordance with Article 22 (5) of the Act, the personal information controller shall be the legal representative of children under the age of 14.
In order to obtain consent, the name and contact information of the legal representative directly from the child
information can be collected.
④ The head of the central administrative agency is for each personal information controller in his/her jurisdiction among the consent methods under paragraph (1).
Regarding the appropriate consent method in consideration of the nature of the business, the type of business and the number of data subjects
The standards are the personal information protection guidelines under Article 12 (2) of the Act (hereinafter referred to as “personal information protection guidelines”).
) and recommend to the personal information controller to obtain consent in accordance with the standards.
have.
Article 12 (How to get consent) ① Privacy principal characters of information with respect to the processing of personal data
When consent is obtained, personal information that can be processed without the consent of the information subject and the
Personal information that requires consent must be classified, and the consent of the information subject is the individual who requires consent.
information only. In this case, the burden of proving that it is personal information that can be processed without consent is the individual
The data controller bears the responsibility.
② The personal information controller shall notify the information subject in any of the following cases:
The matters under each subparagraph of Article 18 (3) of the Act shall be notified and consent shall be obtained.
1. In the case of collection and use of personal information, in accordance with Article 15 (1) 2 to 6 of the Act
If not applicable
2. In order to use or provide personal information for purposes other than the purpose of collection pursuant to Article 18 (2) of the Act
if
standard guidelines
3. In accordance with Article 22 (3) of the Act, to promote or sell goods or services to data subjects
If you would like to recommend
4. In cases where it is necessary to process unique identification information other than resident registration number, the unique identification information required by law
If there is no basis for processing
5. In case sensitive information is processed and there is no basis for processing sensitive information in laws and regulations
③ If the personal information controller intends to process personal information under each subparagraph of Paragraph 2,
The data subject must be explicitly informed that he or she can choose to consent or refuse consent.
④ Personal information controller without the consent of the information subject pursuant to Article 15 (1) 2 to 6 of the Act
In the case of collecting personal information, information such as the legal basis for collecting personal information
Efforts should be made to inform the subject.
⑤ The personal information controller shall obtain consent by telephone in accordance with Article 17 (1) 2 of the Decree.
In this regard, when recording the contents of a call, the information subject must be informed of the recording.

128

Page 135

⑥ In order for the personal information controller to operate a friendly organization, in any of the following subparagraphs:
In the case of collecting relevant personal information, personal information is collected without the consent of the information subject.
Available.
1. The name, contact information, and common management stipulated in the bylaws of the friendship organization for membership in the friendship organization
Personal information related to the audit or goal
2. Matters concerning the payment status of expenses necessary for the maintenance of friendship, such as membership dues of a friendship organization;
3. Matters concerning the participation of members in the activities of the social group and the details of the activities;
4. For mutual friendship and harmony among members of other social groups, members give to other members
Matters related to birthdays, tastes, and family's Aekyungsa that you want to know
⑦ In the event that the personal information controller prepares a consent form to obtain the consent of theThedata
thirdsubject,
chapter
The 「Guidelines for writing consent form for collection and provision of personal information」 must be complied
with.
dog
sign
Article 13 (Consent of Legal Representative) ① In accordance with Article 17 (3 ) of the Decree , the personal
information controller
tablet

When collecting the representative's name and contact information, the child's identity, contact information,see
and legal
You must indicate the reason for wanting to collect the name and contact information of the representative.

see
of

wife

② The personal information controller shall store the personal information of the legal representative collected
Lee pursuant to Article 22 (5) of the Act.
It must be used only for the purpose of obtaining the consent of the legal representative, and the consent of the legal representative
5 days from the date of collection if there is a refusal or if the consent of the legal representative is not confirmed
must be destroyed within

The data subject has the right to decide and choose whether to consent to the processing of personal information, but
In practice, the consent of the data subject is often compulsory, so it is important to guarantee the data subject's right to self-determination of personal information.
For this purpose, the method of consent is specified by law.

1. Classification of consent matters: Prohibition of comprehensive consent (paragraph 1)
When the personal information controller obtains the information subject's consent for the processing of personal information, each
Separately, inform the data subject so that they can clearly recognize each consent, and each consent must be obtained.
do. In accordance with the Personal Information Protection Act, the collection and use consent (Article 15 (1)
Subparagraph 1), consent to provision to a third party (Article 17 (1) 1), consent to provision to an overseas third party (Article 17 (3)), for marketing purposes
There are consent to processing (Article 22 (3)) and consent of a legal representative (Article 22 (5)).
For reference, the 「Personal Information Protection Act」, in particular, provides information subjects that require more careful decision-making.
For matters, make sure that you decide whether to agree or not with a clear understanding of the contents and meaning of consent.
Separate consent is required to distinguish it from ordinary consent. Even at this time, the personal information controller
You must take measures and obtain consent to indicate whether you agree or not separately from the purpose of other personal information processing.

129

Page 136
Explanation of personal information protection laws and guidelines and announcements

do. If you need to obtain separate consent separately from other consent, consent to use and provision for purposes other than the purpose (Article 18)
Paragraph 2 (1)), restrictions on the use and provision of personal information (Article 19 (1)), consent to the processing of sensitive information (Article 23)
Paragraph 1 (1)), consent to processing unique identification information (Article 24 (1) 1), etc. are applicable. For example, unique identification information
When collecting (excluding resident registration number), “consent to collection, use, and provision of unique identification information” must be given to health information.
When collecting information related to health information (sensitive information), separate “consent to collection, use, and provision of health information (sensitive information)”.
The purpose, etc. must be notified and consent must be obtained.

2. Classification of matters requiring consent and matters that can be handled without consent (Section 2)
The personal information controller is responsible for personal information that does not require the consent of the information subject and individuals who require the consent of the data subject.
Information should be separated. For personal information that does not require the consent of the information subject, the conclusion and performance of the contract
information necessary to comply with laws and regulations, and urgent protection of life, body, and property interests.
This includes information necessary for the purpose of personal information processing and information necessary to achieve the legitimate interests of the personal information controller.
In this case, consent is not required. The burden of proving that consent is not required lies with the personal information controller.
(Standard Guidelines Article 12 Paragraph 1).
On the other hand, information necessary for product advertising and sales, information necessary for customer tendency analysis, and unique identification information
(Excluding resident registration number), the consent of the information subject is required for the collection and use of sensitive information and VIP member registration information.
need. On the other hand, it is divided into personal information that requires the consent of the information subject and personal information that does not require consent.
In such a case, when the personal information controller intends to obtain consent for the former, the latter
The data subject must be informed. This applies only to personal information that the data subject has consented to processing.
Misunderstood that information processing takes place and receive only incomplete information about the processing of personal information.
in order not to
ReferenceValidity of Agreement to Terms and Conditions
In the event that the agreement to the terms and conditions and the processing of personal information is received at one time, the information subject is subject to his/her personal information
Because there is a risk of not being aware of the details of the processing and it may be difficult for the information subject to exercise his/her choice
Consent to the processing of information must be obtained separately from consent to the terms and conditions.

3. How to consent to marketing advertisements (paragraph 3)
When obtaining consent for the processing of personal information for the purpose of soliciting or promoting the sale of products, the information subject
The fact that it is used for sales solicitation or publicity must be distinguished from other consent so that the data subject can clearly recognize it.
You must notify them and then obtain consent.

130

Page 137

4. Prohibition of refusal to provide goods and services (paragraph 4)
Consent to the data subject to process optional information (paragraph 2), consent to direct marketing (paragraph 3), other purposes
Because of refusal to consent to use and provision (Article 18 (2) 1), the personal information controller
or refuse to provide essential services. Also, you do not agree to the collection of personal information.
Refusal to provide goods or essential services for any reason is also prohibited (Article 16(2)). But
Rejection based on reasonable grounds is possible.
ReferenceExamples of Reasonable Reasons
· Suspension of service provision if you do not agree to information provision and sharing while integrating affiliate customer information DB
It is illegal, but refusal of a free long-term parking ticket for 5 years to customers who have consented to provide and share information
It's not illegal.
· It is illegal to refuse to issue a credit card or to become a member of the shopping mall because you do not agree to receive advertisement
It is not illegal to not give points or miles that are only awarded to mail recipients.

The third chapter

dog
sign
tablet
emails.see
see
of

wife system.
· If it is impossible to purchase goods or services without registering as a member, it is a violation of the minimum collection principle or a membership
Lee

Otherwise, it is not illegal if there is a reasonable reason that it is practically difficult to sell goods or services (Internet banking, etc.).

5. Consent of the legal representative on behalf of the child (paragraph 5)
In the case of children under the age of 14, there is a lack of awareness of the importance or risk of personal information, and information collection
Due to the lack of ability to assess the authenticity of the purpose, reckless information collection targeting children is prohibited.
To prevent this, a legal representative is required to obtain consent on behalf of the minor.
A legal representative is a person who has become an agent in accordance with the provisions of the law without his/her will, and
Persons with parental authority (Articles 909, 911, 916, and 920 of the Civil Act), guardians (Articles 931 through 936 of the Civil Act);
This includes the property manager of an absentee appointed by the court (Articles 22 and 23 of the Civil Act).
In order to obtain the consent of the legal representative, it is necessary to know the name and contact information of the legal representative.
The minimum information (name and contact information) required to obtain the consent of the representative is not obtained without the consent of the legal representative.
It can be collected directly from the child. In this case, the child's identity, contact information, and court
The reason for wanting to collect the name and contact information of the agent shall be informed (Standard Guideline Article 13 Paragraph 1). Also
The personal information of the legal representative collected from the child shall be used only for the purpose of obtaining consent.
In the case where the intention to refuse is confirmed and 3 days have elapsed without confirmation of consent, the
Personal information must be destroyed (Standard Guideline Article 13 Paragraph 2).

131

Page 138
Explanation of personal information protection laws and guidelines and announcements

6. Detailed consent method in consideration of personal information collection media, etc.
The consent of the data subject is not limited to some specific methods, but the privacy of the data subject is protected.
In order to do this, the fact that the data subject has actually consented must be able to be clearly confirmed. Therefore, personal information
For the convenience of the processor, after sending an e-mail asking for consent in bulk,
In the absence of such a method, it is not appropriate to consider it as consent.
The Personal Information Protection Act provides detailed consent acquisition methods in consideration of the personal information collection medium, etc. in the Presidential Decree.
By delegating it, it is possible to present standards for appropriate methods of obtaining consent according to specific circumstances.
Accordingly, in the Presidential Decree, as a detailed method of obtaining consent, ①
Issued directly to the subject or delivered by mail or fax, and signed or sealed by the data subject.
How to obtain consent, ② Inform the information subject of consent over the phone and express consent
How to confirm, ③ Inform the information subject of consent over the phone and provide the information subject with an Internet address, etc.
After confirming the consent through the
How to confirm, ④ Post the contents of consent on the Internet homepage, etc. and ask the information subject to indicate whether or not consent is given
How to do this, ⑤ By sending an e-mail with the contents of consent,
Listed as a method of receiving e-mail, and agree to other methods similar to the above 5 methods
It is stipulated that the contents can be notified and the expression of consent can be confirmed. This includes electronic documents
How to notify the information subject of consent and the information subject to receive an electronic signature, a text message from a personal phone number
The same applies to consent using a message and a method to enter a credit card password.

7. Relationship with other laws
Since the “Information and Communications Network Act” and the “Credit Information Act” stipulate how to obtain consent, information and communications services
Providers and credit information use/providers may each obtain consent in accordance with applicable laws and regulations.
However, in the case of obtaining consent from a child under the age of 14 to collect, use, and provide personal information,
The 「Credit Information Act」 does not have any related regulations, so the 「Personal Information Protection Act」 will follow.
According to the 「Information and Communications Network Act」, consent to collection, use and provision of personal information from children under the age of 14 is required.
In the case of receiving the information, the consent of the legal representative must be obtained, and the minimum information of the legal representative is given to the child.
stipulated that it may be requested. Therefore, information and communications service providers, etc. shall comply with the 「Information and Communications Network Act」 in this case.
follow

132

Page 139

Article 24 2 (such as providing the consent of the individual information) ① Telecommunications service providers are personal information of the user
In order to provide to a third party, except in cases falling under Article 22 (2) 2 and 3, any of the following
All matters must be informed to the user and consent must be obtained. Any of the following matters
The same shall apply where it is changed.
1. Persons to whom personal information is provided
2. Purpose of use of personal information by the person receiving personal information
3. Items of personal information to be provided
4. Period of retention and use of personal information by the person receiving personal information
② A person who has received personal information of a user from an information and communications service provider pursuant to Paragraph 1 shall
Personal information is not provided to a third party unless there is a user's consent or there are special provisions in other laws.
It shall not be used for any purpose other than the purpose for which it was provided or provided.
③ The information and communications service provider, etc. under Article 25 (1) must agree to the provision under paragraph (1) and
The third chapter
When obtaining consent to entrust the processing of personal information under Article 25 (1), the individual under Article 22
dog
sign
tablet
see
see
of

It must be obtained separately from consent to the collection and use of information, and because
You must not refuse to provide services.
Article 26-2 (Method of obtaining consent) Article 22 (1), Article 23 (1) proviso, Article 24-2 (1) and (2);

Consent under Article 25 (1), the proviso to Article 26 (3) or Article 63 (2) (hereinafter “personal information collection and

wife

The method of obtaining “consent to use and provision, etc.”) includes the collection medium of personal information, the characteristics
of the industry, and the
Lee
It shall be determined by Presidential Decree in consideration of the number, etc.
Information and Communications
Network
Act
Article 31 (Rights
of Legal
Representative) ① Information and communication service providers, etc. from children under the age of 14
In order to obtain consent for the collection, use and provision of personal information, the consent of the legal representative must be obtained.
In this case, the information and communications service provider shall provide the child with the necessary
Minimum information such as the name of the legal representative may be requested.
“ Enforcement Decree of the Information and Communications Network Act ”
Article 12 (Method of Obtaining Consent) ① Information and communication service providers, etc. obtain consent pursuant to Article 26-2 of the Act.
The method shall be any of the following subparagraphs. In this case, the information and communication service provider, etc. must obtain consent
so that users can clearly recognize and confirm the matters to be done (hereinafter referred to as “consent contents”);
should be indicated
1. How to post consent on an Internet site and allow users to indicate whether they agree or not
2. A document containing the contents of consent is delivered directly to the user, or through mail or facsimile transmission
A method of delivering the consent and having the user sign and seal the consent and then submit it
3. By sending an e-mail with the contents of consent, the e-mail with the intention of consent from the user
How to receive mail
4. Inform the user of consent over the phone and obtain consent or consent to Internet address, etc.
Instructions on how to check the contents and how to obtain consent through a phone call again
② Information and communication service providers, etc. must indicate all consent due to the nature of the personal information collection medium.
If it is difficult, give the user a way to check the contents of consent (Internet address, business phone number, etc.)
guide and obtain consent.
Article 32 (Consent to Provision and Use of Personal Credit Information) ① Provision of Credit Information and Users of Personal Credit Information
In the case of providing the information to another person, as prescribed by Presidential Decree, the credit information subject
Whenever personal credit information is provided in any of the following ways,
Credit Information Act
consent must be obtained However, the accuracy and accuracy of personal credit information within the previously agreed purpose or scope of use
This is not the case in order to keep up-to-date.
1. Written

133

Page 140
Explanation of personal information protection laws and guidelines and announcements

2. An electronic document with a certified electronic signature under subparagraph 3 of Article 2 of the Electronic Signature Act (the Framework Act on Electronic Transactions);
Refers to electronic documents under subparagraph 1 of Article 2)
3. In consideration of the provision of personal credit information and the purpose of provision, the stability of consent to provide information and
A method of inputting personal passwords through wired and wireless communication that can ensure reliability
4. A method of notifying the individual of consent through wired or wireless communication and obtaining consent. In this case, I
Securing evidence, such as voice recording of whether or not consent, the content of consent, and the individual's response
must be maintained, and a post-notification procedure as prescribed by Presidential Decree is followed.
5. Other methods prescribed by Presidential Decree.
② A person who intends to receive personal credit information from a credit inquiry company or credit information collection agency
In any subparagraph of Paragraph (1), from the relevant credit information subject, as prescribed by Presidential Decree.
Each time you receive personal credit information in an applicable way, you agree individually
Except for the case of maintaining the accuracy and up-to-dateness of personal credit information within the purpose or scope of use)
should get In this case, a person who intends to receive personal credit information will receive credit information when inquiring about personal credit information.
When the rating may be downgraded, it shall be notified to the relevant credit information subject.
③ In the event that a credit inquiry company or a credit information collection agency provides personal credit information pursuant to Paragraph 2,
Whether the person who intends to receive the relevant personal credit information has obtained consent under paragraph (2) shall be determined by Presidential Decree.
It should be checked as determined.
④ When the credit information company, etc. obtains consent in relation to the provision and use of personal credit information,
As prescribed by Presidential Decree, essential agreements and other optional items for the provision of services
After explaining the terms of consent separately, consent must be obtained for each. In this case, the required consent is
Relevance to the provision of services must be explained, and the optional consent is not to consent to the provision of information.
It should be noted that this may not be possible.
⑤ The credit information company, etc., on the grounds that the subject of credit information does not agree to the optional consent
The provision of services to the subject of credit information shall not be refused.
⑥ When a credit information company, etc. provides personal credit information, in any of the following subparagraphs:
Paragraphs 1 through 5 shall not apply if applicable.
1. Intensive management and utilization of a credit information company with another credit information company or a credit information collection agency;
if provided for
2. To entrust the processing of credit information pursuant to Article 17 (2) as necessary for the performance of the contract;
if provided for
3. Transferring all or part of rights and obligations due to business transfer, division, merger, etc.;
When providing relevant personal credit information
4. Debt collection (applicable only to the collection of collection claims), the purpose of authorization/permission, determination of the creditworthiness of the company;
Where securities are provided to a person who uses them for the purpose prescribed by Presidential Decree, such as the acquisition of securities;
5. When provision is made in accordance with a court order to submit or a warrant issued by a judge
6. In urgent situations, such as when a serious risk to the life or body of the victim is expected due to the crime
In cases where there is no time to receive a warrant issued by a judge under subparagraph 5, a public prosecutor or judicial
Provided upon request by a police officer. In this case, the prosecutor who has been provided with personal credit information will
A warrant must be requested from the judge, and the judicial police officer must apply to the public prosecutor and
You must request a warrant, and you must file a warrant within 36 hours of receiving your personal credit information.
If the issuance is not received, the personal credit information provided shall be destroyed without delay.
7. For questioning, inspection or investigation pursuant to the Tax-Related Act, the head of the competent government agency shall write in writing.
When requesting or requesting the provision of tax data that is obligated to submit in accordance with the Tax Act
If provided according to

134

Page 141

8. In accordance with international agreements, etc., personal credit information possessed by a financial company is not disclosed to a foreign financial supervisory authority.
if provided
9. Acts of disorder in financial order prescribed by Presidential Decree, oligopoly shareholders of companies, and related persons such as the largest investor;
When providing information that can determine creditworthiness
10. In case of providing in accordance with other laws
⑦ A person who intends to provide or receives personal credit information to another person pursuant to each subparagraph of Paragraph 6
As prescribed by Presidential Decree, the facts and reasons for the provision of personal credit information shall be identified in advance.
The credit information subject must be informed. However, if there are unavoidable reasons prescribed by Presidential Decree,
It may be notified or disclosed later through posting on the Internet website or other similar methods.
⑧ As a credit information provider/user who provides personal credit information to others pursuant to paragraph (6) 3
A person prescribed by Presidential Decree shall be subject to matters prescribed by Presidential Decree, such as the scope of credit information to be provided.
Approval from the Financial Services Commission is required.

The third chapter

⑨ A person who has been provided with personal credit information with approval under paragraph 8

dog

Separately from the personal credit information of the current credit information subject as determined by the Committee, sign
tablet
should be managed
see
see
of

⑩ When a credit information company, etc. provides personal credit information,
Accordingly, the identity of the person receiving personal credit information and the purpose of use shall be confirmed.

wife

⑪ The credit information provider/user who has provided personal credit information must obtain individual consent in advance
Lee pursuant to paragraph (1).
If there is a dispute as to whether or not it was received, it must be proved.

8. Penalty Regulations
violation

penalty

Violation of consent acquisition method

A fine of not more than 10 million won

(Violation of Article 22 (1) through (3))

(Article 75 (3) 2)

A person who refuses to provide goods or services without consent

A fine of not more than 30 million won

(Violation of Article 22 (4))

(Article 75 (2) 2)

A person who does not obtain the consent of the legal representative when processing personal A
information
fine of not of
more
children
than 50
under
million
the age
wonof 14
(Violation of Article 22 (5))

(Article 75 (1) 2)

9. Q&A
Consent to collection and use of personal information when signing a service use contract using a PDA terminal

Q

Is it possible for the customer to sign directly on the PDA terminal in this way?

A

A method of signing through a PDA terminal is also possible. However, in this case, consent at the time of collection of personal information
You must clearly notify the user of the matter and obtain consent. If there are many agreements,
The method of verification (Internet address, etc.) should be provided.

135

Page 142
Explanation of personal information protection laws and guidelines and announcements

Q

Travel agencies usually receive inquiries and reservations by phone, but if personal information is collected over the phone,
The call time is very long to inform all the notices and obtain consent. Obtaining the user's consent
Is there any other way for this?
「Personal Information Protection Act」 is based on each service type such as internet site, written, e-mail, and telephone.

A

The method of obtaining consent is stipulated. If you wish to obtain consent for collection of personal information by phone
Inform the user of consent and obtain consent verbally, or on the Internet with notices
You can use the method of providing an address, etc. and obtaining oral consent later.

The personal information controller pays prizes to the data subject to prevent withdrawal of marketing consent, etc.

Q

A certain amount of consideration (hereinafter referred to as “gifts, etc.”) was paid, and after the information subject received the gift, the marketing consent was given.
In case of withdrawal, is the data subject obligated to return prizes, etc.?

A

After agreeing to marketing and receiving a gift in return for it, only consent to marketing
If it is withdrawn, it cannot be regarded as a contract based on good faith according to social norms. So in this case
You are obligated to return the prize. However, the personal information controller may not receive any prizes, etc. paid when the marketing consent is withdrawn.
It is more preferable to obtain consent by clearly notifying the matters to be returned.

136

Page 143

Section 2 Restrictions on processing of personal information

Article 23 Restrictions on processing of sensitive information
Article 23 (limitation processing of sensitive information) ① The Privacy of thought, belief, trade unions, political parties
Information on membership/withdrawal, political views, health, sex life, etc., and other privacy of the data subject
Information prescribed by Presidential Decree as personal information that is likely to be significantly infringed (hereinafter referred to as “sensitive
information”) should not be processed. provided, however, that any of the following
In this case it is not so.
law

The third chapter

1. Notifying the data subject of each subparagraph of Article 15 (2) or each subparagraph of Article 17 (2);

dog
sign
When consent is obtained separately from consent to the processing of other personal information
tablet
2. In the case of requesting or permitting the processing of sensitive information by laws and regulations see
see
of
② If the personal information controller processes sensitive information in accordance with each subparagraph
of

In accordance with Article 29 to prevent information from being lost, stolen, leaked, forged, falsified or

Paragraph 1, the sensitive information

wife
Lee
damaged.

Measures necessary to ensure safety shall be taken.
Article 18 (Scope of Sensitive Information) In the main part of Article 23 (1 ) of the Act, “by Presidential Decree”
“Information specified” means information falling under any of the following subparagraphs: However, public
In accordance with the provisions of Article 18 (2) 5 through 9 of the Act, any of the following
Enforcement Decree
In the case of processing one type of information, the corresponding information is excluded.
1. Genetic information obtained as a result of genetic testing, etc.
2. Information corresponding to criminal history data under subparagraph 5 of Article 2 of the Act on the Revocation, etc. of Sentences;

Personal information may have a significant impact on the privacy of an individual and further on the safety of an individual's life, body, and property.
All of them should be treated with caution, but especially if they cause social discrimination or significantly violate human rights.
Sensitive personal information that may be infringed should be more strictly protected.

1. Definition of sensitive information
Article 23 lists the types of sensitive information instead of providing a definition of sensitive information. in this law
Sensitive information includes ① ideology and belief, ② membership or withdrawal of a union or political party, ③ political opinion, ④ health, sex life, etc.
information, ⑤ other personal information that is likely to significantly infringe on the privacy of the information subject, as prescribed by Presidential Decree.
information that determines

137

Page 144
Explanation of personal information protection laws and guidelines and announcements

￭ 'ideology/belief' refers to a system of thought formed based on individual values,
It refers to various ideologies, ideological tendencies, religious beliefs, etc.
■ 'Political opinion' is information about a position on a political issue or whether a particular political party supports it.
￭ 'Joining/withdrawing from a trade union or political party' is information on joining or withdrawing from a trade union or political party. must
It does not have to be a legitimate trade union or political party.
￭ 'Information on health and sexual life, etc.' means an individual's past and present medical history, physical and mental disorders
(disability grade, etc.), sexual orientation, etc. Blood type does not apply to this.
￭ 'Personal information that is likely to significantly infringe privacy' refers to the collection and processing of such information.
Refers to those that may infringe on the essential content of the right to privacy guaranteed by the Constitution. interpretive
There was a social consensus that it is necessary to specifically protect sensitive information because there is a lot of room for it.
It was entrusted to the Presidential Decree to regulate the information according to the situation.
< Types of sensitive information under the Enforcement Decree (Article 18 of the Enforcement Decree) >
1. Genetic information obtained as a result of genetic testing, etc.
2. Sentencing/exemption of punishment of a fine or heavier punishment, suspension of sentencing, probation, probation, treatment and probation, probation, invalidation of suspension of sentence, suspension of execution
Offenses such as cancellation, confiscation imposed with a fine or heavier punishment, additional collection, community service order, and sentence or disposition
Career information

However, for sensitive information (genetic information, criminal history information) according to the Enforcement Decree, public institutions
Since it is not considered sensitive information when it is processed for
It can be processed without consent.
- If personal information is not used for purposes other than the intended purpose or if it is not provided to a third party, other laws
In the case where it is impossible to carry out the duties prescribed by the competent authority, and it has undergone deliberation and resolution by the Protection Committee
- Necessary to provide to foreign governments or international organizations for the implementation of treaties and other international agreements
Occation
- When it is necessary for the investigation of a crime and the initiation and maintenance of public prosecution
- In case it is necessary to carry out the judicial affairs of the court
- When it is necessary for the execution of punishment, probation, and protective disposition
Reference「Act on the Revocation of Sentences, etc.」
“Criminal history data” in subparagraph 5 of Article 2 means data on the following items in the investigation data table:
end. Sentence, exemption, and suspension of sentence of a fine or heavier punishment
I. probation, treatment supervision, probation
All. Effect of suspension of sentencing
la. Cancellation of probation
hemp. Sentences or dispositions such as confiscation, additional collection, community service order, attendance order, etc. imposed along with a fine or heavier punishment

138

Page 145

2. Prohibition of processing of sensitive information
In principle, processing of sensitive information is prohibited. Even in major foreign legislative cases, sensitive information (special
information) is prohibited in principle, and there are exceptions, such as when there is explicit consent from the data subject.
Processing is permitted only when the cause is applicable. Article 23 also separates the data subject according to foreign legislative practices.
Only when consent is obtained and the processing of sensitive information is required or permitted by laws and regulations
processing is allowed. As Article 23 is a special regulation regarding the processing of personal information, Articles 15 and 17
and Article 18, etc., shall take precedence over the provisions on the processing of personal information. Therefore, in the case of sensitive information
It can be processed only in cases where there are exceptions stipulated in each subparagraph of Paragraph 1 of Article 23.
The third chapter

￭ In case of obtaining separate consent from the data subject: Article 15 (2) or Article 17 (2)

dog

Informing the data subject and giving consent to the processing of sensitive information separately from consent to the processing
sign
of other personal information
tablet
see
see
of

If consent is obtained
￭ When processing is required by law : List the types of sensitive information in the law and request the processing

wife
Lee

If there is (including cases where there is sensitive information in the court form)
Reference 1 Article 21 (2) of the 「Medical Act」

Article 21 (Review, etc. of Records) ② Notwithstanding the provisions of Paragraph 1, medical personnel may receive other information according to the medical necessity of the same patient.
When a medical institution requests perusal or transmission of a copy of the record, clinical opinion, and treatment history, or when the patient
When requested to provide copies of inspection records and radiographic film, it must be complied with.

139

Page 146
Explanation of personal information protection laws and guidelines and announcements

Reference 2 Form No. 10-3 of the Enforcement Regulations of the Enforcement Regulations of Guns, Swords, Explosives, etc.

■ Enforcement Regulations of the Control Act on Guns, Swords, Explosives, etc. [Annex No. 10-3 Form] <Newly established on February 22, 2011>

Medical history report and personal information use agreement
(front)

※ Mark the following question with a √ in the appropriate [ ] box indicating yes or no, and if yes, write the details.

Registration Number

Date of receipt

processing date

10 days

processing period

(1) You are suffering from schizophrenia, affective disorder, severe personality disorder, and symptoms equivalent thereto.
[ ] Yes [ ] No
Have you ever been treated?
disease name

treatment hospital

Treatment start date

Treatment end date

(if any)

(2) Have you ever been treated for a convulsive disease (epileptic)?

[ ] Yes [ ] No

disease name

treatment hospital

Treatment start date

Treatment end date

(if any)

(3) The fact that you are being treated for drugs, marijuana, psychotropic drugs, alcoholism, etc.
[ ] Yes [ ] No
do you have this?
disease name

treatment hospital

Treatment start date

Treatment end date

(Treatment
if any)

enforcement date
(the fact that the arrest
if any)

enforcement agency

violation

Year Month Day
declarant

(Signature or Seal)

Provincial police chief and police chief Inquiry

Personal Information Use Agreement
In order for the permitting authority to determine whether the reasons for disqualification of the possession of guns under Article 13 of the 「Firearms, Swords, Explosives, Etc. Control Act」, the personal information stored by the National Health Insurance Corporation
I agree to inquire about the treatment history of dementia, schizophrenia, schizoaffective disorder, bipolar affective disorder, recurrent depressive disorder, mental developmental delay, and epilepsy for the past 5 years from the date of consent.

year

consenter

month

Work

(Signature or Seal)

140

Page 147

Reference 3 Article 6 Paragraph 1 of the Enforcement Decree of the Security Observation Act
Article 6 (Report of Persons Subject to Security Inspection Disposition ) (1) Before a person subject to security observation disposition is released from release pursuant to Article 6 (1) of the Act
When making a report, fill out 5 copies of the report stating the matters in each of the following subparagraphs and fill out the prison, juvenile prison, detention center, detention center,
It must be submitted to the head of a military prison or a prison camp (hereinafter referred to as “prison, etc.”).
1. Original register, domicile, residence (actual place of residence; hereinafter the same shall apply), name, date of birth, gender, resident registration number
2. Family and Friendship
3. Occupation, status of the person and his/her family's assets prior to enlistment
4. Education/Career
5. Religion and affiliated groups
6. Military service relationship
7. Expected release date
The third chapter

8. The expected place of residence after release and the expected date of arrival

dog
sign
tablet
see
etc.
see
of

9. Summary of the facts of the crime subject to security observation, court of judgment, date of judgment, name of crime, applicable law, type of sentence, sentence
10. A criminal record other than the relevant crime
11. In cases falling under Article 20 (3) of the Act, the date of decision to provide a residence, the name of the provided social welfare facility,
location

wife
Lee

Reference 4 Article 11-2 of the Military Service Act
Article 11-2 (Request for Submission of Data, etc.) ① In relation to the military service judgment inspection, the head of the regional military manpower office shall include a doctor in charge of military service judgment inspection;
A medical doctor specializing in military service judgment inspection or a medical officer dispatched for a physical examination pursuant to Article 12-2, etc.
If it is deemed necessary for the identification of mental and physical disorders, the head of a medical institution under the 「Medical Act」, the 「National Health Insurance Act」
The head of the National Health Insurance Corporation under the Act, the head of a school under the Elementary and Secondary Education Act, etc.
You may be asked to submit medical records, treatment-related records, and school life records. In this case, submit
The person requested shall comply with the request unless there is a special reason.
② Anyone who discloses or divulges information or data on persons subject to military service judgment inspection acquired pursuant to paragraph (1), or
It shall not be used for purposes other than military service judgment inspection, such as providing it to a person.

As mentioned above, in the case of sensitive information, it can be processed only when there is an exceptional reason as a separate regulation.
For the purpose of stipulating that there should be no such exception, each subparagraph of Article 15 (1) and Article 17 (1)
It cannot be considered that it can be processed just because it meets the requirements under each subparagraph or each subparagraph of Article 18 (2).

3. Relationship with other laws
This Act applies to information and communications service providers under the Information and Communications Network Act and credit information providers and users under the Credit Information Act.
All apply. Therefore, information and communication service providers and credit information providers and users
Sensitive information can be processed only with consent or if there is a legal basis for permission. However, credit information
Providers and users cannot absolutely collect political ideas, etc. in accordance with the 「Credit Information Act」. Also
When collecting and investigating an individual's disease information for insurance premium calculation, the consent of the individual must be obtained.

141

Page 148
Explanation of personal information protection laws and guidelines and announcements

Article 23 (Restrictions on Collection of Personal Information, etc.) ① Information and communication service providers are responsible for their ideas, beliefs, family and relatives.
Personal rights, interests, or privacy, such as relationships, academic background, military history, and other social activities
Personal information that is likely to be clearly infringed shall not be collected. However, in Article 22 (1)
with the consent of the user in accordance with the provisions of the Act or that is specifically permitted as personal information to be collected under other laws.
In this case, personal information may be collected to the minimum extent necessary.
Information and Communications
② When the information
Network Act
and communication service provider collects the user's personal information, the information and communication service provider
The minimum amount of personal information must be collected to the extent necessary for provision.
③ Information and communication service providers do not provide personal information other than the minimum personal information required by users.
The provision of the service shall not be refused on the grounds that it is not provided. necessary in this case
The minimum personal information contains information necessary to perform the essential function of the service.
say
Article 16 (Restriction on Collection, Investigation and Processing) ① Credit information companies, etc. collect and investigate the following information
it should not be done
1. Information on national security and confidentiality
2. Company trade secrets or original research and development information
3. Personal political thoughts, religious beliefs, and other personal information not related to credit information
Credit Information Act
4. Uncertain personal credit information
5. Information prohibited from collection under other laws
6. Other information prescribed by Presidential Decree.
② When a credit information company, etc. collects, investigates, or provides information about an individual's disease to others
The consent of the relevant individual under Article 32 (1) must be obtained in advance, and only for the purpose prescribed by Presidential Decree.
You should use that information.

4. Penalty Regulations
violation

penalty

Violation of sensitive information processing standardsImprisonment for not more than 5 years or a fine not exceeding 50 million won
(Violation of Article 23 Paragraph 1)

(Article 71 (1) 2)

Do not take safety measures to protect sensitive information
to steal, leak, falsify, or steal personal information
damaged or lost

Imprisonment for not more than 2 years or a fine not exceeding 20 million won
(Article 73 subparagraph 1)

(Violation of Article 23 (2))
Safety measures to protect sensitive information
breach of duty
(Violation of Article 23 (2))

A fine of not more than 30 million won
(Article 75 (2) 6)

142

Page 149

5. Q&A
Q

Can any information sensitive to an individual be considered sensitive information other than those prescribed by the Act and the Enforcement Decree?

A

Laws and enforcement ordinances include ideas, beliefs, union (party) membership/withdrawal, political views, health, sex life, genetic information,
Since it is limited to information on criminal history, other information does not fall under sensitive information.

Q

In order to provide rate reduction benefits for the disabled, detailed disability level information is required.
can you do it?

A

Article 4 of the Telecommunications Business Act makes it mandatory for telecommunications business operators to provide
'universal services',
The third chapter
In the Presidential Decree, one of 'universal services' is 'rate reduction service for the disabled and low-income class'.
is stipulated Therefore, in this case, the processing of sensitive information is requested or
If allowed, it is possible to collect disability grade information for the benefit of fee reduction for the disabled.

dog
sign
tablet
see
see
of
wife
Lee

143

Page 150

Explanation of personal information protection laws and guidelines and announcements

Article 24 Restrictions on processing of uniquely identifiable information
Article 24 (Restrictions on Processing of Uniquely Identifiable Information) ① The personal information controller shall comply with the following cases:
Except as identification information given to uniquely distinguish an individual in accordance with laws and regulations,
Information prescribed by Presidential Decree (hereinafter referred to as “uniquely identifiable information”) may not be processed.
1. Notifying the data subject of each subparagraph of Article 15 (2) or each subparagraph of Article 17 (2);
When consent is obtained separately from consent to the processing of other personal information
2. In the case where the law specifically requires or permits the processing of unique identification information
② Delete
③ If the personal information controller processes unique identification information in accordance with each subparagraph of Paragraph 1, the

law

In order to prevent loss, theft, leakage, forgery, alteration or damage of unique identification information, it is prescribed by Presidential Decree.
Measures necessary to secure safety, such as encryption, shall be taken as prescribed.
④ The Minister of Government Administration and Home Affairs shall determine the type and size of personal information processed, the number of employees, and sales.
The personal information controller who meets the standards prescribed by Presidential Decree in consideration of the scale, etc.
In accordance with the Presidential Decree as to whether measures necessary to secure safety have been taken pursuant to paragraph (3).
Investigation shall be carried out on a regular basis as prescribed.
⑤ The Minister of Government Administration and Home Affairs shall appoint a specialized institution prescribed by Presidential Decree under paragraph (4).
may have you conduct an investigation.
Article 19 (Scope of Uniquely Identifiable Information) In parts other than each subparagraph of Article 24 (1 ) of the Act, “by Presidential Decree
“Information specified” means information falling under any of the following subparagraphs: However, public
In accordance with the provisions of Article 18 (2) 5 through 9 of the Act, any of the following
In the case of processing one type of information, the corresponding information is excluded.
1. Resident registration number under Article 7 (3) of the Resident Registration Act;
2. Passport number under Article 7 (1) 1 of the Passport Act;
3. License number of a driver's license under Article 80 of the Road Traffic Act;
4. Alien registration number under Article 31 (4) of the 「Immigration Control Act」

Article 21 (Measures to ensure safety of unique identification information) ① Unique identification pursuant to Article 24 (3 ) of the Act
Enforcement Decree
Article 30 shall apply mutatis mutandis to measures to ensure the safety of information. In this case, “Article 29 of the Act”
“Article 24 (3) of the Act” and “personal information” shall be construed as “uniquely identifiable information”.
② In Article 24 (4) of the Act, “personal information controller that meets the standards prescribed by the Presidential Decree” means
It refers to a personal information controller falling under any of the following subparagraphs:
1. Public institutions
2. A person who processes uniquely identifiable information about 50,000 or more data subjects
③ The Minister of the Interior and Home Affairs shall notify the personal information controller falling under any subparagraph of paragraph (2).
every two years whether measures necessary to secure safety have been taken in accordance with Article 24 (4) of the Act.
It should be investigated more than once.

144

Page 151

④ The investigation under paragraph 3 shall be conducted to the personal information controller falling under any of the subparagraphs of paragraph 2.
This is done in a way that requires submission of necessary data online or in writing.
⑤ In Article 24 (5) of the Act, “specialized institution prescribed by Presidential Decree” refers to an institution falling under each of the following subparagraphs:
say
1. Korea Internet under Article 52 of the 「Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.」
Promotion Agency (hereinafter referred to as “Korea Internet & Security Agency”)
2. Technical and financial capabilities and facilities to conduct investigations pursuant to Article 24 (4) of the Act;
corporations, organizations, or corporations determined and publicly notified by the Minister of the Interior and
Agency
Article 62-2 (Processing of Uniquely Identifiable Information) ① Minister of the Interior and Home Affairs
(Ministry
The third
chapter of Public Administration and Home Affairs pursuant to Article 62 (3))
(including those entrusted with the authority of the Minister) to perform the following affairs
In case of unavoidable circumstances, resident registration number, passport number, driver's license
Data including alien registration number can be processed.

dog
sign
tablet
number,
or
see
see
of

1. Establishment of a system to provide alternative methods for resident registration numbers pursuant to Article
wife 24-2 (4) of the Act
Lee

Affairs related to preparing and supporting various measures
2. Affairs concerning the imposition and collection of penalty surcharges under Article 34-2 of the Act;

3. Affairs related to the work of the Personal Information Infringement Report Center under Article 62 (3) of the Act;
② The Dispute Mediation Committee is responsible for the personal information dispute mediation in accordance with Articles 45 and 47 of the Act.
In cases where it is unavoidable to carry out office work, the resident registration number, passport number, and
Data including the driver's license number or alien registration number can be processed.

Uniquely identifiable information was originally given to individuals for the purpose of public interest, but because of its convenience, the public sector
Of course, it is widely collected and used in the private sector as well. In particular, the leakage and theft of resident registration numbers
Damage caused by it is increasing rapidly. Therefore, to prevent misuse and abuse of unique identification information such as resident registration number,
It is necessary to limit the processing within a certain range so that it can be used faithfully for its original purpose.

1. Definition of unique identification information (paragraph 1)
Unique identification information is identification information given to uniquely distinguish an individual in accordance with laws and regulations as prescribed by Presidential Decree.
information that determines Since it must be granted to individuals by law, companies, schools, etc. belong to
The employee number, student number, etc. given to members cannot be uniquely identifiable information. Also, to corporations or businesses
The corporate registration number and business registration number that are granted cannot be uniquely identifiable information.
According to the 「Personal Information Protection Act」, uniquely identifiable information is abused as a DB matching key in the private sector, resulting in personal privacy.
It is stipulated mainly on information that is highly likely to infringe, but the Enforcement Decree limits the scope of unique identification information

145

Page 152
Explanation of personal information protection laws and guidelines and announcements

Resident registration number, passport number, driver's license number, and alien registration number are set. However, in accordance with the Enforcement Decree
Identification information is not considered unique identification information when a public institution processes it to perform the following tasks.
- If personal information is not used for purposes other than the intended purpose or if it is not provided to a third party, other laws
In the case where it is impossible to carry out the duties prescribed by the competent authority, and it has undergone deliberation and resolution by the Protection Committee
- Necessary to provide to foreign governments or international organizations for the implementation of treaties and other international agreements
Occation
- When it is necessary for the investigation of a crime and the initiation and maintenance of public prosecution
- In case it is necessary to carry out the judicial affairs of the court
- When it is necessary for the execution of punishment, probation, and protective disposition

2. Prohibition of processing of unique identification information (paragraph 1)
In principle, unique identification information cannot be processed. However, in case of obtaining the consent of the information subject separately,
In cases where the processing of uniquely identifiable information is required or permitted by laws and ordinances, the
can However, the processing of resident registration numbers among unique identification information is separately stipulated in Article 24-2.
and this will be described later.
In the case of obtaining separate consent from the information subject, the personal information controller shall be subject to each subparagraph of Article 15 (2) or Article 17.
Inform the information subject of the matters in each subparagraph of Paragraph 2 and separate it from consent to the processing of other personal information
You must obtain consent for the processing of identification information.
In principle, when the law specifically requires or permits processing, the law
It enumerates the types of unique identification information and requests or permits its processing. in 'law'
In addition to the Act, the Enforcement Decree and Enforcement Rules are included, and the attached form or
Forms are also included.
ReferenceArticle 3 of the Enforcement Decree of the Act on Real Name Financial Transactions and Confidentiality
Article 3 (Real Name) The real name in accordance with the provisions of subparagraph 4 of Article 2 of the Act shall be the name according to the classification of each of the following subparagraphs.
1. For individuals: Name and resident registration number written on the resident registration card. However, in the case of overseas nationals, the
Name and passport number (for overseas Koreans who have not been issued a passport,
name and registration number)
2 to 3. omitted
4. For foreigners: Name and registration number listed in the Alien Record Table under the 「Immigration Control Act」. However, foreigners
In the case of a person who has not been issued a registration certificate, the name and number written on the passport or identification card

146

Page 153

In this regard, the duty to verify the identity of the personal information controller or
If the duty to confirm age is imposed, it is 'specifically required to process uniquely identifiable information in laws and regulations.
There is a question as to whether it can be regarded as 'allowed'.
In my opinion, if other laws and regulations merely stipulate the duty to verify identity and age, it is
It is difficult to see that information processing is specifically requested or permitted. Therefore, in this case, identification and age verification
Separate consent for processing of unique identification information for
You must confirm your identity and age.
Reference 1 Article 16 Paragraph 1 of the Juvenile Protection Act
The third chapter
A person who intends to sell, rent, distribute, or provide for viewing, viewing, or use of media products that are harmful to juveniles prescribed by Presidential Decree;

dog
sign
tablet
see
see
of

It is necessary to confirm the age and identity of the other party, and to sell, rent, distribute, view, view, or use the juvenile.
should not be provided

Reference 2 Article 26 Paragraph 1 of the Juvenile Protection Act

wife
Lee

Internet game providers must not provide Internet games to teenagers under the age of 16 from 0 am to 6 am.
No.

Reference 3 Article 44-5 Paragraph 1 of the Information and Communications Network Act
Article 44-5 (Identification of bulletin board users) ① A person who falls under any of the following subparagraphs installs and operates a bulletin board
necessary measures prescribed by Presidential Decree, such as the preparation of methods and procedures for the identification of users of the bulletin board.
(hereinafter referred to as “Identity Verification Measures”) must be taken.
1. State institutions, local governments, public corporations and quasi-governmental institutions under Article 5 (3) of the Act on the Management of Public Institutions;
Local public corporations and regional corporations under the Local Public Enterprises Act (hereinafter referred to as “public institutions, etc.”);
2. Delete

147

Page 154
Explanation of personal information protection laws and guidelines and announcements

Article 24-2

Restrictions on resident registration number processing

Article 24-2 (Restriction on processing of resident registration number) ① Notwithstanding Article 24 (1), the personal information controller
Except for cases falling under any of the following subparagraphs,
can't
1. In the event that the Act specifically requires or permits the processing of resident registration numbers
2. For the immediate benefit of life, body, or property of the data subject or a third party, explicitly
If deemed necessary
3. In cases where it is unavoidable to process resident registration numbers in accordance with subparagraphs 1 and 2, the Ministry of Security and Public Administration
In case of ordinance
② Notwithstanding Article 24 (3), the personal information controller shall be responsible for the loss, theft,
Safely through encryption measures to prevent leakage, forgery, alteration or damage
should be kept In this case, regarding the target of encryption application and the time of application by target, etc.
Necessary matters are prescribed by Presidential Decree in consideration of the size of personal information processing and the impact of leakage.
decide
③ Even if the personal information controller processes the resident registration number in accordance with each subparagraph of Paragraph 1, the information
In the step of registering as a member through the Internet homepage, the subject enters the resident registration number
A method to sign up as a member without using it shall be provided.
④ The Minister of Security and Public Administration shall ensure that the personal information controller can provide the method under paragraph (3).

law

Reorganization of related laws, establishment of plans, establishment of necessary facilities and systems, etc.
Can provide and support.
[Effective Date: 2017.3.30.]
Article 24-2 (Restrictions on Processing of Resident Registration Numbers) ① Notwithstanding Article 24 (1), the personal information controller shall:
The resident registration number cannot be processed except in cases falling under any one of the above.
1. In the Act, the Presidential Decree, the National Assembly Rules, the Supreme Court Rules, the Constitutional Court Rules, the National Election Commission Rules and the Board of Audit and Inspection Rules
In the case of specifically requesting or permitting the processing of resident registration numbers
2. Information that is clearly necessary for the immediate benefit of life, body, or property of the data subject or a third party
Occation
3. In cases where processing of resident registration numbers is unavoidable in accordance with subparagraphs 1 and 2, as prescribed by Ordinance of the Ministry of Security and Public Administration;
Occation
② Notwithstanding Article 24 (3), the personal information controller shall be responsible for the loss, theft, leakage, forgery, alteration, or loss of the resident registration number.
It must be stored safely through encryption measures so that it is not damaged. In this case, encryption applies to
As for necessary matters regarding the application period by subject, etc., it is necessary to determine the size of personal information processing and the impact of leakage.
It shall be determined by Presidential Decree in consideration of
③ Even if the personal information controller processes resident registration numbers in accordance with each subparagraph of Paragraph 1, the information subject is
In the stage of registering as a member through the website, you can become a member without using your resident registration number.
You must provide a way to join.
④ The Minister of Security and Public Administration shall comply with relevant laws and regulations so that the personal information controller can provide the method under paragraph (3).
It can prepare and support all measures such as maintenance, establishment of a plan, and establishment of necessary facilities and systems.

148

Page 155

Article 21-2 (Resident Registration Number Encryption Target, etc.) ① Encryption in accordance with Article 24-2 (2 ) of the Act
Encryption subject to take action is to store resident registration number in an electronic way.
as a personal information controller.
② The period of application of encryption to the personal information controller in Paragraph 1 is as follows.
1. Personal information controller who keeps resident registration numbers for less than 1 million information subjects:
Enforcement Decree
January 1, 2017
2. Personal information controllers who keep resident registration numbers for more than 1 million data subjects:
January 1, 2018
③ The Minister of Government Administration and Home Affairs shall consider encryption under paragraph (1) in consideration of technical and economic feasibility, etc.
Details of measures may be determined and announced.

The third chapter

dog
sign
tablet
see
see
of

1. Prohibition of processing of resident registration number in principle (Article 24-2)

wife
Lee

Regarding the resident registration number among unique identification information, the amendment of this Act on August 6, 2013 (enforced on August 7, 2014)
In principle, processing is prohibited and allowed only in exceptional cases falling under each of the following subparagraphs.
Article 24-2 reinforces the protection of resident registration numbers more than other uniquely identifiable information.
Because it is a regulation enacted to fundamentally prevent secondary damage in the event of misuse and abuse according to the procedure and leakage, residents
The requirements of each subparagraph of Article 24 (1) do not apply to the processing of registration numbers, and Article 24-2 (1)
The requirements of each subparagraph shall apply.
1. In the event that the Act specifically requires or permits the processing of resident registration numbers
2. It is clearly necessary for the immediate benefit of life, body, or property of the data subject or a third party.
If recognized
3. In cases where processing of resident registration numbers is unavoidable in accordance with subparagraphs 1 and 2, as prescribed by Ordinance of the Ministry of Security and Public Administration;
Occation
Therefore, unless you fall under the exceptions set out in each of the above items, your resident registration number is collected and used,
It is prohibited to provide, store, or retain to a third party, which requires consent from the data subject.
The same applies to the case of receiving (if separate consent is obtained like other unique identification information before revision)
It was manageable, but it is no longer possible). In addition, as far as exceptions apply, from the data subject
No separate consent is required.
“In the case where the processing of resident registration numbers is specifically requested or permitted by the law” as stipulated in subparagraph 1,
At least one of the Enforcement Decree and the Enforcement Rules requires the personal information controller to process the resident registration number.
It means that there is a specific regulation that requires or permits. However, from 2017. 3. 30.
Acts that require the processing of resident registration numbers based on the Enforcement Regulations or that may process resident registration numbers;

149

Page 156
Explanation of personal information protection laws and guidelines and announcements

Enforcement rules are excluded from the scope, and laws, presidential decrees, parliamentary rules, supreme court rules, constitutional court rules, central elections
When the management committee rules and the Board of Audit and Inspection rules specifically request or allow the processing of resident registration numbers.
will be limited
The meaning of subparagraph 2 is as detailed in the commentary on Article 15, Paragraph 1, Item 5 of this Act. simply
It is not immediately permitted just because it is for the benefit of the life, body, or property of the data subject, but it is clearly
The processing of the resident registration number must be for the benefit of life, body, and property of the information subject or a third party.
The urgency must be acknowledged. If there is sufficient time available or by other means, life, body,
If you can protect the interests of your property, you are not in an urgent state.

Q

Is it possible to process an employee's resident registration number for the purpose of group insurance?

A

Article 102, Paragraph 5, Item 4 of the Enforcement Decree of the Insurance Business Act states that insurance companies are subject to Article 735-3 (Group Insurance) of the Commercial Act.
Residents of the insured to the extent necessary for the execution of business such as conclusion of group insurance contracts
Regulations so that registration numbers can be processed, group insurance does not require written consent from members
It is an insurance that a group contracts with an insurance company in a lump sum for members who are insured as policyholders,
The company may provide the employee's resident registration number to the insurance company for the purpose of subscribing to group insurance.

2. Relationship with other laws
In the current “Information and Communications Network Act,” Article 23-2 (Membership registration methods other than resident registration numbers),
The introduction of alternative means of resident registration number is mandatory for information and communication service providers that meet the standards.
Therefore, information and communications service providers subject to the 「Information and Communications Network Act」 shall use alternative means of membership registration.
you have to provide
Information and Communications Network Act
Article 23-2 (Restriction on Use of Resident Registration Number) ① Information and communications service providers who fall under any of the following subparagraphs
Except for cases, the user's resident registration number cannot be collected or used.
1. Where it has been designated as an identity verification institution pursuant to Article 23-3;
2. In the case where the law permits the collection and use of the user's resident registration number
3. As a provider of information and communications services where it is inevitable to collect and use users' resident registration numbers for business purposes.
In case the Korea Communications Commission announces
② Even if the resident registration number can be collected and used pursuant to Paragraph 1, 2 or 3, the user's resident registration number
You must provide a method to identify yourself without using it (hereinafter referred to as “alternative means”).

150

Page 157

3. Penalty Regulations
violation

penalty

Violation of standards for processing unique identificationImprisonment
information for not more than 5 years or a fine not exceeding 50 million won
(Violation of Article 24 (1))

(Article 71, subparagraph 4)

Do not take measures to ensure safety to protect uniquely identifiable information
If personal information is not stolen, leaked, altered, or damaged,

Imprisonment for not more than 2 years or a fine not exceeding 20 million won

the lost

(Article 73 subparagraph 1)

(Violation of Article 24 (3))
Violation of obligation to secure safety measures to protect uniquely identifiable information
A fine of not more than 30 million won
(Violation of Article 24 (3))
The person who processed the resident registration number
(Violation of Article 24-2 Paragraph 1)

(Article 75 (2) 6)

The third chapter

A fine of not more than 30 million won
(Article 75 (2) 4-2)

A person who has not taken encryption measures to protect the resident registration number
A fine of not more than 30 million won
(Violation of Article 24-2 (2))
Information subject may not use resident registration number
who did not provide a method

dog
sign
tablet
see
see
of
wife
Lee

(Article 75 (2) 4-3)
A fine of not more than 30 million won

(Violation of Article 24-2 (3))

(Article 75 (2) 5)

151

Page 158
Explanation of personal information protection laws and guidelines and announcements

Article 25 Restrictions on installation and operation of image information processing devices
Article 25 (Restrictions on Installation and Operation of Image Information Processing Equipment) ① Anyone who falls under any of the following subparagraphs
Except for this, no image information processing device shall be installed or operated in a public place.
1. Where specifically permitted by law
2. When necessary for the prevention and investigation of crime
3. When necessary for facility safety and fire prevention
4. When necessary for traffic enforcement
5. When necessary for the collection, analysis and provision of traffic information
② Bath rooms, toilets, sweat rooms, changing rooms, etc. used by unspecified people
Video so that you can see the inside of a place that is likely to significantly infringe on an individual's privacy
Information processing equipment shall not be installed and operated. However, prisons, mental health facilities, etc.
A facility that detains or protects persons based on laws and ordinances prescribed by Presidential Decree.
This is not the case with facilities.
③ The head of a public institution that intends to install and operate an image information processing device pursuant to each subparagraph of paragraph (1);
A person who intends to install and operate an image information processing device pursuant to the proviso to paragraph 2 shall hold a public hearing and briefing session.
Opinions of related experts and interested persons are collected through procedures prescribed by Presidential Decree, such as holding the event.
should converge.
④ A person who installs and operates an image information processing device in accordance with each subparagraph of Paragraph 1 (hereinafter “image information processing”)
law

Device operator”) means that the information in each of the following subparagraphs is
Necessary measures must be taken, such as installing the included signage. However, “military bases and
Military facilities under subparagraph 2 of Article 2 of the Military Facilities Protection Act, subparagraph 13 of Article 2 of the 「Integrated Defense Act」
This shall not apply to national important facilities or other facilities prescribed by Presidential Decree.
1. Purpose and location of installation
2. Shooting range and time
3. Name and contact details of the manager
4. Other matters prescribed by Presidential Decree.
⑤ The operator of the image information processing equipment shall use it for a purpose different from the purpose of installation of the image information processing equipment.
You must not arbitrarily manipulate the image information processing device or illuminate other places, and the recording function is not
Can not use it.
⑥ The video information processing device operator shall ensure that personal information is not lost, stolen, leaked, forged, altered or damaged.
In accordance with Article 29, necessary measures to ensure safety shall be taken.
⑦ An operator of an image information processing device shall, as prescribed by Presidential Decree,
An operation/management policy should be established. In this case, the personal information processing policy under Article 30
may not be determined.
⑧ The operator of the image information processing equipment shall be responsible for the affairs related to the installation and operation of the image information processing equipment.
can be entrusted. However, public institutions may not be responsible for the installation and operation of image information processing equipment.
In the case of entrustment, the procedures and requirements prescribed by Presidential Decree shall be followed.

152

Page 159

Article 22 (Exceptions to Restrictions on Installation and Operation of Image Information Processing Equipment) ① In the proviso to Article 25 (2 ) of the Act
“Facility prescribed by Presidential Decree” means any of the following facilities:
1. Correctional facilities under subparagraph 4 of Article 2 of the Act on the Execution of Punishments and Treatment of Prisoners;
2. Mental medical institutions (accommodation) under subparagraphs 3 through 5 of Article 3 of the Mental Health Act;
Only those equipped with facilities), rehabilitation facilities for mentally ill persons, and mental care facilities
② The head of a central administrative agency is responsible for the personal information controller in the field under his/her jurisdiction in accordance with the proviso to Article 25 (2) of the Act.
In the case of installing and operating an image information processing device in a facility under each subparagraph of Paragraph 1 in accordance with
In order to minimize the invasion of privacy, the necessary details are provided as personal information protection guidelines.
It can be determined and recommended for compliance.
The thirdwith
chaptereach subparagraph of Article 25 (1 ) of the Act,
Article 23 (Collection of opinions when installing image information processing equipment) ① In accordance

dog to any of the following subparagraphs:
The head of a public institution who intends to install and operate an information processing device shall apply

Opinions of relevant experts and interested parties shall be collected through the appropriate procedures.
1. Implementing an administrative notice or hearing opinions under the Administrative Procedure Act;

sign
tablet
see
see
of

2. Targeting local residents directly affected by the installation of the relevant image information processingwife
device
Lee

Briefing session, survey or opinion poll
② A person who intends to install and operate an image information processing device in a facility under the proviso to Article 25 (2) of the Act
Opinions must be collected from the following persons.
1. Relationship Expert
Enforcement Decree
2. Persons who are engaged in the facility, who are detained or protected in the facility;
A person or an interested person such as a person's guardian
Article 24 (Installation of Information Boards, etc.) ① Installation and installation of image information processing equipment in accordance with each subparagraph of Article 25 (1 ) of the Act
The operator (hereinafter referred to as “image information processing equipment operator”) means that the image information processing equipment
In each subparagraph of Paragraph 4 of the same Article, so that the information subject can easily recognize that it has been installed and operated.
A notice board with information should be installed. However, multiple image information processing in the building
When installing the device, make sure that the facility or the entire place is clearly visible, such as at the entrance.
A sign indicating that the image information processing device is installed may be installed.
1. Delete
2. Delete
3. Delete
② Notwithstanding Paragraph 1, image information processing installed and operated by the operator of image information processing equipment
If the device falls under any of the following subparagraphs, instead of installing a guide
Article 25 (4) of the Act on the Internet homepage of the image information processing device operator
can be published.
1. A public institution for the purpose of long-distance filming, speeding/signal violation enforcement, or traffic flow investigation, etc.
In the case of installing an image information processing device and there is little risk of personal information infringement
2. Due to location characteristics, such as when video information processing equipment for forest fire monitoring is installed

153

Page 160
Explanation of personal information protection laws and guidelines and announcements

It is impossible to install a guide board, or even if a guide board is installed, information subjects can easily
If you can't figure it out
③ In accordance with Paragraph 2, it is possible to publish the matters in each subparagraph of Article 25 (4) of the Act on the Internet website.
If not, the operator of the image information processing equipment shall use one or more of the following methods by law.
The matters under each subparagraph of Article 25 (4) shall be disclosed.
1. Business places, sales offices, offices, stores, etc. (hereinafter referred to as “places of business, etc.”) of the operator of image information processing equipment;
How to post in a place that is easy to see
2. Official Gazette (applicable only when the operator of image information processing equipment is a public institution) or image information processing
Special Metropolitan City, Metropolitan City, Do, or Special Self-Governing Province (hereinafter referred to as the “Special Self-Governing Province”)
(referred to as “city/province”) for the promotion of newspapers, etc.
General daily newspapers pursuant to subparagraph 1 (a) and (c) of Article 2 of the relevant Act and subparagraph 2 of the same Article;
How to publish in general weekly newspapers or Internet newspapers
④ In the proviso to Article 25 (4) of the Act, “facility prescribed by Presidential Decree” means
Refers to national security facilities under Article 32 of the 「Security Business Regulations」.
Article 25 (Policy for operation and management of image information processing equipment ) ① The operator of image information processing equipment shall be subject to Article 25 of the Act.
In accordance with paragraph 7, the operation and management policy of image information processing equipment including the following
should be prepared
1. Grounds for installation of image information processing equipment and purpose of installation
2. Number of installed image information processing equipment, installation location, and shooting range
3. The person in charge of management, the department in charge, and the person who has access to video information
4. Recording time, storage period, storage location and processing method of video information
5. Method and place of video information processing equipment operator confirmation
6. Measures to the information subject's request, such as viewing of video information
7. Technical, administrative and physical measures to protect video information
8. Other matters necessary for the installation, operation and management of image information processing devices
② Regarding the disclosure of the image information processing device operation and management policy prepared in accordance with Paragraph 1,
Article 31 (2) and (3) shall apply mutatis mutandis. In this case, “personal information controller” means “image information processing
“Device operator”, “Article 30 Paragraph 2 of the Act” as “Article 25 Paragraph 7 of the Act”, and “Personal Information Processing Policy”
See “Policy for operation and management of image information processing equipment”.
Article 26 (Entrustment of Installation and Operation of Image Information Processing Equipment by Public Institutions) ① Article 25 (8 ) of the Act
In accordance with the proviso, a public institution entrusts affairs related to the installation and operation of image information processing devices.
In this case, it must be a document that contains the contents of each of the following subparagraphs:
1. Purpose and scope of entrusted affairs
2. Restrictions on re-entrustment
3. Matters concerning measures to ensure safety, such as restricting access to video information
4. Matters concerning the inspection of the management status of video information;

154

Page 161

5. Responsibilities such as compensation for damages in case the entrusted party violates the obligation to be complied with
Matters concerning
② In the case of entrusting affairs pursuant to paragraph (1), the provisions of Article 24 (1) through (3) shall apply.
The name and contact information of the person entrusted should be included on the notice board.
Article 27 (image information processing equipment installation and operating instructions), the Minister of Government Administration and Home Affairs and the Law is prescribed in twenty
In addition to matters, standards for installation and operation of image information processing equipment, and entrustment of installation and operation affairs
Video information by establishing standard personal information protection guidelines in accordance with Article 12 (1) of the Act
The operator of the processing equipment may be encouraged to comply.
Article 35 (Scope of Application) This chapter provides information on the installation and operation of video information processing equipment operators in public places.
third
chapter
It is intended for image information processing devices and personal image information processed throughThethis
device.

Article 36 (Guidelines for operation and management of image information processing equipment ) ① Thedog
operation and management guidelines for image information processing equipment
sign
tablet
In case of establishment or modification, it shall be disclosed so that the information subject can easily check
it.
see
see
② In cases where guidelines for operation and management of image information processing devices are prepared,
of

individuals in accordance with Article 30 of the Act

If the information processing policy is not established, or matters related to the installation and operation of wife
image information processing equipment,
Lee

It may be included in the personal information processing policy pursuant to Article 30 of the Act.
Article 37 (Designation of the person in charge of management) ① The operator of the image information processing device shall be responsible for the processing of personal image information.
A person in charge of management must be designated to take charge of all related work.
② The person in charge of management under Paragraph 1 shall be responsible for the duties of the person in charge of personal information protection pursuant to Article 31 (2) of the Act.
In accordance with each of the following subparagraphs:
1. Establishment and implementation of personal image information protection plan
2. Regular investigation and improvement of personal image information processing status and practices
3. Handling of complaints related to processing of personal image information and remedy for damage
standard guidelines
4. Establishment of an internal control system to prevent leakage and misuse/abuse of personal image information
5. Establishment and implementation of personal image information protection education plan
6. Management and supervision of protection and destruction of personal image information files
7. Other duties necessary for the protection of personal image information
③ If a person in charge of personal information protection pursuant to Article 31 of the Act is designated, the personal information
The person in charge of protection may perform the duties of the person in charge of management.
Article 38 (prior comment) such as a further installation according to the installation of a video object change information processing unit
Even in such cases, the opinions of relevant experts and interested parties must be collected in accordance with Article 23 (1) of the Decree.
do.
Article 39 (Installation of Information Board)
In order to make it easier to recognize that the installation and operation are in progress, according to the main sentence of Article 25 (4) of the Act, the following
Necessary measures shall be taken, such as installation of a signboard indicating the matters in each subparagraph.
1. Purpose and location of installation
2. Shooting range and time

155

Page 162
Explanation of personal information protection laws and guidelines and announcements

3. Name or position and contact information of the person in charge of management
4. In the case of entrusting affairs related to the installation and operation of image information processing equipment, the name of the trustee and
Contact
② The information board pursuant to Paragraph 1 shall be placed in a place where information subjects can easily recognize it within the shooting range.
It should be installed so that anyone can easily read it, and image information processing within this range
The device operator can autonomously determine the size and installation location of the guide board.
③ The head of a public institution efficiently manages image information processing devices within or between institutions
Physically and administratively, image information processing devices by use and region are physically and managerially used for information connection, etc.
In the case of integrated installation and operation (hereinafter referred to as 'integrated management'),
Information about the information must be written on the information board under paragraph 1 so that the information subject can easily recognize it.
do.
Article 40 (Restrictions on the use of personal image information, provision of third parties, etc.) ① The operator of the image information processing device
Except for the following cases, personal image information is not used for
It must not be provided to a third party. However, in the case of subparagraphs 5 through 9, public
limited to institutions.
1. When consent is obtained from the data subject
2. If there are special provisions in other laws
3. The information subject or his/her legal representative is in a state where he/she is unable to express his/her intention, or his/her address is unknown
In the case where prior consent cannot be obtained due to
In case it is deemed necessary for the immediate benefit of life, body, or property
4. When it is necessary for the purpose of statistical preparation and academic research, etc., it is necessary to know a specific individual
If personal image information is provided in a form that cannot be viewed
5. Do not use personal image information for any other purpose or provide it to a third party.
Otherwise, it is protected as a case where it is impossible to perform the business under the jurisdiction of other laws.
In case of deliberation and resolution of the committee
6. To provide to foreign governments or international organizations for the implementation of treaties and other international agreements;
if necessary for
7. When it is necessary for the investigation of a crime and the establishment and maintenance of public prosecution
8. Where it is necessary for the court's judicial performance
9. Where it is necessary for the execution of punishment, probation, and protective measures;
Article 41 (Storage and Destruction) ① The operator of the image information processing device shall store the collected personal image information as image information.
When the storage period specified in the processing device operation and management policy expires, it must be destroyed without delay.
do. However, this is not the case if there are special provisions in other laws.
② The image information processing device operator must, depending on the circumstances, make the minimum required to achieve the purpose of retention.
If it is difficult to calculate the period, the retention period shall be within 30 days after the collection of personal image information.
do.

156

Page 163

③ The method of destroying personal image information is as follows:
1. Prints (photos, etc.) with personal image information recorded are shredded or incinerated.
2. Personal image information in the form of electromagnetic files is technically impossible to restore.
How to permanently delete
Article 42 (Record and Management of Use, Provision of Third Party, and Destruction) ① The operator of the image information processing device is an individual
When using video information for any purpose other than collection or providing it to a third party,
The matters in each subparagraph shall be recorded and managed.
1. Name of personal image information file
2. Name of the person (public institution or individual) who used or received it
3. Purpose of use or provision

The third chapter

4. If there is a basis for use or provision under the law, the basis

dog
sign
tablet
see
see
of

5. If the period of use or provision is set, the period
6. Forms of use or provision

② When the image information processing device operator destroys personal image information, the following
wife
Lee

should be recorded and maintained.
1. Name of personal image information file to be destroyed
2. Date and time of personal image information destruction (in the case of automatic deletion with a predetermined period of destruction, etc.)
Period of destruction and when to check whether or not to automatically delete)
3. Person in charge of destruction of personal image information
Article 43 (Consignment of installation and management of image information processing equipment, etc.) ① The operator of image information processing equipment
In accordance with Article 26 (1) of the Decree, administrative affairs related to the installation and operation of image information processing equipment are provided to a third party.
In the case of consignment, the contents of the information can be easily checked at any time by the
Information boards pursuant to Article 24 and image information processing equipment operation and management policies pursuant to Article 27 of the Decree
The name of the trustee shall be disclosed.
② An operator of an image information processing device must install and install an image information processing device in accordance with Article 26 (1) of the Decree.
In the case of entrusting management-related affairs to a third party, the person entrusted with the management
It shall manage and supervise whether information is safely processed.
Article 44 (Request for viewing, etc. by data subject )
To view or confirm the existence of personal image information (hereinafter referred to as “viewing, etc.”), the relevant image
It may be requested from the information processing equipment operator. In this case, the information subject may request access, etc.
Personal image information that can be used includes personal image information taken by the information subject himself and clearly information
It is limited to personal image information necessary for the immediate benefit of the subject's life, body, and property.
② In case the operator of the image information processing device is a public institution, the head of the relevant institution
With a request for viewing and confirmation of existence of personal image information (including electronic documents) in accordance with Form 2
shall.
③ When the operator of the image information processing device receives a request under paragraph (1), without delay

157

Page 164
Explanation of personal information protection laws and guidelines and announcements

Take the necessary action. At this time, the operator of the image information processing device may request access, etc.
Identity such as resident registration card, driver's license, passport, etc.
Certificates must be submitted and verified.
④ Notwithstanding the provisions of Paragraph 3, in the case of any of the following cases, the image information processing device
The operator may reject the request of the information subject to view personal image information, etc. video in this case
The information processing device operator notifies the information subject of the reason for rejection in writing within 10 days
shall.
1. In the case of a serious impediment to criminal investigation, maintenance of public prosecution, or trial execution (limited to public institutions);
2. When personal image information is destroyed after the retention period has elapsed
3. In the event that there exists a justifiable reason to reject the request of the information subject, etc.
⑤ When an operator of an image information processing device takes measures pursuant to paragraphs 3 and 4, the following
The matters in each subparagraph shall be recorded and managed.
1. Name and contact information of the information subject who requested access to personal image information
2. Name and contents of the personal image information file requested by the information subject to read, etc.
3. Purpose of viewing personal image information, etc.
4. In case of refusal to view personal image information, specific reasons for refusal
5. If a copy of personal image information is provided to the information subject, the content and
reason provided
⑥ The information subject shall notify the operator of the image information processing device on his/her personal image information.
In the case of requesting destruction of the personal image information requested to be preserved pursuant to Paragraph 1,
You can only ask for it to be destroyed. The operator of the image information processing device shall
In case of intoxication, the contents shall be recorded and managed.
Article 45 (Personal Image Information Management Ledger) Article 42 (1) and (2) and 44 (5) and (6)
For records and management, use the 'personal image information management ledger' according to Attachment No. 3
can
The (personal video information other than the information Protection of subjects) 46. Video information processing equipment operator Article 44
In the case of taking measures such as reading according to paragraph 2, if a person other than the information subject is
If it is recognizable or there is a risk of invasion of privacy of persons other than the information subject
Protective measures are taken so that personal image information of persons other than the relevant information subject cannot be recognized.
should be taken
Article 47 (measures to ensure safety of the individual image information), the image information processing unit is a private operator
Article 29 of the Act and Article 30 of the Enforcement Decree to prevent loss, theft, leakage, alteration or damage of video information
In accordance with Paragraph 1, the following measures shall be taken to ensure safety.
1. Establishment and implementation of an internal management plan for safe processing of personal image information;
'Small business owners' pursuant to Article 2, Item 4 of the Notification of Standards for Measures to Secure Information Security are managed internally.
You may not have a plan.

158

Page 165

2. Measures to control access to personal image information and restrict access rights
3. Application of technology that can safely store and transmit personal image information (network camera
Encryption measures for safe transmission, password when storing personal image information files
settings, etc.)
4. Measures to keep processing records and prevent forgery and falsification (the date and time of creation of personal image information)
and in case of reading, record and management measures such as purpose of reading, reader, date of reading, etc.)
5. Provision of storage facilities for safe physical storage of personal image information or installation of locking devices
Article 48 (Inspection of Installation and Operation of Personal Image Information Processing Equipment) ① The head of a public institution
In the case of installing and operating information processing equipment, self-inspection of compliance with this guideline is carried out.
The third
chapter year, and Article 34 of the Decree
The results are notified to the Minister of Government Administration and Home Affairs by March 31 of the
following

dog
It must be registered in the system according to paragraph 3. In this case, the following matters should be considered:
sign
tablet
see
see
of

do.
1. Matters listed in the operation and management policy of image information processing equipment
2. Current status of management manager's work

wife
Lee

3. Status of installation and operation of image information processing equipment
4. Current status of collection, use, provision, and destruction of personal image information
5. Current status of management and supervision of consignment and trustee
6. Status of measures for the exercise of rights by data subjects
7. Status of technical, administrative, and physical measures
8. Whether the necessity to install and operate an image information processor continues, etc.
② The head of a public institution is responsible for the installation and operation of image information processing equipment under paragraphs 1 and 3;
After completing the self-inspection, the results shall be disclosed on the website, etc.
③ Operators of image information processing equipment other than public institutions must install and operate image information processing equipment.
If there is a concern about the infringement of the personal image information of the information subject,
Active efforts should be made to prevent infringement of video information.

1. Scope and subject of application
A. Scope of application: Image information processing device
The image information processing equipment that is prohibited or restricted in installation and operation under Article 25 of this Act shall be placed in a certain space.
It is continuously installed to record images of people or objects or to transmit them through wired and wireless networks.
It is limited to devices (Article 2, No. 7). Specifically, closed circuit television (CCTV) and network cameras are
(Article 3 of the Enforcement Decree). A black box that is installed in a vehicle and takes pictures of the outside is continuously located in a certain space.
It cannot be regarded as installed and cannot be regarded as belonging to this category because it is premised on mobility.

159

Page 166
Explanation of personal information protection laws and guidelines and announcements

Reference「Personal Information Protection Act」 Article 2, No. 7
7. “Image information processing device” means continuously installed in a certain space to record images of people or objects, or
It refers to a device prescribed by Presidential Decree as a device for transmission through a wired/wireless network.

I Applicable to: Anyone
Article 25 of this Act applies to 'everyone' who installs and operates image information processing devices in public places.
applies. That is, 'personal information that processes image information to operate personal information files for business purposes'
Anyone who installs and operates an image information processing device, even if it is not a ‘processor’
included in the subject of regulation.

2. Prohibition of installation and operation in 'public places' (paragraph 1)
The meaning of public places
This law applies only to image information processing devices installed and operated in 'public places'. 'Public Places'
To allow an unspecified number of people to enter or use public places such as roads, parks, plazas, and subway stations
Permitted places, that is, places where data subjects are not restricted from accessing or passing through.
Therefore, only specific people or people with specific purposes can enter, or access is strictly controlled.
The place does not correspond to the 'public place' referred to here.
Note 1 Examples of public places
· Public places such as roads, parks, airports, ports, parking lots, playgrounds, subway stations, etc.
· Department stores, hypermarkets, shopping malls, amusement parks (theme parks), etc.
· Public transportation that anyone can ride, such as buses and taxis

Note 2

Judgment on public places

· It is connected to other roads and there is no control or even if a circuit breaker is installed, it is open and closed.
The passages in apartment complexes or university districts, where anyone passes by vehicle, prevent the passage of an unspecified number of people or vehicles.
It is considered a public place for (Supreme Court 2006.1.13. 2005 Do 6986 judgment)
· It is not for a specific commercial building, there is no resident/manager, there is no access blocking device, and it is operated free of charge.
Public parking lots that can be used by an unspecified number of people at any time are open to the passage of an unspecified number of people or vehicles.
see the place (Supreme Court 2005. 9. 15. 2005 Do 3781 Decision)
· To allow free entry and exit by the general public, open places where many people come and go, and free entry of the general public

160

Page 167

Whether a place is open to the public is determined by the structure of the place, the relationship between use and openness and accessibility, and the specific form of governance and management.
Judgment is made in consideration of various circumstances comprehensively (Supreme Court decision 2014, 17290, September 10, 2015).

As Article 25 of this Act regulates only the installation and operation of image information processing devices in public places,
When installing and operating an image information processing device in an undisclosed or purely private place,
There is a question as to whether the principle applies.

1) In case of installing and operating an image information processing device in an undisclosed place
The third chapter

It is unspecified that Article 25 of this Act regulates only image information processing devices installed in 'public places'.
In public places where a large number of people enter and use, the collection (filming) and use of personal image information is
As it is practically impossible to obtain consent, the installation of information boards and collection of opinions in advance

dog
sign
handled
tablet
see
see
of

one by one.

The purpose is to protect the personal information and privacy of an unspecified number of people through protective measures. wife
Lee

Therefore, for image information processing devices installed in undisclosed places, the installer/operator
'Personal information that installs and operates image information processing equipment to operate personal information files for image information
The general principle of Article 15 (collection and use of personal information) of this Act applies only to cases that fall under the ‘processor’.
is judged
That is, the personal information controller who operates personal image information files for the purpose of work
Obtain the consent of those who are permitted to use it (Article 15 (1) 1 of the Act), or install/install the image information processing device
Operation is necessary for the achievement of the legitimate interests of the personal information controller and clearly exceeds the rights of the data subject.
In the case of priority (Article 15 (1) 6 of the Act), etc., by installing an image information processing device in a 'undisclosed place',
Personal image information may be collected and used.
In this case, image information installed with an image information processing device in a place disclosed in this Act, such as the duty to install a notice board
The obligations applicable to the operator of the processing device are not applicable to the operator of the video information processing device in a non-public place.
Although it does not appear to be applicable, the need for protection
In order to clearly inform the operation status of the image information processing equipment as it is large, the information boards etc.
It would be desirable to comply with the installation obligation.
On the other hand, there are separate regulations in other laws for image information processing devices installed in undisclosed places.
If there is, the principles and procedures must be followed.

161

Page 168
Explanation of personal information protection laws and guidelines and announcements

ReferenceArticle 244-2 of the Criminal Procedure Act
Article 244-2 (Video Recording of Suspect Statement) ① The statement of the suspect may be video recorded. In this case, the video recording
The entire process from the start of the investigation to the end of the investigation and the objective circumstances should be video-recorded.
② When the video recording under Paragraph 1 is completed, the original shall be sealed in front of the suspect or his defense counsel without delay.
The suspect must have his or her name sealed or signed.
③ In the case of Paragraph 2, if there is a request from the suspect or his/her defense counsel, the video recording shall be played and watched.
do. In this case, when stating an objection to the content, a document stating the purport shall be attached.

2) In case of installing and operating an image information processing device in a purely private place
In cases where the image information processing device is installed in a purely private space such as an individual's house, this Act
application is excluded. For the purpose of crime prevention (crime prevention), for example, at the gates and entrances of detached houses, row houses, etc.
This is the case when CCTV for surveillance is installed. In this case, the place where the image information processing device is installed
It is not a public place, and the individual who installs and operates the image information processing device is also referred to as the 'personal information controller'.
This law does not apply because it is difficult to see that it is applicable.
<Examples of issues related to the installation and operation of image information processing equipment>
CCTV of taxis and buses

Case 1

CCTV, which is installed inside commercial vehicles such as taxis and buses, and records the boarding space and passengers, is 'constantly in a certain space'.
It is being installed and filmed, and it also satisfies the requirements of an 'open place' in that it is a space where a large number of unspecified passengers board. therefore
CCTV installed inside commercial vehicles is subject to Article 25 of this Act.

Black boxes installed on taxis and buses

Case 2

In the case of a so-called 'black box' installed inside commercial vehicles such as taxis and buses to take pictures of the outside (vehicles, roads, etc.)
Since it is not a photograph of a space, Article 25 of this Act does not apply.
On the other hand, the operating entities of taxis and buses (bus companies, personal taxi drivers, etc.)
As it is difficult to be regarded as a personal data controller “processing data”, the other privacy principles of this Act do not apply. but
In order to respond to traffic accidents at bus and taxi companies, etc., video information recorded with a black box is stored in personal information such as the date and time of the accident and victims.
If it is arranged and organized according to the requirements for easy search, it is a personal information file and is subject to this Act.

Case 3

Black box installed in private car

A privately owned vehicle is not a public place, but a purely private space, and the 'black box' installed here is
does not apply

162

Page 169

Case 4

CCTV installed in buildings such as government offices and corporations

Since many unspecified people enter the civil service room of public offices and the lobby of corporate buildings, the image information processing device installed here
Article 25 of this Law shall apply.
However, inside or outside government buildings where access is strictly controlled and only internal staff or authorized persons are permitted to enter.
Since the internal space of the corporate office is a 'private place', Article 25 of this Act does not apply.
However, in this case, the relevant government office, company, etc. may use “personal image information to operate personal information files for business purposes.
In the case of installing and operating an image information processing device in an internal space for “processing”, other personal information protection principles of this Act
applies. That is, when it is necessary to obtain the consent of the member or to achieve the legitimate interests of the personal information controller, etc.
Only the installation and operation of image information processing equipment is permitted.

Case 5

The third chapter

CCTV installed inside the business site

dog
sign
In some cases, private companies install and operate image information processing devices for the purpose of monitoring the working behavior of tablet
workers.
see
The image information processing device installed inside the workplace may conflict with the employer's right to manage labor and the worker's rightsee
to protect
of

There are concerns.

privacy.

wife
Lee

As a working space where outsiders are restricted from entering is, in principle, a non-public place, Article 25 of this Act does not apply.
Other general privacy principles apply. Therefore, in principle, consent must be obtained from the worker, but
In the case of installing CCTV in a specific place for the purpose of preventing theft of company assets and safety of facilities, etc.

In cases where it is necessary for the achievement of profits and clearly takes precedence over the rights of the data subject (Article 15 (1) 6 of the Act), the
It will be said that the installation and operation of image information processing equipment is possible without consent.
In this regard, in the 「Act on the Promotion of Worker Participation and Cooperation」, worker monitoring equipment such as CCTV
As it is stipulated as a matter for discussion, the scope of CCTV installation for labor monitoring purposes and measures to prevent invasion of privacy are determined by labor and management.
It is stipulated that the installation and operation can be determined by agreement.

B. Exceptional permission for installation of image information processing equipment (each subparagraph of Paragraph 1)
In principle, it is prohibited to install and operate image information processing devices in public places, but
Exceptionally, installation and operation are permitted when necessary for protection. This law consists of five
The reasons for permission for installation and operation are stipulated.

① When specifically permitted by law (No. 1)
Some laws make it compulsory to install an image information processing device in consideration of the specificity of the place, or
installation is allowed.

163

Page 170
Explanation of personal information protection laws and guidelines and announcements

< Laws regulating the installation of image information processing equipment >
related laws

Contents
Self-propelled parking lot with more than 30 parking spaces, underground or

In the off-street parking lot with a building type, the entire interior of the parking lot can be seen from the management office.
「Enforcement Rules of Parking Lot Act」
By installing and managing crime prevention facilities including closed circuit televisions and recording devices,
Must (Article 6 (1) 11)
Kindergarten, elementary school, special school, childcare facility, city park, etc.

「Child Welfare Act」

Closed circuit televisions may be installed and operated in designated facilities (Article 32)

“Special Act on Support for Abandoned MineCasino
Area Development
operators have closed circuit televisions at key points inside and outside the hotel.
Enforcement Decree”

Must be installed and operated (Article 14 (2))
The director of the foreigner protection facility is a closed circuit in order to secure the safety measures of the protection facility.

「Alien Protection Rules」

Television may be installed and operated (Article 37 (2))

Bathhouse operators shall install unmanned surveillance cameras in facilities other than bath rooms, sweat rooms, and changing rooms.
「Public Sanitation Management Act Enforcement Rules」
Can be installed (Appendix 1)
“For the security of international sailing ships Passenger
and port facilities,
waiting areas of international passenger ship terminals, port facilities determined by Ordinance of the Ministry of Land, Transport and Maritime Affairs
Enforcement Rules of the Act”

Closed circuit televisions should be installed on fences installed in the area (Appendix 4)

“Act on Bioethics and Safety

The somatic cell cloned embryo research institute uses CCTV, etc. to monitor laboratories and storage facilities.

Enforcement Rules”

Must be installed (Appendix 4)

“Determination and structure of undergroundThe
public
sidewalk
facilities
and room of the underground public sidewalk facility must be equipped with its own surveillance camera (CCTV) facility.
central
disaster
prevention
“Rules on Installation Standards”

(Article 12)

② When necessary for crime prevention and investigation (No. 2)
In addition to crimes under the Criminal Act, crimes include crimes under various individual laws and enforcement laws. For example, “misdemeanor
Various misdemeanor offenses under the “Penalty Act” (strong sale of goods on roads, audiences, unauthorized pasting of advertisements, etc., cigarette butts, gum, etc.)
Abandonment of toilet paper and garbage, street lighting, natural damage to parks, scenic spots, amusement parks, etc., seat tax collection, etc.
A surveillance camera can also be installed and operated to prevent and investigate trafficking, smoking in non-smoking areas, etc.).
When CCTV is installed and operated on roads or alleys in crime-prone areas, it is used for crime prevention at bank ATM facilities.
When installing and operating CCTV, when installing and operating CCTV for anti-theft in department stores and convenience stores, etc.
This applies to the installation and operation of CCTV for anti-theft in the company's own warehouse.
③ When necessary for facility safety and fire prevention (No. 3)
Various natural disasters, facility deterioration, man-made damage, riots, arson, graffiti, etc.
Installation and operation of image information processing equipment is permitted if necessary to protect property, etc. underground
Prevention of safety accidents at railway stations, facility management and fire prevention of public buildings such as electricity, gas, and water, safety of cultural assets
and cases for protection.

164

Page 171

④ In case it is necessary for traffic control (No. 4)
Image information processor when necessary to crack down on and prevent violations of traffic laws by various vehicles and people
Installation and operation of the equipment is permitted. Violations of traffic laws such as parking/stop violations, signal violations, speed violations, etc.
This includes the installation of CCTV for security purposes.

⑤ When necessary for the collection, analysis and provision of traffic information (No. 5)
It is necessary to collect and provide information on traffic volume analysis and traffic accidents for smooth traffic flow.
If necessary, installation and operation of image information processing equipment is permitted. That is, the amount of traffic on highways and major arterial roads
This includes cases where it is necessary to collect and analyze

The third chapter

dog
sign
tablet
see
see
of

3. Inside a place that is likely to significantly infringe an individual's privacy

wife
Lee

Prohibition of installation and operation (Section 2)

A place where there is a risk of significantly infringing on an individual's privacy (the main text of paragraph 2)
For places where personal privacy is likely to be significantly infringed, of course,
It is necessary to strictly limit the installation and operation. Accordingly, this Act applies to anyone who
In places that are likely to significantly infringe on personal privacy, such as bathrooms, toilets, sweat rooms, and changing rooms.
It is prohibited to install and operate image information processing equipment so that the inside can be seen.

B. Exceptional permission (proviso to paragraph 2)
In facilities that detain or protect people for the purpose of public interest, there is no self-harm or damage in the bathroom, toilet, etc.
There is a need to install and operate image information processing devices to prevent suicide, violent acts, and escape.
Accordingly, this Act applies to laws and regulations such as prisons, detention centers, foreigner protection facilities, juvenile centers, and mental health facilities.
Exceptions shall be recognized for facilities prescribed by Presidential Decree as facilities for detaining and protecting persons based on the
have. Specific facilities are as follows.

165

Page 172
Explanation of personal information protection laws and guidelines and announcements

< Exceptional installation and operation allowed in places that are likely to significantly infringe on personal privacy >
related laws

Contents

“On the execution of sentences and treatment
Correctional
of prisoners
Facility (Article 2, No. 4)
※ Prisons, detention centers and their branches

Act on

「Mental Health Act」

Mental medical institutions (only those with accommodation facilities), mentally ill persons return to society
Facilities, mental care facilities (Article 3, 3 through 5)

In this regard, the head of the relevant central administrative agency is responsible for the personal information controller (prison, detention center and its
branch office, psychiatric institution, etc.) installs and operates an image information processing device in the relevant facility,
In order to minimize the invasion of privacy, the necessary details are set as the personal information protection guidelines and compliance is ensured.
It may be recommended (Article 22 Paragraph 2 of the Decree).

4. Installation and operation procedures and methods of image information processing equipment (paragraphs 3 and 4)
A. Expert advice and opinion gathering of interested parties (paragraph 3)
In order to prevent indiscriminate installation and operation of image information processing equipment and invasion of privacy due to this
It is necessary to collect and reflect the opinions of stakeholders during operation.

① In the case of public institutions (Article 23 (1) of the Decree)
When a public institution intends to install and operate an image information processing device in a public place, any of the following subparagraphs
Opinions of related experts and interested parties must be collected through one of the procedures.
1. Implementing an administrative notice or hearing opinions under the Administrative Procedure Act;
2. A briefing session for local residents, etc. directly affected by the installation of the relevant image information processing device;
a survey or poll

② Gathering opinions when installing in places where there is a risk of invasion of personal privacy (Article 23 (2) of the Enforcement Decree)
In accordance with Article 25 (2) of the Act and Article 22 of the Enforcement Decree, image information processing devices are installed in correctional facilities or psychiatric institutions.
A person who intends to install and operate shall collect opinions from all of the following persons:
1. Relationship Expert
2. A person who works in the relevant facility, a person who is detained or protected in the relevant facility, or a person who is
Stakeholders such as guardians of people

166

Page 173

B. Installation and operation of image information processing equipment (paragraph 4)
① Installation of signage (Main Paragraph 4, Article 24 Paragraph 1 of the Decree)
Since the image information processing device is continuously installed and operated in a public place, the subject to be photographed
It is virtually impossible to exercise control over what is filmed. Therefore, Article 25 of the Act
For image information processing devices that are subject to the application, shooting is done through the installation of a notice board notifying the fact of the shooting.
It is necessary to guarantee the subject's right to self-determination of personal information.
The image information processing device operator can easily recognize that the information subject is installing and operating the image information processing device.
A notice board should be installed. The information on the notice board is as follows.

The third chapter

dog
sign
tablet
see
see
of

① Purpose and location of installation
② Shooting range and time
③ Manager and contact information
④ Other matters prescribed by Presidential Decree

wife
Lee

However, in the case of large buildings such as department stores and stations, a number of image information processing devices are installed.
Forcing the installation of a guide plate individually for each of these devices may be overly restrictive.
Therefore, in the case of installing multiple image information processing devices in a building,
A sign indicating that the entire facility or place is an image information processing device installation area may be installed.
(proviso to Article 24 Paragraph 1 of the Decree).
The information board is designed to be easily readable by anyone in a place where the subject of information can easily recognize it within the shooting range.
must be installed, and if this is satisfied, the size or installation location of the guide board within the range is image information processing
The device operator may decide voluntarily (Standard Guide Article 39 Paragraph 2).
In some cases, public institutions integrate and manage image information processing devices for efficient management and information linkage.
In such cases, in order to make it easier for information subjects to understand the contents of integrated management, such as the purpose of installation, Article 39
It must be written on the information board according to Paragraph 1 (Standard Guideline Article 39 Paragraph 3).

② Posting on the Internet website (Article 24 (2) of the Decree)
Depending on the operation status of the image information processing device, it is meaningless to install a signboard or the information subject
There may be circumstances that are not recognizable.
Therefore, in the law, ① public institutions are required to conduct long-distance shooting, speeding/signal violation enforcement, or traffic flow investigations.
In the case of installing a video information processing device for the purpose of which there is little risk of personal information infringement, or ② Video
Due to the characteristics of the location, such as when an information processing device operator installs an image information processing device for forest fire monitoring,
It is impossible to install a guide board, or even if a guide board is installed, the information subject cannot easily recognize it.

167

Page 174
Explanation of personal information protection laws and guidelines and announcements

If there is no information board, the image information processing equipment operator's Internet homepage will be posted on the website of English No. 24
Article 1 Paragraph 1 of each subparagraph was allowed to be posted.

③ Posted on business sites, sales offices, etc. (Article 24 (3) of the Decree)
Small businesses or small business owners may not have an Internet homepage at all. Likewise
In the event that the image information processing device operator is unable to publish the posted information on the Internet website: ① Image information
In easy-to-see places at the place of business, sales office, office, store, etc. (hereinafter referred to as "place of business, etc.") of the processing equipment operator
② Post it in the official gazette (limited to the case where the operator of the image information processing equipment is a public institution) or the image information processing equipment
More than the Special Metropolitan City, Metropolitan City, Do, or Special Self-Governing Province (hereinafter referred to as "City/Do") or higher in which the operator's place of business, etc. is located
General under subparagraphs 1 and 2 of Article 2 of the 「Act on the Promotion of Newspapers, etc.」, which has an area as its main distribution area;
Article 24 of the Enforcement Decree shall be made public by posting it in daily newspapers, general weekly newspapers, or internet newspapers.
Section 2).

④ Exemption from the obligation to install information boards (proviso to paragraph 4, Article 24 (4) of the Decree)
Information boards for image information processing devices installed and operated for important public interest purposes such as national security
Installation may be an obstacle to the achievement of its purpose. Therefore, for these facilities,
Exemption is required That is, the head of a public institution (1) pursuant to subparagraph 2 of Article 2 of the 「Military Bases and Military Facilities Protection Act」
Military facilities, ② Nationally important facilities under Article 2, No. 13 of the 「Integrated Defense Act」, ③ 「Security Business Regulations」 Article 32
When installing image information processing equipment in national security facilities in accordance with
are doing
< Facilities exempt from installation of signage >
division

military facilities

Contents
Battle positions, obstacles for military purposes, explosives-related facilities, shooting ranges, training grounds, military telecommunications
Facilities and other facilities directly used for military purposes
National important facilities” means public institutions, airports, ports, major industrial facilities, etc.

National important facilities
If it is destroyed or paralyzed, it will seriously affect national security and people's lives.
say facilities.
national security facility
Facilities that are likely to cause chain chaos to national security

168

Page 175

5. Obligations of image information processing equipment operator (paragraphs 5 to 8)
Prohibition of arbitrary manipulation and use of recording function (Section 5)
Since image information processing equipment is continuously installed and operated in a certain place,
Having a recording function inadvertently results in recording conversations between people.
However, the act of listening to and recording conversations between others is strictly prohibited by the 「Communication Secrets Protection Act」.
(Article 3), it is necessary to limit the recording function of video information processing devices according to this Act. Also by the operator
Even if arbitrary manipulation is enabled, there is also a greater risk of invasion of privacy.
Therefore, this Act requires that operators of image information processing equipment

The third chapter

dog

Do not arbitrarily manipulate the image information processing device or illuminate other places, and use the recording functionsign
as well.
(Article 25 (5) of the Act).
.

ReferenceArticle 3 of the 「Communication Secret Protection Act」

tablet
see
see
of
wife
Lee

Article 3 (Protection of Communications and Conversation Secrets) (1 ) Except in accordance with this Act, the Criminal Procedure Act, or the Military Court Act, anyone
Inspection of mail, wiretapping of telecommunication, or provision of communication confirmation data
Cannot record or listen to conversations. However, in the case of each of the following subparagraphs, it shall be subject to the provisions of the relevant Act.
1. Processing of returned mail, etc.: Postal money with explosives, etc. in accordance with Article 28, Article 32, Article 35, Article 36, etc. of the Postal Act
When opening a parcel post suspected of containing the product (including similar items), the addressee
In the case of returning mail that cannot be delivered or the addressee refuses to receive, the address and name of the sender are returned to the sender.
When the addressee refuses to receive the mail and returns it, it is opened in order to know the address and name.
In case of handling non-refundable mail containing valuables
2. Inspection of import and export mail: For mails other than new letters pursuant to Articles 256 and 257 of the Customs Act, etc.
Customs Inspection Procedure
3. Correspondence to persons in detention or imprisonment: Article 91 of the Criminal Procedure Act, Article 131 of the Military Court Act, 「Execution and
Articles 41, 43, and 44 of the Act on the Treatment of Prisoners and 「Execution of sentences in the military and treatment of inmates in the military」
Management of communications for persons in detention or serving a sentence under Articles 42, 44 and 45 of the Act
4. Communication to a person declared bankrupt: According to Article 484 of the Debtor Rehabilitation and Bankruptcy Act
When a trustee in bankruptcy receives a communication sent to a person declared bankrupt
5. Radio wave monitoring for interference removal, etc.: Maintaining radio wave order such as interference removal according to Articles 49 to 51 of the Radio Act
In the case of radio wave monitoring for
Article 14 (prohibition of infringement of others confidential conversations) ① record or electronic devices conversation between anyone not already in the public domain others
or unable to listen using mechanical means.

B. Obligation to take measures to ensure safety (paragraph 6)
The operator of image information processing equipment shall ensure that personal information is not lost, stolen, leaked, forged, altered or damaged.
Measures necessary to ensure safety shall be taken pursuant to Article 29.

169

Page 176
Explanation of personal information protection laws and guidelines and announcements

ReferenceArticle 29 of the 「Personal Information Protection Act」
Article 29 (Obligation for Safety Measures) The personal information controller shall ensure that personal information is not lost, stolen, leaked, forged, altered or damaged.
Establishment of internal management plan, storage of access records, etc., as prescribed by Presidential Decree, technical and
Administrative and physical measures should be taken.

However, since personal image information is created and stored as image files on videotape or memory, its safety
Security measures are also different from general personal information. Accordingly, in the standard guidelines, personal image information is
Measures to ensure safety are stipulated separately (Standard Guideline Article 47).
< Measures to secure the safety of personal image information >
· Establishment and implementation of an internal management plan for safe processing of personal image information, provided that “Securing the safety of personal information
A 'small business owner' pursuant to subparagraph 4 of Article 2 of the Notification of Measures Standards may not establish an internal management plan.
· Measures to control access to personal image information and restrict access rights
· Application of technology that can safely store and transmit personal image information (in the case of network cameras, secure transmission is
encryption measures, password setting for personal image information files, etc.)
· Measures to keep processing records and prevent forgery and falsification
Recording and management measures, such as purpose, viewer, date of reading, etc.)
· Provision of storage facilities for safe physical storage of personal image information or installation of locking devices

C. Enactment of policy for operation and management of image information processing equipment (Section 7, Article 25 of the Enforcement Decree)
The image information processing equipment operator shall comply with the image information processing equipment operation and management policy including the following matters.
should be prepared
Article 25 (1) of the Enforcement Decree
1. Grounds for installation of image information processing equipment and purpose of installation
2. Number of installed image information processing equipment, installation location, and shooting range
3. The person in charge of management, the department in charge, and the person who has access to video information
4. Recording time, storage period, storage location and processing method of video information
5. Method and place of video information processing equipment operator confirmation
6. Measures to the information subject's request, such as viewing of video information
7. Technical, administrative and physical measures to protect video information
8. Other matters necessary for the installation, operation and management of image information processing devices

In the case where the operator of image information processing equipment has established a policy for operation and management of image information processing equipment, it shall be subject to Article 30 of the Act.
A personal information processing policy may not be established in accordance with the Act (Article 25 (7) of the Act). In addition, image information processing equipment

170

Page 177

Installation and operation matters may be included in the personal information processing policy pursuant to Article 30 of the Act.
(Standard Guidelines Article 36 Paragraph 2).
If the image information processing equipment operator has set the image information processing equipment operation and management policy, it shall disclose it.
do. Regarding disclosure, Article 31 (2) and (3) of the Enforcement Decree (Disclosure Method of Personal Information Handling Policy) shall apply mutatis mutandis.
(Article 25 Paragraph 2 of the Decree). That is, the image information processing equipment operation and management policy is, in principle, that of the image information processing equipment operator.
It must be continuously posted on the Internet homepage, and if it is not possible to post on the Internet homepage, the following
The operation and management policy of image information processing equipment shall be disclosed by any one or more methods of each subparagraph.
1. How to post in a place that is easy to see, such as the place of business of the personal information manager
2. The city/province where the official gazette (applicable only to cases where the personal information controller is a public institution) or the
business of the personal information controller is located;
Theplace
thirdofchapter
Subparagraph 1 (a) and (c) of Article 2 of the 「Act on the Promotion of Newspapers, etc.」, in which the above areas are the main distribution areas;
Method of publication in general daily newspapers, general weekly newspapers or internet newspapers under subparagraph 2 of the same
3. Publications, newsletters, publicity brochures, or bills issued twice a year with the same title and distributed to information subjects;
How to keep loading on your back

dog
sign
Article;
tablet
see
see
of

4. Information included in the contract written by the personal information controller and the information subject to provide goods or services wife
Lee

How to issue to subject

D Designation of personal image information management manager (Standard Guidelines Article 47)
The image information processing device operator is responsible for the overall processing of personal image information.
A person in charge of information management should be designated. The person in charge of management shall be in charge of personal information protection pursuant to Article 31 of the Act.
perform work in accordance with However, if a person in charge of personal information protection has already been designated in accordance with Article 31 of the Act,
In this case, there is no need to designate the person in charge repeatedly, so the person in charge of personal information protection
Able to perform the duties of a manager.

E. Personal image information management ledger (Standard Guidelines Articles 42, 44, 5 and 6, and Article 45)
The image information processing device operator may use personal image information for any purpose other than collection or provide it to a third party.
In this case, the following items must be recorded and managed (Standard Guideline Article 42 Paragraph 1).
<Records when using or providing to a third party for purposes other than personal image information>
1. Name of personal image information file
2. Name of the person (public institution or individual) who used or received it
3. Purpose of use or provision
4. If there is a basis for use or provision under the law, the basis
5. If the period of use or provision is set, the period
6. Forms of use or provision

171

Page 178
Explanation of personal information protection laws and guidelines and announcements

In addition, when the image information processing device operator destroys personal image information, the following shall be recorded and
It must be managed (Article 42 Paragraph 2 of the Standard Guideline).
<Records when personal image information is destroyed>
1. Name of personal image information file to be destroyed
2. Date and time of destruction of personal image information (in the case of automatic deletion with a predetermined period of destruction, etc. in advance, the destruction period and automatic deletion)
when to check whether
3. Person in charge of destruction of personal image information

In addition, the operator of the image information processing device may request that the data subject request to view or destroy personal image information.
In such a case, measures and details thereof shall be recorded and managed (Article 44 (5) and (6) of the Standard Guideline).
<Records when requested by the information subject to view personal image information>
1. Name and contact information of the information subject who requested access to personal image information
2. Name and contents of the personal image information file requested by the information subject to read, etc.
3. Purpose of viewing personal image information, etc.
4. In case of refusal to view personal image information, specific reasons for refusal
5. If a copy of personal image information is provided to the information subject, the content of the image information and the reason for the provision

In case the operator of the image information processing equipment records and manages the above, the standard guideline attached form No. 3
You can use the 'personal image information management ledger' form.
< Personal image information management ledger >
use and receive
number

division

file name/

Pause

shape

manager

purpose/ is a third party Use·
Reason

/read, etc.

use/use

basis for provision
ball shape

term

claimant
□ Use
□ Offer

One

□ Reading
□ Destroy
□ Use
□ Offer

2

□ Reading
□ Destroy
□ Use
□ Offer

3

□ Reading
□ Destroy

172

Page 179

Bar Consignment of installation and operation of image information processing equipment (Section 8, Article 26 of the Enforcement Decree)
In some cases, the installation and operation of image information processing equipment is done directly, but many of them are installed and operated by an external professional company.
It is done in the form of outsourcing operation. In view of this operational reality, this Act
Device operators are permitted to entrust the installation and operation of image information processing devices.
(Article 25 (8) of the Act).
In particular, when a public institution entrusts affairs related to the installation and operation of image information processing equipment,
It should be a document with contents, and the name and contact information of the trustee should be posted on the information board.
(Article 26 of the Decree).
The third chapter

< Documents included when consigning installation and operation of image information processing equipment
dog to public institutions >
sign
tablet
see
see
of

1. Purpose and scope of entrusted affairs
2. Restrictions on re-entrustment
3. Matters concerning measures to ensure safety, such as restricting access to video information

wife
Lee

4. Matters concerning the inspection of the management status of video information;
5. Matters concerning liability, such as compensation for damages in case the entrusted person violates the obligation to be complied with;

However, if a private company, organization, or individual entrusts the installation and operation of image information processing equipment,
As there are no special restrictions on the entrustment method, etc., as a result, Article 26 of this Act
Restrictions on the processing of personal information) apply.

Inspection of installation and operation of image information processing equipment (Standard Guideline Article 48)
Whether the image information processing device is operated according to the purpose of its installation even after installation, and whether personal image information is violated
It is necessary to continuously check whether there are any concerns, etc., and supplement the problems. In particular, public institutions
Since a number of image information processing devices are being operated to fulfill the purpose, stricter inspection is required compared to the private sector.
need.
When the head of a public institution installs and operates an image information processing device, this Act
and self-inspection on compliance with standard guidelines, and submit the results by March 31 of the following year to the Ministry of Government Administration and Home Affairs
Notify the Minister and enter the system (Personal Information Protection Comprehensive Support Portal System) in accordance with Article 34 (3) of the Enforcement Decree
must be registered. In addition, the results should be disclosed through the portal system homepage.

173

Page 180
Explanation of personal information protection laws and guidelines and announcements

<Considerations when checking image information processing equipment in public institutions>
1. Matters listed in the operation and management policy of image information processing equipment
2. Current status of management manager's work
3. Status of installation and operation of image information processing equipment
4. Current status of collection, use, provision, and destruction of personal image information
5. Current status of management and supervision of consignment and trustee
6. Status of measures for the exercise of rights by data subjects
7. Status of technical, administrative, and physical measures
8. Whether the necessity to install and operate an image information processor continues, etc.

Operators of image information processing equipment other than public institutions are obliged to check the installation and operation of image information processing equipment.
However, if there is a concern about the infringement of the personal image information of the information subject,
Active efforts should be made to prevent infringement.

6. Request for viewing, etc. of personal image information (Standard Guideline Article 44)
In general, the image captured through the image information processing device is viewed and operated by the person who installs and operates the device.
It is common to use it, but in some cases, the information subject photographed through the image information processing device
There may be cases where you want to use video information about For example, theft or
A person who has experienced other criminal acts may not access or confirm the existence of video information for the purpose of investigating the crime.
That's the case when you ask for it. Accordingly, in the standard guidelines, regulations on requests for viewing of personal image information, etc.
are leaving

A Request for viewing of personal image information, etc.
The information subject must view or confirm the existence of personal image information processed by the operator of the image information processing device.
There may be cases where it is requested from the operator of the relevant image information processing device (for example,
Request to view CCTV footage to confirm theft). However, individuals not related to the data subject
If you allow viewing of video information, you may infringe on the privacy of others who have been photographed in the video.
have. Therefore, personal image information that can be requested to be viewed is 1) personal image information taken by the information subject himself.
and 2) It is limited to personal image information clearly necessary for the immediate benefit of the life, body, and property of the information subject.

174

Page 181

Or visual information processing equipment operator actions
When the operator of the image information processing device receives a request to view personal image information, etc., he/she shall take necessary measures without delay.
should be taken However, even in this case, in order to prevent invasion of privacy, etc., the person who requested
It is necessary to submit identification documents such as resident registration card, driver's license, or passport to confirm whether the agent is a legitimate agent.
do.
An operator of an image information processing device may reject a request for viewing, etc. of an information subject in the following cases:
can In this case, the operator of the image information processing device shall notify the information subject of the reason for rejection in writing within 10 days.
should be notified.
The third chapter

<Reason for refusal to request to view personal image information>
1. In the case of a serious impediment to criminal investigation, maintenance of public prosecution, or trial execution (limited to public
2. When personal image information is destroyed after the retention period has elapsed

dog
sign
tablet
see
institutions);
see
of
wife
Lee

3. In the event that there exists a justifiable reason to reject the request of the information subject, etc.

7. Establishment and recommendation of guidelines for installation and operation of image information processing equipment (Article 27 of the Enforcement Decree)
The Minister of the Interior and Home Affairs shall be responsible for the installation and operation of image information processing devices other than those prescribed by the Act and this Decree.
Standard personal information protection guidelines in accordance with Article 12 (1) of the Act regarding standards, entrustment of installation and operation affairs, etc.
It can be determined and recommended to the operator of the image information processing device to comply with it.

8. Partial exclusion of legal use for image information processing devices installed in public places
(Article 58 (2) of the Act)
As described above, when an image information processing device is installed and operated in a public place, it is generally
Since the principle of personal information protection is difficult to apply, there are separate regulations in Article 25 of this Act. Therefore
Therefore, this Act does not apply to personal information processed by installing and operating an image information processing device in a public place.
Article 15 (Collection and Use of Personal Information), Article 22 (Method of Obtaining Consent), Article 27 Paragraph 1 and Paragraph 2 (Business Transfer, etc.)
restrictions on transfer of personal information), Article 34 (Notice of Personal Information Leakage, etc.) and Article 37 (Suspension of Personal Information Processing, etc.)
stipulated not to apply.

175

Page 182
Explanation of personal information protection laws and guidelines and announcements

Partial exclusion of the law (Article 58 (2) of the Act)
￭Article 15 (Collection and Use of Personal Information) Obligation to notify the information subject of collection and use of personal information and obtain consent
⇒ Replaced by obligations such as installation of information boards
￭Article 22 (Method of obtaining consent) Separately notify each information subject and give consent individually
⇒ The image information processing device installed in a public place makes it difficult to consent due to the nature of the unspecified number of people.
￭Article 27 (Restriction on transfer of personal information due to business transfer, etc.) Obligation to notify in case of transfer or merger of business
⇒ Difficult to notify due to the nature of the unspecified number of people
■ Article 34 (leakage of personal information, such as notification) to the notification and related agencies for the leakage of personal information in the event of an accident data subject
Obligation to report to Korea ⇒ Difficult to notify due to the nature of the unspecified number of people
■ Article 37 (Stop processing of personal information, etc.) treatment of their personal information and process personal data processing self
Suspension request ⇒ It is impossible to suspend processing only for specific data subjects

9. Penalty Regulations
violation

penalty

A person who violates the installation and operation standards

A fine of not more than 30 million won

(Violation of Article 25 (1))

(Article 75 (2) 7)

A person who installed and operated a toilet, bathroom, etc.

A fine of not more than 50 million won

(Violation of Article 25 (2))

(Article 75 (1) 3)

Violation of the duty to take measures, such as installation of notice boards
A fine of not more than 10 million won
(Violation of Article 25 (4))

(Article 75 (3) 3)

Arbitrary manipulation of image information processing devices for illegal purposes;
Imprisonment for not more than 3 years or a fine not exceeding 30 million won
Those who illuminate other places, those who use the recording function
(Article 72 subparagraph 1)
(violation of Article 25 (5))

10. Q&A
Q

Should signage be installed wherever CCTV is installed?

A

In principle, it is a principle to install a signboard for each CCTV installed in a public place, but there are many
In case of operating CCTV, the facility or
A sign indicating that the entire place is an installation area for image information processing equipment may be installed.
In addition, public institutions installed for the purpose of long-distance shooting, speeding/signal violation control, or traffic flow investigation.
In some cases, it is a case where there is little risk of invasion of personal information or due to the characteristics of the location, such as for forest fire monitoring.
Due to this, it is impossible to install the information board, or even if it is installed, the information subject cannot easily recognize it.

176

Page 183

If there is no information board, it is posted on the Internet homepage of the operator of the image information processing device instead of the installation of the information board.
The purpose and location of CCTV installation, shooting range and time, manager and contact information can be posted.
(If the Internet website is not operated, it will be posted on business sites, general daily newspapers, general weekly newspapers, etc.)
(Possible to be published in newspapers or online newspapers)

Q

Can CCTV footage be released for public interest?

A

There are cases in which the screen shot with an image information processing device is disclosed or provided to the general public for the purpose of public interest.
have. For example, CCTV screens of traffic information and CCTV screens of tourist spots and historical sites are provided to the general public on the Internet/
This is the case when provided by smartphone.
In this case, the original purpose of installation and operation of the image information processing device is not the purpose
of Article 25 (1) of the Act.
The third chapter
It is consistent, and the filmed image is limited to the extent to which the entire view of traffic information or tourist attractions is projected.
dog
sign
tablet
see
see
of

Disclosure for the public interest is not permitted unless the individual is specifically identifiable.
free of charge

wife
Lee

Q

Can the National Police Agency provide traffic image information to external agencies?

A

When the National Police Agency links and transmits traffic image information to external agencies, CCTV is installed to the extent that personal information is included.
If it is controlled, it will be in violation of Article 18 (1) of this Act. However, Article 17, Paragraph 1, Article 18 of the same Act
Paragraph 2, in the case of exceptions to consent, or in cases falling under Article 58, exceptionally
It can be linked and transmitted to external organizations.

Q

What is the standard for the standard or material of the guide board?

A

The information board can be easily read by anyone in a place where the subject of information can easily recognize it within the shooting range.
Within that range, the operator of the image information processing equipment determines the size and installation location of the information board.
can be determined voluntarily.
<Example of information posted on information board and website>

CCTV installation guide
◈ Purpose of installation: crime prevention
◈ Venue: OO-dong, OO-dong
◈ Shooting range: 100M omnidirectional
◈ Time: 24 hours (all day)
◈ Manager in charge: OO department OO department manager
◈ Contact: 02-OOO-OOOO

177

Page 184
Explanation of personal information protection laws and guidelines and announcements

Q

In case the illegal dumping of garbage is filmed through CCTV installed in a public place by a local government,
Can the video be disclosed to local residents for the purpose of inquiring the personal information of illegal dumpers?
Article 3 of the 「Personal Information Protection Act」, which stipulates the principle of personal information protection, provides for personal information including local governments.

A

Obligation to the processor to 'process personal information in a way that minimizes the invasion of privacy of the data subject'
is giving Therefore, it is not a legal basis for local governments to disclose personal information of information subjects.
It should be done in a way that minimizes the invasion of privacy of information subjects only in clear cases.
The direct purpose of filming illegal dumping, that is, collecting personal information, is evidence of illegal dumping.
As it is limited to collection, it will be said that spring is considerable. Therefore, it is necessary to disclose the evidence to the public.
It would be unreasonable to view that even the items are included in the scope of the purpose of collection. Personal information of the speculator
Inquiries can also be made through local government self-investigation or related agency inquiries, and the police also
As the procedure is being used, local governments can minimize the invasion of privacy of information subjects.
You will have to process your personal data in some way.

178

Page 185

Article 26 Restrictions on processing of personal information according to business entrustment
Article 26 (Restrictions on the processing of personal information due to business entrustment) ① The personal information controller provides personal information to a third party.
In the case of entrusting the processing of information, documents containing the following
should depend
1. Matters concerning the prohibition of processing of personal information other than the purpose of performing entrusted work
2. Matters concerning technical and administrative protection measures for personal information;
3. Other matters prescribed by Presidential Decree for the safe management of personal information.
② The personal information controller who entrusts the processing of personal information in accordance with paragraph 1 (hereinafter referred to as
“Consignor”) is entrusted with the contents of entrusted work and personal information processing.

The third chapter

The information subject can easily identify the person who processes it (hereinafter referred to as the “trustee”)
dog at any time.
sign
tablet
see
see
of

It shall be disclosed in accordance with the method prescribed by Presidential Decree.
③ If the consignor entrusts the business of promoting or recommending the sale of goods or services

In this case, information on the details of the entrusted business and the trustee in accordance with the method prescribed by Presidential Decree

law

wife
Lee

subject should be informed. Even if the contents of the entrusted work or the consignee is changed
Also the same.

④ The consignor is responsible for the loss, theft, leakage, forgery, or alteration of the personal information of the information subject due to the entrustment of work.
Or, educate the trustee so that it is not damaged, and follow the Presidential Decree, such as checking the status of processing.
As stipulated, the trustee shall supervise the safe handling of personal information.
⑤ The trustee exceeds the scope of the work entrusted by the personal information manager
The information must not be used or provided to a third party.
⑥ In the process of processing personal information in relation to the work entrusted by the trustee, this Act
For the liability for damages caused by violation, the trustee belongs to the personal information controller
see as an employee
⑦ Regarding the trustee, from Articles 15 to 25, from Articles 27 to 31, and from Articles 33
Articles 38 and 59 shall apply mutatis mutandis.
Article 28 (Measures when entrusted with processing of personal information) ① In Article 26 (1) 3 of the Act, “the President
“Matters prescribed by Ordinance” means the following matters:
1. Purpose and scope of entrusted work
2. Restrictions on re-entrustment
3. Matters concerning measures to ensure safety, such as restricting access to personal information
Enforcement Decree
4. For supervision, such as checking the management status of personal information held in connection with consignment work
Matters concerning
5. Obligations that the trustee (hereinafter referred to as “trustee”) under Article 26 (2) of the Act must comply
Matters concerning liability, such as compensation for damages in case of violation
② In Article 26 (2) of the Act, “method prescribed by Presidential Decree” refers to the personal information processing business.
The consigned personal information controller (hereinafter referred to as the “consignor”) is placed on the consignor’s Internet website.

179

Page 186
Explanation of personal information protection laws and guidelines and announcements

It refers to the method of continuously posting the contents of the entrusted work and the consignee.
③ In the event that it cannot be posted on the Internet homepage pursuant to Paragraph 2, any of the following
The contents of the entrusted work and the consignee shall be disclosed in one or more ways.
1. How to post in an easily visible place such as the consignor's place of business
2. City/Do where the official gazette (applicable only to cases where the consignor is a public institution) or the place of business of the consignor
Article 2 of the 「Act on the Promotion of Newspapers, etc.」, which has the above areas as the main distribution areas
General daily newspapers, general weekly newspapers under subparagraph 1 (a) and (c) and subparagraph 2 of the same Article;
How to publish in internet newspaper
3. Publications, newsletters, and publications issued with the same title at least twice a year and distributed to information subjects;
How to consistently put on flyers or bills, etc.
4. In order to provide goods or services, it is included in the contract written by the consignor and the information subject
How to issue to the data subject
④ “Method prescribed by Presidential Decree” in the former part of Article 26 (3) of the Act means written, e-mail,
Fax, telephone, text transmission, or an equivalent method (hereinafter referred to as “method in writing, etc.”)
say
⑤ The details of the work entrusted by the consignor by the method under paragraph (4) without negligence and the
If it is not possible to notify the information subject, the relevant information is posted on the Internet website for at least 30 days.
should be published. However, in the case of a consignor who does not operate an Internet website,
It must be posted in an easily visible place such as a business place for at least 30 days.
⑥ The consignor shall comply with the Act or this Decree when the consignee conducts personal information processing.
In accordance with the provisions of Article 26 Paragraph 1 of the Act,
Compliance shall be supervised in accordance with Paragraph 4 of the same Article.
Article 16 (Considerations when selecting a trustee) Personal information entrusted with processing of personal information
A person who is entrusted with the processing of personal information by the processor (hereinafter referred to as “consignee”)
When selecting (hereinafter referred to as “trustee”), manpower, physical facilities, financial capacity, and technology
standard guidelines
The degree of ownership and responsibility should be considered comprehensively.
Article 17 (Obligation to take measures to protect personal information ) In order to protect the entrusted personal information, the trustee
Administrative, technical, and physical measures in accordance with the 「Notice of Standards for Measures to Secure the Safety of Personal Information」
shall.

Recently, for various purposes such as cost reduction, work efficiency, and service improvement, private as well as public institutions
Even the cases of outsourcing various tasks to external companies or individuals are increasing. Business consignment is modern
It is one of the natural management methods that appeared due to the division of labor in society, but most of the customers' personal information is also included.
There is a high risk of personal information being distributed or abused due to the transfer, so countermeasures are needed.

180

Page 187

< Type of personal information infringement due to business entrustment >
· Provision of personal information such as indiscriminate re-entrustment to increase sales performance
· Sharing personal information while simultaneously handling products and services of other companies
· Unauthorized subscription to other services such as additional services using customer personal information
· Loss or leakage of personal information such as service subscription application form
· Take out customer DB and sell it
· Personal information leakage due to insufficient information system safety measures, etc.

1. Types of business entrustment
The third chapter

dog

The types of business entrustment are largely the personal information processing business that entrusts the collection and management
of personal information itself.
sign
tablet

By consignment of personal information handling business that entrusts general business involving consignment and use and provision
of personal information
see
see

can be distinguished. In addition, the entrustment of personal information handling tasks is again the same as the entrustment of of
marketing tasks such as promotion and sales solicitation.
It can also be divided into consignment of contract performance tasks such as product delivery and after-sales service.

wife
Lee

2. Difference between business entrustment and third party provision
In both business entrustment and provision of personal information to a third party, personal information is transferred to another person or shared with another person.
It is the same in terms of joint use, but the purpose of transferring personal information is completely different and
Legal relations such as management and supervision of personal information are also completely different.
In the case of business entrustment, personal information processing is carried out within the scope of the personal information controller's business processing.
Although it is managed and supervised by the personal information controller who is the consignor, the provision of personal information to a third party is for the benefit of the third party.
Processing takes place and third parties process the personal data at their own risk. Jurisprudence of personal information
Provision to a third party means that personal information is transferred for the purpose of handling the business of the third party and for the benefit of the third party.
However, in the case of consignment processing of personal information, for the purpose of handling the business of the personal information manager
There is a difference that personal information is transferred to a third party for the benefit of the personal information controller (Supreme Court 2011. 7. 14.
Sentencing 2011 and 1960)).
Therefore, in the case of business entrustment, even if personal information is transferred to the trustee,
Although the right of management and supervision of the processor extends, in the case of provision to a third party, personal information is provided to a third party and
After that, the management and supervision rights of the personal information controller do not reach.

181

Page 188
Explanation of personal information protection laws and guidelines and announcements

< Comparison of business entrustment and third party provision >
division

business consignment

Related Provisions
example

Third-Party Provision

Article 26

Article 17

· Delivery service consignment, TM consignment, etc.· Business partnerships, sales of personal information, etc.

Purpose of transfer
· Processing for the benefit of the consignor (handling of entrusted work) · Processing for the benefit of a third party
prediction
Possibility

· Able to predict in advance
(within the range of trust of the data subject)

· It is difficult for data subjects to predict in advance
(Out of the trust of the data subject)

Previous

· Principle: Disclosure of Consignment

· Principle: Consent of the information subject after notification of the purpose of provision, etc.

Way

acheive
· Exception: Notice of consignment (marketing business entrustment)

Management and Supervision
ConsignorResponsibilities
Responsibilities

Recipient Responsibility

liability for damagesConsignor's responsibility (user responsibility)

The recipient pays

On the other hand, depending on the purpose for which personal information is transferred to a third party,
there may be cases. In this case, there is no exception in the law that only the requirements for provision to a third party need be met.
Rather, from the point of view that data subjects should be informed exactly how their information is being used.
In relation to the provision to a third party, the requirements for consent stipulated in the relevant article shall be met, and in relation to business entrustment,
Procedures and methods should be in place according to the methods set out below.

3. Procedure and method of entrustment of work;
A. Documenting the purpose of entrustment (paragraph 1, Article 28 Paragraph 1 of the Decree)
When the personal information controller entrusts the processing of personal information to a third party, the following
It must be in accordance with the included documentation.

1. Matters concerning the prohibition of processing of personal information other than the purpose of performing entrusted work
2. Matters concerning technical and administrative protection measures for personal information;
3. Purpose and scope of entrusted work
4. Matters concerning restrictions on re-entrustment
5. Matters concerning measures to ensure safety, such as restricting access to personal information
6. Matters concerning supervision, such as inspection of the management status of personal information held in connection with consigned work;

7. In case the trustee (hereinafter referred to as the "trustee") has violated the obligation to comply under Article 26 (2) of the Act;
Matters concerning liability, such as compensation for damages

182

Page 189

B. Disclosure of general entrusted work contents (paragraph 2, Article 28 Paragraph 2, Paragraph 3 of the Decree)
The personal information controller (consignee) who entrusts the personal information processing business shall include ① the contents of the entrusted business and ② the individual
To ensure that the information subject can easily check the person (the trustee) who is entrusted with the processing of information at any time
It shall be disclosed by continuously posting it on one's own Internet homepage (Article 28 (2) of the Decree).
If the consignor is unable to post the details of the consigned work and the name of the consignor on the Internet website,
It must be disclosed in one or more of the following ways (Article 28 (3) of the Decree).
Disclosure method of entrusted work, etc. (Enforcement Decree Article 28 (3))
The third chapter

1. How to post in an easily visible place such as the consignor's place of business

2. The main area of ​the city/do or higher in which the official gazette (applicable only to cases where the consignor is a public institution) or thedog
place of business of the consignor is located;
sign

In accordance with subparagraph 1 (a) and (c) of Article 2 of the 「Act on the Promotion of Newspapers, Etc.」 and subparagraph 2 of thetablet
same Article as a distribution area;
see
see
of

How to publish in general daily newspapers, general weekly newspapers or internet newspapers
3. Publications, newsletters, publicity brochures, bills, etc. issued twice a year with the same title and distributed to information subjects

wife
Lee

How to keep loading

4. In order to provide goods or services, the information is issued to the data subject in the contract written by the consignor and the data subject.
Way

The notification of such information referral service, such as public relations, sales pitch (paragraph 3, Article 28 paragraph 4 of the Spirit, claim 5)
If the consignor entrusts the business of promoting or soliciting sales of goods or services, written,
By e-mail, facsimile transmission, telephone, text transmission, or an equivalent method
② The trustee must be notified to the data subject (Article 28 (4) of the Decree). The contents of the work entrusted or the consignee
The same shall apply in case of change.
Information on the details of the work entrusted by the consignor in writing, e-mail, etc. without negligence and the consignee
If it is impossible to notify the subject, the relevant matter must be posted on the Internet homepage for at least 30 days.
However, in the case of a consignor who does not operate an Internet website, it must be placed in an easily accessible place such as a business place for more than 30 days
It must be posted (Article 28 Paragraph 5 of the Decree).

D Considerations when selecting a trustee
When the personal information controller selects a trustee for personal information processing, the trustee’s “① manpower, ② physical facilities,
③ Financial Abilities, ④ Degree of Technology Possession, ⑤ Responsibility” and other personal information processing and protection of trustees
It should be selected by considering the capabilities comprehensively (Standard Guideline Article 16).

183

Page 190
Explanation of personal information protection laws and guidelines and announcements

In case the entrusted work is performed on a one-time basis

case

If the consignment work is done once (single-shot), the consignment period is very short, so the website is disclosed or the consigned company within the consignment period.
If training is not possible, the matters to be observed by the consignee when concluding the consignment contract are clearly notified through contract documents, etc.
You can ask the contractor to pass it on to the relevant staff for training

4. Responsibilities and Obligations of the Consignor
Education and supervision of trustees (paragraph 4, Article 28 Paragraph 6 of the Decree)
The consignor shall ensure that the personal information of the information subject is not lost, stolen, leaked, altered or damaged due to the entrustment of work.
The trustee must be educated not to do so, and the trustee must supervise whether the trustee handles personal information safely (paragraph 4).
In addition, the consignor is responsible for the matters that the consignee must comply with by the personal information manager in accordance with this Act or the Decree, and
Whether or not the matters to be complied with in accordance with the contents of the entrustment contract (subject to each subparagraph of Article 26 Paragraph 1 of the Act) are complied with;
It must be checked and checked (Article 28 (6) of the Decree).
Therefore, the consignor not only conducts regular training for the consignee, but also processes the personal information of the consignee.
Periodically inspect and verify the current status and actual conditions, use and provision for other than purpose, whether or not to re-entrust it, and whether to take measures to ensure safety, etc.
should be checked.

B. Liability for damages caused by the trustee’s tortious acts (paragraph 6)
In case the trustee violates this Act in the process of processing personal information in relation to the entrusted business
For liability for damages, the trustee is regarded as an employee belonging to the personal information controller.
In regard to liability for damages, the personal information controller regards the trustee as an employee belonging to the personal information controller.
As it is regarded as a user of the trustee, the personal information controller shall be liable for damages caused by the trustee in civil law.
User responsibility (subrogation responsibility) is borne.
Since the user's responsibility in Article 756 of the 「Civil Act」 is 'unsubstantiated joint debt', the data subject who has suffered damage is the trustee and the trustee.
You can file a claim for damages by selecting one of the personal information controllers. That is, the consignor acts on behalf of the consignee and the user
Even if the trustee is liable, the trustee himself is compensated for the damage because an illegal act is established independently of the trustee.
take responsibility In this case, the consignor's liability for damages is the user's responsibility under Article 756 of the Civil Act, and the consignee
Liability for damages is tort liability under Article 750 of the Civil Act. What the consignor loses to the data subject
Liability for damages is the responsibility for the appointment and supervision of the trustee, not about the trustee's harm.
In the relationship between the trustee and the trustee, even if damage is caused by the trustee's negligence, the trustee

184

Page 191

When due care has been exercised with respect to appointment and supervision, or even if due care has been taken, damage may have occurred.
In this case, the consignor is not liable for damages. However, the burden of proof is on the
bear.
If the consignor compensates the information subject for damages due to the negligence of the consignee,
can exercise the right to indemnity.
Referenceunsettled joint debt
Unsettled joint debt refers to a joint debt that occurs by chance regardless of the will of the joint debtors. multiple debtors
In relation to the obligations of the work, each of them has agreed to independently bear the obligation to perform all the benefits, and one of them or
It is the same as a joint debt in that when several people make payments, the debts of all debtors are extinguished. However, subjective among debtors
The third chapter
Since there is no relevance, the reasons for one of them may be other than the reasons for achieving the purpose of the claim, such as repayment.

dog
sign
tablet
see
see
of

It does not affect the debtor. For example, if a taxi driver causes an accident, the driver
Of course, you are responsible, and the taxi company is responsible for you as a user. In this case, the taxi company will
By chance, he has a joint liability relationship with the taxi driver, which is referred to as subordinated joint debt. In this case, the victim
Even if the driver has given up the right to compensation for damages or expressed his intention to discharge the debt, the other debtor

wife
Lee

The exemption does not apply to taxi companies. In other words, the victim damages the driver and the taxi company respectively.
You can claim compensation, or you can claim compensation only from the taxi company.

In the event of damage in the process of re-entrusting the processing of personal information from the trustee, the information
The subject may claim compensation from the sub-trustee. The re-trustee shall determine the scope of the re-entrusted business.
Personal information should not be used or provided to a third party in excess, and the
Compensation for damages caused by violating the 「Personal Information Protection Act」 in the process of processing personal information related to work
This is because the re-trustee is regarded as an employee belonging to the re-trustee (Standard Guideline, Article 21). For example
Company A entrusts customer information management to Company B (if there is no regulation on prohibition of re-entrustment),
When Company B re-entrusts the entrusted customer information management task to Company C again, the management task of Company C
If the information subject suffers damage due to negligence, since Company C is an employee of Company B, the information subject is liable to Company B.
may claim compensation. On the other hand, since Company B is also an employee of Company A, Company A ultimately compensates for damages.
be responsible

185

Page 192
Explanation of personal information protection laws and guidelines and announcements

5. Responsibilities and obligations of the trustee (paragraphs 5 and 7)
A. Prohibition of use and provision of personal information other than for entrusted business purposes (Section 5)
The trustee may use personal information beyond the scope of work entrusted by the personal information manager, or
It must not be provided to a third party. For example, if you have been entrusted with the processing of personal information from the personal information controller
After that, it is prohibited to conduct marketing for the purpose of the trustee separately from the entrusted work. If like this
If it is necessary to use it for the purpose of a trustee, it is necessary to meet the standards for providing third parties according to the Personal Information Protection Act or related laws.
Procedures must be followed.

B. Duties of personal information controller, etc. (paragraph 7)
Regarding the trustee, Articles 15 through 25, Articles 27 through 31, and Articles 33 through 38 of this Act
Up to and including Article 59 shall apply mutatis mutandis. Is the trustee also a personal information controller subject to this Act?
In order to clarify the trustee's obligation to comply with the law, a separate article stipulates that the relevant regulations are applied mutatis mutandis.
will be.
In order to protect personal information, the trustee who is entrusted with the processing of personal information
Technical and technical information prescribed by the "Notification of Standards for Safety Measures"
Physical and administrative measures must be taken (Standard Guideline Article 17).

6. Relationship with other laws
The 「Information and Communications Network Act」 applies to entrustment of users' personal information processing. 「Information and Communications Network Act」
Although it is required to obtain the consent of the information subject for consignment handling of personal information, the 「Personal Information Protection Act」
In the case of general consignment other than business consignment, the fact of consignment is made public. Therefore, information and communication
When a service provider entrusts affairs related to the personal information of information and communications service users, the 「Information and Communications Network Act」
consent must be obtained. Regarding entrustment of processing of personal information other than information and communication service users,
The 「Personal Information Protection Act」 applies. As for the use and provider of credit information, the credit information company, etc.
Allow the collection and investigation of credit information to be entrusted to other credit information companies, etc.
This is provided in the regulations below the Enforcement Decree.

186

Page 193

Article 25 (Consignment of processing of personal information) ① Information and communication service providers and from there to Article 24-2 (1)
The person who has been provided with the user's personal information (hereinafter referred to as "information and communication service provider, etc.")
Collect, create, link, link, record, store, retain, process, edit,
Search, output, correction, restoration, use, provision, disclosure, destruction, and other similar acts
(hereinafter referred to as “processing”) entrusts work (hereinafter referred to as “consignment of personal information processing”)
In this case, all of the following matters must be notified to the user and consent must be obtained. next
The same shall also apply where any matter in each subparagraph is changed.
1. Persons entrusted with processing personal information (hereinafter referred to as “trustee”)
2. Details of work entrusted with processing personal information
② Information and communications service providers, etc. shall fulfill the contract for the provision of information and communications services and
Article 27-2 (1) shall apply all matters under each subparagraph of paragraph (1) as necessary for the promotion of convenience, etc.
In the event that it is disclosed to the user or notified to the user in accordance with the method prescribed by PresidentialThe
Decree,
third chapter
such as e-mail,
In accordance with the entrustment of personal information processing, the notification procedure and consent procedure indog
Paragraph 1 may be omitted.
Information and Communications Network Act
sign
The same shall also apply where any matter in each subparagraph of paragraph (1) is changed.
tablet

see
③ Information and communication service providers, etc., when entrusting the processing of personal information, the trustee
see
of

The purpose for processing personal information must be determined in advance, and the trustee must
Users' personal information must not be processed.

wife
Lee

④ The information and communications service provider, etc. shall manage and supervise the trustee so that he/she does not violate the provisions of this Chapter.
and education.
⑤ If the trustee violates the provisions of this chapter in relation to the work entrusted with processing personal information,
If damage is caused to the user, the trustee is liable for damages
It is regarded as an employee belonging to the provider, etc.
⑥ When an information and communications service provider, etc. entrusts a trustee to process personal information, it must be in accordance with documents.
do.
⑦ When the trustee has obtained the consent of the information and communications service provider who entrusted the processing of personal information,
Only the work entrusted under paragraph (1) may be re-entrusted to a third party.
Article 17 (Consignment of Collection, Investigation and Processing)
① A credit information company, etc., within the scope of its business, shall obtain the consent of the client and
The collection and investigation of credit information may be entrusted.
② The credit information company, etc. shall process the collected credit information by the President, such as a certain amount of capital, etc.
It may be entrusted to a person who meets certain requirements prescribed by Ordinance, and a person who has been entrusted accordingly
(hereinafter referred to as “the trustee”), Articles 19 through 21,
Articles 40, 43, 43-2 and 45 (including the provisions of penalties and fines for negligence in respect of the relevant articles);
apply
Credit Information Act
③ A credit information company, etc. that intends to entrust the processing of credit information pursuant to paragraph (2) as prescribed by Presidential Decree.
The designated person shall notify the Financial Services Commission of the scope, etc. of the credit information to be provided, as prescribed by Presidential Decree.
should inform
④ The credit information company, etc. shall provide the trustee with personal information to entrust the processing of credit information pursuant to paragraph (2).
In the case of providing credit information, information that can identify a specific subject of credit information is prescribed by Presidential Decree.
Protection measures such as encryption should be taken accordingly.
⑤ When a credit information company provides credit information to a trustee, the credit information may be lost, stolen, leaked,
The trustee shall be educated so as not to be tampered with or damaged, as prescribed by Presidential Decree;
Matters related to the safe handling of credit information of the trustee must be reflected in the consignment contract.

187

Page 194
Explanation of personal information protection laws and guidelines and announcements

⑥ The trustee shall not use the credit information provided in excess of the scope of work entrusted under paragraph (2).
No.
⑦ The trustee shall not re-entrust the work entrusted under paragraph (2) to a third party. but,
to the extent that it does not impair the protection and safe processing of credit information;
In this case it is not so.

7. Penalty Regulations
violation

penalty

Using personal information beyond the scope of the entrusted business, or
The trustee who provided it to a third party, knowing the circumstances andImprisonment
making a profit
forornot more than 5 years or a fine not exceeding 50 million won
A person who has been provided with personal information for an unlawful purpose(Article 71, subparagraph 2)
(Violation of Article 26 (5))
In the case of entrustment of work, the documents containing the contents of each subparagraph of the same
A fine of not more than 10 million won
one who is not dependent
(Article 75 (3) 4)
(Violation of Article 26 (1))
A person who has not disclosed the fact of processing personal information in accordance
A fine
withof
thenot
entrustment
more than of
10work
million won
(Violation of Article 26 (2))

(Article 75 (3) 5)

A person who fails to notify the provision of personal information in accordance with
A the
fineentrustment
of not moreofthan
work
30 million won
(Violation of Article 26 (3))

(Article 75 (2) 1)

8. Q&A
While operating a travel agency, reservation confirmation and customer consultation are handled by a specialized call center.

Q

The target event and travel product promotion work will also be carried out at the call center. a legal problem
isn't it?
To entrust tasks such as events, public relations, etc. that are not consigned for processing the original service

A

In order to do this, the contents of the entrusted work and the trustee must be notified to the data subject.

Sharing patient information between the hospital and the medical information delivery system management company is also

Q

do you need consent
A management company is used to share and provide electronic prescriptions and electronic medical records in accordance with the Medical Act, etc.

A

As it corresponds to the consignment of personal information processing necessary to fulfill the contract for the provision of services.
It must be disclosed to the subject of information without obtaining separate consent, and public relations and sales work during entrusted work
If included, the data subject should be notified.

188

Page 195

Q

If the agent (trustee) has caused damage to the customer by illegally using the customer's personal information, the agent's
Is the head office (consignee) also responsible for the actions?
The trustee (headquarters) shall manage and supervise the trustee (agent) to comply with the personal information protection regulations of the Act.

A

If the trustee violates the law and causes damage to the information subject, the trustee
taking responsibility for this. Therefore, the head office compensates for the actions of the agent's employees.
take responsibility

The third chapter

dog
sign
tablet
see
see
of
wife
Lee

189

Page 196
Explanation of personal information protection laws and guidelines and announcements

Article 27 Restrictions on transfer of personal information due to business transfer, etc.
Article 27 (previously limited personal information or the like operating according to transfer) ① all of the sleeping person operating the information processing
Or, in the case of transferring personal information to another person due to partial transfer or merger,
Each of the following matters shall be notified to the relevant information subject in accordance with the method prescribed by Presidential Decree:
do.
1. The fact that personal information is being transferred
2. The name (in the case of a corporation) of the person to whom the personal information is transferred (hereinafter referred to as “business transferee, etc.”)
refers to the name of the corporation), address, phone number, and other contact information
law

3. In case the information subject does not want to transfer personal information, measures can be taken and
step
② When the business transferee, etc. receives personal information, it shall be notified without delay by Presidential Decree.
The information subject shall be notified in accordance with the method specified. However, in paragraph 1, the personal information controller
This does not apply to cases where the previous fact has already been notified accordingly.
③ In the case of transfer of personal information due to business transfer or merger, the business transferee, etc.
Personal information may be used or provided to a third party only for the original purpose at the time. in this case
A business transferee, etc. shall be deemed a personal information controller.
Article 29 (Notification of transfer of personal information due to business transfer, etc.) ① Except for each subparagraph of Article 27 (1 ) of the Act
“Method prescribed by Presidential Decree” in the main sentence of Paragraph 2 of the same Article as in the section
say

② A person who intends to transfer personal information pursuant to Article 27 (1) of the Act (hereinafter referred to as “business transfer in this paragraph”)
Enforcement Decree
“Children, etc.”) without negligence in accordance with Paragraph 1 of Article 27 (1) of the Act
If it is not possible to notify the information subject, the relevant information is posted on the Internet website for at least 30 days.
should be published. However, the business transferor who does not operate the Internet homepage, etc.
In this case, it must be posted in an easily visible place such as a business place for at least 30 days.

When business assets are transferred to another business operator due to business transfer, merger, etc., the
Rights and obligations related to personal information DB are also comprehensively inherited to other business operators. As a result, the data subject
As undesirable results may occur, when transferring personal information due to business transfer, merger, etc.
Opportunities to exercise rights such as withdrawal of membership and withdrawal of consent shall be given in advance. here
Business transfers, mergers, etc. are targeted at private business operators.

190

Page 197

1. Duty of notice of business transfer, transferee, etc. (paragraphs 1 and 2)
A. Duty to notify business transferors, etc. (Paragraph 1)
The personal information controller shall transfer personal information to another person through transfer or merger of all or part of its business.
In the case of transfer, the information subject must be notified in advance (paragraph 1, Article 29 Paragraph 1 of the Decree).
Instead of obtaining the consent of the information subject for the transfer of personal information, the information subject
This is to give them an opportunity to refuse.

The third chapter

B. Obligation to notify business transferee (paragraph 2)

dog
sign
tablet
The business transferee, etc. shall notify the information subject of the fact without delay when personal information has beenseetransferred.
see
However, this is not the case if the personal information controller has already notified the information subject of the transfer. of
wife
Lee

If the business transferee, etc. does not notify the transfer of personal information, the business transferee, etc.
This is to notify the information subject so that the information subject can know the fact and take necessary measures.

2. Notification of business transfer, acquisition, etc. (paragraphs 1 and 2, Article 29 of the Enforcement Decree)
When a business transferor, etc. or a business transferee, etc. notifies the information subject of the fact of business transfer or transfer, the following
Matters in each subparagraph shall be notified to the relevant information subject in writing, etc. (each subparagraph of Paragraph 1, Article 29 Paragraph 1 of the Decree).
Methods such as written means individual notification methods such as postal mail, e-mail, fax, telephone, personal mail, etc.
In principle, methods such as posting on the Internet homepage are not permitted.
Notice of business transfer (Article 27 (1) of the Act)
1. The fact that personal information is being transferred
2. Name (referring to the name of the corporation in the case of a corporation), address, and telephone number of the person to whom the personal information is transferred (business transferee, etc.)
number and other contact information
3. Methods and procedures to be taken if the information subject does not want the transfer of personal information

The business transferor, etc., without negligence, informs the information subject of each subparagraph of Article 27 (1) of the Act in writing, etc.
If it is not possible to notify, the relevant information must be posted on the Internet homepage for at least 30 days. However, the Internet
In the case of a business transferor who does not operate a website, it is located in an easily accessible place such as a business place for at least 30 days
It must be posted (paragraph 1 each item, Article 29 Paragraph 1 of the Decree).

191

Page 198
Explanation of personal information protection laws and guidelines and announcements

3. Timing of notice of business transfer/acquisition, etc. (paragraphs 1 and 2)
When the business transferor, etc. notifies the information subject of the transfer of personal information,
prior notice must be given. In the case of transfer of personal information according to the law, prior notice must be given.
At least, sufficient time is available for the information subject to confirm the fact of the transfer and exercise the right to withdraw from membership.
leeway should be given. In addition, in the case of “transfer” of personal information according to the law, notification is required.
This is not the time when the actual personal information DB is transferred, but at the time of conclusion of the contract, such as a merger.
will have to see
When the business transferee, etc. notifies the information subject of the transfer of personal information,
You must notify us without delay.

4. Prohibition of use and provision of personal information for purposes other than the purpose (paragraph 3)
In the case of transfer of personal information due to business transfer or merger, the business transferee, etc.
We may use personal information only for the purpose or provide it to third parties. In this case, the business transferee, etc.
regarded as a processor.
'Considering as a personal information controller' means that you have the rights and obligations as a personal information controller under this Act.
it means. The business transferee, etc. will also transfer personal information to the personal information controller subject to this Act the moment it is transferred.
However, in order to clarify the duty to comply with laws and regulations of the business transferee, the
will be.
Therefore, the business transferee, etc. may use personal information for purposes other than the purpose of processing personal information at the time of business acquisition or merger.
If you wish to use or provide personal information, in accordance with the regulations on the use and provision of personal information for purposes other than the purpose (Article 18),
Separate consent must be obtained or other requirements must be met.

5. Subject to which this Article applies
As this Article is stipulated as 'transfer, merger, etc. of all or part of business', Article 530-2 of the 「Commercial Act」
It should be interpreted that this applies also to the case of spin-off and merger through spin-offs.
A company spin-off is when a company is divided into two or more companies and the divided operating property is used as capital.
Creating a new company or merging with another company. The original company (spun-off company) is extinguished or reduced
The shares of the newly established spin-off company (or the spin-off and merged company) that continue to exist in the state of being and have succeeded the rights and obligations of the spin-off company
It is acquired by the spin-off company or the shareholders of the spin-off company share it in a certain proportion.

192

Page 199

This Article is premised on the comprehensive transfer of rights and obligations regarding personal information DB, etc.
Since business transfer and merger are stipulated as examples, through transactions such as human/physical division and asset transfer,
In the event that an effect similar to a business transfer occurs, such as a business transfer, an individual in accordance with this Article
It is reasonable to make the transfer of information subject to the provisions of this Article.

6. Relationship with other laws
As there are individual regulations in the 「Information and Communications Network Act」 regarding the transfer of business, information and communication service providers, etc.
In the case of transferring user personal information due to business takeover, etc., the 「Information and Communications Network Act」 shall apply. On the other hand, personal credit
Regarding information, there are separate provisions in the 「Credit Information Act」 as follows.

The third chapter

dog
sign
Article 26 (Transfer of personal information due to acquisition, etc. of business) ① Information and communication service
providers, etc.

In the case of transferring the user's personal information to another person due to partial transfer or merger, etc.
In advance, all of the following items must be posted on the Internet website, e-mail, etc. determined by Presidential

tablet
see
Decree.see
of

How to notify users.

wife
Lee

1. The fact that personal information is being transferred

2. The name of the person to whom the personal information is transferred (hereinafter referred to as "business transferee, etc.") (in the case of a corporation, the
say the name Hereinafter the same in this Article), address, telephone number and other contact information
3. If the user does
not want
Information and Communications
Network
Act the transfer of personal information, how to withdraw the consent and
step
② The business transferee, etc. shall, upon receipt of personal information transfer, without delay the fact and the name of the business transferee, etc.
Posting addresses, phone numbers and other contact information on the Internet website, e-mail, etc. prescribed by Presidential Decree.
How to notify users.
③ The business transferee, etc. may not use or provide the user's personal information by the information and communication service provider, etc.
Personal information may be used or provided only for the original purpose for which it is possible. However, as a user
This is not the case where separate consent has been obtained from
Article 32 (Consent to Provision and Use of Personal Credit Information) ⑥ Credit information company, etc.
Paragraphs (1) through (5) in cases falling under any of the following subparagraphs
does not apply
3. Transferring all or part of rights and obligations due to business transfer, division, merger, etc.;
When providing relevant personal credit information
⑦ A person who intends to provide or receives personal credit information to another person pursuant to each subparagraph of Paragraph 6
As prescribed by Presidential Decree, the facts and reasons for the provision of personal credit information shall be identified in advance.
The credit information subject must be informed. However, if there are unavoidable reasons prescribed by Presidential Decree,
Credit Information Act
It may be notified or disclosed later through posting on the Internet website or other similar methods.
⑧ As a credit information provider/user who provides personal credit information to others pursuant to paragraph (6) 3
A person prescribed by Presidential Decree shall be subject to matters prescribed by Presidential Decree, such as the scope of credit information to be provided.
Approval from the Financial Services Commission is required.
⑨ A person who has been provided with personal credit information with approval under paragraph 8
Separately from the personal credit information of the current credit information subject as determined by the Committee,
should be managed

193

Page 200
Explanation of personal information protection laws and guidelines and announcements

Even under the Credit Information Act, all or part of the rights and obligations are waived due to business transfer, division, merger, etc.
In the case of providing personal credit information related to the transfer, consent from the information subject is not obtained.
stipulated that it is not necessary. Personal credit information in accordance with each subparagraph of Article 32 (6) of the Credit Information Act
A person who intends to provide it to others or a person who has been provided with personal credit information, as prescribed by Presidential Decree.
The fact and reason for the provision shall be notified to the relevant credit information subject in advance. However, as prescribed by Presidential Decree
In case of unavoidable reasons, through posting on the Internet website or other similar methods
It may be notified or disclosed later.
In addition, as a credit information provider/user who provides personal credit information to others pursuant to paragraph (6) 3, the President
A person prescribed by Ordinance shall be able to finance the matters prescribed by Presidential Decree, such as the scope of credit information to be provided.
must be approved by the committee.
A person who has been provided with personal credit information with approval pursuant to paragraph (8) shall transfer the personal credit information to the Financial Services Commission.
As prescribed, it shall be managed separately from the personal credit information of the credit information subject currently being transacted.

7. Penalty Regulations
violation

penalty

Non-notification of transfer of personal information due to business transfer, etc.A fine of not more than 10 million won
(Violation of Article 27 (1) and (2))

(Article 75 (3) 6)

Imprisonment for not more than 5 years; or
Use or provide personal information to a third party for purposes other than the original purpose at the time of transfer
A fine of not more than 50 million won
(Violation of Article 27 (3))
(Article 71, subparagraph 2)

8. Q&A
Q

I am trying to notify customers as I am merging sales with another business operator, but my company and
Do all the merged companies have to give notice?
In the case of transferring personal information due to business transfer, merger, etc., in principle, the person who transfers personal information

A

and all recipients of the transfer, “the fact of the transfer of personal information, the name (name), address, phone number, etc. of the recipient
Contact information and methods and procedures for withdrawal of consent if the user does not wish to transfer personal information” to the user
should inform
However, in economic reality, if both the transferor and transferee notify the
Because there is a possibility of causing confusion, the 「Personal Information Protection Act」 provides that the person who transfers personal information (business operator)
In the case of notification of relevant facts, it is stipulated that the transferee (business transferee, etc.) is not required to notify.
have.

194

Page 201

Article 28 Supervision of personal information handlers
Article 28 (Supervision of Personal Information Handler) ① The personal information controller is responsible for processing personal information.
employees, dispatched workers, and part-time workers so that personal information can be safely managed
law

A person who processes personal information under the direction and supervision of the personal information controller (hereinafter referred to as “personal information
“handler”) shall be appropriately managed and supervised.
② The personal information controller handles personal information to ensure the proper handling of personal information.
The necessary training should be provided on a regular basis.
Article 2 (Definition of Terms) The meanings of terms used in this guideline are as follows.

The third chapter

6. “Personal information handler” refers to a person who processes personal information under the direction and supervision of the personal information controller.

dog
sign
Persons in charge of work include executives and employees, dispatched workers, and part-time workers.
tablet
Article 15 (directed to the private information handler) ① The personal information processing business person
see
see
It should be kept to a minimum within the necessary limit, and the personal information handling of the personal
of

handling the private information
information handler should be kept to a minimum.

wife
The scope shall be limited to the minimum within the limits necessary for business.
Lee
standard guidelines
② The personal information controller shall grant the right to access the personal information processing system according to the nature of the business.

Differentially grant and access to the person in charge of the task to the minimum extent necessary for the performance of the task
Actions must be taken to manage authority.
③ The personal information controller requires the personal information handler to submit a security pledge, etc.
Appropriate management and supervision should be carried out, and the personal information handler’s work
In case of change, the right to access personal information must be changed or canceled.

1. Difference between personal information handler and personal information controller
A personal information controller is a person who uses himself or another person to manage personal information files for business purposes.
refers to a person who processes personal information through That is, public institutions, corporations, organizations and individuals fall under this category.
(Article 2, No. 5 of the Act).
In contrast, personal information handlers are executives and employees who process personal information under the direction and supervision of the personal information controller;

Dispatched workers, part-time workers, etc. The standard guidelines specify this, and
As a person in charge of handling personal information under the direction and supervision of personal information,
By accessing personal information according to the person in charge and other business needs,
It is stipulated that it means all persons who deal with it.
In other words, a personal information handler is a person in charge of personal information processing, including regular, non-regular, subcontracted,
irrespective of any type of work, including part-time. Even if there is no employment relationship, the personal information controller
Persons who process personal information under supervision are included in personal information handlers.

195

Page 202
Explanation of personal information protection laws and guidelines and announcements

A trustee who is entrusted with the handling of personal information, etc., can also be called a personal information handler,
Education and management/supervision regulations for trustees are separately stipulated in Article 26 of this Act.
follow

2. Management and supervision of personal information handlers (paragraph 1)
In handling personal information, the personal information controller is responsible for granting indiscriminate access to personal information.
In order to prevent access, leakage, misuse and abuse of personal information due to
Appropriate management and supervision shall be performed on the personal information handler so that it can be managed.
Appropriate management and supervision will depend on the status and position of the personal information handler, the content of the job in charge, and the job skill level, etc.
each should be different. In addition, management and supervision should not be limited to a one-time event, but should be systematically and systematically performed.
and an evaluation and feedback system must be devised. For this purpose, the personal information controller
Limit the scope of handlers to the minimum and limit the scope of access and processing of personal information by them
It should be limited to the minimum necessary to the extent necessary (Article 18 Paragraph 1 of the Standard Guideline). In addition, the personal information processing system
The right to access is given differentially to the person in charge of the relevant work within the minimum scope necessary for the performance of the work.
The right to access the personal information processing system shall be managed, such as by granting them (Standard Guideline Article 18 Paragraph 2). Other than that
As a means of managing and supervising personal information handlers, it is mandatory to submit a security pledge, and the personal information handler
In case of change, a management plan such as change of access authority shall be prepared in detail (Standard Guideline Article 18 (3)).

3. Regular training for personal information handlers (Section 2)
In order to ensure the proper handling of personal information, the personal information controller regularly
Necessary training should be provided. Training can be of various types, such as in-house training, external training, and consignment training.
However, it is necessary to establish an annual education plan so that all personal information handlers participate in education for a certain period of time or longer.
do. In addition, according to the position and position of the personal information handler, the content of the job in charge, the job skill level, etc., the training contents are also changed.
each should be different.

4. Relationship with other laws
As other laws do not have regulations related to 'supervision of personal information handlers',
Communication service providers, credit information use/providers, etc. are responsible for protecting personal information in accordance with the 「Personal Information Protection Act」.
Supervisory duties must be fulfilled.

196

Page 203

5. Q&A
For business processing, part-time employees were allowed to view customer personal information, but in this case

Q

Are you a data handler?
Temporary employees, such as part-time workers, may also view and process personal information for business necessity.

A

data handlers. Therefore, even in this case, the scope of access and processing of personal information
It should be restricted to the minimum within the limit, and necessary management measures such as obtaining a security pledge must be taken.
do.

The third chapter

dog
sign
tablet
see
see
of
wife
Lee

197

Page 205
204

Chapter 4
Safe management of personal information
Article 29 Safety Measures Obligation
Article 30 Establishment and disclosure of personal information processing policy
Article 31 Designation of the person in charge of personal information protection
Article 32 Registration and disclosure of personal information files
Article 32-2 Personal Information Protection Certification
Article 33 Personal information impact assessment
Article 34 Notification of personal information leakage, etc.
Article 34-2 Imposition of Penalty Surcharges, etc.

Page 207
206

Article 29 Safety Measures Obligation
Article 29 (safeguards obligations) Privacy The personal information is leaked, lost, stolen, counterfeit, alteration or
law

Establishment of internal management plan to prevent damage, and storage of access records, etc. prescribed by Presidential Decree.
As such, technical, managerial and physical measures necessary to secure safety shall be taken.
Article 30 (Measures to ensure the safety of personal information ) ① In accordance with Article 29 of the Act, the personal information controller:
Measures to ensure safety in each subparagraph shall be taken.
1. Establishment and implementation of an internal management plan for safe processing of personal information
2. Measures to control access to personal information and restrict access rights
3. Application of encryption technology that can safely store and transmit personal information, or
corresponding action
4. Storage of access records and prevention of forgery and falsification to respond to incidents of personal information infringement

Enforcement Decreeaction for

Article 4 Section

5. Installation and update of security program for personal information
6. Provision of storage facilities for safe storage of personal information or installation of locking devices,
physical measures

dog
sign
etc.
tablet
see
see
of

② The Minister of Government Administration and Home Affairs shall require the personal information controller to take measures to ensure safety pursuant to paragraph (1).
within
I'm
One

We can provide necessary support, such as building a system.

③ The detailed standards for measures to ensure safety under paragraph 1 shall be determined by the Minister
tubeof the Interior and Safety.
Lee

notice

Article 47 (measures to ensure safety of the individual image information), the image information processing unit is a private operator
Article 29 of the Act and the Enforcement Decree to prevent loss, theft, leakage, alteration or damage of video information
In accordance with Article 30 (1), the following measures shall be taken to ensure safety:
1. Establishment and implementation of an internal management plan for safe processing of personal image information;
'Small business owners' pursuant to Article 2, Item 4 of the Notification of Standards for Measures to Secure Information Security are managed internally.
You may not have a plan.
standard guidelines
2. Measures to control access to personal image information and restrict access rights
3. Application of technology that can safely store and transmit personal image information (network camera
Encryption measures for safe transmission, password when storing personal image information files
settings, etc.)
4. Measures to keep processing records and prevent forgery and falsification (the date and time of creation of personal image information)
and in case of reading, record and management measures such as purpose of reading, reader, date of reading, etc.)
5. Provision of storage facilities for safe physical storage of personal image information or installation of locking devices

201

Page 208
Explanation of personal information protection laws and guidelines and announcements

Standards for measures to ensure the safety of personal information
Article 1 (Purpose) This standard applies to Articles 23 (2) and 24 of the 「Personal Information Protection Act」 (hereinafter referred to as the “Act”).
In accordance with Articles 21 and 30 of the Enforcement Decree of the Act (hereinafter referred to as the “Spirit”) such as paragraphs 3 and 29,
When the personal information controller processes personal information, personal information is lost, stolen, leaked,
Technical, managerial and necessary to secure safety so that it is not forged, falsified or damaged
The purpose of this is to set minimum standards for physical safety measures.
Article 2 (Definition) The meanings of terms used in this standard are as follows.
1. “Information subject” means a person who can be identified by the processed information, and
refers to the person who is the subject of
2. “Personal information file” means according to certain rules so that personal information can be easily retrieved.
It refers to a collection of personal information that is systematically arranged or composed.
3. “Personal information controller” means to operate personal information files for business purposes.
or public institutions, corporations, organizations and individuals that process personal information through others
say etc.
4. “Large corporation” means fair trade in accordance with Article 14 of the Monopoly Regulation and Fair Trade Act.
It refers to a group of companies designated by the committee.
5. The term “mid-sized enterprise” is defined in Article 2 of the 「Special Act on the Promotion of Growth and Competitiveness of Midsize Companies」.
the relevant company.

notice

6. “Small and medium-sized enterprises” refers to Article 2 of the Framework Act on Small and Medium Enterprises and Article 3 of the Enforcement Decree of the same Act.
say the company
7. “Small business owner” means a person who falls under Article 2 of the 「Act on the Protection and Support of Small Businesses」
say
8. “Person in charge of personal information protection” refers to the personal information processing of the personal information manager.
It refers to a person who is in general responsibility and falls under Article 32 (2) of the Decree.
9. “Personal information handler” means a person who processes personal information under the direction and supervision of the personal information controller.
Persons in charge of work include executives and employees, dispatched workers, and part-time workers.
10. “Personal information processing system” refers to a database system that can process personal information.
It is a system that is systematically structured to
11. “Risk analysis” refers to various risk factors that may affect personal information leakage.
To identify and evaluate and come up with measures to appropriately control the relevant risk factors.
It refers to the act of comprehensive analysis.
12. “Password” means the personal information processing system, business
When accessing a computer or information and communications network, enter it together with an identifier and
must be communicated to the system so that it can be identified as who has access
It refers to information that is not disclosed to others as a unique character string.
13. “Information and communications network” refers to telecommunication facilities under subparagraph 2 of Article 2 of the Framework Act on Telecommunications.

202

Page 209

information by using or using telecommunication facilities and computers and computer use technologies.
It refers to information and communication systems that collect, process, store, search, transmit, or receive.
14. “Open wireless network” means an unspecified number of people who use the Internet through a wireless access device (AP).
network that can be used.
15. “Mobile device” means a PDA, smartphone, tablet PC, etc. that can use the wireless network.
It refers to a portable device used for personal information processing.
16. “Bio information” means information that can identify individuals such as fingerprints, face, iris, veins, voice, and handwriting.
Information about physical or behavioral characteristics, processed or generated therefrom
include information.
17. “Secondary storage medium” means a removable hard disk, USB memory, CD (Compact Disk),
Personal information as a medium to store data such as DVD (Digital Versatile Disk)
Storage that can be easily connected or disconnected from a processing system or personal computer
say the medium.
18. “Internal network” means physical network separation, access control system, etc. in the Internet section.
Article 4 Section

A section where access is controlled or blocked.

dog

19. “Access record” refers to the fact that the personal information handler, etc. has accessed the personal information
processing system.
sign
tablet

Recognizable account, access date and time, visitor information, and work performed are recorded electronically
see
see
of

say that In this case, “access” means data connected to the personal information processing system.

within
I'm
One

It is a state in which transmission or reception is possible.

20. “Terminal for management” means the management, operation, development, security, etc. of the personal information processing system.
tube
Lee

A terminal that directly accesses the personal information processing system.

Article 3 (Application of Standards for Safety Measures) Necessary for the personal information controller to secure the safety of personal information
In case of taking measures, [asterisk] Safety measures according to the type of personal information manager and the amount of personal information retained
Criteria should be applied. In this case, the type of personal information controller
The burden of proof is borne by the personal information controller.
Article 4 (establish and enforce the Internal management plan) ① The Privacy of personal information is lost, stolen, leaked,
To prevent forgery, alteration, or damage, the following
An internal management plan including matters should be established and implemented.
1. Matters concerning the designation of the person in charge of personal information protection
2. Matters concerning the roles and responsibilities of the person in charge of personal information protection and personal information handler
3. Matters related to education of personal information handlers
4. Matters concerning the management of access rights
5. Matters related to access control
6. Matters concerning encryption measures for personal information
7. Matters concerning the storage and inspection of access records
8. Matters concerning the prevention of malicious programs, etc.

203

Page 210
Explanation of personal information protection laws and guidelines and announcements

9. Matters concerning physical safety measures
10. Matters concerning the composition and operation of the personal information protection organization
11. Matters concerning the establishment and implementation of a personal information leakage incident response plan
12. Matters concerning risk analysis and preparation of countermeasures
13. Matters concerning the physical safety measures of the personal information processing system in preparation for disasters and disasters
14. Matters concerning management and supervision of trustees when entrusting personal information processing business
15. Other matters necessary for the protection of personal information
② The personal information controller who falls under Type 1 of [Attached Table] shall maintain the internal management plan in accordance with Paragraph 1.
It may not be established, and the personal information controller who falls under Type 2 of [Attached Table] is subject to Paragraph 1
Subparagraphs 12 through 14 may not be included in the internal management plan.
③ If there is an important change in the matters in each subparagraph of Paragraph 1, the personal information controller shall
The internal management plan should be revised and implemented by immediately reflecting it, and the revision history should be managed.
④ The person in charge of personal information protection checks the implementation of the internal management plan at least once a year
should be managed
Article 5 (Management of Access Rights) ① The personal information controller shall retain the right to access the personal information processing system.
It should be given differentially according to the person in charge of the work within the minimum scope necessary for the performance of the work.
② The personal information controller is responsible for the personal information manager due to a change in personnel, such as a transfer or resignation.
In the event of a change, the right to access the personal information processing system must be changed or canceled without delay.
do.
③ The personal information controller is responsible for granting, changing, or canceling the authority under paragraphs 1 and 2.
Records must be made and the records must be kept for at least 3 years.
④ The personal information controller is responsible for issuing a user account that can access the personal information processing system.
In this case, a user account must be issued for each personal information handler, and
should not be shared.
⑤ The personal information controller is responsible for setting a secure password by the personal information handler or information subject.
Password creation rules should be established and applied for implementation.
⑥ As for the personal information controller, only authorized personal information handlers have access to the personal information processing system.
If you enter your account information or password incorrectly more than a certain number of times,
Necessary technical measures shall be taken, such as restricting access to the information processing system.
⑦ A personal information controller who falls under Type 1 of [Annexed Table] may omit Paragraphs 1 and 6.
Article 6 (Access Control) ① The personal information controller shall be responsible for illegal access and intrusion through the information and communications network.
In order to prevent it, measures including the functions of each of the following subparagraphs shall be taken.
1. The right to access the personal information processing system is set to an IP (Internet Protocol) address, etc.
Restrict unauthorized access
2. By analyzing the IP (Internet Protocol) address connected to the personal information processing system,
Detect and respond to illegal personal information leakage attempts

204

Page 211

② The personal information controller means that the personal information handler receives personal information from the outside through the information and communications network.
Virtual Private Network (VPN) when accessing the processing system
Alternatively, a secure connection method such as a dedicated line must be applied or a safe authentication method must be applied.
③ The personal information controller shall ensure that the personal information being handled is stored on the Internet homepage, P2P, sharing settings,
It is not disclosed or leaked to persons who do not have the right to read through the use of open wireless networks, etc.
personal information processing systems, business computers, mobile devices, and management terminals
Measures related to access control, etc. shall be taken.
④ The personal information controller who processes uniquely identifiable information is uniquely identified through the Internet homepage.
Vulnerabilities are checked at least once a year to prevent leakage, falsification, or damage of identification information, and
Complementary measures should be taken.
⑤ The personal information controller shall be responsible for illegal access to the personal information processing system and incidents of infringement
In the event that the personal information handler does not process for more than a certain period of time to prevent
System access should be blocked automatically.
⑥ The personal information controller does not use a separate personal information processing system for business
Article 4 Section

In the case of processing personal information using a computer or mobile device,

dog
sign
tablet
see
see
of

It may not be applicable, and in this case, the operation of a business computer or mobile device
Access control functions provided by the operating system (OS) or security programs
Available.

within

⑦ The personal information controller shall ensure that personal information is not leaked due to loss or theft
of business mobile devices.
I'm
One

Protective measures such as setting a password on the relevant mobile device should be taken to prevent this.
⑧ The personal information controller who falls under Type 1 of [Attached Table] is subject to paragraphs

tube
2Leeand

4 through 5.

action may not be taken.
Article 7 (Encryption of Personal Information ) ① The personal information controller is responsible for unique identification information, password, and biometric information.
Transmitting information through information and communication networks or through auxiliary storage media
In this case, it must be encrypted.
② The personal information controller shall encrypt and store passwords and bio-information.
However, when storing the password, it is encrypted in one way so that it cannot be decrypted.
should be saved
③ The personal information controller is the Internet section and the intermediate point between the Internet section and the internal network (DMZ:
If unique identification information is stored in the Demilitarized Zone), it must be encrypted.
④ When the personal information controller stores unique identification information in the internal network,
It can be implemented by determining whether or not encryption is applied and the scope of application according to the standards.
1. In the case of public institutions subject to personal information impact assessment under Article 33 of the Act,
Results of Personal Information Impact Assessment
2. Results according to risk analysis when encryption is not applied
⑤ The personal information controller collects personal information in accordance with paragraphs 1, 2, 3, or 4

205

Page 212
Explanation of personal information protection laws and guidelines and announcements

In case of encryption, it shall be encrypted and stored with a secure encryption algorithm.
⑥ The personal information controller shall use a secure encryption key to safely store encrypted personal information.
Procedures for creation, use, storage, distribution and destruction shall be established and implemented.
⑦ The personal information controller stores unique identifiable information in the business computer or mobile device.
If managed, use commercial encryption software or secure encryption algorithms to
It should be encrypted and then stored.
⑧ The personal information controller who falls under Type 1 and Type 2 in [Attached Table] may not comply with Paragraph 6.
The (storage and inspection of recording access) 8000000000000 ① Privacy Privacy The parties personal information
The records of access to the processing system shall be stored and managed for at least 6 months.
② The personal information controller shall respond to the loss, theft, leakage, forgery, alteration, or damage of personal information.
For this purpose, the access records of the personal information processing system shall be checked at least once every half year.
③ The personal information controller shall ensure that the access records of the personal information handler are not forged, altered, stolen, or lost.
The access records must be kept safely.
Article 9 (anti-malware, etc.) to prevent malicious programs, such as handling of personal information shall be treated
You must install and operate security programs such as vaccine software,
must be complied with.
1. Use the automatic update function of your security program, or update at least once a day.
to keep it up to date
2. When an alert related to a malicious program is issued or the application or operation in use
If there is a security update notice from the manufacturer of the system software, immediately follow it.
update according to
3. Countermeasures such as deletion of detected malicious programs, etc.
Article 10 (Safety measures for managing terminal) Privacy The private information such as personal information
In order to prevent intrusion accidents, the following safety measures shall be taken for management terminals.
1. Measures to prevent unauthorized persons from accessing and arbitrarily operating the management terminal
2. Measures not to be used for anything other than the original purpose
3. Application of security measures to prevent infection by malicious programs, etc.
Article 11 (Physical Safety Measures) ① The personal information controller shall store personal information in the computer room, data storage room, etc.
If there is a separate physical storage place, access control
Procedures shall be established and operated.
② The personal information controller shall store documents containing personal information, auxiliary storage media, etc. with a locking device.
It should be stored in a safe place.
③ The personal information controller is responsible for security for controlling the export and import of auxiliary storage media containing personal information.
measures should be taken. However, we do not operate a separate personal information processing system
If personal information is processed using a business computer or mobile device,
may not apply.

206

Page 213

Article 12 (Safety Measures for Disasters and Disasters) ① The personal information controller is responsible for disasters such as fire, flood, power outage, etc.
Response procedures such as a crisis response manual to protect the personal information processing system in case of a disaster
should be prepared and inspected regularly.
② The personal information controller shall be responsible for the backup and recovery of the personal information processing system in the event of a disaster or disaster.
A plan should be prepared.
③ Personal information controllers who fall under Type 1 and Type 2 of [Annexed Table] are subject to Paragraphs 1 through 2.
measures may not be implemented.
Article 13 (Destruction of Personal Information ) ① When the personal information controller destroys personal information, one of the following
Either action must be taken.
1. Complete destruction (incineration, crushing, etc.)
2. Deletion using dedicated device equipment
3. Perform a reset or overwrite to prevent data from being restored
② In the case where the personal information controller destroys only a part of the personal information, in the method of Paragraph 1
When it is difficult to destroy, the following measures shall be taken.
Article 4 Section

1. In the case of an electronic file: Manage so that personal information is not recovered or reproduced after deletion
and supervision
2. In the case of records, printed materials, writings, or other recording media other than subparagraph 1:
Delete by perforation, etc.

dog
sign
tablet
Mask
see the
see
of

relevant part;

within
I'm
One

Once personal information is lost, stolen, leaked, forged, altered or damaged, it is difficult to restore it to its original state.
Therefore, prevention of personal information is more important than ex post remedy or response to damage such as leakage.

tube
Lee

Accordingly, appropriate safety measures are taken to prevent personal information from being lost, stolen, leaked, forged, falsified or damaged.
Establishing and implementing it is the most basic requirement for personal information protection, and civil damages
It will be said to be the minimum required standard in judging whether and how much liability is recognized.
(Standards for Safety Measures Article 1). The personal information controller considers the size of the business and the number of personal information
Establishing standards for personal information protection measures suitable for one's environment in consideration of the latest security technologies at the time
At the same time, the duty of care as a good manager must be fulfilled.
To this end, this Act and the Enforcement Decree and standards for safety measures (notice)
The specific criteria required are specified.

1. Fulfillment of safety measures obligations (Article 30 (1) of the Decree)
According to the Enforcement Decree of this Act, as measures to prevent damage such as leakage of personal information, management
Protection measures, technical protection measures for personal information processing systems, etc., in the place or medium where personal information is stored
It stipulates physical protection measures for

207

Page 214
Explanation of personal information protection laws and guidelines and announcements

Especially in '16. 9. 1. According to the revised standards for measures to ensure safety, personal information controllers
Safety measures should be applied differentially according to the amount of information retained, and
The burden of proof is borne by the personal information controller (Article 3).
The types of personal data controller are: (i) small business owners with personal data about less than 10,000 data subjects;
Organizations, individuals (Type 1, mitigation), (ii) SMEs with personal information about less than 1 million data subjects;
Large corporations, medium-sized companies, public institutions with personal information of less than 100,000 data subjects, 10,000 or more
Small business owners, organizations, and individuals (Type 2, standard) who have personal information about the subject of information (iii) information of more than 100,000 people
Large corporations, medium-sized companies, public institutions, and information subjects with more than 1 million personal information
It is divided into small and medium-sized enterprises (SMEs) and organizations (type 3, strengthened) holding personal information, and is applied by type of personal information processor.
The provisions of the standards for measures to ensure safety are as follows (Annexed Table of Standards for Measures to Ensure Safety).
· Type 1 (Mitigation): Article 5 (paragraphs 2 through 5), Article 6 (paragraphs 1, 3, 6 and 7), Article 7
(Paragraphs 1 through 5, Paragraph 7), Articles 8, 9, 10, 11, 13
· Type 2 (standard): Article 4 (paragraphs 1 through 11 and 15 and 3 through 4),
Articles 5, 6 (paragraphs 1 through 7), Article 7 (paragraphs 1 through 5, paragraph 7);
Articles 8, 9, 10, 11, 13
· Type 3 (Reinforcement): Articles 4 through 13

The administrative safety measures
The personal information controller shall take the following administrative safety measures for the safe management of personal information.
Administrative safeguards
1. Establishment and implementation of an internal management plan for safe processing of personal information

Here, 'internal management plan' means that the personal information controller is responsible for the loss, theft, leakage, forgery, falsification, or loss of personal information.
Established and implemented through the internal decision-making process to safely handle it so that it is not damaged.
internal standards.
In order to properly implement measures to protect the personal information of the data subject, the personal information controller
There is a need for internal regulations that apply throughout. Based on this, detailed guidelines or guides are prepared and
It is necessary to ensure that all handlers take the same actions in accordance with the same standards necessary for the protection of personal information.
For this purpose, personal information controllers such as public institutions and business operators are responsible for preventing loss, theft, leakage, or loss of personal information handled.
Organization for personal information protection activities to ensure safety so that it is not forged, falsified or damaged
Establish an internal management plan for internal personal information management, and provide information to all employees and related persons related to personal information.
Notifications should be made so that they can be complied with.

208

Page 215

The reason for establishing an internal management plan is that personal information protection activities are systematic and not ad hoc.
The purpose is to ensure that it can be carried out within the company-wide plan, and for this purpose, management
Support is essential.
The internal management plan should include the following matters regarding the organization and operation of the personal information protection organization.
do.
· Matters concerning the designation of the person in charge of personal information protection
· Matters concerning the roles and responsibilities of the person in charge of personal information protection and personal information handler
· Matters related to education of personal information handlers
· Matters related to the management of access rights
· Matters related to access control
· Personal information encryption measures
· Matters concerning the storage and inspection of access records
· Matters concerning the prevention of malicious programs, etc.
Article 4 Section

· Matters concerning physical safety measures
· Matters concerning the composition and operation of the personal information protection organization
· Matters concerning the establishment and implementation of a personal information leakage incident response plan
· Matters related to risk analysis and preparation of countermeasures

dog
sign
tablet
see
see
of
within

· Matters concerning the physical safety measures of the personal information processing system in preparation for disasters I'm
and disasters
· Matters concerning management and supervision of trustees when entrusting personal information processing tasks
· Other matters necessary for personal information protection

One
tube
Lee

If there is an important change in the matters set out in the internal management plan, the personal information controller shall immediately reflect it and
The internal management plan shall be revised and implemented, and the revision history shall be managed. In particular, the person in charge of personal information protection
The implementation status of the internal management plan shall be checked and managed at least once a year.
On the other hand, in case of type 1, an internal management plan may not be established, and in case of type 2, risk analysis and
Matters concerning preparation of countermeasures, and physical safety measures of personal information processing systems in preparation for disasters and disasters
Matters related to the management and supervision of the trustee in the case of entrusting personal information processing tasks are included in the management plan.
may not be included.

B. Technical Safety Measures
The personal information controller shall take the following technical safety measures for the safe management of personal information.
shall.

209

Page 216
Explanation of personal information protection laws and guidelines and announcements

technical safeguards
1. Management of restrictions on access rights to the personal information processing system and control of access to personal information
2. Application of encryption technology to safely store and transmit personal information
3. Measures to keep access records and prevent forgery and falsification in order to respond to the occurrence of personal information infringement incidents
4. Installation and update of security programs for personal information, etc.
5. Safety measures for management terminals to prevent personal information leakage

1) Restriction and management of access rights
The number of persons in charge who can process personal information shall be limited to the minimum number of persons necessary to achieve the purpose.
It is necessary, and its management authority needs to be controlled accordingly. Accordingly, this law and notice
It stipulates restrictions and management of access rights.
First, the personal information controller shall grant the right to access the personal information processing system to the minimum necessary for business performance.
The scope should be differentiated according to the person in charge of the task (Article 5 (1) of the Safety Ensuring Measures Notice). And
If the personal information handler is changed due to a change in personnel, such as a transfer or resignation, without delay
The right to access the personal information processing system must be changed or canceled (Article 5 (2) of the Safety Ensuring Measures Notice).
On the other hand, the personal information controller keeps the details of granting, changing or canceling the authority under paragraphs 1 and 2
Records must be made and the records must be kept for at least 3 years (Article 5, Paragraph 3 of the Safety Enforcement Measures Notice).
In addition, when the personal information controller issues a user account that can access the personal information processing system,
One user account must be issued for each personal information handler, and it is not shared with other personal information handlers.
(Standards for measures to ensure safety, Article 5, Paragraph 4). The reason for regulating this is that a large number of personal information
Even if the handler performs the same task, by not sharing one ID,
This is to secure accountability for information processing details.
In this regard, the personal information controller is responsible for setting a secure password by the personal information handler or information subject.

Password creation rules should be established and applied so that they can be implemented (Standards for measures to ensure safety, Article 5)
Section 5). This is because there is a risk of information being exposed if an insecure password is used. safe
A password cannot be easily guessed by a third party and cannot be obtained through password hacking.
It means that it does not exist or that a lot of time is required to obtain it. Therefore, the personal information handler or information subject
Create a password so that you do not use easy-to-guess numbers or letters such as birthdays and phone numbers as passwords
By establishing rules and applying them to the personal information processing system, secure access control to personal information
can be achieved
In general, the minimum length of a password is at least 10 characters depending on the types of characters that make up the password.
Or, it must be composed of more than 8 digits in length.

210

Page 217

· At least 10 digits: uppercase and lowercase letters (A~Z, 26), lowercase letters (a~z, 26), numbers (0~9, 10) and special characters
If it consists of 2 or more types of numbers (32 characters)
· At least 8 characters: uppercase and lowercase letters (A~Z, 26), lowercase letters (a~z, 26), numbers (0~9, 10)
If it consists of 3 or more types of characters (32 characters)
In addition, it is necessary to create a password that is difficult to guess, and set an expiration date on the password and periodically
need to change
· An easy string such as a serial number or phone number such as 12345678 is included in the generated password.
must not be included
· Does not include well-known words such as love, happy, etc. or strings that are side by side on the keyboard.
should not
In addition, the personal information controller shall ensure that only authorized personal information handlers have access to the personal information processing system.
If you enter your account information or password incorrectly more than a certain number of times, access to the personal information processing system is blocked.
Necessary technical measures such as restrictions shall be taken (Standards for Safety Ensuring Measures, Article 5, Paragraph 6).

Article 4 Section

On the other hand, personal information controllers falling under Type 1 of the attached table must comply with Article 5 (1) dog
and (6) of the standards for measures to ensure safety.
sign
tablet
see
see
of

may not apply.

2) access control
Personal information controllers such as business operators and public institutions shall prevent illegal access and

within
I'm
Oneaccidents
infringement

To this end, a security system that can block access by unauthorized persons through an IP address must be installed and

through information and communication networks.

tube
operated.
Lee

To this end, the personal information controller is responsible for the following in order to prevent illegal access and intrusion through the information and communications network.
Measures including the functions of each subparagraph shall be taken (Standards for Measures to Ensure Safety, Article 6 Paragraph 1)
1. Restrict access to the personal information processing system to IP (Internet Protocol) addresses, etc.
Restrict unauthorized access
2. By analyzing the IP (Internet Protocol) address connected to the personal information processing system,
Detect information leak attempts
In addition, the personal information controller means that the personal information handler can access the personal information processing system from outside through the information and communications network.
In case of connection, secure connection such as a virtual private network (VPN) or a dedicated line
Means must be applied or a safe authentication method must be applied (Standards for Safety Ensuring Measures, Article 6 Paragraph 2).
Here, the virtual private network means when a personal information handler remotely accesses the personal information processing system.
It refers to a security system that enables secure cryptographic communication through cryptographic protocol technology, etc.
In addition, the personal information managed by the personal information controller is also transmitted through the Internet homepage and P2P service.
may be disclosed or leaked. In order to prevent this, the personal information controller is responsible for storing the personal information it is handling on the Internet website,

211

Page 218
Explanation of personal information protection laws and guidelines and announcements

Through P2P, sharing settings, and use of open wireless networks, it is disclosed to those who do not have the right to read or
Access to personal information processing systems, business computers, mobile devices, and management terminals to prevent leakage
Measures related to control, etc. must be taken (Standards for Measures to Ensure Safety, Article 6 Paragraph 3).
In addition, the personal information controller who processes uniquely identifiable information may
Vulnerabilities shall be checked at least once a year to prevent leakage, alteration, or damage, and necessary remedial measures shall be taken.
(Standards for measures to ensure safety, Article 6 Paragraph 4).
On the other hand, the personal information controller ensures that only authorized personal information handlers can access the personal information processing system.
If you enter your account information or password incorrectly more than a certain number of times, access to the personal information processing system is blocked.
Necessary technical measures such as restrictions must be taken (Standards for measures to ensure safety, Article 6, Paragraph 6).
On the other hand, in the case of a small personal information controller such as a small business owner or small business operator, a separate individual
Personal information processing using only a business computer (PC) or mobile device without an information processing system
There may be cases. In this case, measures to ensure safety regarding the mandatory installation of an access control system
Article 5, Paragraph 1 of the Standard Notice may not apply, and in this case, the
You can use the access control function provided by the operating system (OS) or security program.
(Article 6, Paragraph 6 of the Notice of Standards for Safety Ensuring Measures). For example, provided by Windows
This is how you use the firewall function.
In addition, in the case of the type of personal information controller falling under Annex 1, measures to ensure safety regarding access control
Paragraphs 2, 4, and 5 of Article 6 of the standard may not be applied.
Finally, mobile devices have high performance and can store or transmit large amounts of personal information, but
It is convenient to carry and move, so if the device is lost or stolen, personal information stored in the device or processing of the device
There is a high risk of personal information leakage through system access. Accordingly, the personal information controller
To prevent personal information from being leaked due to loss or theft of the device, it is necessary to set a password on the mobile device, etc.
Protective measures must be taken (Article 6, Paragraph 7 of Standards for Measures to Ensure Safety).

3) Encryption of personal information
'Encryption' means that personal information is lost due to a mistake of a personal information handler or an attack by an external attacker (hacker).
It refers to a security technology that makes it impossible to check the main contents even if it is leaked or exposed to unauthorized persons. main
When personal information is stored in the personal information processing system without encryption or transmitted over a network,
Since there is a risk of illegal exposure and forgery, safe protection measures such as encryption should be provided.
First, with respect to the subject of encryption, if all personal information is encrypted, the level of protection can be increased, but
The burden on personal information controllers such as business operators and public institutions increases significantly. Accordingly, the standards for measures to ensure safety
In the notice, only unique identification information, password, and bio-information are defined as personal information subject to encryption.

212

Page 219

(Notice of Safety Measures Article 7 Paragraph 1). However, if the personal information controller encrypts the above personal information,
It shall be stored after being encrypted with a cryptographic algorithm (Section 7, Paragraph 5 of the Safety Measures Notice).
Next, in the notification of standards for safety measures, encryption at the time of transmission and at the time of storage
It is specified by encryption, and when personal information is stored, what kind of personal information is stored again,
The storage section is differentially regulated.
· The personal information controller transmits the personal information subject to encryption through the information and communications network or uses auxiliary storage media, etc.
In the case of transmission through it, it must be encrypted (Section 7, Paragraph 1 of the Safety Measures Notice).
· The personal information controller must encrypt and store passwords and bio-information.
do. However, when storing the password, it must be stored in one-way encryption so that it cannot be decrypted.
(Section 7, Paragraph 2 of the Safety Measures Notice).
· The personal information controller is the Internet section and the intermediate point between the Internet section and the internal network (DMZ: Demilitarized
In the case of storing unique identification information in the Zone), it must be encrypted (notice of measures to ensure safety)
Article 7(3)).

Article 4 Section

dog
sign
tablet
Notice
see
see
of

· When the personal information controller stores unique identification information in the internal network,
It can be implemented by determining whether or not to apply and the scope of application (Article 7, Paragraph 4 of the

of Measures to Ensure Safety).

1. In the case of a public institution subject to a personal information impact assessment under Article 33 of the Act, the personal information
within
I'm
One

Results of Impact Assessment

tube

2. In the case of personal information controllers other than public institutions subject to personal information impact assessment,
encryption
Lee
Results according to risk analysis when not applied
In addition, unique identification information is not stored in a personal information processing system, but in a simple business computer or mobile device.
Even when stored, there is a risk of being easily leaked or stolen. Therefore, unique identification information such as resident registration number
Commercial encryption software or secure, if stored and managed on a work computer or mobile device
It should be encrypted using an encryption algorithm and then stored.
And the personal information controller generates a secure encryption key to safely store encrypted personal information;
Procedures for use, storage, distribution, and destruction shall be established and implemented (Standards for Measures to Ensure Safety, Article 7)
Section 6). However, the personal information controller falling under Type 1 and Type 2 of the attached table may not apply Paragraph 6
have.

213

Page 220
Explanation of personal information protection laws and guidelines and announcements

4) Retention of access records and measures to prevent forgery and falsification
The access records of the person in charge of personal information to the personal information processing system include input/output and correction of personal information;
Illegal access by creating a log file that automatically records data access details by file and person in charge
Or, it is an important data to confirm behavior. Therefore, in the standard for safety measures, access records are
It is compulsory to keep it for a certain period of time.
The personal information controller shall keep records of the personal information handler accessing the personal information processing system for at least 6 months.
It should be stored and managed. In addition, the personal information controller shall be responsible for the loss, theft, leakage, forgery, falsification, or loss of personal information.
In order to respond to damage, etc., the access records of the personal information processing system shall be checked at least once every half year.
do. In addition, to prevent forgery, alteration, theft, or loss of access records of personal information handlers,
It must be stored safely (Article 8 of the Safety Ensuring Measures Notice).

5) Installation and operation of security programs
A so-called 'malicious program' is a program created with malicious intent by the creator to intentionally cause damage.
and executable code, also called malicious code. computer virus
(Computer Virus), Internet Worm, Trojan Horse, Spyware, etc.
To prevent and prevent this, by obliging the installation and operation of security programs such as vaccine software, malicious
There is a need to prevent leakage of personal information due to the program.
Accordingly, the personal information controller is responsible for providing security such as vaccine software that can prevent and treat malicious programs.
The program must be installed and operated, and the following standards must be complied with (Standards for Measures to Ensure Safety, Article 9).
1. Use the automatic update function of the security program or update at least once a day to receive the latest
keep it
2. When an alert related to a malicious program is issued or the application or operating system being used
If there is a security update notice from the software manufacturer, update accordingly
practice
3. Countermeasures such as deletion of detected malicious programs, etc.

6) Safety measures for management terminals
'Management terminal' means personal information processing for the purpose of management, operation, development, security, etc. of the personal information processing system.
A terminal that directly accesses the system. Personal information leakage accidents through management terminals are frequent.
As this is a problem, safety measures related to this are very important. Accordingly, the personal information controller
The following safety measures should be taken for the management terminal to prevent personal information infringement accidents such as leakage.
do. (Standards for Measures to Secure the Safety Book Article 10)

214

Page 221

1. Measures to prevent unauthorized persons from accessing and arbitrarily operating the management terminal
2. Measures not to be used for anything other than the original purpose
3. Application of security measures to prevent infection by malicious programs, etc.

Multi- physical safety measures
The personal information controller shall take the following physical safety measures for the safe management of personal information.
shall.
physical safeguards
1. Provision of storage facilities for safe storage of personal information
2. Installation of locks, etc.

If there is a separate computer room or data storage room that stores a large amount of personal information, or
Article 4 Section

If the storage medium is managed separately, unauthorized access to the physical storage

dog
sign due to this.
Necessary procedures should be established so that physical threats such as theft or destruction of personal information do not occur
tablet
see
To this end, first, the personal information controller is responsible for the physical storage of personal information such as computer
see
rooms and
of

If there is a separate storage place, access control procedures for it shall be established and operated.

data storage rooms.

within
I'm
One

In addition, the personal information controller shall secure documents containing personal information, auxiliary storage media, etc. in a safe and secure manner with a locking device.
tube
Lee

should be kept in place.

In addition, the personal information controller shall take security measures to control the import and export of auxiliary storage media containing personal information.
should be prepared However, without operating a separate personal information processing system,
When personal information is processed using a mobile device, this may not be applied. (safety
Securing Measures Standard Article 11 (3)

D Disaster Preparedness and Disaster Preparedness Measures
The personal information controller is responsible for protecting the personal information processing system in case of disasters such as fire, flood, power outage, etc.
A response procedure such as a crisis response manual should be prepared and inspected on a regular basis. In particular, the personal information controller
A plan for the backup and recovery of the personal information processing system should be prepared in case of a disaster or disaster. (safety
Securing Measures Standard Article 12)

215

Page 222
Explanation of personal information protection laws and guidelines and announcements

2. Support for system construction, etc. (Article 30 (2) of the Decree)
The Minister of the Interior and Home Affairs shall require personal information controllers to take safety measures pursuant to Article 30 (1) of the Decree.
We can provide necessary support, such as building a system.
The Minister of Government Administration and Home Affairs shall provide a remote inspection system that can remotely monitor whether personal information has been leaked or not.
In case of an emergency, a technical support system can be built and operated to support rapid recovery.

3. Establishment and announcement of detailed standards for safety assurance measures (Article 30 (3) of the Decree)
As technology for infringement of personal information such as hacking is developing day by day, it is possible to respond more flexibly.
The detailed standards for safety assurance measures under Article 30 (1) shall be determined by public notice by the Minister of the Interior and Safety.
made it possible Accordingly, the Ministry of Government Administration and Home Affairs enacted the 'Standards for Measures to Secure Personal Information Safety' on September 30, 2011.
is being implemented

4. Relationship with other laws
Article 28 of the Information and Communications Network Act and Article 18 of the Enforcement Decree of the Act
Specific contents are stipulated, and the “Standards for Technical and Administrative Protection Measures” are to be announced so that business operators can
Security measures are enforced, and the 「Credit Information Act」 has similar provisions. Therefore, information and communication services
Providers, credit information use/providers, etc. are covered by the “Information and Communications Network Act” and the “Credit Information Act” (“Credit information business supervision
Regulations”), technical and administrative protective measures must be implemented.
Article 28 (Personal Information Protection Measures)
① When information and communications service providers, etc. process personal information, loss, theft, leakage, counterfeiting,
In order to prevent falsification or damage and secure the safety of personal information,
In accordance with the standards, the following technical and administrative measures shall be taken.
1. Establishment and implementation of an internal management plan for safe handling of personal information
2. The use of access control devices such as intrusion prevention systems to block illegal access to personal information;
Installation and operation
Information and Communications Network Act
3. Measures to prevent forgery and falsification of access records
4. Security measures using encryption technology, etc. that can safely store and transmit personal information
5. Measures to prevent infringement by computer viruses, such as installation and operation of vaccine software
6. Other protective measures necessary to ensure the safety of personal information
② Information and communication service providers, etc. shall limit the persons who process users' personal information to a minimum.
do.

216

Page 223

Article 19 (Safety Protection of Credit Information Computerized System) ① Credit information companies, etc.
Including the credit information joint computer network under paragraph (6). illegal access by a third party to
Change, damage, destruction, and other risks of input information as prescribed by Presidential Decree
Credit Information Act
Technical, physical, and administrative security measures shall be established and implemented.
② A credit information provider/user and another credit information provider/user or credit inquiry company are mutually exclusive with this Act.
In the case of providing credit information in accordance with the provisions of the Financial Services Commission, credit information is provided as determined and announced by the Financial Services Commission.
A contract including security management measures must be concluded.

5. Penalty Regulations
violation
Failure to take measures to ensure safety
A person who has been stolen, leaked, altered, damaged or lost

penalty

Imprisonment for not more than 2 years or a fine not exceeding 20 million won
(Article 73 subparagraph 1)

(violation of Article 29)

Article 4 Section

Violation of obligation to secure safety measures

A fine of not more than 30 million won

(violation of Article 29)

dog
sign
tablet
see
see
of

(Article 75 (2) 6)

within
I'm
One

6. Q&A

tube
Lee

Q

I need to install an antivirus program to prevent viruses, so I bought the program and installed it on my PC.
installed. Are no further protective measures necessary?
A business operator shall take measures to prevent infringement by computer viruses, such as installation and operation of vaccine software.

A

do. It is important to install antivirus software first, but use the automatic update function afterwards.
Alternatively, update at least once a day to prevent the latest computer viruses or malware.
it is necessary to make

Q

When inputting fingerprint and iris, input the code value (identification value) of the fingerprint and iris using a program rather than an image
When saving, whether the code value corresponds to bio-information and should be encrypted and stored
By storing bioinformation as a code value (identification value), identification is difficult in systems with different coding methods.

A

Even if it is impossible, the system can identify individuals, so
Therefore, it must be encrypted and stored

217

Page 224
Explanation of personal information protection laws and guidelines and announcements

Article 30 Establishment and disclosure of personal information processing policy
Article 30 (Establishment and Disclosure of Personal Information Processing Policy) ① The personal information processed each of the following:
A policy for the processing of included personal information (hereinafter referred to as “personal information processing policy”) must be established.
do. In this case, the public institution shall store the personal information file subject to registration pursuant to Article 32.
for personal information processing policy.
1. Purpose of processing personal information
2. Processing and retention period of personal information
3. Matters concerning the provision of personal information to a third party (determined only if applicable)
4. Matters concerning entrustment of personal information processing (determined only if applicable)
5. Matters concerning the rights and obligations of information subjects and their legal representatives and methods of exercising them;
6. Name of the person in charge of personal information protection under Article 31 or personal information protection duties and related matters;

law

Contact information such as the name and phone number of the department handling grievances
7. Installation and operation of devices that automatically collect personal information, such as Internet access information files, and
Matters concerning the refusal (determined only if applicable)
8. Other matters prescribed by Presidential Decree regarding the processing of personal information
② If the personal information controller establishes or changes the personal information processing policy, the information owner
It shall be disclosed in accordance with the method prescribed by Presidential Decree so that the body can easily verify it.
③ The contents of the personal information processing policy and the contract concluded between the personal information controller and the information subject
If the contents are different, the one that is advantageous to the data subject is applied.
④ The Minister of Government Administration and Home Affairs shall set guidelines for the preparation of personal information processing policies and notify the personal information controllers.
Compliance can be encouraged.
Article 31 (Contents of Personal Information Handling Policy and Disclosure Method, etc.) ① In Article 30 (1) 6 of the Act
“Matters prescribed by the Presidential Decree” means the following matters:
1. Items of personal information to be processed
2. Matters concerning the destruction of personal information
3. Matters concerning measures to secure the safety of personal information under Article 30;
② The personal information controller shall process personal information established or changed pursuant to Article 30 (2) of the Act.
The policy shall be continuously posted on the personal information controller's Internet homepage.

Enforcement Decree
③ In the event that it cannot be posted on the Internet homepage pursuant to Paragraph 2, any of the following
The personal information processing policy established or changed in one or more ways shall be disclosed.
1. How to post in a place that is easy to see, such as the place of business of the personal information manager
2. Official Gazette (applicable only when the personal information controller is a public institution) or
"Newspapers, etc.," whose main distribution area is the city/province or higher where the business site
General days under subparagraph 1 (a) and (c) of Article 2 of the Promotion Act and subparagraph 2 of the same Article
How to publish in newspapers, general weekly newspapers or online newspapers
3. Publications, newsletters, and publications issued with the same title at least twice a year and distributed to information subjects;

218

Page 225

How to consistently put on flyers or bills, etc.
4. A contract written by the personal information controller and the information subject to provide goods or services
How to issue information to the subject of information
Article 18 (such as basis for the Privacy Policy) ① Privacy self the Privacy Policy
When preparing, each subparagraph of Article 30 (1) of the Act and each subparagraph of Article 31 (1) of the Decree
They should be clearly differentiated, but expressed concretely and clearly in easy-to-understand terms.
② The personal information controller shall ensure that the personal information processed is necessary for the purpose of processing personal information.
It should be noted that the minimum
Article 19 (Items to be stated in the personal information processing policy)
When preparing, all of the following matters shall be included in accordance with Article 30 (1) of the Act:
1. Purpose of processing personal information
2. Items of personal information to be processed
3. Processing and retention period of personal information
4. Matters concerning the provision of personal information to a third party (determined only if applicable)
5. Matters concerning the destruction of personal information
6. Personal information processing consignee contact information, consignee management status check result, etc.
Matters concerning entrustment of information processing (determined only if applicable)

Article 4 Section

dog

7. Matters concerning measures to ensure the safety of personal information pursuant to Article 30 (1) of thesign
Decree
tablet
8. Rights and obligations of information subjects, such as the right to view, correct, delete, and request suspension
of processing of personal information
see
see
of

Matters concerning the event method
9. Matters concerning changes to the personal information processing policy

within
I'm
One

10. Matters concerning the person in charge of personal information protection
standard guidelines
11. Department that receives and processes requests for access to personal information

tube
Lee

12. Remedies for Infringement of Rights and Interests of Information Subjects

Article 20 (Disclosure of Personal Information Handling Policy) ① Personal information controller in accordance with Article 30 (2) of the Act
In the case of establishing a personal information processing policy,
In this case, the name “Privacy Policy” shall be used, but the font size,
It can be easily identified by the information subject by distinguishing it from other notices by using color, etc.
there should be
② If the personal information controller does not operate the Internet homepage or the Internet homepage
If there is a management defect, at least one or more of Article 31 (3) of the Decree
You must disclose your personal information processing policy in a way that Even in this case, “personal information processing
policy”, but use the font size, color, etc.
It should be classified so that the data subject can easily identify it.
③ The personal information controller uses the method of Article 31 (3) 3 of the Decree to change the personal information processing policy.
In the case of disclosure, each time a publication, newsletter, publicity leaflet, bill, etc. is issued,
should be published.
21 (change of the Privacy Policy) Privacy parties to change the Privacy Policy
In this case, the timing of changes and implementation, and the changed contents shall be continuously disclosed;
The changed contents shall be disclosed by comparing before and after the change so that the information subject can easily check it.
do.

219

Page 226
Explanation of personal information protection laws and guidelines and announcements

The personal information processing policy is the personal information controller's internal policy regarding the processing of personal information.
It is a kind of self-regulatory device. Through this, the personal information controller can increase the transparency of personal information processing.
The data subject can compare and compare how the personal information controller is handling his or her personal information.
can be verified.

1. Establishment of personal information processing policy (paragraph 1, Article 31 Paragraph 1 of the Decree)
The personal information controller shall establish a personal information processing policy that includes the following 10 items.

1. Purpose of processing personal information
2. Processing and retention period of personal information
3. Matters concerning the provision of personal information to a third party (determined only if applicable)
4. Matters concerning entrustment of personal information processing (determined only if applicable)
5. Matters concerning the rights and obligations of information subjects and their legal representatives and methods of exercising them;
6. The name of the person in charge of personal information protection pursuant to Article 31 or personal information protection tasks and related grievances
Contact information such as department name and phone number
7. Matters concerning the installation and operation of devices that automatically collect personal information, such as Internet access information files, and rejection thereof;
(Determine only if applicable)
8. Items of personal information to be processed
9. Matters concerning the destruction of personal information
10. Matters concerning measures to secure the safety of personal information under Article 30

In addition to the essential items mentioned above, the personal information processing policy
It may include all matters to be determined as an internal policy.
However, in the case of public institutions, they are required to be registered with the Minister of Government Administration and Home Affairs pursuant to Article 32 of the Act.
It is sufficient to set the personal information processing policy only for the personal information file subject to registration. excluded from registration
Personal information files such as personal information files related to national security, etc.
This is because, if disclosed, it could seriously impede the performance of business.
In addition, if a personal information controller other than a public institution collects and uses only the personal information of internal employees,
It is not necessary to set and disclose the personal information processing policy to the outside, but it is
Employees should be able to see how their personal information is being processed.

220

Page 227

Personal information file exempt from registration (Article 32 Paragraph 2 of the Act)
1. Personal information files that record matters concerning national security, diplomatic secrets, and other important national interests
2. Investigation of crimes, filing and maintenance of prosecution, execution of punishment and probation, corrective measures, protective measures, security observation measures and immigration
Personal information file recording matters related to management
3. A record of matters pertaining to the investigation of offenses under the Punishment of Tax Offenders Act and the investigation of offenses under the Customs Act;
personal information file
4. Personal information files used only for internal business processing of public institutions
5. Personal information files classified as confidential under other laws

2. Standards for writing personal information processing policy
When the personal information controller prepares a personal information processing policy, the personal information subject
In order to make the meaning and contents easy to understand, the items are explicitly divided and written in easy-to-understand terms.
It should be expressed concretely and clearly (Article 18 Paragraph 1 of the Standard Guideline). Accordingly, the information subject

Article 4 Section

It should be easy to understand without knowledge and there should be no confusion regarding the details of provision of personal
information.
dog
As the first principle of the principle of personal information protection in Article
The purpose should be clear, and only the minimum amount of personal information

sign
tablet controller
3 Paragraph 1 of the Act, “personal information
see
seelegal.
required for that purpose should be legal and
of

must be collected legitimately”, and in Article 16 of the Act, the minimum collection
imposes an obligation In terms of clarifying these obligations, the data controller is responsible for the processing of personal

shall process personal information

within
I'm
One
data.
tube

Recognize that the personal information items specified in the policy are the minimum personal information necessary for the purpose
Lee
of processing personal information.
It must be disclosed (Article 18 Paragraph 2 of the Standard Guideline).

3. Disclosure of personal information processing policy (Section 2, Article 31 Paragraph 2, Paragraph 3 of the Decree)
If the personal information controller has established a personal information processing policy, make sure that the information subject can easily check it.
It shall be disclosed by continuously posting it on the Internet homepage of the personal information controller.
(Article 31 Paragraph 2 of the Decree). In this case, in order to easily recognize the disclosed personal information processing policy,
Use the standardized name of “Privacy Policy”, but use font size and color to make other notices
It should be so that the information subject can easily check it by separating it from the matters (Standard Guideline Article 20 Paragraph 1).
Because the 「Personal Information Protection Act」 applies regardless of online and offline, the personal information controller
There are cases where an Internet homepage is not operated, and even if an Internet homepage is operated, the Internet
There may be cases where there is a defect in the management of the website. Even in this case, the privacy policy
The disclosure obligation is not exempted, and the personal information processing policy must be disclosed in one or more of the following ways.
(Article 31 (3) of the Decree).

221

Page 228
Explanation of personal information protection laws and guidelines and announcements

· How to post in a place that is easy to see, such as the place of business of the personal information manager
· If there is an official gazette (applicable only if the personal information controller is a public institution) or the place of business of the personal information controller
Subparagraph 1 of Article 2 of the 「Act on the Promotion of Newspapers, Etc.」, which has a city/province or higher as the main distribution area
and the method of publication in general daily newspapers, general weekly newspapers or internet newspapers under subparagraph 2;
· Publications, newsletters, publicity brochures, or publications issued twice a year with the same title and distributed to information subjects;
Method of continuously posting on invoices, etc. (must be continuously published each time it is issued)
· In order to provide goods or services, it is included in the contract written by the personal information controller and the information subject.
How to issue to the data subject
Even when the personal information controller discloses the personal information processing policy in the above way, the
As in the case of posting, use the name “Privacy Policy”, but change the font size, color, etc.
It should be used to distinguish it from other notices so that the information subject can easily check it (standard
Guideline Article 20 Paragraph 2).

4. Change of personal information processing policy (paragraph 2, Article 31 Paragraph 2, Paragraph 3 of the Decree)
Because the personal information processing policy contains important matters related to the processing of personal information by the personal information controller,
Changes thereto can have a significant impact on the rights and interests of the personal information subject. Therefore, the personal information controller
Even if the contents of the processing policy are changed, the fact of the change shall be notified in the same way as when establishing the personal information processing policy.
must be disclosed, and the personal information controller handles the changed personal information so that the information subject can easily check it
The policy must be continuously posted on the Internet homepage (Article 31 (2) of the Decree). In this case, the changed
The comparison before and after the change should be disclosed so that the data subject can easily check it (Standard Guideline Article 21).
The personal information controller shall maintain a comparison table, etc. so that the information subject can easily identify the reason and details of the change as much as possible.
It should be attached and measures should be taken so that changes can be easily checked at any time.
If there is no Internet website and it is not possible to post on the website, place it in an easily accessible place such as a business place.
Post it or continuously send it to contracts, bills, publications, newsletters, publicity papers, etc., or send it to the official gazette or newspaper
etc. (Article 31 (2) of the Decree).

5. Legal Effect of Privacy Policy (Section 3)
The personal information processing policy is that the personal information controller is responsible for the processing of personal information in accordance with this Act, the Enforcement Decree, and the public notice.
related matters were determined and disclosed to the public, and it is necessary for the fulfillment of obligations under the Act on the processing of personal information of information subjects.
It can be said that it is a promise about
Therefore, the content of the personal information processing policy and the contract concluded between the personal information controller and the data subject
In other cases, it is stipulated to apply what is advantageous to the data subject.

222

Page 229

6. Establishment and recommendation of guidelines for personal information processing policy (paragraph 4)
The Minister of Government Administration and Home Affairs establishes guidelines for the preparation of personal information processing policies and requires personal information controllers to comply with them.
can recommend In the case of a small business or a vulnerable field, the personal information controller determines the personal information processing policy.
because it's not easy. In accordance with this purpose, standards for the preparation of personal information processing policy
It is stipulated in the guidelines.

7. Relationship with other laws
Article 27-2 of the ｢Information and Communications Network Act｣ mandates that a 'personal information handling policy' be established and disclosed.
Therefore, there is no need to establish a separate personal information processing policy under the 「Personal Information Protection Act」.
In the ｢Credit Information Act｣, the 'Credit Information Management' prescribed by the Financial Services Commission in relation to the processing of credit information
'Standards' are established to preserve records, but in accordance with the 'Personal Information Protection Act', the 'Personal Information Handling Policy' is different.
Since the contents are different, a personal information processing policy in accordance with this Act must be prepared.
Article 4 Section

Article 27-2 (Disclosure of Personal Information Handling Policy) ① Information and communication service providers, etc.dog

sign

In the case of processing, a personal information processing policy is established so that users can easily check it at any time. tablet
It shall be disclosed in accordance with the method prescribed by Presidential Decree.
② The personal information processing policy pursuant to Paragraph 1 shall include all of the following matters.

see
see
of

1. Purpose of collection and use of personal information, items of personal information to be collected and method of collection
within
2. In the case of providing personal information to a third party, the name of the recipient (in the case of a corporation, the
refers to the name), the purpose of use of the recipient and the items of personal information provided

I'm
One
tube

Lee
3. Period of retention and use of personal information, procedures and methods of destruction of personal information (each subparagraph
of Article 29 (1))

If personal information needs to be preserved in accordance with the proviso of other parts, the basis for preservation and the
including personal information items)

Information and Communications Network Act
4. Details of the business entrusted with processing personal information and the trustee (included in the processing policy only if applicable)
do)
5. Rights of users and their legal representatives and how to exercise them
6. Installation and operation of devices that automatically collect personal information, such as Internet access information files, and their rejection
Matters concerning
7. The name of the person in charge of personal information protection or personal information protection tasks and related complaints
Contact information such as the name of the department and its phone number
③ If the information and communications service provider, etc. changes the personal information processing policy pursuant to Paragraph 1, the
The reasons and changes shall be notified without delay in accordance with the method prescribed by the Presidential Decree, and the
Measures should be taken so that changes can be easily recognized at any time.

8. Penalty Regulations
violation

penalty

Undisclosed privacy policy

A fine of not more than 10 million won

(Violation of Article 30 (1) and (2))

(Article 75 (3) 7)

223

Page 230
Explanation of personal information protection laws and guidelines and announcements

Article 31 Designation of the person in charge of personal information protection
Article 31 (Designation of Person in Charge of Personal Information Protection)
A person in charge of personal information protection who is responsible for overall work must be designated.
② The person in charge of personal information protection shall perform the following tasks.
1. Establishment and implementation of a personal information protection plan
2. Regular investigation and improvement of personal information processing status and practices
3. Handling of complaints related to the processing of personal information and remedy for damage
4. Establishment of an internal control system to prevent personal information leakage and misuse/abuse
5. Establishment and implementation of personal information protection education plan
6. Protection, management and supervision of personal information files
7. Other duties prescribed by Presidential Decree for proper processing of personal information.

law

③ If the person in charge of personal information protection is necessary for performing the duties of each subparagraph of Paragraph 2,
Investigate from time to time the status of processing of personal information, processing system, etc.
You can get a report from
④ The person in charge of personal information protection shall comply with this Act and other related laws in relation to the protection of personal information.
If you become aware of a violation, you must take immediate corrective action and, if necessary,
Improvement measures should be reported to the head of the institution or organization.
⑤ As for the personal information controller, the person in charge of personal information protection performs the duties of each subparagraph of Paragraph 2.
Therefore, it shall not be given or allowed to receive disadvantages without justifiable reasons.
⑥ Requirements for designation, duties, qualifications, and other necessary matters of the person in charge of personal information protection
determined by Presidential Decree.
Article 32 (Personal Information Protection Officer's Duties and Designation Requirements, etc.) ① In Article 31 (2) 7 of the Act
“Duties prescribed by the Presidential Decree” are as follows:
1. Establishment, change and enforcement of personal information processing policy pursuant to Article 30 of the Act
2. Management of data related to personal information protection
3. Destruction of personal information when the purpose of processing has been achieved or the retention period has expired
② The personal information controller intends to designate a person in charge of personal information protection pursuant to Article 31 (1) of the Act.
In this case, it is designated according to the classification of each of the following subparagraphs.

1. Public institution: Public officials, etc. who meet the criteria for each of the following categories:
Enforcement Decree
end. An institution that handles administrative affairs of the National Assembly, the courts, the Constitutional Court, and the National Election Commission
and Central Administrative Institutions: Public officials belonging to the Senior Civil Service (hereinafter referred to as “Senior Public Officials”)
) or a public official equivalent thereto
I. In addition to item (a), a state institution headed by a public official in political service: Grade 3 or higher public officials (high-ranking officials)
including public officials) or equivalent public officials
All. In addition to items (a) and (b), high-ranking public officials, third-level public officials, or equivalent public officials or higher
State institution headed by a public official: Grade 4 or higher public official or public official equivalent thereto
la. State institutions other than national institutions under the provisions of items (a) through (c) (including affiliated institutions);

224

Page 231

): The head of the department in charge of the personal information processing of the relevant institution
hemp. City/Province and City/Province Office of Education: Grade 3 or higher public officials or equivalent public officials
bar. Si/Gun and autonomous Gu: Grade 4 public officials or equivalent public officials
four. Schools at each level under subparagraph 5 of Article 2: A person in charge of administrative affairs of the relevant school
Ah. Public institutions other than institutions under the provisions of items (a) through (g): related to personal information processing
The head of the department in charge of the work. However, the department in charge of personal information processing
In the case of two or more heads, the head of the department designated by the head of the relevant public institution.
2. Personal information controller other than a public institution: A person who falls under any of the following items
end. business owner or representative
I. Executives (If there is no executive, the head of the department in charge of personal information processing)
③ The Minister of the Interior and Home Affairs shall ensure that the person in charge of personal information protection performs the duties of Article 31 (2) of the Act smoothly.
Provide support such as opening and operating a training course for the person in charge of personal information protection so that
can do.
Article 22 (Disclosure of Person in Charge of Personal Information Protection) ① The personal information controller appoints the person in charge of personal information protection
Article 4 Section protection, the name and
In case of designation or change, the fact of designation and change of the person in charge of personal information

Contact information such as name and phone number must be disclosed.

dog
sign
tablet
see
see
of

② If the personal information controller discloses the person in charge of personal information protection,
Contact information that can actually handle related grievances and consultations shall be disclosed.

In this case, the name of the person in charge of personal information protection and the person in charge of handling personal information protection;
within
I'm
One

Contact information such as department name and phone number can be disclosed together.

Article 23 (Education of Person in Charge of Personal Information Protection) In accordance with Articletube
32 (3 ) of the Decree , the Minister of Government Administration and Home Affairs
Lee

The contents of education for the person in charge of personal information protection who can open and operate are as follows.
standard guidelines
1. Contents of laws and systems related to personal information protection
2. Matters necessary for the performance of business under Article 31 (2) of the Act and Article 32 (1) of the Decree;
3. Other matters necessary for the processing of personal information by the personal information controller
Article 24 (Establishment and Implementation of Education Plan) ① The Minister of Government Administration and Home Affairs shall provide personal information for the year at the beginning of each year.
Establish and implement a protection manager education plan.
② The Minister of Government Administration and Home Affairs, in accordance with the education plan in Paragraph 1, is the Korea Personal Information Protection Council.
Organizations such as those in charge of personal information protection can be trained.
③ The Minister of Government Administration and Home Affairs shall ensure that the person in charge of personal information protection is
Efforts should be made to create a convenient environment for receiving education.

The person in charge of personal information protection is also responsible for the protection of personal information managers, such as compliance with personal information laws and prevention of leakage and misuse.
It can be said to be one of the autonomous regulatory mechanisms to promote information protection activities. personal information within the organization
By designating and operating an executive or department head who will be responsible for overall processing related to
It will be possible to further solidify the internal management system of the information controller.

225

Page 232
Explanation of personal information protection laws and guidelines and announcements

1. Qualification requirements for personal information protection officer (paragraph 1, Article 32 Paragraph 2 of the Decree)
The personal information controller appoints a personal information protection officer who is responsible for the overall handling of personal information.
must be designated (paragraph 1). The qualifications for the person in charge of personal information protection by field are as follows (Article 32 of the Enforcement Decree)
Section 1).
Qualifications of the person in charge of personal information protection
(Article 32 (2) of the Decree)
1. In the case of public institutions, public officials, etc. who meet the criteria for each of the following categories:
end. Institutions and central administrative agencies that handle administrative affairs of the National Assembly, the courts, the Constitutional Court, and the National Election Commission: Senior
Public officials belonging to the public officials group (hereinafter referred to as "high-ranking public officials") or public officials equivalent thereto
I. In addition to item (a), a state institution headed by a public official in political service: a public official of grade 3 or higher (including high-ranking public officials); or
equivalent civil servant
All. In addition to items (a) and (b), high-ranking public officials, third-grade public officials, or equivalent public officials or higher
State agency: Grade 4 or higher public officials or equivalent public officials
la. A national institution other than a national institution under the provisions of items (a) through (c) (including its affiliated institution):
Head of the department in charge of personal information processing
hemp. City/Province and City/Province Office of Education: Grade 3 or higher public officials or equivalent public officials
bar. Si / Gun / Autonomous Gu : Grade 4 public officials or equivalent public officials
four. Schools at each level under subparagraph 5 of Article 2: A person in charge of administrative affairs of the relevant school
Ah. Public institutions other than those under the provisions of items (a) through (g): those in charge of personal information processing
A person designated by the head of a public institution as the head of a department
2. In cases other than public institutions, a person who falls under any of the following items
end. business owner or representative
I. Executives (If there is no executive, the head of the department in charge of personal information processing)

The person in charge of personal information protection determines overall matters regarding personal information processing and is responsible for all results.
As a person who is responsible for the handling of personal information, he has practical authority over the collection, use, and provision of personal information.
Must be in a position to make independent decisions to some extent within the organization
do.
In particular, in cases other than public institutions, the person who can be designated as the person in charge of personal information protection is the business owner or representative,
If there are no executives or no executives, they must be the head of the department in charge of personal information processing.

226

Page 233

2. Duties of the person in charge of personal information protection (paragraph 2, Article 32 Paragraph 1 of the Decree)
The person in charge of personal information protection is a person who is in general responsible for the processing of personal information, and is
carry out work This task of the person in charge of personal information protection is the task of the general manager, so
The person in charge of information protection shall have a personal information protection manager, personal information protection officer, etc.
can do.
Personal Information Protection Officer's Duties
(Article 31 (2) of the Act, Article 32 (1) of the Decree)
1. Establishment and implementation of a personal information protection plan
2. Regular investigation and improvement of personal information processing status and practices
3. Handling of complaints related to the processing of personal information and remedy for damage
4. Establishment of an internal control system to prevent personal information leakage and misuse/abuse
5. Establishment and implementation of personal information protection education plan
6. Protection, management and supervision of personal information files
Article 4 Section

7. Establishment, change and implementation of personal information processing policy pursuant to Article 30 of the Act
8. Management of data related to personal information protection

dog
sign
tablet
see
see
of

9. Destruction of personal information when the purpose of processing has been achieved or the retention period has elapsed

within
I'm
One

3. Disclosure of the person in charge of personal information protection (Standard GuidelinetubeArticle 22)
Lee

If the personal information manager designates or changes the person in charge of personal information protection, the
Contact information such as designation and change, name, department name, phone number, etc. must be disclosed in the personal information processing policy.
do. The personal information controller handles grievances related to personal information protection when the person in charge of personal information protection is disclosed
and contact information that can actually handle consultations. In this case, the person in charge of personal information protection and
Disclosure of contact information such as the name of the person in charge of personal information protection, the name of the department, and phone number
can do.

4. Rights and obligations of the person in charge of personal information protection (paragraphs 3 and 4)
It is not a device for the person in charge of personal information protection to formally show to the outside, but the inside of the personal information controller
To establish a more effective system that strengthens the management system and activates self-regulation
The Act grants practical powers and duties to the person in charge of personal information protection.

227

Page 234
Explanation of personal information protection laws and guidelines and announcements

A. Authority of the person in charge of personal information protection (paragraph 3)
The person in charge of personal information protection shall, if necessary to carry out his/her duties,
You can inspect the processing system, etc. from time to time or receive a report from the concerned party. Privacy
The person in charge of protection is a person who has company-wide responsibility for personal information protection, so the investigation is conducted regardless of the department to which he belongs.
and be able to report.

B. Obligations of the person in charge of personal information protection (paragraph 4)
The person in charge of personal information protection becomes aware of the violation of this Act and other related laws in relation to the protection of personal information.
If necessary, corrective action shall be taken immediately, and if necessary, the head of the affiliated institution or organization shall take the corrective action.
should report Here, the head of an affiliated institution or organization refers to the person in charge of personal information protection.
Refers to the head of the relevant institution or organization.

The tenure of the Privacy Officer (claim 5)
The personal information controller shall not be responsible for personal information protection without any justifiable reason in performing his/her duties.
You must not give or receive any disadvantage. Protection of personal information in many countries such as Germany and Canada
While it is mandatory to designate a person in charge, a mechanism for preventing disadvantages and securing the identity of the person in charge of personal information protection has been established.
In order to support the cost and manpower necessary for the performance of the duties of the person in charge of personal information protection,
specified by law.

5. Support for the establishment and operation of educational courses (paragraph 6, Article 32 (3) of the Decree)
The Minister of the Interior and Home Affairs shall provide personal information in order for the person in charge of personal information protection to perform his/her duties smoothly.
We can provide necessary support, such as opening and operating a training course for the person in charge of protection. Privacy
Accurately communicate government policies and policies to the person in charge, and ensure that the person in charge of personal information protection fulfills his/her role within the organization
This is to support them to perform properly.
The Minister of the Interior and Home Affairs shall be responsible for the contents of laws and systems related to personal information protection and the performance of the duties of the person in charge of personal information protection.
Education on necessary matters and other matters necessary for the processing of personal information by the personal information manager
A course can be opened and operated (Standard Guideline Article 23), for this purpose, the personal information of the year at the beginning of each year
Establish and implement the education plan for the person in charge of protection, and according to the education plan, the Korea Personal Information Protection Council
Organizations such as those in charge of personal information protection may be trained (Article 24, Paragraph 2 of the Standard Guidelines). Also

228

Page 235

The Minister of the Interior and Home Affairs said that the person in charge of personal information protection can conveniently provide education regardless of geographical and economic conditions.
Efforts should be made to create educational conditions, such as opening online courses so that students can receive
Article 24 (3).

6. Relationship with other laws
If a person subject to the 「Information and Communications Network Act」 designates a 'person in charge of personal information protection', the 「Personal Information Protection Act」
There is no need to separately designate a person in charge of personal information protection. In this case, the person in charge of personal information management
All duties of the information protection officer must be performed.
If a credit information manager/protector is designated in accordance with the Credit Information Act, a separate personal information protection officer is appointed.
Without designation, the personal information manager/protector may replace the person in charge of personal information protection. However, “credit
The duties of a credit information manager and custodian stipulated in the “Information Act” and protection of personal information stipulated in the “Personal Information Protection Act”
Since the duties of the person in charge are different, the credit information manager/protector must additionally perform the duties stipulated in this Act.
Article 4 Section

do.

dog
sign
tablet
see
Article 27 (Designation of Personal Information Protection Officer) ① Information and communication service providers, etc.see
of
In order to protect and handle users' grievances related to personal information, the person in charge of personal information protection
within

should be specified However, if the number of employees, number of users, etc. meets the standards prescribed by PresidentialI'm
Decree,
One

Information and communication service providers, etc. may not be designated.

tube

「 Enforcement Decree of the Information and Communications Network Act」
」
Lee
Information and Communications Network Act
Article 13 (Qualifications, etc. of Person in Charge of Personal Information Protection) ② In the proviso to Article 27 (1 ) of the Act, “by Presidential Decree
Information and communications service providers, etc. that meet the prescribed standards” means information with less than five full-time employees
telecommunication service providers, etc. However, its main business is to provide information and communication services over the Internet.
In the case of an information and communications service provider, etc., the number of regular employees is less than 5 and
It refers to a person who has less than 1,000 daily average users in the preceding three months as a standard.
Article 20 (Clarification of Credit Information Management Responsibilities and Preservation of Business Process Records) ③ Credit Information Company, Credit Information Concentration
Institutions and credit information providers and users prescribed by Presidential Decree shall conduct business pursuant to paragraph (4).
At least one manager/guardian must be designated. However, in consideration of total assets and number of employees, the President
A person prescribed by Ordinance shall have a credit information manager/protector as an executive.
④ The credit information manager and custodian under paragraph (3) shall perform the following duties:
1. Establishment and implementation of management and protection plans, such as collection, retention, provision, and deletion of credit information;
Periodic investigation of the management and protection status and practices, such as collection, retention, provision, and deletion of credit information;
Credit Information 2.
Act
and improvement
3. Exercising the rights of the subject of credit information, such as accessing credit information and requesting correction, and remedy for damage;
4. Establishment and operation of an internal control system to prevent leakage of credit information, etc.
5. Establishment and implementation of credit information protection education plans for executives and employees, exclusive solicitors, etc.
6. Inspection of compliance with laws and regulations related to credit information protection of executives and employees and exclusive solicitors
7. Other affairs prescribed by Presidential Decree for the management and protection of credit information.

229

Page 236
Explanation of personal information protection laws and guidelines and announcements

⑤ Credit information managers and custodians, as prescribed by the Financial Services Commission, with respect to the business under each subparagraph of paragraph (4).
Reports must be prepared on a regular basis and reported to the CEO and Board of Directors, and to the Financial Services Commission.
must be submitted
⑥ Qualifications for a credit information manager and custodian under paragraph (3) and other matters necessary for designation shall be determined by the President.
determined by decree
⑦ A customer information manager appointed pursuant to Article 48-2 (6) of the 「Financial Holding Company Act」 meets the qualifications for paragraph 6
If applicable, he/she shall be deemed a credit information manager/protector designated pursuant to paragraph (3).

7. Penalty Regulations
violation
Personal information protection manager not designated
(Violation of Article 31 (1))

penalty
A fine of not more than 10 million won
(Article 75 (3) 8)

8. Q&A
Q

It is necessary to designate a person in charge of personal information protection. What rank should I designate as the person in charge?
I would like to know.

A

In the case of the company, the person who can be designated as the person in charge of personal information protection is the business owner, representative, executive, or
In the absence of an executive, he must be the head of the department in charge of personal information processing.
In addition, the business operator must include the name of the person in charge of personal information protection, the name of the department, and the contact information such as phone number in personal information.
It must be specified in the processing policy and disclosed so that the information subject can easily check it at any time.
Even if the person in charge of protection is changed, the change must be disclosed without delay.

Q

Designate the head of the department in charge of personal information protection as the person in charge of personal information protection, and
Phone numbers and e-mails were disclosed in the personal information processing policy, but minor items such as general product and service inquiries
All consultations are also received over the phone of the executive in charge. How can I do it?

A

It is not necessary to provide the direct contact information of the person in charge of personal information protection.
Responsible for handling related grievances and counseling, and disclose the contact information that can actually be handled. Also
You may include the name and contact information of the personal information handler in charge.

Q

There is no separate employee, and I run the store with my wife, and even small business owners like us
Is it necessary to designate a personal information protection officer?

A

Even small businesses with “less than 5 full-time employees” must designate a personal information protection manager.
In this case, the business owner or the representative himself/herself may be the person in charge of personal information protection.

230

Page 237

Article 32 Registration and disclosure of personal information files
Article 32 (Registration and Disclosure of Personal Information File)
In this case, the following matters shall be registered with the Minister of the Interior and Home Affairs: registered
The same shall also apply where matters are changed.
1. Name of personal information file
2. Operational basis and purpose of personal information file
3. Items of personal information recorded in the personal information file
4. How to process personal information
5. Retention period of personal information
6. In the case of providing personal information normally or repeatedly, the person to whom it is provided
7. Other matters prescribed by Presidential Decree.
② Paragraph 1 shall not apply to personal information files falling under any of the following subparagraphs.
No.
Article 4 Section

1. Recording matters concerning national security, diplomatic secrets, and other important national interests

dog
sign
tablet
and
see probation,
see
of

personal information file
law

2. Investigation of crimes, establishment and maintenance of public prosecution, execution of punishment
Personal information file that records security observation disposition and immigration control

corrective measures, protective measures;

within

3. For the investigation of offenses under the Tax Offenders Punishment Act and the investigation of offenses
I'munder the Customs Act;
One

Personal information file that records related matters

tube
Lee

4. Personal information files used only for internal business processing of public institutions
5. Personal information files classified as confidential under other laws

③ The Minister of the Interior and Home Affairs shall, if necessary, register the personal information file under paragraph (1) and
After reviewing the contents, the head of the relevant public institution can recommend improvement.
④ The Minister of the Interior and Home Affairs shall make it easy for anyone to check the status of registration of personal information files under paragraph (1).
It must be made public for viewing.
⑤ Necessary for registration under Paragraph 1 and the method, scope and procedure of disclosure under Paragraph 4
Matters shall be determined by Presidential Decree.
⑥ The National Assembly, the courts, the Constitutional Court, and the National Election Commission (including its affiliated institutions)
Regarding the registration and disclosure of personal information files, the National Assembly Rules, Supreme Court Rules, Constitutional Court Rules
and the National Election Commission Regulations.
Article 33 (Registration of Personal Information File) In Article 32 (1) 7 of the Act, “the
Matters” means the following matters:
Enforcement Decree
1. Name of public institution that operates personal information files
2. Number of information subjects of personal information held as personal information files
3. Department in charge of personal information processing in the relevant public institution

231

Page 238
Explanation of personal information protection laws and guidelines and announcements

4. Department that receives and processes requests for access to personal information under Article 41;
5. Restriction or refusal of access in accordance with Article 35 (4) of the Act among personal information in the personal information file
The scope and limit of personal information that can be provided or reasons for rejection
Article 34 (Registration and Disclosure, etc. of Personal Information Files )
Within 60 days from the date of commencement of its operation, the mayor, as prescribed by Ordinance of the Ministry of Government Administration and Home Affairs
Matters registered under Article 32 (1) of the Act and Article 33 of this Decree to the Minister of the Interior
(referred to as “Registration Matters”) must apply for registration. Changes in registered information after registration
The same is also true for cases.
② The Minister of the Interior and Home Affairs shall monitor the status of registration of personal information files in accordance with Article 32 (4) of the Act.
It must be posted on the Internet website.
③ The Minister of Government Administration and Home Affairs shall register the personal information file registration matters under paragraph (1), or
A system can be built and operated so that changes can be handled electronically.
Article 3 (Books and Document Formats Related to Personal Information Protection) ② Article 32 (1 ) of the Act and Article 34 of the Decree
enforcement rules
Application for registration of personal information file and application for change registration pursuant to Paragraph 1 shall be submitted to individuals in Attached Form 2
Follow the information file registration/change registration application.
Article 49 (Applicable subject) The subject of this chapter is as follows.
1. Central administrative agencies (including those belonging to the President and those belonging to the Prime Minister) and their affiliations;
Institutions, local governments
2. The National Human Rights Commission of Korea under the National Human Rights Commission Act;
3. Public institutions under the Act on the Management of Public Institutions;
4. Local public corporations and regional corporations under the Local Public Enterprises Act;
5. A special corporation established under the Special Act
6. Schools established in accordance with the Elementary and Secondary Education Act, the Higher Education Act and other Acts;
Article 50 (Exclusion of Application) This chapter applies to personal information files falling under any of the following subparagraphs.
does not apply to
standard guidelines
1. In the National Assembly, the courts, the Constitutional Court, and the National Election Commission (including its affiliated institutions)
Managed personal information files
2. The following personal information files excluded from application pursuant to Article 32 (2) of the Act
end. Records of national security, diplomatic secrets, and other important national interests
personal information file
I. Investigation of crimes, establishment and maintenance of public prosecution, execution of punishment and probation, corrective measures, protective measures;
Personal information file that records matters related to security monitoring and immigration control
All. Investigation of offenses under the “Tax Offenders Punishment Act” and investigations of offenses under the “Customs Act”
Personal information file that records related matters
la. Personal information files used only for internal business processing of public institutions

232

Page 239

hemp. Personal information files classified as confidential under other laws
3. The following personal information files excluded from application pursuant to Article 58 (1) of the Act
end. Personal information files collected in accordance with the 「Statistics Act」 among personal information processed by public institutions
I. Individuals who are requested to be collected or provided for the purpose of analyzing information related to national security
information file
All. When it is urgently necessary for public safety and well-being, such as public health, it is temporarily
Personal information files processed
4. Personal image information files processed through image information processing devices
5. Sending data, goods or money, performing one-time events, etc.
In some cases, personal information files collected for the purpose of destruction without storage or recording
6. Financial institutions under the Act on Real Name Financial Transactions and Confidentiality
Personal information files held for
Article 51 (Personal Information File Registration Subject) ① Personal information of public institutions operating personal information files
The person in charge of protection shall register the current situation with the Ministry of Government Administration and Home Affairs.
Article 4 Section

② Central administrative agencies, metropolitan governments, special self-governing cities and local governments are directly involved in the Ministry of Government Administration and Home Affairs.
dog
sign
tablet
The Office of Education and schools of all levels must register with the Ministry of Government Administration
see
see
Central administrative agencies, agencies belonging to local governments, and other public institutions of

must be registered.
③
④

and Home Affairs through the Ministry of Education.

within
I'm
One

must be registered with the Ministry of Government Administration and Home Affairs.
Article 52 (Application for Registration and Change of Personal Information File )
The personal information handler must register the personal information file with the person in charge of

tube
Lee
personal

information protection of the relevant public institution.

must apply
② The personal information file registration application is as follows. Application for "Personal Information Protection Act"
Enforcement Rules” (hereinafter referred to as “Enforcement Rules”) of Attachment Form 2 pursuant to Article 3 (2)
You can use the 'Personal Information File Registration/Change Registration Application'.
1. Name of public institution that operates personal information files
2. Name of personal information file
3. Operational basis and purpose of personal information file
4. Items of personal information recorded in the personal information file
5. Number of information subjects of personal information held as personal information files
6. How to process personal information
7. Retention period of personal information
8. In the case of providing personal information normally or repeatedly, the person to whom it is provided
9. Department in charge of personal information processing in the relevant public institution
10. Department that receives and handles requests for access to personal information
11. Restrict access to personal information in the personal information file pursuant to Article 35 (4) of the Act;

233

Page 240
Explanation of personal information protection laws and guidelines and announcements

Scope and limit of personal information that can be rejected or reasons for rejection
12. In the case of a personal information file that has undergone a personal information impact assessment pursuant to Article 33 (1) of the Act
The result of the impact assessment
③ The personal information handler shall comply with Article 3 (2) of the Enforcement Rule if the registered matters are changed.
Personal information using the 'Personal Information File Registration/Change Registration Application' in Attached Form No. 2
You must apply for a change to the person in charge of protection.
Article 53 (Confirmation of registration and change of personal information file ) ① Application for registration or change of personal information file
The person in charge of personal information protection will review the registration and changes and determine the appropriateness of the
It must be registered with the Ministry of Government Administration and Home Affairs.
② The person in charge of personal information protection at the Office of Education and each level of school is subject to paragraph 1 of the Ministry of Education, Science and Technology.
After requesting a review of registration and changes and a judgment of adequacy, the Ministry of Education, Science and Technology
It must be confirmed and registered with the Ministry of Government Administration and Home Affairs.
③ Central administrative agencies, agencies affiliated with local governments, and other public institutions
After requesting review of registration and changes and judgment of adequacy in accordance with Paragraph 1, higher management
It must be registered with the Ministry of Government Administration and Home Affairs after receiving the confirmation of the institution.
④ Registration under Paragraphs 1 through 3 must be made within 60 days.
Article 54 (Registration and Management of Standard List of Personal Information Files) ① Special local administrative agencies, local governments,
Institutions that are executing a single common task nationwide, such as educational institutions (including schools),
You must register according to the 'Standard List of Personal Information Files' provided by the central administrative agency.
② A standard list of personal information files related to a single common task across the country is available from the relevant central department.
must be registered and managed.
Article 55 (Destruction of personal information files ) ① Public institutions must retain and process personal information files
When the personal information file becomes unnecessary, such as when the purpose is achieved, the personal information
The file must be destroyed. However, if it is required to be preserved in accordance with other laws,
Not so.
② Public institutions destroy personal information reflecting the retention period and processing purpose of personal information files
A plan should be established and implemented. However, internal management in accordance with Article 30 (1) 1 of the Decree
If a plan is established, including the personal information destruction plan in the internal management plan
can be implemented
③ The personal information handler is an individual who has a cause for destruction, such as the expiration of the retention period or achievement of the purpose of processing.
Select an information file and destroy it in the personal information file destruction request form in accordance with Attachment No. 4
The name of the target personal information file, destruction method, etc. shall be stated to the person in charge of personal information protection.
Personal information must be destroyed with approval.
④ The person in charge of personal information protection checks the destruction result after the destruction of personal information and
A personal information file destruction management ledger according to Form 5 must be prepared.
Article 56 (deletion of the personal information file registered true) ① Private pursuant privacy The 59th

234

Page 241

In the case of destroying the information file, the information on the registration of the personal information file in accordance with Article 32 of the Act
You must request deletion from the person in charge of personal information protection.
② The person in charge of personal information protection requested to delete the registration of personal information file confirms the fact,
After the fact of registration is deleted without delay, the fact is notified to the Ministry of Government Administration and Home Affairs.
Article 57 (Recommendation for Improvement on Registration and Destruction) ① Article 53
If it is determined that the personal information file reviewed in accordance with Paragraph 1 is being used excessively,
improvement can be recommended.
② Offices of Education, schools at all levels, central administrative agencies and local government agencies, and other public institutions
The person in charge of personal information protection of the institution shall have the personal information file reviewed pursuant to Article 53 (2) and (3).
If it is judged to be over-operated, or if it is confirmed that there are unregistered files
In some cases, improvements may be recommended.
③ The Minister of the Interior and Home Affairs shall review the registration details of the personal information file and its contents, and
In any of the cases, the individual of the relevant public institution pursuant to Article 32 (3) of the Act.
Improvements can be recommended to the information protection officer.
Article 4 Section

1. When it is judged that the personal information file is being used excessively
2. If there is an unregistered personal information file
3. Continue to use the personal information file despite the fact that the registration of the personal
if you have

dog
sign
tablet
information
see file
see
of

has been deleted

within

4. Register the results even if you have a personal information file that has undergone a personal informationI'mimpact assessment
One

If not included
5. Other matters that violate the registration and disclosure of personal information files pursuant to Article

tube
Lee of
32

the Act

If it is judged that there is
④ When the Minister of the Interior and Safety recommends improvement pursuant to paragraph (3), he/she shall be aware of the contents and results thereof.
It may be published after deliberation and resolution of the Personal Information Protection Committee.
⑤ The Minister of Government Administration and Home Affairs shall check the status of registration and destruction of personal information files of public institutions.
can be carried out.
Article 58 (Preparation of personal information file ledger) A public institution shall have one personal information in one personal information file.
You need to create a file ledger.
Article 59 (Management of the use and provision of personal information files) Public institutions shall comply with each subparagraph of Article 18 (2) of the Act.
If a third party requests the use and provision of personal information files, each can be used and provided
After checking whether or not it exists, record it in the 'Personal Information Use/Provision for Other Purposes' of Attachment No. 6
have to manage
Article 60 (Calculation of retention period for personal information files) ① The retention period is for individual information, not for all personal information.
The life cycle from collection to deletion of personal information is the minimum period that meets the purpose of retention.
However, it should be calculated according to the retention period of data specified in the provisions of individual laws and regulations.
② If the specific retention period is not specified in individual laws, personal information

235

Page 242
Explanation of personal information protection laws and guidelines and announcements

It should be calculated through the approval of the head of the agency after consultation with the person in charge of protection. However, hold
The period is based on the standards presented in the standard table for the retention period of personal information files in Attached Table 1 and the
It cannot exceed the records management standard table according to the Enforcement Decree of the Records Management Act.
③ The list of external customers for the purpose of publicity and public service of policy customers, website members, etc.
Except in special cases, the information subject must go through the re-consent procedure every two years to give consent.
You can keep holding it only in case.
Article 61 (Disclosure and Method of Personal Information File Status) ① The person in charge of personal information protection of public institutions
Periodically inspect the status of possession and destruction of the accreditation information file and report the results to the relevant public institution.
It must be managed by including it in the personal information processing policy.
② The Minister of Government Administration and Home Affairs shall ensure that anyone can easily view the registration status of personal information files.
should be disclosed
③ The Ministry of Security and Public Administration collects the status of registration and deletion of personal information files of all public institutions every year.
must be disclosed, and electronically handle the work related to the disclosure of the current status of personal information files.
For this purpose, information systems can be built and operated.

The existing 「Act on the Protection of Personal Information of Public Institutions」 requires a 'pre-consultation system when holding or changing personal information files'.
was stipulated That is, if a public institution intends to retain a personal information file, the name of the personal information file,
Certain matters, such as the purpose of retention, are to be discussed with the Minister of the Interior and Safety, and the matters to be discussed are discussed in the Official Gazette at least once a year.

Or, it was advertised by posting it on the Internet website.
However, in the prior consultation system, the administrative burden of each level of public institution is increased and the consultation standards are not uniform.
Problems have been raised In order to improve this point, in the current 「Personal Information Protection Act」, public institutions
If the operated personal information file meets certain requirements, it is mandatory to register and disclose it.
did.

1. Obligation to register personal information file (Paragraph 1, Article 33 of the Enforcement Decree)
Person responsible for file registration (Section 1)
When the head of a public institution operates a personal information file, he/she shall register the fact with the Minister of the Interior and Safety.
do. Even if there is a change in the registered matters, the contents must also be registered. Registration of personal information file
This obligation is borne only by public institutions, and the obligation to register personal information files does not apply to private sector companies and organizations.
does not The public institutions obligated to register personal information files are as follows (Standard Guideline Article 49).
1. Central administrative agencies (including those belonging to the President and those belonging to the Prime Minister) and their affiliated institutions, local governments;
municipality

236

Page 243

2. The National Human Rights Commission of Korea under the National Human Rights Commission Act;
3. Public institutions under the Act on the Management of Public Institutions;
4. Local public corporations and regional corporations under the Local Public Enterprises Act;
5. A special corporation established under the Special Act
6. Schools established in accordance with the Elementary and Secondary Education Act, the Higher Education Act and other Acts;
It is the person in charge of personal information protection of the relevant public institution that actually performs the personal information file registration task. individual
The person in charge of personal information protection of a public institution that operates information files shall register the current status with the Ministry of Government Administration and Home Affairs.
do. In this case, the central administrative agency, metropolitan government, special self-governing city/province, and basic self-governing body shall directly apply to the Ministry of Government Administration and Home Affairs.
After registration, the central administrative agency, the affiliated organizations of local governments, and other public institutions are
It must be registered with the Ministry of Government Administration and Home Affairs. The Office of Education and schools at each level must register with the Ministry of Government Administration and Home Affairs through the Ministry of Education.
(Standard Guidelines Article 51).
Here, the meaning of “registration through” means that the higher level institution reviews the registration and changes of the personal information file and
It judges its adequacy and presents its opinions, and registration means that the institution itself performs it.
Article 4 Section

dog
sign
tablet
see
see
inofcharge

B. Registration method and procedure (Standard Guidelines Articles 52 and 53)
The personal information handler of the public institution that operates the personal information file shall notify the person
You must apply for registration of personal information file. At this time, the person in charge of personal information

within
protectionI'm
who
One

of personal information protection of the relevant public institution.

received the registration application

tube
After reviewing the changes and judging the appropriateness, the personal information file must be registered with the Ministry of
Government Administration and Home Affairs.
Lee

However, the person in charge of personal information protection at the Office of Education and each level of school is registered/changed under Paragraph 1 by the Ministry of Education.
After requesting review of the matter and adequacy judgment, it must be registered with the Ministry of Government Administration and Home Affairs after receiving confirmation from the Ministry of Education.
In addition, institutions belonging to central administrative agencies, local governments, and other public institutions are registered and changed with higher management institutions.
After requesting a review of the matter and adequacy judgment, it must be registered with the Ministry of Government Administration and Home Affairs after receiving confirmation from a higher-level management agency.
do.

C. Registration matters (paragraph 1, Article 33 of the Decree)
When the head of a public institution registers a personal information file, he/she shall register all of the following matters:
(Section 1, Article 33 of the Decree). In addition, in accordance with Article 33 of the Act, the head of a public institution
In the case of information impact assessment, the result shall be attached together (Article 33 (4) of the Act).

237

Page 244
Explanation of personal information protection laws and guidelines and announcements

File registration information (Article 32 Paragraph 1 of the Act, Article 33 of the Enforcement Decree)
1. Name of personal information file
2. Operational basis and purpose of personal information file
3. Items of personal information recorded in the personal information file
4. How to process personal information
5. Retention period of personal information
6. In the case of providing personal information normally or repeatedly, the person to whom it is provided
7. Name of public institution operating personal information files
8. Number of information subjects of personal information held as personal information files
9. Department in charge of personal information processing in the relevant public institution
10. Department that receives and handles requests for access to personal information pursuant to Article 41 of the Decree
11. Individuals who can restrict or refuse access to personal information in the personal information file pursuant to Article 35 (4) of the Act
Scope of Information and Reasons for Restriction or Rejection

D Registration deadline (Article 34 (1) of the Decree)
The head of a public institution that operates personal information files must be operated by the Ministry of the Interior and Safety within 60 days from the date of commencement of the operation.
An application for registration of registered matters shall be filed with the Minister of the Interior and Safety as prescribed by Ordinance. after registration
The same shall also apply where registration matters are changed.

2. Exclusion of personal information file registration (Section 2, Standard Guideline Article 50)
Personal information for the achievement of important national interests such as national security and diplomatic secrets or public interest such as criminal investigation
It may be more in the public interest not to disclose the file. Therefore, these personal information files are
It is necessary to exempt the registration and disclosure obligations.

A. Personal information files of constitutional institutions (Article 32 (6), Standard Guideline Article 50 (1))
Registration and disclosure of personal information files of the National Assembly, the courts, the Constitutional Court, the National Election Commission and its affiliated organizations
The National Assembly Regulations, Supreme Court Regulations, Constitutional Court Regulations, and National Election Commission Regulations.
are doing
Accordingly, the National Assembly, the courts, the Constitutional Court, the National Election Commission, and their affiliated organizations
For personal information files managed by personal information files (including their affiliated organizations), this Act and Standards
Registration/disclosure obligations according to the guidelines do not apply.

238

Page 245

B. Personal information files excluded from application pursuant to Article 32 (2) of the Act
When a public institution operates a personal information file that falls under any of the following subparagraphs, it is
There is no need to register with the Minister (Article 32 Paragraph 2 of the Act).
Registration Exemption Personal Information File (Article 32 Paragraph 2 of the Act)
1. Personal information files that record matters concerning national security, diplomatic secrets, and other important national interests
2. Investigation of crimes, filing and maintenance of prosecution, execution of punishment and probation, corrective measures, protective measures, security observation measures and immigration
Personal information file recording matters related to management
3. Individuals who have recorded matters concerning investigations of offenses under the Punishment of Tax Offenders Act and investigations of offenses under the Customs Act;
information file
4. Personal information files used only for internal business processing of public institutions
5. Personal information files classified as confidential under other laws

Example 1 Personal information file for internal business processing of public institutions
Article 4 Section

• Employee phone book, emergency contact network, personnel record file, etc.

dog
sign
tablet
see
see
of

• Personal information files for utility bill settlement, meeting attendee allowance, and advisory organization operation

Example 2 Confidential personal information files according to other laws
「 Act on the Management of Public Records」
」 Article 33 (Management of Confidential Records )
In this case, the confidentiality protection period and retention period are set together on the original document of the record, and until the

within
I'm
retention
One

period expires.

tube
Lee

should be managed. In this case, the retention period shall be set to be longer than the confidentiality protection period.
② Originals of confidential records are transferred to the competent records management agency as prescribed by Presidential Decree.
should be preserved.

「 Security Business Regulations」
」 Article 4 (Classification of Secrets ) Confidentiality is classified as follows according to the degree of importance and value.
separate
1. Class I secret: If leaked, diplomatic relations with the Republic of Korea will be cut off, causing war, and
There are concerns about jeopardizing the development of science and technology essential for information activities and national defense.
a secret
2. Class II secrets: Secrets that, if leaked, may seriously impair national security
3. Class III secrets: Secrets that, if leaked, may harm national security

The personal information file except the application according to the method of claim 58, paragraph 1
If personal information protection is emphasized too much, the realization of other public values ​guaranteed by the Constitution will be difficult.
There are times when it is difficult. Accordingly, Article 58 (1) of the Act applies to other public interests such as national security and public health.
For the realization of values, the application of Chapters 3 to 7 of the Act is excluded. Therefore, below
The obligation to register and disclose personal information files does not apply to personal information that falls under the circumstances.

239

Page 246
Explanation of personal information protection laws and guidelines and announcements

Registration Exemption Personal Information File (Standard Guideline Article 50)
1. Personal information files collected in accordance with the 「Statistics Act」 among personal information processed by public institutions
2. Personal information files requested to be collected or provided for the purpose of analyzing information related to national security
3. Personal information files that are temporarily processed in cases of urgent need for public safety and well-being, such as public health

D. Other personal information files to which registration obligations are excluded
Most of the data generated and operated by public institutions through video information processing devices such as CCTV is
It is taken continuously in a certain place, and it follows certain rules so that personal information can be easily retrieved.
It is difficult to view it as a 'personal information file', which is a collection of personal information that is systematically arranged or composed according to the therefore
Data taken through image information processing devices in public institutions are exempted from the obligation to register and disclose personal information files.
is excluded
In addition, data, goods, or money are sent only for the purpose of performing a one-time event.
In this case, personal information files collected for the purpose of destruction without storage or recording are also registered and disclosed.
excluded from duty.
Finally, the status of public institutions among financial institutions under the 「Act on Real Name Financial Transactions and Confidentiality」
Personal information files held by financial institutions for 'financial business handling' are also obligated to register under this Act
application is excluded.

3. Recommendation for improvement of personal information file registration (paragraph 3, standard guideline Article 57)
Personal information files are reviewed in the registration process, and any defects or improvements are required.
If there are any issues, improvement measures should be made according to the results of the review.
First, the person in charge of personal information protection of each public institution must ensure that the personal information handler of the relevant institution registers the personal information file.
If an application is made, improvement can be recommended by reviewing it (Standard Guideline Article 57 Paragraph 1). School districts and schools at all levels,
Institutions affiliated with central administrative agencies and local governments, and those in charge of personal information protection of other public institutions also have personal information
If it is determined that the file is being operated excessively or it is confirmed that there is an unregistered file
improvement can be recommended.
In addition, when a public institution registers a personal information file, the Minister of Government Administration and Home Affairs shall review the contents and confirm the registration details.
If it is found that the content is defective or the content is insufficient, it may be recommended to the head of the relevant public institution for improvement.
Yes (Article 32 (3)). Specifically, the cases in which the Minister of Government Administration and Home Affairs may recommend improvement are as follows.

240

Page 247

< Recommendations for improvement when registering personal information files >
1. When it is judged that the personal information file is being used excessively
2. If there is an unregistered personal information file
3. In case the personal information file is retained despite the fact that the registration of the personal information file has been deleted
4. Even if you have a personal information file that has undergone a personal information impact assessment, do not include the result in the registration
if not
5. When it is judged that there is a violation of the registration and disclosure of personal information files pursuant to Article 32 of the Act

In some cases, it is necessary to allow general information subjects, etc. to know the recommendations for improvement on the registration of personal information files.
There is a need to disclose Accordingly, when the Minister of the Interior and Home Affairs recommends improvement to the head of the relevant public institution,
The contents and results can be made public after deliberation and resolution of the Personal Information Protection Committee.
(Standard Guidelines Article 57 Paragraph 4).

4. Management of personal information files (Standard Guidelines Articles 58-61)
Article 4 Section

dog
sign
tablet
see
see
beof checked

Public institutions need to create and manage a ledger for personal information files. To this end, public institutions
One personal information file ledger must be created and managed for one personal information file. Also, public institutions
When a third party requests the use and provision of personal information files, the availability of each use and provision shall

and

within
It must be recorded and managed in the 'Record of Use and Provision of Personal Information for Non-Personal Information (Standard
Guideline Attachment No. 6 Form)'.
I'm
One
tube
Lee

5. Disclosure of personal information files (paragraph 4, Article 34 Paragraph 2 of the Decree)
Personal information files that are registered and managed can ultimately be easily checked by individual citizens.
It is necessary to disclose it so that Through this, citizens who are information subjects can know what kind of public information about them
Check which personal information files are included in the institution and how they are managed, and read through them
and correction may be requested. Accordingly, this Act specifies the disclosure of personal information files.
The Minister of Government Administration and Home Affairs shall disclose the status of registration of personal information files so that anyone can easily read them.
To this end, the Minister of Government Administration and Home Affairs shall publish the registration status of personal information files on the Internet homepage.
In addition, the Minister of the Interior and Home Affairs is responsible for registering or changing the registration details of personal information files of each public institution.
In order for the person in charge of personal information protection, etc. to process it easily, it may be processed electronically.
A system can be built and operated (Article 34 (3) of the Decree).
Currently, the Minister of Government Administration and Home Affairs has established and operated the 'Personal Information File Registration and Disclosure System (www.privacy.go.kr)'.
Through this, the public can view the registration details of the personal information file registered by each public institution.
Each public institution supports the easy and convenient registration of personal information files.

241

Page 248
Explanation of personal information protection laws and guidelines and announcements

Article 32-2 Personal Information Protection Certification Evaluation
Article 32-2 (Certification of Personal Information Protection) ① The Minister of Government Administration and Home Affairs shall determine the personal information of the personal information controller.
To certify whether a series of measures related to processing and protection comply with this Act, etc.
can
② The validity period of the certification under Paragraph 1 shall be three years.
③ The Minister of the Interior and Safety shall, in any of the following cases, by Presidential Decree
Certification under Paragraph 1 may be revoked as prescribed. However, in case of subparagraph 1
In this case, it must be cancelled.
1. Where personal information protection certification has been obtained by fraudulent or other fraudulent means;
2. In case of refusal or obstruction of follow-up management under paragraph (4);
3. In case of failing to meet the certification standards under paragraph 8;
4. In case the violation of personal information protection-related laws is serious
law

④ The Minister of Government Administration and Home Affairs at least once a year to maintain the effectiveness of personal information protection certification.
Follow-up management should be carried out.
⑤ The Minister of Government Administration and Home Affairs shall appoint a specialized institution prescribed by Presidential Decree under paragraph (1).
Certification, cancellation of certification according to paragraph 3, follow-up management according to paragraph 4, and certification according to paragraph 7
Auditor management can be performed.
⑥ A person who has obtained certification under paragraph (1) may review the details of certification as prescribed by Presidential Decree.
can be displayed or promoted.
⑦ Qualifications and qualifications of auditors to conduct the necessary audits for certification under paragraph (1)
For cancellation requirements, etc., in consideration of professionalism, experience, and other necessary matters,
determined by Presidential Decree.
⑧ Other personal information management systems, information subject rights guarantees, and safety measures are included in this Act.
Necessary matters, such as standards, methods, procedures, etc. for certification under paragraph (1), such as whether or not the
determined by decree
Article 34 2 (privacy standards, the authentication method, procedures, etc.) ① Government Administration Minister of Article 30
In consideration of each subparagraph of Paragraph 1, administrative, technical, and physical protection measures for personal information protection
The standards for certification in accordance with Article 32-2 (1) of the Act, including establishment, etc., shall be established and publicly announced.
② A person who intends to obtain personal information protection certification pursuant to Article 32-2 (1) of the Act (hereinafter referred to as this Article and
In Article 34-3, “applicant”) refers to personal information protection including the following matters:

Protection of personal information pursuant to Article 34-6 of the certification application (including the application in electronic form)
Enforcement Decree
It must be submitted to a certification agency (hereinafter referred to as “certification agency”).
1. List of personal information processing systems subject to certification
2. Methods and procedures for establishing and operating a personal information protection management system;
3. List of documents related to the implementation of the personal information protection management system and protection measures
③ When the certification body receives an application for certification under paragraph 2, the applicant and the scope of certification
and schedule, etc. shall be negotiated.

242

Page 249

④ Personal information protection certification examination pursuant to Article 32-2 (1) of the Act shall be conducted by individuals pursuant to Article 34-8.
The information security certification auditor shall conduct a written examination or an on-site examination.
⑤ In order to review the results of the certification examination pursuant to Paragraph 4, the certification body shall
An accreditation committee, which is composed of persons with extensive knowledge and experience, shall be established and operated.
do.
⑥ In addition to the matters stipulated in paragraphs 1 through 5, the certification application, certification review, and certification committee
Details necessary for personal information protection certification, such as installation and operation and issuance of certificates, are
It is determined and announced by the Minister of Home Affairs.
Article 34-3 (Fees for Personal Information Protection Certification) ① Applicant must submit personal information protection certification to a certification body
You must pay the fee required for the examination.
② The Minister of Government Administration and Home Affairs shall determine the number and
In consideration of the number of days required for certification examination, the specific
Standards are set and announced.
Article 34-4 (Certification Cancellation) ① The certification body shall perform personal information protection certification in accordance with Article 32-2 (3) of the Act.
In case of cancellation, deliberation and resolution of the certification committee under Article 34-2 (5) must be passed.
Article 4 Section

do.

dog
sign
② The Minister of Government Administration and Home Affairs or the certification agency may cancel certification
tablet
In this case, the fact is notified to the parties and posted in the official gazette or the website of the certification
see body.
see
It must be announced or posted.
of

pursuant to Article 32-2 (3) of the Act.

within
Article 34-5 (Follow-up management of certification) ① The follow-up management review pursuant to Article
32-2 (4 ) of the Act shall be conducted in writing.
I'm
One

Conducted by the method of examination or on-site examination.

tube

② As a result of the follow-up management pursuant to paragraph 1, the certification body shall comply with
Leeeach subparagraph of Article 32-2 (3) of the Act.
In case the cause is discovered, after deliberation by the certification committee pursuant to Article 34-2 (5)
The results must be submitted to the Minister of the Interior and Home Affairs.
Article 34-6 (Institution specializing in personal information protection certification) ① In Article 32-2 (5 ) of the Act, “by Presidential Decree
The term “specialized institution designated” means an institution falling under each of the following subparagraphs:
1. Korea Internet & Security Agency
2. The Ministry of Government Administration and Home Affairs from among corporations, organizations, or institutions that satisfy all of the following requirements:
A corporation, organization or institution designated and publicly notified by the Minister
end. Have 5 or more personal information protection certification examiners under Article 34-8;
I. Recognized as appropriate in the examination of job performance requirements and abilities conducted by the Minister of the Interior and Home Affairs
will receive
② For the designation of a corporation, organization or institution falling under paragraph (1) 2 and the cancellation of the designation
Necessary detailed standards, etc. shall be determined and publicly notified by the Minister of the Interior and Safety.
Article 34-7 (Indication of Certification and Public Relations) A person who has obtained certification pursuant to Article 32-2 (6 ) of the Act
In the case of displaying or promoting the certified content, the Minister of the Interior and
You can use the personal information protection certification mark announced. In this case, the scope and validity of the certification
The period should be indicated together.

243

Page 250
Explanation of personal information protection laws and guidelines and announcements

Article 34 Article 8 (privacy protection authentication credentials and qualifications of auditor requirements, cancellation) ① Certification Authority Act
Certified as a person with specialized knowledge on personal information protection pursuant to Article 32-2 (7)
Protection of personal information to those who have completed the professional training course necessary for the examination and passed the examination
Qualifications of certification auditors (hereinafter referred to as “certification auditors”) are granted.
② In accordance with Article 32-2 (7) of the Act, the certification body shall be subject to any of the following subparagraphs:
If applicable, the qualification may be revoked. However, in the case of subparagraph 1,
must be canceled
1. Where he/she acquires the certification auditor qualification by fraudulent or fraudulent means;
2. In connection with the personal information protection certification examination, unreasonably receiving money, valuables, profits, etc.
Occation
3. Without any justifiable reason, or divulging information acquired during the personal information protection certification examination process
When used for purposes other than business purposes
③ Completion of specialized training courses in accordance with Paragraphs 1 and 2, granting of qualifications as an accredited auditor, and
Details regarding cancellation, etc. shall be determined and publicly notified by the Minister of the Interior and Safety.
Notification on personal information management system certification, etc.
Article 1 (Purpose) This notice is provided in Article 32-2 of the 「Personal Information Protection Act」 and 「Information and Communications Network Utilization Promotion and
In accordance with Article 47-3 (2) of the Information Protection, Etc. Act (hereinafter referred to as the “Information and Communications Network Act”);
The purpose of this is to set matters necessary for authentication of the personal information protection management system.
Article 2 (Definition of Terms) The definitions of terms used in this notice are as follows.
1. “Personal information protection management system certification” means a series of
Approval means that actions and activities meet the certification audit criteria.
2. “Personal Information Protection Management System Certification Authority (hereinafter referred to as ‘Certification Agency’)” refers to the
Administration in accordance with Article 32-2 (5) of the 「Personal Information Protection Act」
Article 47-3 (3) of the Specialized Institutions and Information and Communications Network Act prescribed by the Ministry of Home Affairs and the Information and Communications Network Act
Refers to an institution designated by the Korea Communications Commission pursuant to Article 47 (5).
notice

3. “Examination of business performance requirements and competency” means a corporation that has applied for designation as a certification body or
Examination of the organization's business performance requirements and capabilities in accordance with the detailed standards in Attached Table 2
say
4. “Certification review” refers to the personal information protection management system established and operated by the application institution as specified in Attached Table 5.
The 'Korea Internet & Security Agency' checks whether the personal information protection management system meets the certification standards.
(hereinafter referred to as 'Internet Promotion Agency') or the certification body
way to check
5. “Personal Information Protection Management System Certification Committee (hereinafter referred to as “Certification Committee”)” means the Internet
Established/resolved by the Promotion Agency or the head of a certification body to deliberate and decide on the results of certification examination, etc.
As an operating organization, it consists of a chairperson and members.
6. “Certification auditor” means a person who is qualified by the Internet & Security Agency and conducts certification audit.
say the person
7. “Applicant organization” means the certification of the personal information protection management system to the Internet & Security Agency or a certification agency.

244

Page 251

refers to the person who applied
8. “Initial audit” means the first application for certification or a significant change in the scope of certification.
It refers to the certification audit conducted when a re-certification application is made.
9. “Post review” means personal information protection management established and operated by an institution that has obtained certification
Checking that the system meets the certification standards and is continuously maintained
For this purpose, it refers to a certification audit conducted at least once a year during the validity period of the certification.
10. “Renewal review” refers to the certification review conducted when a re-certification application is made due to the expiration of the validity period.
say
Article 3 (Certification Agency, etc.) ① The Internet & Security Agency or certification agency shall perform the following tasks.
1. Implementation of certification audit and certification/revocation of certification;
2. Issuance of certificates, issuance of certification marks, and management of certification facts
3. Organization and operation of the certification committee
4. Research and development of certification examination standards and certification examination techniques
5. Recognition of qualifications, training, promotion and management of certification examination experience of certification auditors
6. Research and trend research and analysis related to the certification system, and other matters necessary for the operation of the certification system
Article 4 Section

② The Ministry of Government Administration and Home Affairs and the Korea Communications Commission shall consult with each other when it is necessary to designate a certification body.
dog
The number of designated organizations, the scope of work, and the application method, etc. are determined,sign
and the official
tablet
It must be announced on the website for at least 20 days.
see
see
③ A person who intends to be designated as a certification body pursuant to paragraph (2) submits the following
documents
of

gazette and Internet
to the Ministry of Government Administration and Home Affairs.

within
I'm
One

Or, it must be submitted to the Korea Communications Commission.

1. Application for designation of personal information protection management system certification body in Attachment No. 1 form
tube
Lee

2. Current status of certification auditors in Attachment No. 2 form and documents proving it

3. Documents required for the examination of requirements and competence for work performance in Attached Table 1.
Article 4 (Designation of Certification Authorities criteria and procedures specified) ① perform tasks for the certification authority requirements,
Detailed standards for competency screening are as shown in Attached Table 2.
② The Ministry of Government Administration and Home Affairs and the Korea Communications Commission shall submit an application for designation of a certification body pursuant to Article 3 (3).
Upon receipt, after consultation, the requirements and capabilities for business performance are reviewed in accordance with Paragraph (1), and the target of designation
rank the institutions;
③ The Ministry of Government Administration and Home Affairs and the Korea Communications Commission shall consult with each other to examine the requirements and capabilities for business performance and to apply for designation.
As many as necessary, the sum of the points is selected in the order of the highest.
④ The Ministry of Government Administration and Home Affairs and the Korea Communications Commission consult and certify based on the examination results
The final decision on whether to designate as an institution or not.
⑤ The Ministry of Government Administration and Home Affairs and the Korea Communications Commission shall notify the applicant designated as a certification body according to Attachment 3
Personal information protection management system certification agency designation is issued.
Article 5 (Follow-up management of certification body ) The certification body shall report the certification performance of the previous year by the end of February every year in a separate sheet.
Fill out the certification performance report in Form 4 and submit it to the Ministry of Government Administration and Home Affairs and the Korea Communications Commission
shall.
Article 6 (Re-designation of the certification body ) ① The certification body shall be appointed from 6 months to 3 months before the expiration of the validity period.

245

Page 252
Explanation of personal information protection laws and guidelines and announcements

You may apply for re-designation to the Ministry of Government Administration and Home Affairs or the Korea Communications Commission in accordance with Attachment No. 1 form.
can
② When the Ministry of Government Administration and Home Affairs and the Korea Communications Commission receive an application for redesignation pursuant to paragraph (1), they
decide whether to re-designate.
Article 7 (qualifications of certified auditors, etc.) ① rating qualifications of certified auditors and Annex 3
same.
② Certification auditors are divided into assistant auditors, auditors, and senior auditors according to their ability to perform certification audits.
separate
Article 8 (certified auditor qualification application) ① The internet become a certified auditor for the Agency performed
You must complete the certification auditor training course and pass the evaluation.
② Those who wish to apply for the qualification of an examiner must apply within the application period announced by the Internet & Security Agency.
Submit the application form for the personal information protection management system certification examiner in Attachment No. 5 and related documents.
must be submitted
Article 9 (Granting of Certification Examiner Qualifications) ① Internet & Security Agency shall receive the certification examiner qualification application form.
In this case, you can review the application documents and request supplementation and additional submission of documents.
② Qualification applicants who have been requested to supplement and submit additional documents must submit related documents within one month.
must be submitted
③ The Internet & Security Agency checks the suitability of the certification examiner's qualification and sends a separate sheet to those who pass.
A certificate of qualification as a certification examiner in Form 6 shall be issued.
Article 10 (Maintenance of Qualifications of Certification Auditors ) ① The validity period of qualifications of certification auditors is
3 years from the date.
② In order to maintain the qualifications, the certification examiner shall be appointed by the Internet & Security Agency or
You must complete the accreditation auditor refresher training conducted by an institution designated by the Internet & Security Agency.
do. However, if the maintenance training is not received due to unavoidable reasons, the Internet & Security Agency
Recognized alternative education is required.
③ The validity period of qualifications is extended for 3 years only for those who have completed the refresher training.
Article 11 (certified auditors qualified canceled) Internet Development Agency is the following, each one heading
If the cause is discovered, the certification auditor's qualification may be revoked.
1. If the documents submitted at the time of application for qualification as a certification examiner are false
2. Information obtained during the certification examination is not disclosed without the consent of the applicant organization or the basis of the relevant laws and regulations.
In case of divulging it to others or using it for other than business purposes
3. In the case of unreasonably receiving any money, bribes, profits, etc. related to the certification examination
Article 12 (Preparation by the Applicant Organization) ① Those who wish to obtain personal information protection management system certification
Before applying for personal information protection management system certification, the applicant organization
An information security management system must be established and operated for at least two months.
② The applicant institution shall prepare the following matters before conducting the certification examination for the certification examination.
shall.
1. Provision of perusal of related documents and evidence for certification examination

246

Page 253

2. Securing necessary places, facilities, equipment, equipment, etc. to conduct certification audits;
3. In order to perform other certification examinations smoothly, the Internet & Security Agency or a certification agency
Requirements
Article 13 (Application for Certification, etc.)
You can apply for one type of certification.
1. To small business owners under subparagraphs 1 and 2 of Article 2 of the 「Act on the Protection and Support of Small Businesses」
Eligible business operators and other businesses (Type 1)
2. A business entity that falls under Article 2 of the Framework Act on Small and Medium Enterprises (Type 2)
3. Applicable to large enterprises under subparagraph 2 of Article 2 of the 「Act on Promotion of Coexistence of Large and Small Businesses」
“Information and Communication Service Provider” under Article 2 Subparagraph 2 of the Business Operators and Information and Communications Network Act (Type 3)
4. Public institutions under subparagraph 6 of Article 2 of the Personal Information Protection Act (Type 4)
② An institution applying for certification pursuant to Paragraph 1 shall designate the subject of certification as a specific service or task.
You must apply separately.
③ Institutions wishing to apply for certification pursuant to Paragraph 1 shall apply for personal information protection in Attachment No. 7 form.
The following matters related to the management system certification application and certification examination must be submitted to the Internet & Security Agency.
Article 4 Section

Or, it should be submitted to the certification body.
1. List of personal information
2. Methods and procedures for
3. List of documents related to

dog
sign
processing systems within the scope of certification
tablet
establishing and operating a personal information protection management system;
see
see
the implementation of the personal information protection management system
of and

protection measures

within
④ The applicant organization shall discuss the scope and schedule of the certification with the Internet & Security
Agency or the certification agency in advance.
I'm
One

must apply

tube

⑤ In order to determine whether or not to conduct an accreditation review, the Internet & Security Agency or
Leethe certification body shall comply with Article 12
It is possible to check whether the applicant institution is ready for certification examination according to the
If it is insufficient, you can request the applicant institution to supplement it.
⑥ When it is necessary to change the scope of certification, the Internet & Security Agency or the certification body shall communicate it with the applicant agency.
It can be changed by consultation.
Article 14 (Conclusion of Certification Examination Contract) After consulting with the Korea Internet & Security Agency or the certification agency
Including audit period, number of auditors, certification fee, certification scope, certification suspension or cancellation, etc.
Conclude a certification audit contract.
Article 15 (Calculation of authentication fee ) ① The authentication fee is the personal information protection management system certification in Attached Table 4.
It is calculated by applying the fee calculation criteria.
② The Internet & Security Agency or the certification agency shall notify the certification fee calculated in accordance with Paragraph (1).
do. However, when a small and medium-sized enterprise applies for certification under Article 2 of the 「Framework Act on Small and Medium Business」
We can provide necessary support such as fee reduction.
③ When there are two or more applicants for the same certification target, or one application
When an institution has applied for accreditation for multiple accreditation targets, the number of audit days is consolidated.
Calculate and set fees accordingly.
④ In accordance with Article 16 (2), the scope of certification of the applying institution shall be determined by the Internet & Security Agency or the certification body.

247

Page 254
Explanation of personal information protection laws and guidelines and announcements

In case of addition or adjustment, the fee may be adjusted in consultation with the applicant organization.
⑤ The applicant institution shall pay the fee when applying for initial examination, follow-up examination and renewal examination,
If the fee is not paid, the certification examination may not be conducted.
⑥ The applicant organization certifies the certification fee within one month from the date of signing the certification examination contract.
must be paid to the institution.
Article 16 (Criteria for Certification) ① The criteria for the certification examination of the applicant institution are classified in Attached Table 5 by application type.
follow
② The Korea Internet & Security Agency or the certification body determines the scale of personal information processing,
Certification audit items can be added or adjusted in consideration of business characteristics, etc.
Article 17 ( Organization of Certification Review Team) ① The Internet & Security Agency or certification body shall
In this case, a certification audit team shall be formed.
② When composing the certification audit team, the audit team leader is an auditor belonging to the Internet & Security Agency or a certification agency.
should be selected above.
③ Certification auditor who participated in consulting for certification of the personal information protection management system of the applicant institution
Or, an employee belonging to the applicant institution shall be excluded from the membership of the certification examination team.
Article 18 (certification audit methods and complementary action) ① audits are written to visit the applicant laboratory examination and
Conduct on-site inspections.
② Written examination is based on whether the certification criteria in Attached Table 5 are met by the personal information protection management system.
Review, personal information protection policies, guidelines, procedures and evidence of implementation related to establishment and operation
The management factors are reviewed by checking whether the security measures are applied or not.
③ The on-site examination is conducted to confirm the results of the written examination and the implementation of technical and physical protection measures.
In order to do this, technical elements are analyzed through methods such as interviewing the person in charge, checking related systems, and checking vulnerabilities.
examine
④ The Internet & Security Agency or the certification body shall take up to 90 days (re-measurement) for defects found in the certification examination.
You can request the applicant agency to complete the supplementary measures within 60 days of the request).
⑤ The Internet & Security Agency or the certification body shall be notified within 30 days according to the deliberation result of the certification committee.
Remedial measures may be requested.
⑥ When necessary to confirm the results of supplementary measures, the Internet & Security Agency or the certification body
On-site verification is possible.
Article 19 (Suspension of Examination) ① The Internet & Security Agency or the certification body shall be responsible for the occurrence of any of the following reasons:
In this case, the certification audit may be suspended.
1. The applicant institution intentionally delays or interferes with the implementation of the certification examination, or the applicant institution is at fault
If it is recognized that it is difficult to continue the certification examination for any reason
2. As a result of reviewing the relevant materials submitted by the applicant institution, it can be considered that the certification is ready.
if not
3. Up to 90 days of supplementary measures under Article 18 (4) after certification review (including 60 days of request for re-measures)
if not done within
4. It is not possible to proceed with the certification audit due to natural disasters or changes in the business environment.

248

Page 255

If judged
② When the Internet & Security Agency or the certification body suspends the certification examination pursuant to paragraph (1), the
The reason must be notified in writing to the applicant.
③ The Korea Internet & Security Agency or the certification body shall be notified if the reason for the suspension of certification examination in Paragraph 1 is resolved or
The certification examination may be resumed or terminated according to the result of handling objections pursuant to Article 29.
Article 20 (Organization of the Certification Committee) ① The head of the Internet & Security Agency or the certification body shall comply with the following subparagraphs:
A certification committee shall be established and operated to deliberate and decide on matters.
1. Whether the results of the initial audit or renewal audit conform to the certification criteria
2. In the event that a cause falling under Article 28 (1) is found as a result of the follow-up examination, the appropriateness of the result
Synthetic or not
3. Matters concerning the revocation of certification under Article 28 (1);
4. Matters concerning objections under Article 29;
5. Other information deemed necessary by the chairperson in relation to certification of the personal information protection management system.
matters
② The certification committee shall be composed of no more than 35 members, including one, and the members shall be individuals.
Article 4 Section

Among those with knowledge and experience in the field of personal information protection, such as information protection experts, lawyers, and professors,
dog

It is appointed by the head of the Internet & Security Agency or the certification body, and the chairperson issign
elected from among the members.
③ The chairperson controls the affairs of the certification committee and represents the committee.
④ When a member of the Internet & Security Agency or the head of a certification agency violates laws

tablet
see
see
andof regulations

or these regulations,

within
I'm
One

The member may be dismissed.

Article 21 (Operation of the Certification Committee ) ① The meeting of the Certification Committee shall be held by the Internet & Security Agency or the certification body.
tube

It is held on demand, but at least 5 people per meeting considering the specialties of the chairperson and accreditation
Lee
member
It is composed and operated by accreditation committee members.
② The Internet & Security Agency or the head of the certification agency reviews the agenda for deliberation by the certification committee,
Submit to the accreditation committee 5 days prior to the event. However, in case of emergency or unavoidable reasons,
Not so if there is.
③ The chairperson of the certification committee shall review the results of deliberation and resolution on the matters under each subparagraph of Article 20 (1).
Submit to the Internet & Security Agency or the head of the certification body.
④ If the certification committee deems it necessary for deliberation, the certification committee participates in the certification review.
You can hear opinions about it from the certification auditor or related experts.
⑤ Other details regarding the operation of the certification committee can be found on the Internet through the resolution of the certification committee.
It shall be determined by the head of the Korea Promotion Agency or the certification body.
Article 22 (Exclusion, Rejection, Evasion) ① Members of the certification committee shall
In cases falling under any of the following circumstances, they cannot participate in deliberation and resolution.
1. Matters that have a direct interest in the member himself/herself
2. Matters related to persons who are or were related to the member himself/herself;
3. Matters involved in audits, investigations, or investigations before becoming a member
② If there are circumstances in which it is difficult to expect fairness of deliberation and resolution from a member, the applicant institution shall

249

Page 256
Explanation of personal information protection laws and guidelines and announcements

An application for challenge may be filed, and the committee decides on it by resolution.
③ In the case of a reason for exclusion or a reason for refusal, a member shall deliberate and decide on his/her own.
can be avoided
Article 23 (Issuance of Certificates, etc.) ① The head of the Internet & Security Agency or the certification body
When the results of deliberation and resolution are submitted, the results are notified to the applicant organization, and the
When it is determined that the personal information protection management system meets the certification standards set out in this notice
A certificate of personal information protection management system in Attachment No. 8 form must be issued.
② The validity period of the personal information protection management system certificate pursuant to Paragraph 1 shall be 3 years.
③ The Korea Internet & Security Agency or the head of the certification body will be responsible for the certification committee for matters other than issuance of certificates.
When the results of deliberation and resolution are submitted, the results shall be immediately notified to the applicant institution.
Article 24 (certificate management and replacement) ① KISA or the certification body of a certificate issued
Certificates such as certification number, issuance date, and validity period must be managed.
② If a person who has obtained a certificate wishes to receive a reissuance due to loss of the certificate, etc.,
The application for reissuance of personal information protection management system certificate in Form 9 is submitted to the Internet & Security Agency.
Or, it should be submitted to the certification body.
③ If a person who has obtained certification wants to request a change in the details of the certificate, such as address, company name, etc.
If you do, please submit the application for change of personal information protection management system certificate in Attachment No. 10 form.
It must be submitted to the Korea Internet & Security Agency or a certification body.
Article 25 (Indication of Certification and Public Relations) ① Article 34-7 of the 「Personal Information Protection Act Enforcement Decree」 and 「Information」
Certification pursuant to Article 52 of the Enforcement Decree of the Act on Promotion of Communication Network Utilization and Information Protection, etc.
Indications are as shown in Table 6.
② In the case of using the certification mark under paragraph 1, the type of certification under Article 13 and
The scope of certification and the validity period shall be indicated together.
Article 26 (Post-examination) ① The institution that acquires the certification shall do it at least once a year during the validity period of the issued certificate.
You must apply for a follow-up review to the Korea Internet & Security Agency or a certification body.
② Follow-up examination shall be conducted in accordance with Chapters 4 and 5 mutatis mutandis.
Article 27 (Renewal Examination) ① The certification authority shall renew the certificate three months before the expiration of the validity period.
You must apply for review.
② Renewal examination shall be conducted in accordance with Chapters 4 and 5 mutatis mutandis.
③ The validity period of the certification has expired without the certification agency applying for renewal of certification under Paragraph 1
When this expires, the validity of the certification is lost.
Article 28 (Cancellation of Certification) ① The Internet & Security Agency or certification agency shall
In this case, the certification may be revoked after deliberation and resolution by the Certification Committee.
1. In case of obtaining certification by fraudulent or fraudulent means;
2. Where it falls short of the certification standards under Article 16 (1);
3. An institution that acquires certification shall conduct a follow-up examination under Article 26 (1) or under Article 27 (1);
If the renewal review has not been performed or supplementary measures have not been taken pursuant to Article 18 (4)
4. Types of certification and scope of certification under Article 25 (2) while promoting the certified content;

250

Page 257

and if the validity period is falsely indicated or omitted
5. When an institution that has obtained certification refuses or interferes with follow-up management under Articles 26 and 27
Occation
② The Korea Internet & Security Agency or the certification body acquires certification when the certification is revoked pursuant to paragraph (1).
Notify the institution and retrieve the certificate issued in accordance with Article 23.
The (complaint) 29 ① application engine or certification authority or certification audit result certification
If there is an objection to the cancellation disposition, within 15 days from the date of notification of the result
You can file an objection to the Internet & Security Agency or the certification body.
② The Korea Internet & Security Agency or the certification body shall be notified that the objection pursuant to paragraph (1) is deemed justifiable.
In this case, the certification committee may request a re-deliberation.
③ The Korea Internet & Security Agency or the certification body shall report the result of processing the objection to the requesting agency or the
The certification body shall be notified in writing.
Article 30 (Maintenance of Confidentiality, etc.) ① Internet & Security Agency or accreditation agency, accreditation committee member, accreditation examiner
A person who is engaged in or has been engaged in certification examination, etc., without legitimate authority or
In excess of the permitted authority, divulging information on confidential information acquired in the course of work
Article 4 Section

It must not be used for any other purpose.

dogof the certification committee, and a certification examiner
② For certification examination tasks such as the Internet & Security Agency or certification body, a member
sign
tablet
profits,
see
see
of

A person who has been engaged or has been engaged in the certification shall not give any money, bribes,
It must not be received unfairly.

etc. in relation to the certification.

Article 31 (Certification Guidelines) National Internet Development Agency or the certification authority necessary
to perform certification services
within
I'm
One

In this case, guidelines for certification work may be prepared and implemented.

tube
Lee

1. Significance of Personal Information Protection Management System Certification (PIMS) System
A series of measures related to the processing and protection of personal information of the personal information controller is required by the Minister of the Interior and Safety.
It may certify whether it conforms to this Act, etc. (Article 32-2 (1)).
In particular, in accordance with Article 32-2 of the Personal Information Protection Act, which was operated separately by the Ministry of Government Administration and Home Affairs and the Korea Communications Commission,
Personal information protection certification system (PIPL, Personal Information Protection Level) and personal information protection management
The PIMS (Personal Information Management System) certification system has been implemented since January 2016.
integrated and operated. The name of the certification system refers to the certification of the personal information protection management system in which the system was first introduced.
are using

251

Page 258
Explanation of personal information protection laws and guidelines and announcements

2. Personal information protection management system (PIMS) certification system operating entity
A. Personal information protection certification agency
Personal information protection certification agency (hereinafter referred to as “certification agency”) means the Korea Internet & Security Agency (KISA) or personal information protection agency.
A corporation or organization that has 5 or more certification auditors and is recognized as suitable in the examination of business performance requirements and competence
or an institution (paragraph 5, Article 34-6 of the Decree).
The certification body composes an audit team and applies the personal information protection management system established and operated by the applicant agency to the certification standards.
In accordance with the certification criteria, it is checked whether the defects found during the audit period are supplemented or not.
While issuing certificates to institutions, they are in charge of revocation of certification and follow-up management. In addition, the certification body
Conducting tasks such as committee operation, training and qualification management of certification auditors, research and trend surveys related to certification systems, and analysis
(Personal Information Protection Management System Certification, etc., Notice Article 3).

I accreditation committee
The Personal Information Protection Management System Certification Committee determines that the results of the certification examination (initial examination or renewal examination results) meet the certification standards.
Deliberates and decides on whether it is appropriate, matters related to revocation of certification, and matters related to objection (personal information protection)
Notice on management system certification, etc. Article 20).
The certification committee is a personal information protection expert, lawyer, professor, etc. who have knowledge and experience in the field of personal information protection.
It shall be composed of no more than 35 members commissioned by the head of the Korea Internet & Security Agency or the certification body from among them.
It operates and the chairperson is elected from among the members.

C Certification Auditor
An accreditation auditor refers to a person who has been granted qualifications by the Korea Internet & Security Agency and conducts accreditation audits.
Certification auditors are divided into assistant auditors, auditors, and senior auditors according to their ability to perform certification audits. certification
The qualification requirements for each grade of the auditor are as follows.
division

Eligibility Criteria

o A person who satisfies the educational background and experience requirements of the certification auditor and is implemented by the Internet & Security Agency.
Judge's Assistant
Those who have completed the certification auditor training course and passed the evaluation
o As an auditor qualification, participate in certification audits at least 4 times and the sum of the number of audit days

judge

Those who have more than 20 days

seniority

o As an auditor qualification acquirer, perform the overall audit three times or more and the sum of the number of audit days
15 days or more

judge

252

Page 259

In order to apply for a certification auditor, a person with expertise in personal information protection is required
Alternatively, a person who meets the career replacement requirements may apply.

D Application institution
In order to receive objective verification of the systematic and continuous management of personal information protection activities, the
It refers to a person who applies for personal information protection management system certification.
Before applying for the certification of the personal information protection management system, the applicant organization must manage personal information protection according to the certification standards.
A system must be established and operated for at least two months (personal information protection management system certification, etc.)
Article 12, Paragraph 1) of the related notice.
< Responsibilities and roles of each organization in charge of personal information protection management system >
Responsible Authority

Responsibilities and Roles
Article 4 Section

policy agency

• Improvement of certification-related laws and systems and policy decisions
(Ministry of Government Administration and Home Affairs, Korea Communications Commission)

dog
sign
tablet
see
see
of

• Receive application for certification review
• Conduct certification audits
• Organization and operation of the certification committee
Korea Internet & Security Agency (KISA)
• Issuance of certificates and certification marks

within
I'm
One

• Training and management of certification auditors

tube
Lee

• Formation and operation of certification audit team
• Deliberation and resolution of certification audit results
Certification Committee

• Deliberation and resolution on objections
• Deliberation and resolution on revocation of certification
• Conduct certification audit

Certification Auditor

• Preparation of certification audit result report

Application institution

• Acquisition and maintenance of certification

3. Subject to certification audit
A. Type of applicant
Applicants who wish to obtain certification may apply for the corresponding type of certification.
1) Small business owners under subparagraphs 1 and 2 of Article 2 of the Act on the Protection and Support of Small Businesses
Businesses and other businesses (Type 1)

253

Page 260
Explanation of personal information protection laws and guidelines and announcements

2) Businesses that fall under Article 2 of the 「Small and Medium Businesses Framework Act」 (Type 2)
3) Entrepreneurs who fall under subparagraph 2 of Article 2 of the 「Act on Promotion of Coexistence with Large and Small Businesses」
and “Information and Communication Service Provider” pursuant to Article 2, Subparagraph 2 of the Information and Communications Network Act (Type 3)
4) Public institution pursuant to Article 2, Subparagraph 6 of the 「Personal Information Protection Act」 (Type 4)

B certification standards
Personal information protection management system certification standards include personal information protection management process (16), life cycle and rights guarantee (20),
Personal Information Protection Measures (50) consists of 86 examination items in 3 fields.
Certification standards by application type
division

Large corporations and information
Public institutions
small business
new service provider

small business

Personal Information Protection Management16
Course (16)

16

15

4

Life Cycle and Rights Guarantee (20)

19

19

19

48

40

24

83

74

47

20

Personal Information Protection Measures 50
(50)
sum

86

The standard is based on the type of application institution (public institution, large corporation, information and communication service provider, SME, small business).
It is applied differentially by alleviating the burden on small business owners and considering the characteristics of each company. (For detailed certification standards,
Refer to Annex 5 of the Notice on Information Protection Management System Certification
type

number of items

Public institutions

Application criteria

‣ Legal requirements

86

‣ Establishment and implementation of PIMS
large corporations and

‣ Risk analysis and risk management through personal information flow analysis

Information and communication
83 service‣ Management participation and decision-making
provider

‣ Protection measures to strengthen personal information protection
‣ Legal requirements

small business

‣ Establishment and implementation of PIMS

74

‣ Protection measures to strengthen personal information protection
small business

‣ Legal requirements

47

254

Page 261

4. Certification process
Personal information protection management system certification consists of (i) preparation stage, (ii) examination stage, (iii) authentication stage, and (iv) follow-up management stage.
is done
① Preparation stage: acceptance of certification application, preliminary inspection, contract consultation and conclusion
② Audit stage: Written and on-site evaluation of compliance with certification standards
③ Certification stage: Review of certification suitability based on the results of certification audit
④ Follow-up management stage: Inspection of maintenance status every year after obtaining certification

The preparation phase
1) Construction and operation
Before submitting an application for certification, the applicant organization establishes a personal information protection management system in accordance with the certification standards and
Article 4 Section

You must prepare evidence that has been in operation for at least 2 months. In particular, the applicant organization must specify the scope of
dog

When determining, in accordance with the Life-Cycle (collection, retention, use, provision, and disposal) by analyzing the personal
sign information-related business in detail
tablet

While the evidence is prepared in consideration of the flow of personal information, the relevant evidence includes all services, personnel,
etc.
see
see
of

should be included
Whether the scope of personal information to be authenticated includes only user-centered external services, executives and
It should also be decided by considering whether to include even internal services to be used.

within
I'm
employees
One
tube
Lee

2) Application for and reception of certification examination
Those who wish to apply for personal information protection management system certification submit the following application documents to the certification body.
① Official letter of application for certification
② Personal information protection management system certification application
③ Personal information protection management system specification
④ Personal information protection management system certification scope
⑤ A certified copy of corporate registration
⑥ Documents proving this if the certification application institution is eligible for a discount on certification fees
※ Refer to the website (pims.or.kr) for application form and personal information protection management system specification form

Application for certification can be made in person or by registered mail.
If there is a request for supplementation, the application documents must be prepared and submitted.
From the certification audit to the certification audit, a period is required for business processing such as preliminary inspection, contract, and recruitment of auditors.
Applications must be made at least 6 weeks prior to the desired examination date.

255

Page 262
Explanation of personal information protection laws and guidelines and announcements

In particular, regarding the personal information protection management system certification system, the Korea Internet & Security Agency (KISA) website (http://pims.kisa.
or.kr), and specific consultations are possible through e-mail (pims@kisa.or.kr).

3) Preliminary inspection
Preliminary inspection means that the inspection team leader of the certification body visits the application institution to determine the size and personal information of the personal information system.
Availability of basic data necessary for certification audit, such as flow chart, risk analysis report, and countermeasure specification, preparation status for certification audit
and checking the operation status.
During the preliminary inspection period, the operating status of the personal information protection management system of the applicant institution is checked and whether the certification examination is possible.
Judging and adjusting the examination schedule. In particular, the person in charge of the applicant organization should check the explanation of the scope of certification and evidence
must cooperate to In addition, the audit team leader of the certification body is responsible for the personal information protection (management) of the applying institution.
Share preliminary inspection results with (CPO, Chief Privacy Officer) or the person in charge, and consider the scope of certification.
Confirm the examination schedule.

4) Contract and fee payment
The certification body is responsible for the applicant organization and the scope of certification, the audit period, the number of audit personnel, the composition of the audit team, and the certification fee (homepage).
Reference), etc. to conclude a personal information protection management system certification review contract.
When the certification audit contract is completed, the applicant institution pays the audit fee set according to the contract before the certification audit (after the contract).
within 1 month) must be paid in full. The applicant institution pays fees when applying for initial examination, follow-up examination and renewal examination.
If the fee is not paid, the certification examination may not be conducted.
The certification examination fee is a fee paid by the application institution to the certification body.
Refers to all expenses required for preliminary inspection and advisory fees. The certification examination fee is direct labor cost, direct
It is calculated as the sum of expenses, administrative expenses, and technical fees.

I screening stage
1) Certification review (Public Information Protection Management System Certification, etc. Article 18)
When a certification body concludes a certification audit contract, it shall form a certification audit team. When forming a certification audit team
The audit team leader shall be selected as an auditor or higher from the Korea Internet & Security Agency or certification body. Meanwhile, apply
Affiliation of an accreditation auditor or an applicant organization who participated in consulting for the certification of an institution's personal information protection management system
Employees shall be excluded from membership in the certification audit team. (Regarding personal information protection management system certification, etc.)
Notice Article 17)

256

Page 263

The certification examination consists of the personal information protection management process, life cycle and rights guarantee, and personal information protection measures.
It is to check whether the applicant organization is properly implementing the certification standards of the personal information protection management system.
A written examination and an on-site examination are conducted in parallel by visiting the institution.
Written examination is based on whether or not the certification standards are met.
by methods such as reviewing protection policies, guidelines, procedures and evidence of implementation, and checking whether or not personal information protection measures are applied
Review management factors.
The on-site inspection is conducted in order to confirm the results of the written examination and the implementation of technical and physical protection measures.
The technical elements are evaluated by methods such as interview, verification of related systems, and inspection of vulnerabilities. The certification body is accredited
After the evaluation, a report summarizing the problems identified through the written and on-site examinations is prepared and sent to the applicant institution.
You should request that you take supplementary measures.

2) Submission of supplementary measures for certification audit
The applicant institution shall take supplementary measures within 30 days from the date of receiving the request for supplementary
measures, and
Article 4 Section
A statement of supplementary measures should be prepared and submitted to the certification body. Complementary measures submitted
dog
by the applicant body by the certification body
sign
tablet
If the result is judged to be insufficient, or if the applicant organization itself determines that an additional period of supplementary
action is necessary
see
The period of supplementary measures can be extended up to 60 days through an official notice. (Personal information protectionseemanagement system
of

certification, etc.)

within
Article 18 (4) of the Public Notice on Supplemental Measures Summaries of Supplementary Measures and Completed Deficiencies
in the case of extension of the deadline for supplementary actions

The statement of supplementary measures must be submitted together with the official document. The period of supplementary

I'm
One
action

of up to 90 days is supplemented by the audit team leader.

tube
Lee

It includes the time until the completion of the implementation check to confirm the result of the action.

The certification body verifies the results of the supplementary measures of the applicant institution through documents and on-site verification, and confirms the supplementary measures
Confirmation of supplementary action is completed by signing and sealing the result on the confirmation of completion of supplementary action. Details of supplementary measures
It should be written so that you can check the contents before and after the action.

Certification audit noticeSuspension of review
The Korea Internet & Security Agency or the certification body shall not: (i) the applicant body knowingly delays or interferes with the implementation of the certification examination, or
If it is recognized that it is difficult to continue the certification examination due to reasons attributable to the applicant, (ii) related materials submitted by the applicant organization
If it is not considered ready for certification as a result of reviewing etc., (iii) supplementary measures can be taken up to 90 days after certification audit (requires re-action)
If not within 60 days) or (iv) due to natural disasters or changes in the business environment, the certification audit process may be delayed.
If it is judged impossible, the certification audit may be suspended. (Personal Information Protection Management System Certification, etc. Article 19)

257

Page 264
Explanation of personal information protection laws and guidelines and announcements

Multi- authentication stage
1) Deliberation and resolution by the certification committee
In the case of the initial or renewal audit, for the institution for which supplementary measures have been completed, the certification body shall conduct the audit conducted by the certification audit team.
In order to secure objectivity and fairness of the audit results and to secure quality above a certain level, the
The audit result report is submitted to the certification committee organized and operated by the chief.
The accreditation committee is held at the request of the accreditation body.
Review the adequacy of conformity and supplementary measures to review the conformity of the certification, and 30 days depending on the result of the deliberation
Remedial measures may be requested.
After completing the supplementary measures, the applicant organization that receives the supplementary measures must notify the review team leader of the revised “supplementation”.
Measures” must be submitted and submitted to the Certification Committee for the next session to receive a decision on whether to grant final certification.
do. When the accreditation committee completes the resolution, the accreditation chairperson sends the accreditation deliberation result and deliberation opinion to the accreditation body.
submit
The validity of certification is 3 years (Article 32-2, Paragraph 2 of the Act).

2) Notification of certification result
The head of the certification body notifies the applicant organization of the results of the deliberation and resolution of the certification committee, and the personal information protection management system
If it meets the certification standards, a certificate is issued, and the applicant organization that has been notified of non-conformity may file an objection.
have.
The certification authority shall continuously maintain the personal information protection management system during the period of validity of the personal information protection management system certification.
should be maintained and managed.

D Follow-up management steps
1) Follow-up examination
Post-examination means that the personal information protection management system established and operated by the certification acquisition institution meets the certification standards.
In order to check whether the level is continuously maintained, a certification audit conducted at least once a year during the validity period of the certification is conducted.
say The follow-up audit must be completed one year prior to the date of issuance of the certificate and within the validity period of the certificate.
Failure to do so will result in the certification being revoked.

258

Page 265

2) Renewal review
The validity period of the personal information protection management system certification is 3 years, so the certification authority wants to extend the validity of the certification.
In this case, it is necessary to apply for renewal audit and renew the certification after being reviewed by the certification body. Application for renewal review
This must be done at least 3 months before the expiration of the certificate's validity period. If the certification acquisition period does not apply for renewal of certification,
If the validity period of the certification has elapsed, the validity of the certification is lost.

5. Indication and promotion of certification
A person who has obtained the certification of the personal information protection management system can promote the fact that the certification has been obtained and display the certification mark.
(For details on how to use the certification mark and how to make the certification nameplate, personal information
Refer to Attached Table 6 of the Notice on Protection Management System Certification, etc.).

Article 4 Section

dog
sign
tablet
see
see
of

Authentication Type:

within
I'm
One

Validity :

tube
Lee

Certification scope:

The publicity of the acquisition of personal information protection management system certification starts from the date of issuance of the personal information protection management system certificate.
It can only be used while the effect is maintained. In addition, a person who has obtained certification may exaggerate the fact of certification or
You may not advertise using obscure language. On the other hand, if certification is revoked, publicity for certification,
The use of the personal information protection management system certificate should be stopped.
In case of using the certification mark, the certification type, validity period, and certification scope shall be indicated together. authentication type
When entering, the type corresponding to the certified institution among the types of application institutions under Article 13 (1) must be entered.
do.

259

Page 266
Explanation of personal information protection laws and guidelines and announcements

6. Revocation of certification
When the Internet & Security Agency or the certification agency discovers any of the following reasons, it shall use false or unlawful means.
In the case of acquiring certification, if the certification standards are not met, the certification acquisition institution shall follow-up under Article 26 (1).
Failure to undergo review or renewal review under Article 27 (1), or take supplementary measures under Article 18 (4)
If not, the type of certification, the scope of certification, and the validity period under Article 25 (2) while promoting the certified content
In case of false indication or omission, the institution that has obtained the certification shall perform follow-up management in accordance with Articles 26 and 27.
In case of rejection or interference, the certification may be revoked after deliberation and resolution by the certification committee. Internet & Security Agency
Or, when the certification body revokes the certification pursuant to Paragraph 1, the certification body notifies the certification acquisition body, and in accordance with Article 23
Retrieve the issued certificate. The applicant organization or certification acquisition organization is responsible for the results of the certification examination or the cancellation of certification.
If there is any objection to this, within 15 days from the date of notification of the result, the Korea Internet & Security Agency or accreditation
You can appeal to the institution.

260

Page 267

Article 33 Personal Information Impact Assessment
Article 33 (Personal Information Impact Assessment) ① The head of a public institution shall comply with the standards prescribed by Presidential Decree.
There are concerns about infringement of the personal information of the information subject due to the operation of the corresponding personal information file.
In this case, analysis of risk factors and evaluation for improvement (hereinafter referred to as “impact evaluation”)
) and submit the results to the Minister of the Interior and Home Affairs. In this case, public institutions
The Minister shall conduct an impact assessment from among the institutions designated by the Minister of the Interior and Safety (hereinafter referred to as “evaluation institutions”).
must be ordered
② In the case of impact assessment, the following matters should be considered.
1. Number of personal information processed
2. Whether personal information is provided to a third party
3. Possibility of harming the rights of the data subject and the degree of risk
4. Other matters prescribed by Presidential Decree.
law

③ The Minister of Government Administration and Home Affairs is responsible for the evaluation of the results of the impact assessment submitted under paragraph (1) of the Protection Committee.
Opinions may be presented after deliberation and resolution.

Article 4 Section

④ The head of a public institution shall submit the personal information file that has been evaluated for impact
pursuant to paragraph (1) in Article 32 (1).
dog
When registering accordingly, the results of the impact assessment should be attached together.
⑤ The Minister of Government Administration and Home Affairs shall nurture and evaluate relevant
Necessary measures such as development and dissemination of standards shall be prepared.

sign
tablet
seein order
experts
see
of

to promote impact assessment.

within

⑥ Criteria for designation and revocation of designation, evaluation standards, and methods of impact evaluation
of evaluation institutions under paragraph 1
I'm
One

Matters necessary for procedures, etc. shall be prescribed by Presidential Decree.
⑦ Influence of the National Assembly, the courts, the Constitutional Court, and the National Election

tube
Lee
Commission

(including its affiliated institutions)

For evaluation, refer to the National Assembly Regulations, Supreme Court Regulations, Constitutional Court Regulations, and the National Election Commission.
As stipulated by the rules.
⑧ Personal information controllers other than public institutions are responsible for the management of personal information files.
If there is a concern about infringement of personal information, an active effort shall be made to conduct an impact assessment.
Article 35 (Objects of Personal Information Impact Assessment) In Article 33 (1 ) of the Act, “as prescribed by the Presidential Decree
“Personal information file that meets the standards” means an individual who can handle personal information electronically.
As an information file, it refers to a personal information file that falls under any of the following subparagraphs:
1. Personal information files that are intended to be constructed, operated, or changed, and are related to 50,000 or more information subjects.
of sensitive information (hereinafter referred to as “sensitive information”) or uniquely identifiable information under Article 23 of the Act;
Enforcement Decree
Personal information files accompanied by processing
2. Build/operate personal information files inside or outside the relevant public institution
In the case of linking with other personal information files in operation, the result of linking is 500,000
Personal information file containing personal information about the above information subjects
3. Personal information files that are intended to be constructed, operated, or changed, and related to information subjects of 1 million or more.
personal information file

261

Page 268
Explanation of personal information protection laws and guidelines and announcements

4. Personal information impact assessment (hereinafter referred to as “impact assessment”) pursuant to Article 33 (1) of the Act
If you intend to change the operating system of personal information files, such as the personal information search system,
personal information file. In this case, the subject of impact assessment is limited to the changed part.
Article 36 (Considerations for Impact Assessment) “Matters prescribed by Presidential Decree” in Article 33 (2) 4 of the Act means
Refers to the matters in each of the following subparagraphs:
1. Whether sensitive information or uniquely identifiable information is processed
2. Personal information retention period
Article 37 (Designation of Evaluation Institution and Revocation of Designation) (1 ) The Minister of the Interior and Home Affairs shall apply to the latter part of Article 33 (1) of the Act.
Accordingly, a corporation that meets all of the following requirements is selected as a personal information impact assessment agency (hereinafter referred to as “evaluation
organization”).
1. The amount received in exchange for performing any of the following duties during the last five years;
A corporation with a total amount of 200 million won or more

end. Impact assessment work or similar work
I. Information systems (including information protection systems) under subparagraph 13 of Article 2 of the Electronic Government Act;
Information security consulting service during construction (information to prepare for electronic infringement)
It refers to the work of analyzing and evaluating the system and presenting information protection measures based on it.
the same below)
All. Information protection consulting during information system supervision under Article 2, No. 14 of the 「E-Government Act」
task
la. In accordance with Article 23 (1) 1 and 2 of the 「Act on the Promotion of Information Security Industry」
task
hemp. Information under subparagraph 8 of Article 2 of the 「Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.」
Information security consulting work among the work that falls under the protection industry
2. A corporation that employs 10 or more professional manpower in accordance with Attached Table 1.
3. A corporation equipped with the following offices and facilities;
end. Offices with facilities for identification and access control
I. Facilities for safe management of records and data
② A person who intends to be designated as an evaluation institution shall be designated as an evaluation institution prescribed by Ordinance of the Ministry of Government Administration and Home Affairs.
The Ministry of Government Administration and Home Affairs attaches the following documents (including electronic documents; hereinafter the same shall apply) to the application form.
must be submitted to the Minister.
1. Articles of Incorporation
2. Names of representatives and officers
3. Documents proving the qualifications of professional manpower under paragraph (1) 2;
4. Other documents prescribed by Ordinance of the Ministry of Government Administration and Home Affairs.
③ The Minister of Government Administration and Home Affairs who has received an application for designation of an evaluation institution pursuant to paragraph (2) shall comply with the 「Electronic Government Act」
Through the joint use of administrative information pursuant to Article 36 (1), the following documents shall be verified:
do. However, if the applicant does not agree to the confirmation in subparagraph 2, the
The documents must be attached.

262

Page 269

1. Certificate of corporate registration
2. Certificate of fact of alien registration under Article 88 (2) of the 「Immigration Control Act」 (only for foreigners
applicable)
④ When the Minister of the Interior and Safety has designated an evaluation agency pursuant to paragraph (1), the evaluation agency shall without delay.
A designation letter shall be issued, and the following matters shall be announced in the Official Gazette. what has been announced
The same shall apply in case of change.
1. The name, address and telephone number of the evaluation institution and the name of the representative
2. In the case of attaching conditions at the time of designation, the contents of the conditions
⑤ The Minister of Government Administration and Home Affairs shall determine that the evaluation institution designated pursuant to paragraph (1) shall be evaluated in any of the following subparagraphs.
If applicable, the designation of the evaluation agency may be revoked. However, in subparagraph 1 or 2
If applicable, the designation of the evaluation institution shall be revoked.
1. Where the designation of the evaluation agency has been obtained by fraudulent or other fraudulent means;
2. In case the designated evaluation institution voluntarily withdraws its designation or closes its business
3. Where it fails to meet the requirements for designation under paragraph (1);
4. Where he/she fails to fulfill his/her duty to report under paragraph (6);

Article 4 Section

5. Inadvertently or by gross negligence, the impact assessment task was performed poorly and the task was properly performed.
If it is recognized that it cannot be performed
6. In case of violation of any other obligations under this Act or this Decree
⑥ After designation, the evaluation institution designated pursuant to Paragraph 1 shall be evaluated

dog
sign
tablet
see
see
under of
any of

the following subparagraphs.

Where a cause occurs, as prescribed by Ordinance of the Ministry of Government Administration and Homewithin
Affairs, the cause has occurred
I'm
One
It must be reported to the Minister of the Interior and Safety within 7 days from the date of receipt. However,
in subparagraph 3
tube
Lee

In this case, it must be reported within 30 days from the date the cause occurred.
1. In the event that any matter falling under each subparagraph of Paragraph 1 is changed;
2. In the case where the matters falling under paragraph (4) 1 are changed
3. In the event of a cause such as transfer, acquisition, or merger of an evaluation institution;

⑦ When the Minister of the Interior and Home Affairs intends to revoke the designation of an evaluation institution pursuant to paragraph (5), a hearing shall be held.
shall.
Article 38 (Evaluation Standards for Impact Assessment, etc.) ① The assessment standards for impact assessment under Article 33 (6 ) of the Act shall be
It is the same as each of the following items.
1. The type and nature of personal information included in the personal information file, the number of information subjects, and
Possibility of Personal Information Infringement
2. The level of measures to ensure safety under Articles 24 (3), 25 (6) and 29 of the Act;
Possibility of personal information infringement
3. Whether to take measures for each risk factor of personal information infringement
4. Other matters concerning the measures necessary under the Act and this Decree or elements of violation of duty
② The evaluation institution requested for impact evaluation pursuant to Article 33 (1) of the Act shall comply with the evaluation criteria in paragraph (1).
After analyzing and evaluating risk factors of personal information infringement due to the operation of personal information files
The results of the evaluation including the following items should be prepared as an impact evaluation form, and the

263

Page 270
Explanation of personal information protection laws and guidelines and announcements

It must be sent to the head of the public institution, and the head of a public institution must send the personal information file corresponding to each subparagraph of Article 35.
Submit the impact assessment report to the Minister of Public Administration and Home Affairs before building, operating, or modifying it (impact assessment
In the event that the item needs improvement pursuant to subparagraph 3 in the
included) should be
1. Outline of business related to personal information file operation and purpose of personal information file operation
2. Overview of personal information files subject to impact assessment
3. Analysis, evaluation and improvement of risk factors of personal information infringement according to the evaluation criteria
matters
4. Personnel and cost to conduct impact assessment
③ The Minister of Government Administration and Home Affairs shall designate and influence evaluation agencies other than those prescribed by the Act and this Decree.
Detailed standards for evaluation procedures, etc. may be determined and announced.
Article 3 (Books and Document Formats Related to Personal Information Protection) ③ Individuals pursuant to Article 37 (2) of the Decree
A person who intends to apply for the designation of an information impact assessment agency shall apply for personal information impact in Attached Form 3
Attach the following documents (including electronic documents) to the application for designation of an evaluation institution
It must be submitted to the Minister of Home Affairs.
1. Documents under Article 37 (2) 1 through 3 of the Decree;
2. The following documents under Article 37 (2) 4 of the Decree
end. Current status of personnel performing personal information impact assessment: Attachment No. 4
I. Status of Offices and Facilities Relevant to Personal Information Impact Assessment: Attachment No. 5

enforcement rules

All. The Minister of the Interior and Home Affairs, such as documents proving the facts under Article 37 (1) 1 of the Decree
documents to be determined

3. Certificate of fact of alien registration under Article 88 (2) of the 「Immigration Control Act」 (each subparagraph of Article 37 (3) of the Decree)
Attach only if it falls under the proviso other than that)
④ Personal information impact assessment agency designation in accordance with Article 33 (6) of the Act and Article 37 (4) of the Decree
Follow the attached Form No. 6.
⑤ Reports pursuant to Article 33 (6) of the Act and Article 37 (6) of the Decree are personal information in Attached Form 7
According to the report of changes to the impact assessment agency.
Article 1 (Purpose) This notice includes Article 33 of the 「Personal Information Protection Act」 (hereinafter referred to as the “Act”) and 「Personal Information」
Designation of evaluation agency and impact evaluation pursuant to Article 38 of the Enforcement Decree of the Protection Act (hereinafter referred to as “the Enforcement Decree”)
The purpose is to set detailed standards for procedures, etc.
Article 2 (Definition of Terms) The definitions of terms used in this notice are as follows.
Impact Assessment
1. “Personal information impact assessment (hereinafter referred to as “impact assessment”)” means public information pursuant to Article 33 (1) of the Act.
notice

In accordance with the operation of personal information files corresponding to Article 35 of the Enforcement Decree, the head of the institution
When there is concern about personal information infringement, it is necessary to analyze the risk factors and derive improvements.
say evaluation.
2. “Target institution” means the establishment, operation, modification or modification of personal information files falling under Article 35 of the Enforcement Decree.
It refers to the public institution you want to connect with.

264

Page 271

3. “Personal information impact assessment agency (hereinafter referred to as “assessment agency”)” refers to the impact assessment of public institutions.
Refers to an institution designated by the Minister of the Interior and Safety for the purpose of carrying out
4. “Target system” refers to the establishment, operation, modification or modification of personal information files corresponding to Article 35 of the Decree.
It refers to the information system to be linked.
5. “Performance of Personal Information Impact Assessment-related Fields (hereinafter “Impact Assessment-related Field Performance Performance”)
)" means the impact assessment service pursuant to Article 37 (1) 1 of the Decree and similar work;
Refers to the performance of information security consulting services, etc.
Article 3 (Procedure for Designation of Evaluation Agency) ① The procedure for designation of evaluation agency pursuant to Article 37 of the Decree shall be applied for designation.
Announcement, receipt and review of the application for designation, on-site inspection, and comprehensive examination are carried out in the following order.
② The Minister of the Interior and Home Affairs shall ensure that a person who intends to be designated as an evaluation institution can apply for designation.
Notification of the designation application must be made at least 15 days through the Official Gazette.
③ A person who intends to be designated as an evaluation agency is subject to the 「Personal Information Protection Act Enforcement Rules」 (hereinafter referred to as the “Rule”).
In addition to the “Application for Designation of Personal Information Impact Assessment Agency” in Attachment No. 3, each of the following
Submit the documents to the Minister of Government Administration and Home Affairs.
1. Personal Information Impact Assessment Performance Specification in Attachment No. 1

Article 4 Section

2. Personal Information Impact Assessment Performance Management Guard in Attachment No. 2
3.
4.
5.

dog
sign
Certificate of experience and performance of personnel performing the personal information impact assessment
in
tablet
Personnel Management Card for Personal Information Impact Assessment in Attached Form No. 4
see
see
Detailed examination data for the ability to perform personal information impact assessment in Attachment
of No. 5

Attached Form 3

6. List of holdings of technical assets related to personal information impact assessment in Attachment No. 6within
I'm
One
④ When the Minister of the Interior and Safety receives an application for designation of an evaluation institution
under paragraph (3), the
tube
Lee

Designated evaluation committee (hereinafter referred to as “designated examination committee”)
to configure and operate).

⑤ The Minister of Government Administration and Home Affairs shall review the results of the examination by the Designated Review Committee through on-site due diligence and comprehensive examination.
After verifying and confirming the qualifications of the personnel performing the impact assessment, the evaluation agency is confirmed.
⑥ The validity period of an evaluation institution is two years from the date designated as an evaluation institution by the Minister of Government Administration and Home Affairs.
do.
⑦ A person who wishes to extend the validity period of the evaluation institution shall be at least 3 months prior to the expiration date of the validity period.
Documents under Article 3 (3) shall be submitted to the Minister of the Interior and Home Affairs.
Article 4 (Organization and Operation of Designated Review Committee)
It shall be composed of no more than 15 members commissioned by the Minister of the Interior and Safety from among those with qualifications.
1. At a school or an accredited research institute under subparagraph 1, 2 or 5 of Article 2 of the Higher Education Act;
Personal information protection as a person who has or was in the position of assistant professor or higher or an equivalent position
Those with more than 8 years of research experience
2. Personal information for more than 8 years in a personal information protection-related company, institution, or group (association, union)
a person engaged in protective work
3. Other persons with extensive knowledge and experience in the protection of personal information
② The Designation Review Committee shall determine the qualifications and business performance of the corporation that has applied pursuant to Article 37 (1) of the Decree.

265

Page 272
Explanation of personal information protection laws and guidelines and announcements

review etc.
③ The term of office of the members of the Designated Review Committee shall be two years, but they may be reappointed.
④ The meeting of the Designation Review Committee shall be convened by the Minister of the Interior and Safety as necessary.
Article 5 (Qualification of Impact Assessment Performance Personnel ) ① The impact assessment performance personnel are general and advanced personnel.
can be classified as manpower.
1. Qualifications of general performance personnel are as follows:
end. A person who has professional qualifications under Article 37 (1) 2 of the Decree
I. More than 1 year after acquiring the personal information manager qualification implemented by the Korea CPO Forum
A person who has experience in the field of personal information impact assessment
2. Qualifications for advanced performance personnel are as follows.
end. 5 or more years of experience related to impact assessment after qualifying for general performance personnel in subparagraph 1
person with
I. After obtaining a doctoral degree in a related field, those who have more than 3 years of experience in impact assessment
Person
All. Information management engineer in accordance with Article 3 of 「National Technical Qualification Act Enforcement Rules」, computer system application
3 years or more of experience in impact assessment after acquiring the qualifications of technician and information and communication technology technician
person with
② Personnel performing impact assessment under paragraph (1) must complete specialized education under Article 6 (2),
An impact assessment can be performed when a professional manpower certificate is obtained under Article 6 (3).
Article 6 (impact assessment operations, and conduct professional training) ① The Minister of Government Administration and assessment professionals
Efficiently promote tasks such as establishment of detailed education plans for training and operation of education
To this end, the Korea Internet & Security Agency is designated as a specialized educational institution.
② The head of a specialized educational institution establishes a detailed education plan for nurturing experts in impact assessment,
Professional education, etc. shall be conducted.
③ The head of a specialized educational institution conducts an evaluation of those who have completed professional education, and according to the result,
Personal information impact assessment professional personnel certificate is issued.
④ The head of a specialized educational institution falls under any of the following subparagraphs, professional manpower under paragraph (3).
Continuing education must be conducted for those who have been issued a certificate, and depending on whether or not they have completed
Renew and issue a professional manpower certificate.
1. When every two years have elapsed since the issuance of the certificate
2. The implementation of education has been delayed due to changes caused by amendments to laws and regulations or evaluation standards, etc.
If deemed necessary
⑤ A person who has been issued a professional manpower certificate pursuant to paragraph (3) or (4) is a professional educational institution.
If you do not renew your certificate because you do not complete the continuing education in Paragraph 4 within the period set by the head
Otherwise, the validity of the existing certificate is lost.
Article 7 (Detailed Evaluation and Designation Criteria for Performance Evaluation of Impact Assessment ) ① Implementation of Impact Assessment by Evaluation Institutions
The detailed evaluation criteria for competency examination are as shown in Attached Table 1.
② The Minister of the Interior and Home Affairs shall determine that the results of the evaluation according to the detailed evaluation criteria

266

Page 273

If the total score is 75 or higher, the corporation that has applied is designated as the evaluation agency.
③ Detailed evaluation criteria for those who wish to extend the validity period of an evaluation institution are as shown in Attached Table 2.
Article 8 (Follow-Up Management) ① The Minister of the Interior and Home Affairs shall designate an evaluation agency under Article 37 (1 ) of the Decree.
In order to check whether the requirements are met and the changes pursuant to Article 37 (6) of the Decree
On-site inspections and requests for the submission of related materials may be made.
② The evaluation institution shall establish and implement protection measures including the following items as shown in attached Table 3,
The Minister of Government Administration and Home Affairs may check compliance with it.
1. Protection measures for areas and facilities performing impact assessment
2. Protection measures for personnel performing impact assessment
3. Protection measures for documents and computerized data
4. General Administrative Protection Measures
③ The Minister of Government Administration and Home Affairs shall ensure that evaluation institutions comply with the provisions of Article 37 (5) 3 through 6 of the Decree.
If applicable, correction and supplementation may be requested prior to cancellation of designation.
Article 9 (Evaluation Procedure) The target institution shall prepare in advance, carry out the impact assessment, and implement it as follows.
The impact assessment is carried out in stages.

Article 4 Section

1. In the preliminary preparation stage, an impact assessment business plan is established to secure a budgetdog
and evaluate
select an institution
2. In the stage of carrying out the impact assessment, the assessment agency analyzes and improves
Establish a plan and prepare an impact assessment.

sign
tablet
see
personalseeinformation
of
within
I'm
impact
One

3. In the implementation stage, it is checked whether the improvement plan for the infringing factors of the
check

infringement factors

assessment report is reflected.

tube
Lee

Article 10 (Evaluation Area and Evaluation Field) The evaluation area according to the impact evaluation criteria of Article 38 (1 ) of the Decree shall be
As shown in Table 4. However, if the target institution has received an impact assessment of other information systems within one year,
In this case, the evaluation of the personal information protection management system of the target institution may be omitted.
Article 11 (Evaluation Items) ① The evaluation institution selects appropriate evaluation items according to attached Table 4 and
An evaluation should be carried out. However, if the target institution has already been evaluated within one year of the year,
Items are excluded from evaluation items if there is no change.
② In the case of applying a specific IT technology not specified in Attached Table 4, the technology is
Evaluation items for the impact on protection should be developed and reflected in the impact assessment.
Article 12 (Submission of Impact Assessment Report) Subjects who have received impact assessment report pursuant to Article 38 (2 ) of the Decree
The head of the institution goes through the internal approval process for the evaluation results within two months and writes an impact assessment.
It must be submitted to the Minister of Government Administration and Home Affairs.
Article 13 (Guideline for Implementation of Impact Assessment ) The Minister of Government Administration and Home Affairs shall provide detailed standards and procedures necessary for impact assessment,
An “impact evaluation guide” that specifies evaluation items, etc. may be prepared and provided.
Article 14 (implementation of impact assessment improvement plan) Young received submit impact assessment according to claim 38, paragraph 2
The heads of public institutions report the status of implementation of the areas pointed out as areas for improvement in the impact assessment report.
It must be submitted to the Minister of Government Administration and Home Affairs within one year from the date of submission.

267

Page 274
Explanation of personal information protection laws and guidelines and announcements

If you intend to build or change a personal information file, you may violate the laws in the contents of the file in advance.
Investigate in advance whether there is any possession of the file or whether there is a potential risk of invasion of privacy in the file.
Evaluating the personal information file is the key to securing the information subject's trust in the personal information file and preventing damage to personal information.
becomes the way

1. Significance of Personal Information Impact Assessment (Section 1)
'Privacy Impact Assessment (PIA)' means the collection and use of personal information.
Investigate whether there is a potential risk of privacy infringement due to misuse of personal information during business promotion
It is a system for forecasting, reviewing, and improving.
Article 33 of the Act stipulates that the personal information impact assessment is conducted on the personal information of the information subject due to the operation of the personal information file.
When there is a concern about infringement, it is defined as 'evaluation to analyze the risk factors and derive improvements'
There is (paragraph 1).
The purpose of the personal information impact assessment system is to evaluate potential risks
It is to review and reflect in advance whether damage caused by information infringement can be reduced.
In the United States, Article 208 of the “E-Government Act of 2002” states that in the process of implementing e-Government, personal information and privacy
Personal information impact assessment has been stipulated for protection, and Canada has also been in the public sector since 2002.
Information impact assessment is mandatory. In addition, in New Zealand, Hong Kong, and Australia, the public and private sectors
Personal information impact assessment is recommended.
< Comparison of PIA systems by country >
division

United States of America

Implementation target

Canada
Federal agencies and

federal agency

Private and public autonomy

some local governments

E-Government Act (2002),

Relevant Basis

New Zealand

Privacy

Personal Information Impact Assessment

Office of Management and Budget Guidelines
Impact Assessment Guidelines
Project Implementation Agency

Evaluation subject

Project Implementation Agency

(Self-evaluation)

(Self-evaluation)

Guideline
external evaluation

supervision and

Office of Management and Budget
Privacy Commissioner
Where to submit evaluation results
Forced or not

Obligation

Obligation (medical field)

website, official gazette,

Evaluation results

Recommendations

Two via website, booklet

other

uses

-

Summarize in the above official language

disclosure by other means

-

open

268

Page 275

2. Personal information files subject to impact assessment (Article 35 of the Enforcement Decree)
In the case of the public sector, e-Government is promoted to systematize personal information in large quantities and interlink with each other, etc.
Since there is a high risk of personal information infringement, in order to share administrative information and to enhance the reliability of e-government projects
Impact assessment is compulsory.
However, if a public institution conducts an impact assessment on all personal information files constructed, operated, and changed,
This may lead to a waste of budget, so the impact assessment is limited to personal information files that fall under each of the following subparagraphs.
making it compulsory
Personal information files subject to impact assessment (Article 35 of the Enforcement Decree)
1. Personal information file accompanying the processing of sensitive information or unique identification information: Personal information to be constructed, operated or changed
If the file contains personal information about 50,000 or more data subjects
2. In the case of linking with other personal information files: other personal information files built and operated inside or outside the relevant public institution
When personal information about 500,000 or more data subjects is included as a result of linking with personal information files
Article 4 Section
3. General personal information file: For more than 1 million information subjects in the personal information file to be built, operated, or changed

If personal information about
4. If you want to change the operating system of personal information files, such as the personal information search system, after receiving the
Changed part of personal information file

dog
sign
impact
tablet
see
see
of

assessment:

within
I'm
One

3. Method of impact assessment, etc. (Section 2, Article 36 of the Enforcement Decree)

tube
Lee

When the head of a public institution intends to conduct a personal information impact assessment,
It must be requested from among the evaluation agencies, and the evaluation must be made in consideration of the following matters. What is an evaluation agency?
Those who meet the designation requirements for work performance, professional manpower, and safe offices and facilities necessary for impact assessment
Refers to an institution designated as an evaluation institution by the Minister of Government Administration and Home Affairs after going through the designation procedure as a corporation.
Article 2, subparagraph 3) of the related notice. In the impact evaluation, the evaluation agency excludes subjective opinions according to the evaluation criteria.
An objective evaluation must be performed, and when preparing an impact evaluation form, in good faith and faithfully
You must not conduct an impact assessment and make a false impact assessment statement. In addition, the evaluation agency is another legal entity
(Company) shall not be allowed to conduct personal information impact assessment using the name of the evaluation institution.
Considerations for Impact Assessment (Article 33 Paragraph 2 of the Act, Article 36 of the Enforcement Decree)
1. Number of personal information processed
2. Whether personal information is provided to a third party
3. Possibility of harming the rights of the data subject and the degree of risk
4. Whether sensitive information or uniquely identifiable information is processed
5. Personal information retention period

269

Page 276
Explanation of personal information protection laws and guidelines and announcements

4. Utilization of personal information impact assessment results (paragraphs 3 and 4)
When the head of a public institution conducts a personal information impact assessment, the result shall be submitted to the Minister of the Interior and Home Affairs.
(Section 1). In this case, when the Minister of the Interior and Safety has an opinion on the submitted impact assessment result,
Opinions may be presented to the relevant public institution after deliberation and resolution of the Protection Committee (paragraph 3). Also, public institutions
When the Minister registers personal information files with the Minister of the Interior and Home Affairs, the results of the personal information impact assessment are also included.
It must be attached (paragraph 4).

5. Laying the foundation for the vitalization of impact assessment (Section 5, Article 37 of the Enforcement Decree)
The specialist training such as activated foundation (claim 5)
The Minister of Government Administration and Home Affairs is responsible for nurturing relevant experts and developing and implementing impact assessment standards to promote impact assessment.
Necessary measures such as dissemination shall be prepared.

B. Designation and cancellation of designation of personal information impact assessment agency (Article 37 of the Enforcement Decree)
1) Requirements for designation of an evaluation agency
The Minister of Government Administration and Home Affairs designates a corporation that meets all of the following requirements as a personal information impact assessment agency.
can do. Designation here actually has the meaning of 'permission'. That is, if all of the following requirements are met:
If there is an application from a corporation, it is not necessary to designate it unconditionally, but whether to designate it in consideration of market demand, etc.
can decide
In order to be designated as an evaluation agency by the Ministry of Government Administration and Home Affairs, personal information impact evaluation work and
Similar work, information security consulting, information security consulting when constructing an information system or information security system;
In the case of information system supervision, the performance of impact evaluation such as information protection consulting is more than 200 million won, and there are more than 10 people
Offices with professional personnel and facilities for identification and access control, secure storage of records and materials
There should be facilities for management.
Evaluation agency designation requirements (Article 37 Paragraph 1 of the Decree)
1. The total amount of the amount received in consideration for performing any of the following duties during the last five years is 200 million won;
corporation with more than one
end. Impact assessment work or similar work
I. Information in the construction work of information systems (including information protection systems) under Article 2, No. 13 of the 「E-Government Act」
Protection consulting service (analysis and evaluation of information systems to prepare for electronic infringement and information based thereon)
It refers to the task of presenting protection measures. the same below)

270

Page 277

All. Information security consulting service among information system supervision tasks under Article 2, Item 14 of the 「E-Government Act」
la. Business under Article 23 (1) 1 and 2 of the 「Information Protection Industry Promotion Act」
hemp. In accordance with subparagraph 8 of Article 2 of the 「Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.」,
Information security consulting work during work
2. A corporation that employs 10 or more professional manpower in accordance with Attached Table 1.
3. A corporation equipped with the following offices and facilities;
end. Offices with facilities for identification and access control
I. Facilities for safe management of records and data

Personal information impact assessment is the introduction of a new information system that utilizes personal information or the handling of personal information.
In the event of significant changes to the accompanying existing information system, the construction, operation, and change of the system may affect privacy.
It refers to the task of deriving improvement plans by investigating, predicting, and reviewing the impact in advance.
Information security consulting service includes information security management system inspection and vulnerability analysis of information assets to ensure confidentiality,
4 Section
Information system pursuant to Article 2, No. 13 of the 「Electronic Government Act」 as a task to support ensuring integrity,Article
availability,
etc.
dog
Prepare for electronic infringement with information protection consulting work among construction work (including information
protection system)

sign
tablet
Analysis and evaluation of information systems for the purpose of data protection and presentation of information protection measures
based thereon, Article
see
see
Information security consulting work among information system supervision tasks under Item 14, 「Act on Promotion of Information
Security Industry」
of

2 of the 「Electronic Government Act」

within
I'm
One

Businesses under Article 23 (1) 1 and 2 are included.

tube operator.
Information system supervision is a self-administered information system independent of the interests of the orderer and business
Lee

In order to improve efficiency and secure safety, the establishment and operation of information systems from the perspective of a third party, etc.
It refers to the task of comprehensively inspecting related matters and improving problems.
The professional manpower that an evaluation institution must possess is divided into general performing manpower and advanced conducting manpower.
The following persons are applicable to the performing personnel (Impact Assessment Notice Article 5).

• Personal information for at least one year after obtaining the information security expert (SIS) qualification implemented by the Korea Internet & Security Agency
Persons with experience in the field of impact assessment
Specialist for Information Security (SIS) is a certification hosted by the Korea Internet & Security Agency.
In order to test the ability with professional technology and practical experience in the field of information security and to respond to the demand for information security experts
It is a qualification system developed and implemented.

271

Page 278
Explanation of personal information protection laws and guidelines and announcements

• Personal information impact assessment for more than one year after acquiring the ISA qualification under Article 60 of the 「Electronic Government Act」
A person with experience in a related field
Information Systems Auditor (ISA) is a certificate supervised by the National Information Society Agency.
Introduced to establish a supervisory system for major information projects and to train professional manpower who can perform actual supervision work
It is a nationally accredited private certification.

• Information management engineer, computer among the national technical qualifications in the field of information and communication jobs in accordance with the 「National Technical Qualification Act」
System application engineer, information and communication engineer, electronic calculator organization application engineer, information processing engineer or information communication engineer
Those who have performed work in the field of personal information impact assessment for at least one year after acquiring the technical qualification
someone with experience
Electronic calculation organization application engineer, information management engineer, information processing engineer, computer system in accordance with Article 3 of the 「National Technical Qualification Act Enforcement Rules」
As a person who has acquired the qualifications of an applied engineer, information and communications engineer, and information and communications engineer, develops, operates, maintains, and manages personal information handling information systems
Performs safe management tasks through maintenance, etc.

• At least one year after obtaining the Certified Information Systems Auditor (CISA) qualification of the International Information Systems Audit and Control Association
A person who has experience in the field of personal information impact assessment
Certified Information Systems Auditor (CISA) is the Information Systems Audit and Control Association.
(ISACA) grants to those who meet certain qualifications 'in the field of information system governance, control, security and auditing'.
Certified professional certification' with management strategy and organization management, information system-based technology, information system security and risk management, information
We have systematic knowledge and practical experience in fields such as system development and project management, BPR and e-commerce.
it can be seen that there is

• At least one year after obtaining the Certified Information System Protection Specialist (CISSP) qualification from the International Information System Security Qualification Association
A person who has experience in the field of personal information impact assessment
Certified Information Systems Security Professional (CISSP)
It is a certification administered by the International Information Systems Security Certification Consortium (ISC2).
Those who achieve this certification will ensure that businesses implement robust security practices, perform risk analysis, identify necessary countermeasures, and
and the technical capabilities to help the entire organization secure its facilities, networks, systems, and information;
It can be seen as a person with knowledge and experience.

• At least one year after obtaining a qualification related to personal information protection, as determined by the Minister of the Interior and Safety
A person who has experience in the field of personal information impact assessment
“Person with experience in performing work in the field of personal information impact assessment” means public institutions, corporations and organizations, etc.
Common base technology for personal information protection (referring to encryption technology, authentication technology, etc.), system/network protection (system
protection, hacking/virus response, network protection, etc.) or application service protection (electronic transaction protection, application service protection,
planning, analysis, design, development, operation, maintenance/repair, supervision, consulting in the fields corresponding to information security standardization, etc.)
Or it refers to a person who has experience in research and development.

272

Page 279

• Impact of personal information for more than one year after acquiring the CPPG (personal information manager) qualification implemented by the Korea CPO Forum
Persons with experience performing work in the field of evaluation
Personal information manager (CPPG) is developed and developed to test the knowledge and ability of personal information protection policies and coping methodologies.
As a qualification system implemented, it is a qualification hosted by the Korea CPO Forum.

Qualifications for advanced performance personnel are: ① After qualifying for general performance personnel, 5 years or more of experience in impact assessment is required.
② A person with at least 3 years of experience in impact assessment after obtaining a doctorate in a related field;
③ Information management technician, computer system application technician, information communication engineer in accordance with Article 3 of the 「National Technical Qualification Act Enforcement Rules」
A person who has 3 or more years of experience in impact assessment after obtaining a technician qualification
Meanwhile, the personnel performing the impact assessment must complete the specialized training of the Korea Internet & Security Agency, a specialized educational institution.
Received a personal information impact assessment expert certificate that is given according to the evaluation result for those who have completed professional training
Impact assessment can be carried out only in certain cases (Impact Assessment Notice Article 5, Paragraph 2, Article 6).

Article 4 Section

2) Procedure for designation of evaluation agency

dog
sign
tablet
see
see
of

< Personal information impact assessment agency designation procedure >
① Application for designation

within
I'm
One

Notification of designation application
― • Published in the Official Gazette for more than 15 days

tube
Lee

↓
Application for designation

― • Application documents

↓
Review of submitted documents
― • Request for supplementation in case of incomplete documents
↓
Composition of Designated Review
―Committee
• Composition of working group for document/site/comprehensive examination
↓
• Current status of executives and employees
Document review

—

• Whether performance performance, execution manpower, equipment, and capital requirements are met
• Quantitative evaluation items for performance evaluation
• Adequacy of other evaluation criteria

↓
― • On-site inspection of document review contents

on-site due diligence
↓

273

Page 280
Explanation of personal information protection laws and guidelines and announcements

Comprehensive examination
↓
• Selection of a company to be designated
Verification of audit results

— • Review of documents, site, and comprehensive examination
• Confirmation of the company to be designated

↓
• Identification for designated and confirmed legal entities
of the personnel performing the impact assessment
— • In case of non-fulfillment of personnel requirements as a result of identification
Identification
designation reservation
↓
Designation of evaluation agency

The Minister of the Interior and Home Affairs shall publish the notice of the application for designation in the Official Gazette for at least 15 days. Contents of the announcement
For the purpose of application for designation, designation criteria, designation procedure, application documents, application method, application period and contact information, etc.
Includes necessary guidance (Article 3 Paragraph 2 of the Impact Assessment Notice).
A person who intends to receive designation as an evaluation institution shall submit the articles of incorporation,
Names of representatives and executives, documents (including electronic documents) proving the qualifications of professional personnel, and enforcement regulations
It must be submitted to the Minister of Government Administration and Home Affairs along with the documents submitted in accordance with the Regulations and the Public Notice on Impact Assessment.
< Documents stipulated in the Enforcement Regulations and Notifications >
Documents to be submitted in accordance with the Enforcement Documents
Regulationsto be submitted according to the notice
① Status of personnel who perform personal information impact
① Personal
assessment
information impact assessment performance statement
② Offices and facilities related to personal information impact②
assessment
Personal information impact assessment performance management card
③ Certificate of experience and performance of personnel performing the personal information impact assessment

Holdings

④ Personal information impact assessment personnel management card
⑤ Personal information impact assessment performance detailed review data
⑥ List of technical assets related to personal information impact assessment

② Reception and confirmation of application for designation
Confirmation documents upon receipt of application for designation (Article 37 (3) of the Decree)
1. Certificate of corporate registration
2. Certificate of alien registration under Article 88 (2) of the Immigration Control Act (applicable only to foreigners)

274

Page 281

Designation application documents must be submitted by mail or in person. The Minister of Government Administration and Home Affairs
If the submitted documents are incomplete, supplementation may be requested, and the application may be rejected if it does not comply.
have. The Minister of Government Administration and Home Affairs who has received the application for designation of an evaluation institution shall comply with Article 36 (1) of the Electronic Government Act.
Through the joint use of administrative information, the following documents shall be verified. However, if the applicant is
If you do not agree to the confirmation, you must have the applicant attach the documents.
③ Composition and operation of the Designated Review Committee
When receiving an application for designation of an evaluation institution, the Minister of the Interior and Home Affairs shall examine the conformity of the designation criteria.

Forms and operates an evaluation agency designation review committee (Article 3, Paragraph 4 of the Public Notice on Impact Assessment).
15 persons who meet the following qualification criteria to secure transparency, fairness, and reliability of the designation examination
The committee members are appointed and appointed, and the term of office of the designated judges is two years, and they can be reappointed.
• Universities, industrial colleges, broadcasting colleges, telecommunications colleges, and broadcasting under subparagraphs 1, 2 or 5 of Article 2 of the Higher Education Act;
Associate professor or higher at a university of communication, cyber university (hereinafter referred to as “remote university”) or an accredited research institute
Article 4 Section
A person who has been or has been in a position or an equivalent position and has more than 8 years of personal information
protection research experience

dog
the sign
field
tablet
see
see
of

• Personal information protection-related companies, institutions or groups (associations, unions) for more than 8 years in
person who worked
• Others with extensive knowledge and experience in personal information protection

of personal information protection

within
I'm
One

The Minister of Government Administration and Home Affairs shall hold a meeting of the Designation Review Committee regularly every year, but
tube
Lee

A resolution may be convened at any time when necessary.

In order to secure fairness and credibility of the review, the designated review committee consists of scholars, researchers, practitioners, and related organizations.
It is composed of experts and verifies comprehensive matters regarding document review, on-site inspection, and comprehensive review.
The Designation Review Committee, based on the application documents, determines whether the evaluation institution is eligible, performance performance, manpower, capital, and equipment.
It examines whether the requirements for designation are met, etc., and, if necessary, conducts on-site inspections to confirm adequacy and compliance.
can be checked The Designated Review Committee combines the results of document review and on-site inspection to determine the qualifications of the person in charge and
It examines work performance requirements such as experience and consulting methodology of companies.

④ Evaluation of the evaluation agency's ability to perform impact assessment (Article 7 of the Public Notice on Impact Assessment)
The Designation Review Committee examines the documents submitted by the evaluation institution when applying for designation according to the detailed evaluation criteria, and
The Minister of Home Affairs will target institutions that have acquired a total of 75 points or more in the objective performance capability of the applying corporation.
It is designated as an evaluation institution after on-site inspection and comprehensive examination. The detailed evaluation criteria for the evaluation of the impact evaluation performance are
It is divided into quantitative evaluation (60 points) and qualitative evaluation (40 points).
① Experience, ② Specialization, ③ Reliability, ④ Competency to perform impact assessment for detailed evaluation
Evaluate according to the criteria.

275

Page 282
Explanation of personal information protection laws and guidelines and announcements

Experience (25 points) is based on the performance performance (15 points) in the field of impact assessment conducted by the corporation applying for designation over the past 5 years and the recent
It is evaluated according to the impact evaluation performance (10 points) of 10 million won or more of the contract amount carried out for two years. in the last 5 years
The evaluation index of the performance of the impact assessment is set as the total amount of the contract, and the contract amount of the performance of the recent impact assessment is set as the total contract amount.
If the total amount is more than 500 million won, 10 points are given, and if the total amount is less than 500 million won, the contract amount is reduced.
Divide the total amount by 500 million won and multiply by 100 to give a score calculated.
The degree of specialization (25 points) is determined by the number of advanced performing personnel (15 points) and the number of people who passed the professional education certification test for personal information impact assessment
(10 points) are divided and evaluated. That is, high-level performance personnel are given 1 point per person, up to a maximum of 15 points,
The number of passers of the personal information impact assessment professional education certification test is 10 points, and those who passed the personal information protection professional education certification test
It is calculated by multiplying the number by the personal information impact ratio (%) divided by the average number of passers of the certification exam of all evaluation agencies.
give a score
Reliability (10 points) is evaluated based on the credit rating, but also when submitting a corporate credit evaluation report.
Ratings are based on credit ratings.
In relation to the qualitative evaluation, the impact evaluation performance capacity (40 points)) is the qualitative evaluation of the impact evaluation performance performance (20 points), the impact
The qualifications and experience of the personnel performing the evaluation (10 points), and the personal information impact assessment measures of the corporation applying for designation (10 points)
evaluated. Qualitative evaluation of impact assessment performance includes impact assessment quality improvement activities, institutions subject to impact assessment,
The excellence of the impact assessment method is comprehensively evaluated, and the qualifications and experience of the impact assessment personnel are evaluated.
It is evaluated through application documents and on-site inspection.
As for the measures for the impact assessment of personal information of the corporation applying for designation, the corporation applying for designation shall conduct the impact assessment of personal information on its own.
Measures prepared to carry out are reviewed and evaluated, and the validity of risk analysis and personal information impact assessment are reviewed and evaluated.
Appropriateness and effectiveness of personal information impact assessment are comprehensively evaluated.
In addition to quantitative evaluation and qualitative evaluation, the company is recognized as a venture company in accordance with Article 25 of the Act on Special Measures for the Promotion of Venture Businesses.
If confirmation is received (maximum of 5 points), a local company, that is, the head office location is located in a province other than the metropolitan area.
Participation in bidding by being designated as an illegal business operator in accordance with the procurement laws and regulations (up to 5 additional points) and for the past 3 years
If you are restricted (0.5 points deducted for each month of restricted months), your score may be affected.

276

Page 283

< Detailed Evaluation Criteria for Personal Information Impact Evaluation Performance Evaluation >
division Evaluation items

Detailed evaluation items

points

contract amount• Less than 500 million won: χ% of points

15

Total amount ※ χ = (total contract amount / KRW 500 million)

performance

1. Experience

Detailed evaluation criteria

• 500 million won or more: 100% of points

Impact assessment for the last 5 years
Related fields

evaluation index

× 100

(25)
Contract amount for the last 2 years
over 1 million won

• 5 or more: 100% of points awarded
• Less than 5 cases: χ% of points
number of executions

10

※ χ = (Number of executions/5 cases) × 100

Performance in the field of impact assessment
Number of advanced execution personnel
15

I.

• Number of people × 1 point (maximum 15 points)
Number of people

dose
evaluation
2. Professionalism
(60)
Personal Information Impact Assessment Professional Training
(25)
Certification exam
10
ratio
number of successful applicants

• Points × (Privacy Protection
Number of passers/
Average of all evaluation agencies certification exams
Number of successful applicants*)
※ Number of applicants who passed the evaluation agency certification exam
Average
Article 4 Section

• Based on your credit rating
3. Reliability

credit rating

(10)

10

dog
sign
tablet
see
see
of

evaluation

rank

※ Regarding personal information impact assessment
Attachment standard of Annex 1 of the notice
• Impact assessment quality improvement activities

impact assessment performance
Impact Assessment

non-metering • Institutions subject to impact assessment
• Excellence in how to conduct impact assessment

20

qualitative evaluation

performance capability

II.

Qualitative (40)

tube
Lee

of the personnel performing the impact assessment
※ Application documents, on-site inspection, etc.
10
non-metering
Qualities and experience
evaluation through

evaluation
(40)

within
I'm
One

• Relevance of risk analysis
of the corporation applying for designation
performance capability
10
non-metering • Appropriateness of personal information impact assessment
Independent Personal Information Impact Assessment Measures
• Effectiveness of personal information impact assessment
(40)
Impact Assessment

「Regarding Venture Business Development
In accordance with Article 25 of the Act extra
on Special
points
Confirmation
Measures ※ Venture confirmed company: 5 points
A company that has been confirmed as a venture company
※ The location of the head office is excluding the metropolitan area

III.

Local companies (excluding metropolitan
extra
areas)
points
Confirmation

Etc

If you are located in a province
: 5 points

According to the procurement law for the past 3 years
Participate in bidding
designated as a fraudulent
deduction
※ Limited number of months per month: 0.5 points
limited number of months
Period during which participation in bidding was restricted
remark
1. Scores for each detailed evaluation item in the above table are rounded to the second decimal place.
2. Among the detailed evaluation criteria, the reliability item can be replaced by the submission of a corporate credit evaluation report, and the scoring criteria for this is [Attachment]
It follows the evaluation criteria according to the credit rating.
3. The 'recent' date of counting shall be based on the designated announcement date.

277

Page 284
Explanation of personal information protection laws and guidelines and announcements

⑤ Issuance and notification of designation letter
The Minister of Government Administration and Home Affairs verifies the results of the examination by the Designation Review Committee and finally confirms the identity of the performing personnel.
If an evaluation agency is designated, the evaluation agency designation letter is issued without delay, and ①Name and address of the evaluation agency
and the phone number and name of the representative ② If a condition is attached at the time of designation, the contents of the condition are announced in the Official Gazette
shall. The same shall apply where the relevant matters are changed.

⑥ Cancellation of designation of evaluation agency
The Minister of Government Administration and Home Affairs shall, if the designated evaluation institution falls under any of the following subparagraphs,
The designation of the coffin may be cancelled. However, in the case of subparagraph 1 or 2, the designation of the evaluation institution
must be canceled When the Minister of the Interior and Home Affairs intends to revoke the designation of an evaluation agency, a hearing shall be held.
do.
Reason for revocation of designation of evaluation agency (Article 37 (5) of the Decree)
1. Where the designation of the evaluation agency has been obtained by fraudulent or other fraudulent means;
2. In the case where the designated evaluation institution itself wants to cancel the designation or closes the business
3. Where it fails to meet the requirements for designation under paragraph (1);
4. In case of failure to fulfill the duty to report changes in designation requirements, etc. (Article 37 (6) of the Decree)
5. In case of poor performance of the impact assessment service intentionally or by gross negligence, the task cannot be properly performed.
If recognized
6. In case of violation of any other obligations under this Act or this Decree

⑦ Duty to report changes in designation requirements, etc.
The designated evaluation institution shall, after designation, if any of the following reasons occur:
As prescribed by Ordinance of the Ministry of Government Administration and Home Affairs, within 7 days from the date on which the cause occurred, to the Minister of the Interior and Home Affairs.
should be reported However, in the case of subparagraph 3, a report must be made within 30 days from the date on which the cause occurred.
have to tell
Reasons for notification of change, etc. (Article 37 (6) of the Decree)
1. When any of the matters falling under each subparagraph of Paragraph 1 (requirements for designation of evaluation agencies) is changed
2. In the event that the matters falling under Paragraph 4 (1) (name of evaluation institution, address, phone number, and representative) are changed
3. In the event of a cause such as transfer, acquisition, or merger of an evaluation institution;

Personal information impact assessment requires a significant level of experience and expertise, so an appropriate level of facilities and manpower
A designation procedure is established to enable organizations with standards to conduct impact assessments;
have. Therefore, in order to continuously conduct an appropriate level of personal information impact assessment, the Minister of Government Administration and Home Affairs
Designated in a false or unlawful way, or in case of non-compliance with the designation criteria after designation

278

Page 285

The designation of the evaluation institution shall be cancelled. In addition, it strengthens the professionalism of evaluation agencies and enhances the performance of insolvency evaluations.
In order to prevent the designation of the evaluation agency, the personnel change, suspension/closure, transfer/takeover, merger, etc.
If there are any changes, they are to be reported.

3) Personal information impact assessment procedure (Impact Assessment Notice Article 9)
Impact assessment is a risk assessment that may occur when trying to build, operate, change, or link personal information files.
Because it is to analyze and improve the infringing factors of personal information in advance, the target organization
In case of building, operating, changing, or linking, setting the direction of the business, defining the task, and proposing the system
In the stage, preliminary design and model setting stage of the system, impact evaluation should be performed.
Impact assessment can also be carried out in the process of developing or building the target system, in this case the impact
Risk analysis and improvement directions should be derived for the actual implementation form according to the evaluation plan.
< Personal information impact assessment process >
Article 4 Section

dog
sign
tablet
see
see
of
within
I'm
One
tube
Lee

The preliminary preparation stage is ① Review of the necessity of the impact assessment ② Composition of the actors performing the impact assessment ③ The evaluation execution plan
It proceeds in the order of establishment. Review of the need for impact assessment is to review the need for new personal information in the process of project implementation.
Through the preparation of the 'Pre-Evaluation Questionnaire' whether there is any change in collection, use, connection, or handling procedures, etc.
Determine the need for an impact assessment.

279

Page 286
Explanation of personal information protection laws and guidelines and announcements

The subject of the impact assessment shall cooperate with the relevant departments within the institution for the implementation of the impact assessment and external relevant organizations.
A work system (impact evaluation team) is established and organized so that evaluation can be carried out smoothly. The impact assessment team
Person in charge of personal information protection, person in charge of informatization business (system to be established, operated, changed, linked), external consultant (administrative
It is composed of personnel who perform impact evaluations of evaluation institutions designated by the Minister of Home Affairs) and internal and external experts.
The evaluation execution plan is implemented in the evaluation process by the system development department or business department (the department in charge of impact assessment) of the target institution.
Organize and carry out detailed evaluation procedures that can be shared internally by organizing necessary matters
plan for The evaluation execution plan includes an overview of the target system, the purpose of collecting personal information, the scale of handling, and personal information
It includes an overview of the personal information file such as the collection status, evaluation items and evaluation scope, evaluation method, etc.
< Direction of evaluation implementation plan >
Contents

Main Content

References

• Request for Proposal (RFP)
• Target system name, project purpose and schedule, main contents, etc.
• Business plan, etc.

1. Business Overview

• Personal information collection purpose, handling scale, personal information collection status, etc.
2. Overview of Personal Information
Personal information file overview
3. Purpose of evaluation

• Necessity and background of personal information impact assessment • Necessity Review Questionnaire

4. Evaluation agencies and

• Selection of an evaluation agency and formation of an impact evaluation
• Impact
team Assessment Team Operation Plan
Formation of evaluation team
• The period from initiation to completion of the impact assessment;

5. Evaluation period

• When selecting a subject for impact assessment

• Impact assessment process, major steps and duration, etc.
6. Evaluation procedure (method)

Results and contents of consultation;
• What to focus on

7. Key evaluation points

Public institution personal information
Refer to the Impact Assessment Guide

8. Evaluation Criteria and • Standardly required in the Impact Assessment Implementation Guide
Evaluation items

Items derived according to evaluation items and whether specific IT technologies are used
• Reference materials for analyzing infringing factors when performing Privacy
impact assessment;
Policy;

9. Data Collection and
analysis plan

Refer to the output of the legal review stage

Identification of data related to the relevant institution, etc.

• Results derived from the impact assessment (impact assessment report)Impact
and assessment team meeting contents, etc.

10. Evaluation of results
Usage direction

Reference

Describe the application plan between the projects through

The steps of the impact assessment are ① collection of evaluation data, ② analysis of the flow of personal information, and ③ infringement of personal information.
Factor analysis, ④ risk calculation, and ⑤ improvement are carried out in this order. Collection of evaluation data is subject to evaluation
Identify data and target systems for analyzing internal and external policy environments related to business and personal information protection
data collection for Personal information protection related laws and guidelines of higher-level institutions and internal regulations of those institutions
Gather and analyze the data necessary to understand the current situation and understand and analyze the target system.

280

Page 287

< Data to be analyzed >
Item

Purpose of collection

Materials to be collected

• Institutional personal information protection regulations
• The organization's internal privacy protection system, regulations,
• Information security-related regulations within the institution
Analyze organizational status, etc.
• Organization table, etc.
• Job division table and position within the organization related to personal information
internal policy • Personal information handler (information system operator,
authority
material

handlers, etc.), consigned companies, etc.

• Internal regulations on access rights of information systems

Check internal regulations and management/education
• Subcontractor
system management regulations, etc.
• Training plan for system operators and information handlers
• Protection of personal information related to the system structure
• Security system structure such as intrusion prevention system, etc.
Know the current status of technology
• Analysis of general privacy policy environment
external policy
material

• Personal information protection laws, guidelines, etc.
• Personal information protection master plan and implementation plan, etc.

• Policy reflecting the specificity of the target system
• Act on the basis of implementation of the target system and protection of personal information
environmental analysis

Applicable Law
Article 4 Section

• collected by the information system;

• Project execution plan
The amount and scope of personal information may affect the conduct of business.
• proposal
target system
determine if it is appropriate for
explanatory material
• Review of external linkage of information system• Referral plan
• Linkage plan

dog
sign
tablet
see
see
of

Analysis of the flow of personal information is aimed at enhancing the understanding of the business and personal

within
informationI'm
flow
One

It refers to the analysis of the flow of personal information within the target system for A thorough analysis of the target system

among the members of the impact assessment team.

tube
Lee

By defining tasks and deriving tasks that involve the handling of personal information among tasks processed through the business,
Clarify the scope of the evaluation.
Analysis of factors for infringement of personal information includes personal information protection measures according to the flow of personal information in the target system and
This is the stage to identify the plan, etc. and to derive the risk of personal information infringement.
The risk level is calculated by calculating personal information as an asset value to determine the asset value, the possibility of personal information infringement, and the legal
It is calculated by evaluating the risk by combining the criteria and adding them together. asset value and personal information
The higher the probability of occurrence of the infringing factor, the more obligatory it is under the law, the more difficult it is to control the infringing factor.
In this case, the risk of infringement of personal information is considered high.
The derivation of improvement is to remove or minimize risk factors for each intrusion factor derived from the impact assessment process.
Short-term, mid-term, and long-term improvement measures can be suggested depending on the degree of risk.
The process of organizing the evaluation results is in the order of ① writing an improvement plan and ② writing an impact assessment. Improving
Based on the derived improvement plan, the plan is reviewed by an internal or external expert to determine the security of the target institution.
It is established in consideration of the current status of measures, budget, manpower, and informatization project schedule. Risks when establishing an improvement plan

281

Page 288
Explanation of personal information protection laws and guidelines and announcements

Prepare countermeasures that can eliminate or minimize factors, and respond to similar cases to solve risk factors
Benchmarking, etc., measures and responsibilities for the person in charge (personal information handler) to correct vulnerabilities
etc should be considered.
The preparation of the impact assessment document is a comprehensive record of all processes and results of the impact assessment.
will be. The target institution shall establish, operate, or change the target system after the established improvement plan, or the linkage has been completed.
Measures must be taken so that it is reflected before (end of business). However, if the target system is built, operated, or changed,
If it is not possible to reflect the improvements derived for unavoidable reasons before the linkage is completed (end of the project),
The justifiable reasons for this should be recorded and an implementation plan for future actions should be established.

4) Standards for Impact Assessment (Article 38 Paragraph 1 of the Decree)
When the evaluation agency conducts the personal information impact evaluation, it shall be conducted in accordance with the following evaluation criteria.
As shown below, the evaluation agency determines the type and nature of the processed personal information, the amount (scale) of the data, and the system.
The environment and the risk of infringement must be considered comprehensively.
Evaluation Criteria (Article 38 Paragraph 1 of the Decree)
1. The type and nature of personal information processed by the relevant public institution, the number of data subjects, and the resulting infringement of personal information
Possibility
2. The level of safety security measures under Article 24 (3) of the Act, Article 25 (6) of the Act, and Article 29 of the Act, and individuals accordingly
Possibility of data breach
3. Whether to take measures for each risk factor of personal information infringement
4. Other matters concerning necessary measures or elements of violation of duty pursuant to the Act and this Decree

The evaluation agency shall select appropriate evaluation items according to the following table and conduct impact evaluation (Impact Evaluation)
Notice Articles 10 and 11).
<Evaluation area and field of personal information impact assessment>
evaluation area

evaluation field

specific field
Designation of the person in charge of personal information protection

1. Personal information protection organization
Acting as a personal information protection officer
I.

Establishment of internal management plan
2. Privacy plan

object

Establish an annual plan for personal information protection

Institutional privacy protection
management

3. Response to Personal Information Infringement

system

Information on how to report an infringement incident
Leakage incident response
Establishment of procedures for guaranteeing the rights of data subjects

4. Guarantee of information subject rights
Information on how to guarantee the rights of information subjects
Designation of personal information handler

II.
of the target system

5. Personal information handler management

Management and supervision of personal information handlers

282

Page 289

evaluation area

evaluation field

specific field
Personal information file ledger management

6. Personal information file management
Personal information protection management
system

Personal information file registration
Disclosure of Privacy Policy

7. Privacy Policy
Preparation of personal information processing policy
Suitability of Personal Information Collection

8. Collect

Appropriateness of the method of obtaining consent

9. Retention

Retention period calculation
Appropriateness of Provision of Personal Information

III.

10.Use/Provision

Restrictions on use and provision for other purposes

Personal information processing stage

Securing safety when providing
Disclosure of consignment

star protection
measure

11. Consignment

consignment contract
Management and supervision of the trustee
Establish a destruction plan

12. Destroy

Establish a separate storage plan
Write a record of destruction
Account Management

13. Manage access rights

Article 4 Section

Authentication Management
Permission Management

dog
sign
tablet
see
see
of

Access Control Measures
14. Access Control

Internet homepage protection measures
Protective measures for mobile devices for work
encryption at rest

15. Encryption of personal information

within
I'm
One

Encryption in transit

IV.

Access record storage

of the target system 16. Storage and inspection of access records

Connection history check

technical protection

Access record storage and backup

measure

tube
Lee

Vaccine installation and operation

17. Prevention of malicious programs, etc.

Apply security update
Establishment of access control procedures

18. Physical Access Prevention

Establishment of import/export control procedures

19. Destruction of personal information

safe destruction
Development Environment Control

20. Other technical protection measures

Personal information processing screen security
Protective measures when printing

21. Protection of personal information processing area
Designation of protected areas
Gathering opinions when installing CCTV
CCTV installation guide

22. CCTV

V.

Restrictions on CCTV use

certain

Consignment for CCTV installation and management

IT technology
When using

RFID User Guide

23. RFID

RFID tag attachment and removal

24. Bio information

Privacy

Protection measures when storing original information
Consent to collection of personal location information

25. Location information

Guidelines for providing personal location information

283

Page 290
Explanation of personal information protection laws and guidelines and announcements

The evaluation agency ensures the safety of the information system handling personal information, and removes all infringement factors during impact assessment.
The necessary evaluation items should be selected so that they can be derived and improved, and improvement measures should be presented accordingly.
However, if the same target institution conducts multiple impact assessments in the same year, the overlapping assessment contents will be evaluated in advance.
can be substituted for the result.
For example, an OO institution conducts an impact assessment of system A (completed evaluation) and an impact assessment of system B (start of evaluation).
It was conducted in the same year, and changes in the evaluation area and evaluation field (personal information protection management system of the target institution)
If not, the results derived from the impact assessment of system A, which was performed first, are transferred to the impact assessment system of system B.
to avoid duplicate evaluation.
In the evaluation area of ​personal information protection when using specific IT technology, CCTV, RFID, bio information, location
Classify the information to compose and evaluate the evaluation items. However, each specific IT technology depends on its characteristics.
As the factors of infringement of personal information may differ depending on the situation, differentiated evaluation items should be derived. specified in the table
If there is an IT technology that you want to utilize other than a specific IT technology, you must fully consider the characteristics of the relevant IT technology.
The evaluation items should be developed and applied, and improvement measures should be derived based on the analysis results of the infringement factors.
do.

5) Prepare and send an impact assessment report (each subparagraph of Article 38 (2) of the Decree)
An evaluation institution that has received a request for an impact evaluation from a public institution shall, in accordance with the evaluation criteria,
After analyzing and evaluating risk factors of personal information infringement due to operation, an impact assessment report including step-by-step results is provided.
It must be prepared and approved by the head of the target institution and sent to the head of the relevant public institution. effect
In the evaluation report, an overview of the business related to the operation of personal information files, the purpose of operation of personal information files, and impact assessment
Analysis and evaluation of risk factors of personal information infringement according to the overview of the target personal information file, evaluation standards, and
What needs to be improved, the personnel performing the impact assessment, and the budget should be included.
In addition, after the evaluation agency terminates the contract with the target agency and completes the evaluation, the target agency
All provided documents, tools, equipment, etc. must be returned to the head of the target institution.
Relevant data, etc. must be safely destroyed with the approval of the target institution.

6) Submission of Impact Assessment (Section 38 Paragraph 2 of the Enforcement Decree)
The head of a public institution who has received an impact assessment letter from the evaluation institution prior to the establishment and operation of the personal information file
The relevant impact assessment must be submitted to the Minister of the Interior and Safety. If the impact assessment needs improvement
If it is included, it should also include the contents of the action taken.

284

Page 291

7) Follow-up management
Changes due to personnel changes, closures/closures, transfers/acquisitions, mergers, etc. after designation of an evaluation agency
You can check whether there are any issues and whether the evaluation agency meets the evaluation criteria at the time of the evaluation.
For this purpose, you may be asked to submit an on-site inspection and related data.
The evaluation agency is responsible for the protection measures for the work area and facilities, the protection measures for personnel, and documents and computerized data.
Protection measures should be established and followed. Protection of the impact assessment area and facilities
As a countermeasure, the evaluation agency designates a business area that conducts personal information impact assessment, access control, and personal information
Control measures according to risk analysis for information and communications networks that process, transmit, and store impact assessment analysis data
should be insisted on
As a protection measure for the personnel performing the impact assessment, the evaluation agency is obliged to maintain the confidentiality of the personnel performing the impact assessment.
All obligations including, qualification screening when hiring performance personnel, and retirement management at the time of retirement.
Sanctions and handling of violations of security measures, and regular internal and external personal information impact assessment training for employees
Guidelines and procedures for all matters such as and completion of the course must be devised.

Article 4 Section

dog
As a protection measure for documents and computerized data, the evaluation agency collects personal information impact assessment
analysis data (including ancillary data).

In order to protect, the following protection measures should be taken.
• Prepare protection measures in accordance with the standard personal information protection guidelines in Article 12 of

sign
tablet
see
see
the of
Act
within
I'm
One

• Controlling access to, reading, editing, exporting, and disposal of analysis data other than the person performing it
• Control according to risk analysis of analyzed data when using information and communications networks

tube
Lee

• Control on storage, copying, distribution, and disposal of personal information impact assessment analysis data in the form of printouts
As for other general management measures, the representative announces the basic policy on impact assessment and conducts impact assessment.
Ensure that all employees, including manpower, are familiar with the risk analysis and control measures for impact assessment work.
The actual condition should be periodically inspected and evaluated to ensure safe management.
<Main contents of personal information impact assessment agency protection measures>
Item

week

I.

Yo

of mine for

1. The area in which the impact assessment is to be carried out is to be designated. In this area, the personnel performing the impact assessment

Impact Assessment

Access to non-persons should be restricted.

execution area

2. Control according to risk analysis on information and communications networks that process, transmit, and store impact assessment analysis data;

and

measures should be taken. In this case, the notebook computer and other portable information processing devices

about the equipment
protection measures
II.

control measures should be included.

3. The personnel performing the impact assessment should be fully aware of all obligations, including the duty to maintain confidentiality, in accordance with relevant laws and regulations.

Impact Assessment

Guidelines and procedures for writing a written pledge of commitment to comply with this should be prepared.

285

Page 292
Explanation of personal information protection laws and guidelines and announcements

Item

week

Yo

of mine for

4. Guidelines for qualification screening when hiring personnel performing impact assessment and management of retirees at the time of retirement;
procedures should be in place.
to the number of attendees
5. Regarding the sanctions and handling of impact assessment personnel who violate the security measures of the assessment agency
About
Internal regulations should be prepared.
protection measures
6. Influence of personal information inside and outside the company on a regular basis by executives and employees, including personnel performing impact assessment
Evaluation training should be provided.
7. Standard individual in Article 12 of the Act to protect impact assessment analysis data (including incidental data)
III.

Security measures in accordance with the information protection guidelines should be prepared.

document
and

8. Persons other than the personnel performing the impact assessment may access, view, edit, export, or perform impact assessment analysis data.
Control measures should be devised to prevent disposal.

in computerized data 9. For risk analysis on impact assessment analysis data processed, transmitted, and stored through information and communications networks
About

Control measures should be devised.

protection measures 10. Analysis of impact assessment data in the form of printed materials such as written, drawings, microfilm, and computerized output
Control measures for storage, copying, distribution, and destruction shall be devised.
IV.

11. The representative publishes the basic policy of the evaluation agency on impact assessment in writing and conducts the impact assessment

Normal

Employees, including manpower, should be aware of this.

management
Measures

12. Periodically inspect and manage the management and operation of risk analysis and control measures for impact assessment work
should be evaluated.

8) Impact Assessment Performance Guide (Impact Assessment Notice Article 13)
The Minister of Government Administration and Home Affairs provides a general overview of impact assessment and the procedure for impact assessment in the Impact Assessment Implementation Guide.
and method, evaluation field and evaluation items, analysis of personal information infringement factors, derivation of improvement, and preparation of impact evaluation report
An impact assessment performance guide explaining the details of such matters can be prepared and provided.

6. Special provisions for constitutional institutions, etc. (paragraphs 7 and 8)
A Constitutional Institution's Impact Assessment
Regarding the impact assessment of the National Assembly, the courts, the Constitutional Court, and the National Election Commission (including its affiliated institutions);
Matters shall be governed by the National Assembly Rules, Supreme Court Rules, Constitutional Court Rules, and National Election Commission Rules.
Since these constitutional institutions are also included in public institutions, they are trying to construct, operate, or change personal information files.
However, in accordance with the principle of separation of powers, it is necessary to conduct an impact assessment.
Matters were to be determined by the rules of the relevant institution.

286

Page 293

B. Impact Assessment of Private Institutions
Personal information controllers other than public institutions may not infringe on the personal information of the information subject due to the operation of personal information files.
In case of concern, active efforts should be made to conduct an impact assessment.
In the case of the private sector, the handling of personal information varies by sector, so the impact of personal information on a uniform basis
Since it is difficult to determine the necessity or effectiveness of the evaluation and the cost is high, it is implemented autonomously.
made to do

Article 4 Section

dog
sign
tablet
see
see
of
within
I'm
One
tube
Lee

287

Page 294
Explanation of personal information protection laws and guidelines and announcements

Article 34 Notification of Personal Information Leakage, etc.
Article 34 (Notification of Personal Information Leakage, etc.) ① The personal information controller becomes aware that personal information has been leaked.
When it is, the information subject must be notified of the following facts without delay.
1. Items of leaked personal information

2. The time of the leak and its background
3. In order to minimize damage that may occur due to leakage, information subjects can
Information on how to be there, etc.
4. Response measures and damage relief procedures of personal information controllers
5. In case of damage to the information subject, the department in charge and
Contact

law

② The personal information controller shall take measures to minimize the damage when personal information is leaked.
and take necessary actions.
③ The personal information controller shall, in the event that personal information exceeding the scale prescribed by Presidential Decree is leaked,
The Minister of the Interior and Home Affairs or the Minister of the Interior without delay notify the notification under paragraph (1) and the results of measures under paragraph (2).
A report shall be made to a specialized institution prescribed by Presidential Decree. In this case, the Minister of Government Administration and Home Affairs or
Specialized institutions prescribed by Presidential Decree shall develop technologies for preventing the spread of damage and recovering from damage.
can support
④ Necessary matters concerning the time, method, procedure, etc. of notification under paragraph (1) shall be made by the President.
determined by decree
Article 39 (Scope and Organization of Personal Information Leakage Report) ① In the former part of Article 34 (3 ) of the Act, “President
“Personal information exceeding the scale prescribed by Ordinance” means personal information about 10,000 or more data subjects.
say
② In the former part and latter part of Article 34 (3) of the Act, "specialized institution prescribed by Presidential Decree" means each
Korea Internet & Security Agency.
Article 40 (method of the private information and the notification procedure) ① Privacy The personal information is leaked
Article 34 (1) of the Act, without delay, in writing, etc.

The information in each subparagraph shall be notified to the subject of information. However, the spread and addition of leaked personal information
Enforcement Decree
In order to prevent leakage, blocking the access path, checking and supplementing vulnerabilities, and preventing leakage of personal information
In the event that urgent measures such as deletion are necessary, the information subject shall be notified without delay after taking such measures.
can inform
② Notwithstanding Paragraph 1, the personal information controller shall not disclose personal information according to the main body of the same paragraph.
When it became known that there was a leak, or in accordance with the proviso to the same paragraph,
Even after that, it was not possible to confirm the details of the leak under Article 34 (1) 1 and 2 of the Act.
In this case, only the fact that personal information has been leaked and the matters that have been confirmed to be leaked must first be reported in writing, etc.
You can notify us first and then inform us about what is confirmed later.

288

Page 295

③ Notwithstanding paragraphs 1 and 2, in accordance with Article 34 (3) of the Act and Article 39 (1) of this Decree
If personal information about 10,000 or more data subjects is leaked,
Each subparagraph of Article 34 (1) of the Act is posted on the Internet homepage for easy identification by information subjects.
It must be published for at least 7 days. However, personal information that does not operate an Internet website
In the case of a processor, in a place that is easy to see, such as a place of business, together with a written method, Article 34 of the Act
Items in each subparagraph of Paragraph 1 shall be posted for at least 7 days.
Article 25 (Leakage of Personal Information ) The leakage of personal information is subject to laws and regulations or the freedom of the personal information controller.
Without intention, the personal information controller controls the personal information of the information subject.
In any of the following subparagraphs, access is permitted to a person who has lost or is not authorized.
refers to the case
1. Loss or loss of documents containing personal information, removable storage devices, portable computers, etc.
if stolen
2. Normal authority is granted to the personal information processing system, such as the database in which personal information is stored.
When someone who is not there approaches
Article 4 Section

3. Files or papers containing personal information due to the intention or negligence of the personal information controller
When documents or other storage media are erroneously delivered to unauthorized persons
4. When personal information is transferred to a person without other authority
Article 26 (Time and Items of Notice of Leakage) ① The personal information controller becomes aware

dog
sign
tablet
see
see
that
of personal

information has been leaked.

within
I'm
One

If there is no justifiable reason, the information subject must be notified within 5 days of
should inform However, in order to prevent the spread and further leakage of leaked personal information

tube
Lee

Urgent measures such as blocking access paths, checking and supplementing vulnerabilities, and deleting leaked personal information
standard guidelines
If necessary, the information subject may be notified within 5 days after taking the action.
1. Items of leaked personal information
2. The time of the leak and its background
3. In order to minimize damage that may occur due to leakage, information subjects can
Information on how to be there, etc.
4. Response measures and damage relief procedures of personal information controllers
5. In case of damage to the information subject, the department in charge and
Contact
② If it is difficult for the personal information controller to confirm all the matters in each subparagraph of Paragraph 1,
Only the facts of each of the following subparagraphs shall be first notified to the subject and may be notified as soon as they are confirmed later.
1. The fact that the data subject has been leaked
2. Confirmed matters among the notification items in Paragraph 1
③ The personal information controller is not aware of the personal information leakage accident
Failure to notify the information subject of personal information leakage within 5 days from the
In this case, it is necessary to prove the time when the actual leakage accident became known.

289

Page 296
Explanation of personal information protection laws and guidelines and announcements

Article 27 (Method of Notifying Leakage) ① The personal information controller shall notify the information subject in each subparagraph of Article 26 (1).
In case of notification of matters, written, e-mail, facsimile transmission, telephone, mobile phone text transmission, or
The data subject shall be notified without delay through a similar method.
② The personal information controller shall notify Article 26 through the website, etc. at the same time as the notification method in Paragraph 1
Paragraph 1 may disclose matters in each subparagraph.
Article 28 (Personal Information Disclosure Report, etc.) ① Privacy The information on more than 10,000 subjects
If personal information is leaked, the information subject is notified and the result of the action is administered within 5 days.
It must be reported to the Minister of Home Affairs or the specialized agency under Article 39 (2) of the Decree.
② Reports pursuant to Paragraph 1 shall be made through the Personal Information Leakage Report Form in Attached Form No. 1
shall.
③ The personal information controller shall be notified by e-mail, fax, or by a specialized institution pursuant to Article 39 (2) of the Decree.
There is no time to report leaks through the Internet site, or there are other special circumstances.
If there is, first report the matters under Article 26 (1) over the phone, and then
You can submit a personal information leakage report according to the form.
④ The personal information controller shall, in the event that personal information of 10,000 or more data subjects is leaked,
In addition to the notice under Article 26 (1), the information subject can find out on the Internet homepage, etc.
For convenience, the matters under each subparagraph of Article 26 (1) shall be posted for at least 7 days.
Article 29 (Personal Information Leakage Accident Response Manual, etc.) ① Any of the following
The personal information controller is responsible for minimizing the occurrence of damage through prompt response in the event of a leakage accident.
In order to do this, the 「Personal Information Leakage Accident Response Manual」 should be prepared.
1. Public institutions under subparagraph 6 of Article 2 of the Act;
2. Other personal information controllers who process personal information about 10,000 or more data subjects
② In the personal information leakage accident response manual according to paragraph 1, the leakage notification and inquiry procedures,
Measures to respond to customer complaints such as expansion of branches and internet lines, measures to minimize on-site congestion, customer anxiety
Remedial measures and victim remedies should be included.
③ In carrying out damage recovery measures, etc. due to personal information leakage, the personal information controller
Efforts shall be made to minimize the inconvenience and economic burden of information subjects.

In the case of personal information, especially digitized personal information, it is difficult for the information subject to know whether it has been leaked, and once it is leaked
Personal information is highly likely to be transferred to the second and third damage.
For example, Internet identity theft using leaked personal information, phone fraud (phishing), sending spam, etc.
The risk of spreading damage is high. Therefore, this Act prevents damage caused by leakage of personal information in advance and
In order to enable the subject to respond to the leakage, notification to the data subject and reporting to the relevant authorities
imposes an obligation.

290

Page 297

1. Obligation to notify leakage of personal information (paragraph 1)
(a) the occurrence of the obligation to notify
The duty to notify occurs when it becomes known that personal information has been leaked. 'Leakage' means whether intentional or negligent
Regardless of whether personal information is disclosed, provided, leaked, or leaked outside the scope of the personal information controller,
all states That is, 'personal information leakage' does not depend on laws or the free will of the personal information controller,
If the personal information controller loses control over the personal information of the data subject or allows unauthorized persons to access
① When documents containing personal information, removable storage devices, portable computers, etc. are lost or stolen
In case ② A person who does not have normal authority in the personal information processing system such as the database in which personal information is stored
In case of access, ③ files or paper documents containing personal information due to the intention or negligence of the personal information controller;
In the event that other storage media is incorrectly delivered to an unauthorized person, ④ Personal information to other unauthorized persons
It refers to the case in which information is transmitted (Standard Guideline Article 25).
That is, if the personal information is outside the management and control of the personal information controller, a third party
who does not know the personal information
Article 4 Section
When it reaches a state where the contents are known, personal information has been leaked. In this case, the third party
It is not considered that the information was leaked only after acquiring the contents, and a general level third party cannot
If it reaches the state of being, it is considered that personal information has been leaked.

dog
sign
knowtablet
the
see
see
of

ReferenceJudgment on the meaning of personal information leakage

within
I'm
One

In order to check whether the system of the site interlocking with the server of the defendant Company B works properly,

tube
Lee

information.

The ID and password of C that can be linked with the server from C, the CP (Contents Provider) of Defendant B
The fact that '○○○○○○' was temporarily granted, A uses the above ID and password, and the system interlocking with the 2G server is
Although it has been confirmed that it has been successfully built, the above ID and password are not deleted from the site even after the system check.
As a result, the Mshop site and the 2G server continued to be linked, but the mobile phone numbers of the plaintiffs were found in the 'phone information inquiry' of the site.
In the case where it is not confirmed that the above personal information was entered on the page and transmitted from the server of the defendant A to the site,
“Leakage of personal information protected by the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.
It means that it has reached a state where a third party can know the contents outside the management and control of the service provider.
Personal information is under the management and control of the information and communication service provider, and personal information is not actually viewed or accessed by a third party.
If not, the information and communication service provider's technical and administrative protection measures are insufficient, and a third party
It is said that the information and communication service provider was in a state of being able to access personal information stored through a specific site.
Even if it is, the personal information goes beyond the management and control of the information and communication service provider, and a third party cannot know the contents.
It cannot be said that it has reached a state of being.” (Supreme Court decision 2011da24555, sentenced on May 16, 2014)

The quantity, type, and time of the leaked personal information are not counted. Therefore, only one case of personal information was leaked
Even if it is, the data subject must be notified of the fact. The leaked personal information is encrypted
There are countries (such as the United States) that are exempt from the duty to notify, but Korea makes such an exception.
not acknowledging

291

Page 298
Explanation of personal information protection laws and guidelines and announcements

Since it is 'when you know' of the leakage of personal information, the duty to notify immediately if the leakage has occurred
It does not occur, and the obligation to notify the leakage occurs when the personal information controller is aware of the leakage.
When personal information is outside the management and control of the personal information controller, a third party can know the personal information.
This also applies when you find out that you have arrived.

B notice
The personal information controller shall ensure that the information subject accurately recognizes the leakage of personal information and appropriately responds to it.
The facts of each of the following subparagraphs shall be notified.
Notice of Personal Information Leakage (Article 34 Paragraph 1 of the Act)
1. Items of leaked personal information
2. The time of the leak and its background
3. Information on methods, etc. that information subjects can do to minimize damage that may occur due to leakage
4. Response measures and damage relief procedures of personal information controllers
5. In case of damage to the information subject, the department in charge and contact information to receive a report, etc.

The notice period
It should be notified without delay when 'when it becomes known that it has been leaked'. Here, 'without delay' means 'within 5 days'.
it means. Therefore, from the first discovery of the leak of personal information, the current status of the leak, the circumstances of the incident, and the provisional cause, etc.
In consideration of the time required for identification, notification shall be made within 5 days unless there is a justifiable reason.
(The main text of Article 26 Paragraph 1 of the Standard Guideline). Here, the justifiable reason is the non-disclosure of the investigation agency in relation to the leakage of personal information.
When there is a request or when the fact of personal information leakage itself is not confirmed. Meanwhile
Failing to recognize the personal information leakage accident, the information subject is notified within 5 days from the occurrence of the leakage accident.
If the personal information leakage notice is not notified, the personal information controller shall determine the time when it became aware of the actual leakage incident.
It must be proven (Article 27 Paragraph 3 of the Standard Guideline).
However, in order to prevent the spread and further leakage of the leaked personal information, blocking the access path, checking vulnerabilities,
If urgent measures such as supplementation or deletion of leaked personal information are necessary, without delay after taking such measures,
In other words, it can notify the data subject within 5 days (provided in Article 40 Paragraph 1 of the Decree, proviso to Article 26 Paragraph 1 of the Standard Guideline).

292

Page 299

LA notice method
Notification must be made in writing, etc. (Main sentence of Article 40 (1) of the Decree). i.e. in writing, e-mail, fax, telephone,
An individual notification method using text transmission or an equivalent method is sufficient. However, website posting,
Only collective disclosure, such as the official gazette, can be regarded as notifying the information subject of the leak.
none.

E. Priority notice of confirmation
Individuals who are leaked when they become aware of the leakage of personal information or even after taking urgent measures after knowing the leakage
If it is not possible to confirm the details of the item of information, the time of leakage, and the circumstances, the personal information
Only the facts of leaks and confirmed leaks shall be notified in writing, etc., and later confirmed matters shall be notified.
Additional notice may be given (Article 40 Paragraph 2 of the Decree, Article 26 Paragraph 2 of the Standard Guidelines).
Article 4 Section

dog
sign
tablet
see
see
of

2. Posting on the Internet website (Article 40 (3) of the Decree)
If personal information about 10,000 or more data subjects is leaked,

within

In order to make it easier for information subjects to recognize, the information in each subparagraph of Article 34 (1) of the ActI'm
(notice of leakage) is posted on the website for at least 7 days.
One

should be published. However, in the case of a personal information controller who does not operate an Internet website,

tube
Lee

It is sufficient to post the matters under each subparagraph of Article 34 (1) of the Act in an easily visible place such as a business place along with the method.
(Article 40 Paragraph 3 of the Decree).

3. Obligation to take measures such as minimizing damage (paragraph 2)
In case personal information is leaked, the personal information controller prepares measures to minimize the damage and
action should be taken System suspension, password change, leak cause analysis, technical security measures reinforcement,
From temporary countermeasures such as system change, request for technical support, and restoration, to measures to prevent similar accidents
Future damage prevention measures such as establishment and implementation should also be taken. First of all, personal information leakage
Notify the victim without delay, and report the current status of damage caused by the leakage of personal information from the victim.
There should be a window for reception. In addition, it is necessary to prevent the rapid and appropriate spread of damage and to reduce damage.
In order to recover, immediately remove the cause of the direct or indirect accident that caused the leakage of personal information, and
Complementing technical, administrative, and physical protection measures, and preventing the misuse or theft of leaked personal information
Measures should be taken, etc.

293

Page 300
Explanation of personal information protection laws and guidelines and announcements

In particular, public institutions and personal information controllers who process personal information about 10,000 or more data subjects
In order to minimize damage through prompt response in the event of an incident, the 'personal information leakage incident response manual' has been published.
(Standard Guidelines Article 29 Paragraph 1). In the Personal Information Leakage Accident Response Manual, there is a leak notification and inquiry
Procedures, measures to respond to customer complaints such as expansion of branches and internet lines, measures to minimize on-site congestion, measures to relieve customer anxiety,
Relief measures for victims should be included (Standard Guideline Article 29 Paragraph 2).
On the other hand, the personal information controller, in carrying out damage recovery measures due to the leakage of personal information,
Efforts shall be made to minimize inconvenience and economic burden (Standard Guideline Article 29 Paragraph 3).

4. Obligation to report personal information leakage (paragraph 3, Article 39 of the Enforcement Decree)
In the event of a large-scale leakage of personal information over a certain scale, it is simply a matter of notifying the information subject.
It is not enough, and it is necessary to take a systematic and systematic response by notifying the government and related specialized agencies.
have. Accordingly, this Act stipulates that if the personal information of '10,000 or more' information subjects is leaked,
In addition to the duty to notify the
made to report. Here, 'without delay' means within 5 days.
This Act designates the Korea Internet & Security Agency as a specialized agency to receive reports of personal information leakage.
(Article 39 Paragraph 2 of the Decree). Report personal information leakage through the 'Personal Information Leakage Report' (Standard Guidelines Annex No. 1 Form)
It must be reported (Article 28 Paragraph 1 of the Standard Guideline). However, through e-mail, fax or internet site
If there is no time to report a leak or there are other special circumstances,
After reporting, you can submit a 'personal information leakage report' (Standard Guideline Article 28 Paragraph 2). Minister of Government Administration and Home Affairs
Or, when a leak report is received, a specialized agency may develop technology for preventing the spread of damage and recovering damage.
can support
< Report of personal information leakage >
reporting agencyMinistry of Government Administration and Home Affairs (Comprehensive Personal Information Protection System)/Korea Internet & Security Agency
When to report Within 5 days (notification to information subject and notification of action result)
Institution name, notification status, leaked personal information items and scale, leaked time and details, measures to minimize leak damage
Report content Measures and results, methods of minimizing damage that information subjects can do, and remedial procedures, departments in charge, and persons in charge
and contact information
Leakage accident report and report submission via e-mail or fax internet site, free of time
How to report If there is no or special circumstances: After reporting the contents of the notification over the phone,
can submit

294

Page 301

5. RELATIONSHIP TO OTHER LAWS
The Information and Communications Network Act and the Credit Information Act have regulations related to 'the duty to notify and report personal information leakage' (information
Network Act Article 27-3, Credit Information Act Article 39-2).
In particular, the Information and Communications Network Act provides that even if one or more cases of personal information are leaked, 24 hours a day unless there is a justifiable reason.
It is stipulated to notify and report within

6. Penal provisions
violation

penalty

Violation of the duty to notify personal information leakage

A fine of not more than 30 million won

(Violation of Article 34 (1))

(Article 75 (2) 8)

A person who fails to report the results of measures

A fine of not more than 30 million won

(Violation of Article 34 (3))

Article 4 Section

(Article 75 (2) 9)

dog
sign
tablet
see
see
of

7. Q&A

within
I'm
One

When an official message with the same content is sent to multiple civil servants, each recipient's personal information is included.

Q

tube
Lee

Whether the case falls under personal information leakage

The name and address of the recipient of the official letter are personal information that can identify a specific individual.

A

It must be processed so that the official message is sent, and the group email is sent to members.
In the event that the recipient's name, e-mail address, and personal information in attached files are disclosed in the process, personal information
Corresponds to personal information leakage under the Protection Act

Q

If personal information leakage occurs, but there is no contact information of the information subject, it is difficult to notify the leakage
What should I do?

A

In cases where it is difficult to notify the information subject because there is no contact information, Article 28 (2) and Article 31 of the Enforcement Decree
Articles 2 and 3 shall be applied mutatis mutandis to continuously publish on the Internet homepage or to be recognized by the information subject.
It is necessary to disclose the leak through a method such as posting it in an easy place.

295

Page 302
Explanation of personal information protection laws and guidelines and announcements

Article 34-2 Imposition of Penalty Surcharges, etc.
Article 34 2 (imposition of fines, etc.) ① The Minister of Government Administration and residents who handle personal information processing
If the registration number is lost, stolen, leaked, forged, altered or damaged, a fine of not more than 500 million won
may be charged and collected. However, if the resident registration number is lost, stolen, leaked, forged, forged, or
In order not to be damaged, the personal information controller needs to secure safety under Article 24 (3).
This is not the case when all measures have been taken.
② When the Minister of Government Administration and Home Affairs imposes a penalty surcharge under paragraph (1),
should be considered.
1. Degree of effort to implement measures necessary to secure safety under Article 24 (3);
law

2. The degree of loss, theft, leakage, forgery, alteration, or damage to the resident registration number;
3. Whether to implement follow-up measures to prevent the spread of damage
③ The Minister of the Interior and Home Affairs shall notify the person who is liable to pay the penalty surcharge under paragraph (1) by the payment deadline.
Otherwise, for the period from the day following the payment deadline to the day before the date on which the penalty surcharge is paid
An additional amount prescribed by Presidential Decree within the limit of 6/100 per annum of the penalty surcharge not paid;
collect In this case, the period for collecting the surcharge shall not exceed 60 months.
④ The Minister of Government Administration and Home Affairs shall pay the penalty surcharge under paragraph (1) by the deadline for payment.
If not, a period is fixed and a reminder is issued, and within the designated period, the penalty surcharge and Paragraph 2
If the penalty is not paid, it will be collected according to the example of the disposition of national tax arrears.
⑤ Other necessary matters concerning the imposition and collection of penalty surcharges shall be prescribed by Presidential Decree.
Article 40-2 (Standards for Imposition of Penalty Surcharges, etc.) ① Imposition of Penalty Surcharges under Article 34-2 ( 1 ) of the Act
Standards are the same as in Table 1-2.
② Where the Minister of the Interior and Home Affairs intends to impose a penalty surcharge pursuant to Article 34-2 (1) of the Act,
The amount to be paid shall be specified by specifying the fact of violation, the amount to be charged, the method of objection and the objection period, etc.
It must be notified in writing to the person subject to the penalty surcharge.
③ A person who has received a notice pursuant to paragraph (2) within 30 days from the date of receipt of the notice by the Ministry of Government Administration and Home Affairs
The penalty surcharge shall be paid to the receiving institution designated by the Minister. However, natural disasters or other

Enforcement Decree
If the penalty surcharge cannot be paid within the period due to unavoidable reasons, the cause shall be
Payment must be made within 7 days from the date of disappearance.
④ In the former part of Article 34-2 (3) of the Act, “additional amount prescribed by Presidential Decree” means the payment deadline.
For the period from the next day to the day before the date on which the penalty surcharge is paid, every month passes
It refers to the amount obtained by adding an amount equivalent to 5/1,000 of the penalty surcharge not paid.
Article 62-3 (Review of Regulations) ① The Minister of Government Administration and Home Affairs shall comply with Article 40-2 and Attached Table 1-2.
As of January 1, 2014, every three years (every three years
Before January 1 of the year), the feasibility should be reviewed and measures such as improvement should be taken.

296

Page 303

② The Minister of Government Administration and Home Affairs shall, for each of the following matters, as of the base date of each of the following subparagraphs:
Every two years (referring to the same day as the base date of the second year)
After review, measures such as improvement shall be taken.
1. Gathering opinions when installing image information processing equipment under Article 23: January 1, 2015
2. Contents and disclosure method of personal information processing policy pursuant to Article 31: January 1, 2015
2 of 2. Requirements for designation and revocation of designation of evaluation institutions under Article 37: January 1, 2016
3. Procedures for viewing personal information under Article 41: January 1, 2015
4. Subject to application for collective dispute mediation under Article 52: January 1, 2015
5. Standards for imposition of fines for negligence in accordance with Article 63 and Attached Table 2: January 1, 2015

The resident registration number is used for important legal transactions or service use such as financial transactions and public services.
It is used for identification, etc. In case of leakage or misuse of resident registration number
There is a possibility that irreparable damage may occur to the subject of personal information. of these resident registration numbers
Considering the importance, etc., on August 6, 2013, the amended Personal Information Protection Act (Act No. 11990)

Article 4 Section

When processing is required or permitted by law, the imminent loss of life, body, or property of the data subject or a third party

dog
sign
On the other hand, it is limited to cases that are clearly necessary for profit (Article 24-2), and the personal information controllertablet
see
see
In case the resident registration number being processed is lost, stolen, leaked, forged, altered, or damaged, a penalty surcharge may
be
of

imposed.

within
I'm
One

stipulated (Article 34-2).

tube
Lee

1. The nature of the penalty surcharge
The term “penalty surcharge” refers to “a penalty imposed by an administrative agency on a person who violates or fails to fulfill the obligations under the Administrative Act.
financial sanctions”. This is separate from a fine, which is a monetary means of sanctions under the criminal law.
It is an administrative and financial means of sanctions.
Unlike the Information and Communications Network Act, the Personal Information Protection Act does not set a general penalty surcharge.
There are penalties for loss, theft, leakage, forgery, alteration, or damage of resident registration number.

2. Details of the imposition of a penalty surcharge;
The Minister of the Interior and Home Affairs declared that the 'resident registration number' processed by the 'personal information controller' is 'lost, stolen, leaked, forged, forged.
In case of damage or damage, a fine of not more than 500 million won may be imposed or collected. However, the personal information controller
In order to prevent loss, theft, leakage, forgery, alteration, or damage to the resident registration number in accordance with Article 24 (2),
In cases where measures necessary to ensure safety have been exhausted, a penalty surcharge may not be imposed or collected.

297

Page 304
Explanation of personal information protection laws and guidelines and announcements

On the other hand, when the Minister of Government Administration and Home Affairs imposes a penalty surcharge (i) the personal information controller
the degree of effort to implement the action; (ii) the degree of loss, theft, leakage, forgery, alteration, or damage to the resident registration number; (iii)
Whether to implement follow-up measures to prevent the spread of damage should be considered.

3. Procedures and Standards for Imposition of Penalty Surcharges
When the Minister of the Interior and Home Affairs intends to impose a penalty surcharge pursuant to Article 34-2 (1) of the Act, the fact of violation, the amount imposed,
The person subject to the penalty surcharge is instructed to pay the objection by specifying the objection method and objection period.
It must be notified in writing (Article 40-2 Paragraph 2 of the Decree).
A person who has received a notice of the imposition of a penalty surcharge shall be notified by the Minister of Public Administration and Home Affairs within 30 days from the date of receipt of the notice.
A penalty surcharge must be paid to the receiving institution. However, due to natural disasters or other unavoidable reasons
If the penalty surcharge cannot be paid within the period, it must be paid within 7 days from the date the cause ceases to exist.
(Article 40-2 (3) of the Decree).
If a person liable to pay a penalty surcharge fails to pay by the payment deadline, the Minister of the Interior and Home Affairs shall, from the day following the payment deadline,
Within the limit of 6/100 per annum of the penalty surcharge not paid for the period up to the day before the date on which the penalty surcharge was paid
The surcharge prescribed by Presidential Decree shall be collected. “Additional money prescribed by Presidential Decree” means from the day following the payment deadline
For the period up to the day before the date on which the penalty surcharge was paid, the amount of the penalty surcharge not paid for each month passes
It refers to the amount plus an amount equivalent to 5/1,000 (Article 30-2 (4) of the Decree). On the other hand, collecting a penalty
The period shall not exceed 60 months.
Specific penalty surcharge standards are given in the table below.

298

Page 305

<Standards for Imposition of Penalty Surcharges (Article 40-2 Paragraph 1 of the Enforcement Decree, Attached Table 1-2)>

1. Decision on whether to impose a penalty surcharge
A decision on whether to impose a penalty surcharge comprehensively considers the matters under each subparagraph of Article 34-2 (2) of the Act and the details of the violation
do. However, if the measures necessary to secure safety pursuant to Article 24 (3) of the Act are exhausted, no penalty surcharge shall be imposed.

2. Criteria for calculating penalty surcharges;
Penalty surcharges shall be calculated by comprehensively considering the matters under each subparagraph of Article 34-2 (2) of the Act and matters affecting them;
Adjustment of the calculation standard according to the degree of violation according to the level of effort to implement measures necessary to secure safety in item B (hereinafter referred to as “first round”).
Mediation”), and adjustments according to the period and frequency of violations in item C (hereinafter referred to as “secondary mediation”), and in accordance with item D.
Calculate the surcharge imposed. However, if the calculated penalty surcharge exceeds 500 million won, it shall be 500 million won.

end. Basic Calculation Criteria
degree of violation
very serious
violation

serious
violation

calculation standard

350 million won

2.3 billion won

general offense

remark

Due to intentional or gross negligence, more than 100,000 resident registration numbers
Article 4 Section

It refers to cases of loss, theft, leakage, alteration, or damage (hereinafter referred to as “lost, etc.”).

In case less than 100,000 resident registration numbers are lost due to intentional or gross negligence;
It refers to the case where more than 100,000 resident registration numbers have been lost due to the oversight.

dog
sign
tablet
see
see
of
within
I'm
One

100 million wonIt refers to a case where less than 100,000 resident registration numbers have been lost due to over-time.

tube
Lee

I. 1st adjustment
The degree of effort to implement measures necessary to secure safety pursuant to Article 24 (3) of the Act, preparation of measures to minimize damage, etc.
In consideration of the implementation of follow-up measures to prevent the spread of damage, it is added or reduced within the range of 50/100 of the calculation standard.

All. secondary adjustment
Period and number of violations, whether to cooperate with investigations for violations, whether additional damage has occurred due to violations,
Aggravated within the range of 50/100 of the first-adjusted amount, comprehensively considering the degree of effort to protect personal information, or
admire

la. Calculation of Imposed Penalty Surcharges
The actual burden of the personal information controller, the effect of the violation, and the amount of profit obtained from the violation, etc.
If it is deemed excessive in consideration of the amount, the amount shall be reduced within the range of 50/100 of the secondly adjusted amount as an imposed penalty surcharge.
can be determined

299

Page 307
306

Chapter 5
Guaranteeing the rights of data subjects
Article 35 Inspection of personal information
Article 36 Correction and deletion of personal information
Article 37 Suspension of processing of personal information, etc.
Article 38 Method and procedure for exercising rights
Article 39 Liability for Damages
Article 39-2 Claims for Statutory Damages

Page 309
308

Article 35 Inspection of personal information

Article 35 ( Perusal of Personal Information ) ① The information subject is his/her personal information processed by the personal information controller.
You may request the relevant personal information controller to view the information.
② Notwithstanding Paragraph 1, the information subject does not allow access to his/her personal information to public institutions
If you wish to make a request, you may request a direct inspection from a public institution or
In accordance with the foregoing, a perusal may be requested through the Minister of Government Administration and Home Affairs.
③ When the personal information controller receives a request for inspection pursuant to paragraphs 1 and 2, the President
The information subject must be able to view the personal information within the period prescribed by the ordinance.
do. In this case, if there is a justifiable reason for not being able to browse within the relevant period, the information
The subject may be notified of the reason and the reading may be postponed, and if the reason ceases to exist, without delay
should be made available for reading.
④ The personal information controller shall notify the information subject in any of the following cases:
You can notify the reason and restrict or refuse access.
1. When viewing is prohibited or restricted by law

law

2. There is a risk of harming the life or body of another person, or the property of another person and other
If there is a risk of unfairly infringing on profits
3. When a public institution performs any of the following tasks, it is important
If it causes trouble
end. Business related to the imposition, collection or refund of tax
Article 5 Chapter
I. Schools at each level under the 「Elementary and Secondary Education Act」 and the 「Higher Education
Act」, and under the 「Lifelong Education Act」

tablet with other laws
Grades in lifelong education facilities and other higher education institutions established in accordance

Tasks related to evaluation or selection of admissions
All. Tasks related to examinations and qualifications related to academic background, skills, and

see
week
sieve
of
recruitment

volume

la. Tasks related to the evaluation or judgment in progress regarding the calculation of compensation andLee
benefits, etc.
see
chapter

hemp. Tasks related to ongoing audits and investigations under other laws

⑤ Methods of requesting access, limiting access, notification, etc. in accordance with the provisions of paragraphs 1 through 4
and necessary matters concerning the procedure shall be prescribed by Presidential Decree.
Article 41 (Procedures for accessing personal information, etc.) ① The information subject is subject to Article 35 (1) and (2) of the Act.
If you wish to request access to your personal information,
In accordance with the provisions of each of the following subparagraphs, a request for access to personal information indicating the
It must be submitted to the personal information controller.
Enforcement Decree
1. Items and contents of personal information
2. Purpose of collection and use of personal information
3. Period of retention and use of personal information
4. Status of provision of personal information to third parties

303

Page 310
Explanation of personal information protection laws and guidelines and announcements

5. Facts and contents of consent to processing of personal information
② In accordance with Article 35 (2) of the Act, the information subject has his/her personal information through the Minister of Government Administration and Home Affairs.
If you wish to request access to information, submit a request for access to personal information pursuant to paragraph (1).
It must be submitted to the Minister of Government Administration and Home Affairs. In this case, the Minister of Government Administration and Home Affairs shall, without delay,
The request for access to personal information shall be transferred to the relevant public institution.
③ “Period prescribed by Presidential Decree” in the former part of Article 35 (3) of the Act means 10 days.
④ The personal information controller shall, within 10 days from the date of receipt of the request for access to personal information pursuant to paragraph (1).
In the case of allowing the information subject to view the personal information, and in Article 42 (1)
In the event that some of the reading requirements are allowed to be read in accordance with the
Possible date, time, place, etc. (Only part of the reading requirements pursuant to Article 42 (1)
In case of perusal, the reason and method of objection are included) by Ordinance of the Ministry of Government Administration and Home Affairs.
It shall be notified to the relevant information subject in the prescribed reading notice.
Article 42 (Restriction, Postponement, and Rejection of Access to Personal Information ) ① The personal information controller shall comply with Article 41 (1).
If some of the reading requirements in accordance with the Act fall under any of the subparagraphs of Article 35 (4) of the Act,
In this case, you may restrict access to a part of it, and you may
Excluded parts should be made available for reading.
② The personal information controller postpones the reading of the information subject pursuant to the latter part of Article 35 (3) of the Act;
10 days from the date of receipt of the request for reading in the case of refusal of reading pursuant to Paragraph 4 of the same Article
The reasons for delay or refusal and the method of raising an objection within the period of perusal prescribed by Ordinance of the Ministry of Government Administration and Home Affairs
The relevant information subject must be notified by a notice of postponement or rejection.
Article 3 (Books and Document Formats Related to Personal Information Protection) ⑥ Article 35 (5 ) of the Act and Article 41 of the Decree
In accordance with the request for access to personal information pursuant to paragraph (1), Article 36 (6) of the Act and Article 43 (1) of the Decree
Requests for correction or deletion of personal information and requests for suspension of processing of personal information pursuant to Article 44 (1) of the Decree
enforcement rules
Follow the request for personal information access, correction/deletion, and suspension of processing in Annex No. 8 form.
⑦ Notification of perusal and partial perusal of personal information pursuant to Article 35 (5) of the Act and Article 41 (4) of the Decree;
Notification of postponement and refusal of personal information access pursuant to Article 42 (2) of the Decree is in Attached Form 9.
Follow the notice of personal information access, partial reading, postponing of reading, and refusal of reading.
Article 31 (Privacy viewed disappearance of the reasons for delay) ① Privacy Act Section 35 (3) of the self back door
In the event that the cause ceases to exist after the personal information access has been postponed, there is no justifiable reason.
It must be perused within 10 days from the date the cause has ceased to exist.
② Provision of personal information from the data subject to a third party pursuant to Article 41 (1) 4 of the Decree
standard guidelines
The personal information controller who has received a request to view the current status is an important matter for national security, and Article 35 of the Act
In the event that it causes a significant impediment to the performance of business pursuant to the provisions of Paragraph 4, Item 3 (e),
Decisions are made by inquiring opinions about the permission, restriction, or rejection of a request for access to a third party
can

304

Page 311

Article 32 (Correction and Deletion of Personal Information ) ① The personal information controller is an individual under Article 36 (1) of the Act.
When a request for correction or deletion of information is received, from the date of receipt of the request unless there is a justifiable reason.
Investigate the personal information within 10 days, and according to the request of the information subject, necessary corrections, deletions, etc.
After taking the action, the result shall be notified to the data subject.
② If the data subject's request for correction or deletion falls under the proviso to Article 36 (1) of the Act,
Grounds that cannot request deletion within 10 days from the date of receipt of the request unless there is no reason
The contents of the Act shall be notified to the data subject.
Article 33 (Suspension of processing of personal information )
When requested to suspend the processing of personal information pursuant to Paragraph 1, unless there is a justifiable reason
Part or all of the processing of personal information must be stopped within 10 days from the date of receipt of the request.
do. However, in cases falling under the proviso to Article 37 (2) of the Act, the processing of the data subject is suspended.
You can decline the request.
② The personal information controller is responsible for the personal information whose processing has been suspended at the request of the information subject.
The individual concerned within 10 days from the date of receipt of the request to suspend processing unless there is a justifiable reason
Take measures commensurate with the data subject's request, such as destruction of information, and report the result
subject should be informed.
Article 34 (Methods and Procedures for Exercising Rights)
In the case of a request for viewing, etc. pursuant to Paragraph 1, it is the same as the method of collecting personal information, or
A simple method should be provided so that information subjects can exercise their rights, such as requesting access, more easily.
When collecting personal information, documentary evidence that was not requested or additional
You cannot ask for a procedure.

Article 5 Chapter

tablet
② The provisions of Paragraph 1 are for those who wish to confirm that they are the principal or a legitimate
agent in accordance with Article 46 of the Decree.

It shall also apply mutatis mutandis to the settlement of fees and postage pursuant to Article 47 of the
Article 44 (Request for viewing, etc. by data subject )

see
week
Decree.
sieve
of

volume

To view or confirm the existence of personal image information (hereinafter referred to as “viewing, etc.”), the
Lee relevant image
see

It may be requested from the information processing equipment operator. In this case, the information subject
may request access, etc.
chapter
Personal image information that can be used includes personal image information taken by the information subject himself and clearly information
It is limited to personal image information necessary for the immediate benefit of the subject's life, body, and property.
② In case the operator of the image information processing device is a public institution, the head of the relevant institution
With a request for viewing and confirmation of existence of personal image information (including electronic documents) in accordance with Form 2
shall.
③ When the operator of the image information processing device receives a request under paragraph (1), without delay
Take the necessary action. At this time, the operator of the image information processing device may request access, etc.
Identity such as resident registration card, driver's license, passport, etc.
Certificates must be submitted and verified.
④ Notwithstanding the provisions of Paragraph 3, image information processing is performed in any of the following cases:

305

Page 312
Explanation of personal information protection laws and guidelines and announcements

The device operator may reject the request of the information subject to view personal image information, etc. in this case
The image information processing device operator shall notify the information subject of the reason for rejection in writing within 10 days.
should be notified.
1. In the case of a serious impediment to criminal investigation, maintenance of public prosecution, or trial execution (limited to public institutions);
2. When personal image information is destroyed after the retention period has elapsed
3. In the event that there exists a justifiable reason to reject the request of the information subject, etc.
⑤ When an operator of an image information processing device takes measures pursuant to paragraphs 3 and 4, the following
The matters in each subparagraph shall be recorded and managed.
1. Name and contact information of the information subject who requested access to personal image information
2. Name and contents of the personal image information file requested by the information subject to read, etc.
3. Purpose of viewing personal image information, etc.
4. In case of refusal to view personal image information, specific reasons for refusal
5. If a copy of personal image information is provided to the information subject, the content of the image information and the information provided
Reason
⑥ The information subject shall notify the operator of the image information processing device about his/her personal image information.
When requesting destruction, the personal image information requested to be preserved in accordance with paragraph 1
You can only ask for it to be destroyed. The operator of the image information processing device shall
In case of intoxication, the contents shall be recorded and managed.
Article 45 (Personal Image Information Management Ledger) Article 42 (1) and (2) and 44 (5) and (6)
For records and management, use the 'personal image information management ledger' according to Attachment No. 3
can
The (personal video information other than the information Protection of subjects) 46. Video information processing equipment operator Article 44
In the case of taking measures such as reading according to paragraph 2, if a person other than the information subject is
If it is recognizable or there is a risk of invasion of privacy of persons other than the information subject
Protective measures are taken so that personal image information of persons other than the relevant information subject cannot be recognized.
should be taken

The data subject knows what information the personal information controller has about him/herself and how he/she uses it
In addition, it should be possible to confirm whether the personal information held by the personal information controller is accurate. With this
The rights of the same data subject form the core of the right to self-determination of personal information.

1. Right of information subject to request access (paragraph 1)
The information subject shall provide the personal information controller with access to his/her personal information processed by the personal information controller.
can request Inspection includes the issuance of copies. In addition to the personal information directly provided by the information subject

306

Page 313

Personal information collected from third parties or published information sources, personal information produced by the personal information controller (credit
Personal information automatically generated in the process of evaluation, personnel evaluation, transaction details, medical records, etc.) and service provision
(incoming and outgoing records, incoming/outgoing records, cookies, log records, etc.) are also subject to the reading request.

2. Method and procedure of request for inspection (paragraph 2, Article 41 (1) and (2) of the Decree)
A Submission of personal information access request (Article 41 (1) of the Decree)
When a data subject wants to request access to his/her personal information, as prescribed by Ordinance of the Ministry of Government Administration and Home Affairs
In accordance with each of the following subparagraphs, a request for viewing personal information indicating the
must be submitted
Items required for reading (Article 41 (1) of the Decree)
1. Items and contents of personal information
2. Purpose of collection and use of personal information
3. Period of retention and use of personal information
4. Status of provision of personal information to third parties
5. Facts and contents of consent to the processing of personal information

B. Special Cases for Public Institutions (Section 2, Article 41 (2) of the Decree)

Article 5 Chapter

When a data subject wants to request access to his/her personal information from a public institution,
You can request the inspection directly or through the Minister of Government Administration and Home Affairs. The

tablet
see
week
sievesubject
information
of

is the Ministry of Government Administration and Home Affairs

If you want to request access to your personal information through the Minister, you must apply for a personal information access
volume
request form.
Lee

It must be submitted to the Minister of Home Affairs. In this case, the Minister of the Interior and Home Affairs shall write a request
for access to the personal information without delay.
see
chapter

It must be transferred to the relevant public institution.

3. Inspection measures, etc. (paragraph 3, Article 41 (2), 3 and 4 of the Decree)
When the personal information controller receives a request to view personal information from the information subject, the information subject
Measures must be taken to allow access to the relevant personal information. In this case, the personal information controller shall
The date and time, place, etc., available for perusal (according to Article 42 (1), only part of the perusal requirements
In this case, the reason and method of raising an objection are included) as a notice of perusal prescribed by Ordinance of the Ministry of Government Administration and Home Affairs.
The data subject must be informed.

307

Page 314
Explanation of personal information protection laws and guidelines and announcements

Although the personal information controller has been requested to view personal information from the information subject, the
If there is a justifiable reason that cannot be done, the information subject may be notified of the reason and the reading may be postponed.
If the reason for the delay expires after the delay in viewing personal information, within 10 days from the date the reason for the postponement ceases to exist.
It should be made available for perusal (Article 31 Paragraph 1 of the Standard Guidelines). If the personal information controller wants to postpone the reading of the data subject
In this case, within 10 days from the date of receipt of the request for inspection, the reason for the postponement and the method of raising an objection to the
The relevant information subject shall be notified by a notice of postponement or refusal of reading prescribed by Ordinance.

4. Restriction and refusal of access (paragraph 4, Article 42 Paragraph 1, Paragraph 2 of the Decree)
The personal information controller shall notify the information subject of the reason in any of the following cases
You can limit or deny access. In addition, some of the viewing requirements are in any of the following subparagraphs:
If applicable, you may restrict access to a part of it, except for matters that are restricted
The section should be accessible for viewing.
10 days from the date of receipt of the request for access, if the personal information controller intends to refuse access to the information subject
The reasons for refusal and method of raising objections within
The data subject must be informed.
Restriction on reading and reasons for refusal (Article 35 (4) of the Act)
1. When viewing is prohibited or restricted by law
2. If there is a risk of harming the life or body of another person or unreasonably infringing on the property and other interests of another person;
In case of concern
3. In the event that a public institution causes a significant impediment in performing any of the following tasks;
end. Business related to the imposition, collection or refund of tax
I. Schools at each level under the Elementary and Secondary Education Act and the Higher Education Act, lifelong education facilities under the Lifelong Education Act, and others
Tasks related to the evaluation of grades or selection of admissions at higher education institutions established in accordance with other laws
All. Tasks related to examinations and qualifications related to academic background, skills, and recruitment
la. Tasks related to the evaluation or judgment in progress regarding the calculation of compensation and benefits, etc.
hemp. Tasks related to ongoing audits and investigations under other laws

However, the personal information controller who has received a request for access to the status of provision of personal information to a third party arbitrarily reads it
It can be decided whether to allow or not, but if an investigative agency such as the National Intelligence Service
In the case of an investigation, if the status of provision to a third party is exposed to the subject of investigation, the investigation may include destruction of evidence, etc.
Since it may be difficult to perform the activity properly, in this case,
A decision can be made by inquiring about opinions regarding the permission, restriction, or rejection of a request for inspection (Standard Guideline Article 31 (2)).

308

Page 315

5. RELATIONSHIP TO OTHER LAWS
The 「Information and Communications Network Act」 provides for the protection of personal information in addition to the personal information of users held by information and communication service providers, etc.
Requests for viewing and provision of data on the status of use and provision are permitted. Therefore, information and communication service providers, etc.
In accordance with the 「Information and Communications Network Act」, necessary measures shall be taken with respect to a user's request for reading.
As the “Credit Information Act” also stipulates on the access and correction of credit information, the use of credit information and
In accordance with the Credit Information Act, the provider, etc. shall take necessary measures when there is a request for reading by the subject of credit information.
should be taken
Article 30 (the user's rights, etc.) ② A user following about the person or the like information for the communication service provider
You may request to view or provide information on any of the matters in each subparagraph, and if there is an error,
You can ask for that correction.
1. Personal information of users held by information and communications service providers, etc.
2. Current status of information and communication service providers, etc. using or providing users' personal information to third parties
3. The status of consent for the collection, use, provision, etc. of personal information to information and communications service providers, etc.
Information and Communications
④ When the information
Network Act
and communications service provider, etc. is requested to read or provide pursuant to Paragraph 2,
action should be taken
⑤ When an information and communications service provider, etc. is requested to correct an error pursuant to paragraph 2, it shall promptly correct the error.
You must correct or take necessary measures, such as notifying the user of the reason for the failure to correct,
Until necessary measures are taken, the relevant personal information shall not be used or provided. but,
Provide or use personal information when requested to provide personal information under other laws
can do.
Article 38 (Request for Perusal and Correction of Credit Information, etc.) ① The subject of credit information shall disclose
Article his/her
5 Chapteridentity to the credit information company, etc.
by methods prescribed by Presidential Decree, such as by showing a certificate indicating

tablet
You can request to provide or view your personal information held by a credit information company, etc., after confirming thatseeyou are the person you
week
If the personal information is different from the facts, correction may be made as determined and announced by the Financial sieve
Services Commission.
of

can claim

are.

volume

② A credit information company, etc. that has received a request for correction pursuant to Paragraph (1) shall state that thereLee
is a justifiable reason for the request for correction.
see
If acknowledged, immediately indicate that the problematic credit information is being requested for correction or is being checked,

chapter

After suspending the provision and use of the relevant credit information without delay, it is investigated whether the
Credit information that cannot be verified must be deleted or corrected.
Credit Information
Article
Act 38-2 (Request for Notification by Credit Inquiry Office )
You may request to be notified of the fact that information is being viewed. In this case, the subject of credit information is
You must verify your identity according to the method determined by the committee.
② The credit inquiry company in receipt of the request under paragraph (1) shall be liable for the possibility of identity theft, etc. in cases prescribed by Presidential Decree.
When an inquiry occurs, the provision of information in response to the inquiry shall be stopped and the fact shall be reported without delay.
The credit information subject must be notified.
③ Matters necessary for the method of cessation of information provision and notification under Paragraph 2, and the burden of expenses related to the notification
determined by Presidential Decree.
Article 39 (Free yeolramgwon) credit reporting company in private at regular intervals as prescribed by the Presidential Decree within one year
Credit information subjects shall be provided with or view their personal information free of charge at least once.

309

Page 316
Explanation of personal information protection laws and guidelines and announcements

6. Penal provisions
violation

penalty

Unreasonable restriction or refusal of information subject's request for access A fine of not more than 30 million won
(Violation of Article 35 (3))
Obligation to notify in case of refusal of request of information subject
Non-compliance (violation of Article 35 (3) and (4))

(Article 75 (2) 10)
A fine of not more than 10 million won
(Article 75 (3) 9)

7. Q&A
Requests that the customer confirm all of the personal information use history, such as the additional service subscription history,

Q

have. The amount of personal information use is very large, what should be done in this case?

A

In principle, if there is a request for reading of self-information by the data subject, the reading pursuant to Article 35 (4) of the Act
Necessary measures must be taken within 10 days unless it falls under any of the reasons for restriction or rejection.
However, fees and postage required for the calculation of personal information usage details are provided to the information subject.
can claim

After receiving the membership application form from the customer in writing, it provides services such as point accumulation or new menu information.

Q

has been providing However, a customer confirms that he has never consented to the membership application form.
have been demanding What should I do in this case?

A

If you receive a request for confirmation of consent to collection of personal information from the information subject, within 10 days
Present the member's application for membership so that he/she can read and check whether the member's handwritten signature is in the consent field
shall.

310

Page 317

Article 36 Correction and deletion of personal information
Article 36 (Correction and Deletion of Personal Information) ① Information that has been viewed in accordance with Article 35
The subject may request the personal information controller to correct or delete the personal information. but,
If the personal information is specified as the object of collection in other laws, the deletion is
can't ask for
② When the personal information controller receives a request from the information subject pursuant to Paragraph 1, the personal information
Except for cases where special procedures are stipulated in other laws regarding correction or deletion
Then, without delay, the personal information will be investigated and corrected, deleted, etc. according to the request of the information subject.
After taking necessary measures, the result shall be notified to the data subject.

law

③ When the personal information controller deletes personal information pursuant to Paragraph 2, it cannot be recovered or reproduced.
measures should be taken to prevent
④ The personal information controller shall, without delay, when the request of the data subject falls under the proviso to Paragraph 1,
It must be communicated to the data subject.
⑤ When the personal information controller conducts an investigation pursuant to Paragraph 2, if necessary, the personal information controller shall notify the relevant information subject for correction and/or correction.
Evidence necessary to confirm the deletion requirement may be submitted.
⑥ Request for correction or deletion pursuant to Paragraphs 1, 2 and 4, notification methods and procedures, etc.
Necessary matters shall be prescribed by Presidential Decree.
Article 43 (Correction, Deletion, etc. of Personal Information)
In the case of requesting the processor to rectify or delete the personal information, by Ordinance of the Ministry
of Government Administration and Home Affairs.
Article 5 Chapter
A request for correction/deletion of personal information specified shall be submitted to the relevant personal
information controller.
tablet
see

② If you receive personal information from other personal information controllers and process personal information
files,
week
sieve

When the personal information controller receives a request for correction or deletion of personal information
of pursuant to Article 36 (1) of the Act,
In accordance with the request, correction or deletion of the personal information or a request for correctionvolume
or deletion of the personal information
Lee
see result of the processing
Enforcement Decree
Send it to the head of the institution that provided the personal information without delay, and according to the
chapter

The necessary measures should be taken.
③ The personal information controller receives the request for correction or deletion of personal information under paragraphs 1 and 2
In accordance with Article 36 (2) of the Act within 10 days from the date of
In the case of taking measures, the fact that the measures were taken shall be deleted as it falls under the proviso to Article 36 (1) of the Act.
If the request is not complied with, the facts, reasons, and method of raising an objection shall be determined by Ordinance of the Ministry of Government Administration and Home Affairs.
The relevant information subject shall be notified of the result of correction and deletion of personal information specified.
Article 3 (Books and Document Formats Related to Personal Information Protection) ⑥ Article 35 (5 ) of the Act and Article 41 of the Decree
In accordance with the request for access to personal information pursuant to paragraph (1), Article 36 (6) of the Act and Article 43 (1) of the Decree
enforcement rules
Requests for correction or deletion of personal information and requests for suspension of processing of personal information pursuant to Article 44 (1) of the Decree
Follow the request for personal information access, correction/deletion, and suspension of processing in Annex No. 8 form.

311

Page 318
Explanation of personal information protection laws and guidelines and announcements

⑧ Regarding requests for correction or deletion of personal information pursuant to Article 36 (6) of the Act and Article 43 (3) of the Decree
Notification of results and results of requests for suspension of processing of personal information pursuant to Article 44 (2) of the Decree
The notification is in the notification of the result of the request for correction, deletion, and suspension of processing of personal information in Attached Form 10.
follow
Article 32 (Correction and Deletion of Personal Information ) ① The personal information controller is an individual under Article 36 (1) of the Act.
When a request for correction or deletion of information is received, from the date of receipt of the request unless there is a justifiable reason.
Investigate the personal information within 10 days, and according to the request of the information subject, necessary corrections, deletions, etc.
standard guidelines
After taking the action, the result shall be notified to the data subject.
② If the data subject's request for correction or deletion falls under the proviso to Article 36 (1) of the Act,
Grounds that cannot request deletion within 10 days from the date of receipt of the request unless there is no reason
The contents of the Act shall be notified to the data subject.

In order to protect the rights of the data subject from false or inaccurate information,
This is to give the data subject the right to request correction or deletion. However, one-sided information
Correction/deletion may cause another problem, so there are certain restrictions on its exercise.

1. Right to request correction or deletion of information subject (paragraph 1)
The information subject who reads his or her personal information must be aware that there is an error in the personal information or that the retention period has elapsed.
In this case, you may request the personal information controller to correct or delete the personal information. The data subject is an individual
In the case of requesting the information controller to correct or delete the personal information,
A request for correction or deletion of personal information shall be submitted to the relevant personal information controller.

2. Measures such as correction and deletion (paragraphs 2 and 5)
A. Investigation of evidence, etc.
When the personal information controller receives a request for correction or deletion from the information subject, there is a special
Except in cases where procedures are stipulated, the personal information shall be investigated without delay. in this case
The personal information controller shall have the relevant information subject submit evidence necessary to confirm the request for correction and deletion.
can do.

312

Page 319

B. Necessary measures such as correction or deletion
If the personal information controller determines that the request of the information subject is justified as a result of the investigation, the personal information manager shall submit a request for correction or deletion of personal information.
Investigate the personal information within 10 days from the date of receipt, and in accordance with the request of the information subject,
Result of correction and deletion of personal information prescribed by Ordinance of the Ministry of Government Administration and Home Affairs after taking measures such as correction and deletion
The information subject must be notified by a notice (the former part of Article 43 (3) of the Decree).

C. Notification of correction/deletion request
A personal information controller who processes personal information files by receiving personal information from other personal information controllers
When a request for correction or deletion of personal information is received from the information subject, the personal information
Without delay, to the head of the institution that provided the relevant personal information with a request for correction or deletion, or the request for correction or deletion of personal information
and take necessary measures according to the result of the processing (Article 43 (2) of the Decree). personal information controller
When personal information is deleted, measures must be taken to prevent recovery or reproduction.

3. Notification of rejection of deletion (paragraphs 1 and 4, Article 43 Paragraph 3 of the Decree)
If the personal information is specified as the subject of collection in other laws, it may be requested to be deleted.
none. In this case, the personal information controller may request deletion of personal information within 10 days from the date of receipt of the request for correction or deletion of personal information.
Article 5 Chapter

The fact of not complying with the request, the content of the relevant laws and regulations, the reasons therefor, and the method of raising an objection shall be determined by Ordinance of the Ministry of the Interior
tablet

It shall be notified to the relevant information subject in the notification of the result of correction and deletion of personal information
specified.
see
week
sieve
of

Obligation to preserve personal information by law

case

volume
Lee

seeoperators, etc.) ② The telecommunications business operators under Article 15-2 (2 ) of the Act
Article 41 of the Enforcement Decree of the Communications Secret Protection Act (Obligation to cooperate with telecommunications business
chapter

The retention period of communication confirmation data shall be longer than the period specified in each of the following subparagraphs.
1. Data for confirmation of communication in accordance with subparagraph 11 (a) through (d) and (f) of Article 2 of the Act: 12 months However, long-distance and local calls
In the case of data related to service, it shall be six months.
2. Data confirming communication facts pursuant to subparagraph 11 (e) and (g) of Article 2 of the Act: 3 months
Article 6 of the Enforcement Decree of the Consumer Protection Act in Electronic Commerce, etc. (Objects of Transaction Records Preserved by Businesses, etc.) ① Article 6 of the Act
The subject, scope, and period of transaction records to be preserved by business operators pursuant to paragraph (3) are as follows: However, Article 20 of the Act
Mail-order sales brokers under paragraph (1) (hereinafter referred to as “mail-order sales brokers”) have processed information through their own information processing system.
Transaction records in each of the following subparagraphs shall be preserved within the scope of the records.
1. Records on display and advertisement: 6 months
2. Records on contract or subscription withdrawal, etc.: 5 years
3. Records on payment and supply of goods: 5 years

313

Page 320
Explanation of personal information protection laws and guidelines and announcements

4. Records on consumer complaints or dispute resolution: 3 years
② Methods of perusal and preservation of transaction records that business operators should provide to consumers pursuant to Article 6 (3) of the Act are as follows:
same.
1. In the cyber mall where the transaction was made (referring to the cyber mall under subparagraph 4 of Article 2 of the Act; hereinafter the same shall apply);
Allow consumers to view and check transaction records, and store them in the information processing system in the form of electronic documents.
to make
2. Transaction records with the consumer, who is a party to the transaction, may be sent by visit, telephone, fax or e-mail, depending on the consumer's wishes.
make it available for viewing or copying in a way that However, in the transaction record, Articles 4 through 6 of the 「Copyright Act」
If there is a work in accordance with the provisions (excluding works that can be copied under the Copyright Act), the
Copies may be refused.
3. Transaction records and individuals of consumers whose business operator has withdrawn consent on the use of personal information pursuant to Article 6 (2) of the Act
In the case of preserving information, the transaction records and personal information of consumers who have not withdrawn their consent to the use of personal information
to be kept separate from the information

4. Relationship with other laws
According to the 「Information and Communications Network Act」, users are required to provide information on information and communication service providers regarding personal information about themselves.
If there is an error, it is possible to request the correction, while the information and communication service provider, etc.
When a correction is requested, the error is corrected without delay or the user is notified of the reason for the failure to correct it.
It stipulates that necessary measures should be taken. Therefore, for this part, the 「Personal Information Protection Act」
First, the “Information and Communications Network Act” is applied.
On the other hand, since the Credit Information Act stipulates that the subject of credit information can request correction of credit information,
A credit information subject may exercise a request for correction of credit information in accordance with the Credit Information Act.
Article 30 (the user's rights, etc.) ② A user following about the person or the like information for the communication service provider
You may request to view or provide information on any of the matters in each subparagraph, and if there is an error,
You can ask for that correction.
1. Personal information of users held by information and communications service providers, etc.
2. Current status of information and communication service providers, etc. using or providing users' personal information to third parties
3. The status of consent for the collection, use, provision, etc. of personal information to information and communications service providers, etc.
⑤ When an information and communications service provider, etc. is requested to correct an error pursuant to paragraph 2, it shall promptly correct the error.
You must correct or take necessary measures, such as notifying the user of the reason for the failure to correct,
Information and Communications Network Act
Until necessary measures are taken, the relevant personal information shall not be used or provided. but,
Provide or use personal information when requested to provide personal information under other laws
can do.
Article 32-3 (Deletion and Blocking of Exposed Personal Information) ① Information and communication service providers, etc.
To prevent the personal information of users, such as information and credit card information, from being exposed to the public through the information and communications network.
shall.
② Information and communication service providers, etc., when requested by the Korea Communications Commission or Korea Internet & Security Agency
Necessary measures such as deletion and blocking of personal information exposed in Paragraph 1 shall be taken.

314

Page 321

Article 38 3 (delete the needs of individual credit information) ① credit subject is commerce relations, financial transaction is terminated
When the period prescribed by Presidential Decree has elapsed, the provision of credit information and the provision of personal credit information to users
You can request deletion. However, in cases falling under any of the subparagraphs of Article 20-2 (2)
Not so.
② When a credit information provider/user receives a request under Paragraph 1, the personal credit information
Credit Information Act
It shall be deleted and the result shall be notified to the credit information subject.
③ When the request of the credit information subject falls under the proviso to Paragraph 1, the credit information provider and user
It shall be managed as prescribed by Presidential Decree, such as separating it from credit information, and the result shall be credited.
The data subject must be notified.
④ The method of notification under paragraphs (2) and (3) shall be determined and publicly notified by the Financial Services Commission.

5. Penalty Regulations
violation

penalty

Do not take necessary measures for requests for correction or deletion of personal
Imprisonment
information
for not more than 2 years or a fine not exceeding 20 million won
without continuing to use or provide personal information to a third party.

(Article 73, subparagraph 2)

Child (use and provision after violation of Article 36 (2))
Necessary measures are not taken according to the request for correction and deletion of the information subject.
A fine of not more than 30 million won
one who didn't
(Article 75 (2) 11)
(Violation of Article 36 (2))
Non-fulfillment of notification obligation when data subject refuses to request correction
A fineorofdeletion
not more than 10 million won
(Violation of Article 36 (2) and (4))

Article 5 Chapter

(Article 75 (3) 9)
tablet
see
week
sieve
of

6. Q&A

volume
Lee
see
chapter

Q

We are conducting advertisement mail and telephone (TM) promotion of our company service to potential customers.
A customer has requested to unsubscribe. What action should be taken in this case?

A

In the event that the information subject requests to refuse to receive advertisement mail and phone TM, the operator shall do so within 10 days.
(Enforcement Decree Article 43), necessary measures such as suspension of shipment and deletion of list shall be taken.

315

Page 322
Explanation of personal information protection laws and guidelines and announcements

Article 37 Suspension of processing of personal information, etc.
Article 37 (including processing stop personal information) ① information subject of his Personal Information Processor
You can request the cessation of personal information processing. In this case, for public institutions, Article 32
Suspension of processing of one's personal information among personal information files subject to registration
can request
② When the personal information controller receives a request pursuant to Paragraph 1, without delay, the
Upon request, all or part of the processing of personal information shall be suspended. but,
Reject the request for suspension of processing by the information subject in any of the following cases
can do.
1. If there are special provisions in the law or it is unavoidable to comply with the legal obligations
2. There is a risk of harming the life or body of another person, or the property of another person and other
If there is a risk of unfairly infringing on profits

law

3. If a public institution does not process personal information, it may perform the duties under the jurisdiction of other laws.
If you can't
4. If personal information is not processed, the service contracted with the information subject cannot be provided, etc.
In the case where it is difficult to perform the contract, the information subject clearly expresses his/her intention to terminate the contract
If not disclosed
③ When the personal information controller rejects the request to suspend processing in accordance with the proviso to paragraph 2,
The reason shall be notified to the data subject without delay.
④ The personal information controller is responsible for the personal information whose processing has been suspended at the request of the information subject.
Necessary measures such as destruction of the relevant personal information shall be taken without delay.
⑤ Request for suspension of processing pursuant to paragraphs 1 through 3, refusal of suspension of processing,
Matters necessary for methods and procedures for notification, etc. shall be prescribed by Presidential Decree.
Article 44 (including processing stop personal information) ① information subject personal information in accordance with the method of claim 37, paragraph 1
In the case of requesting the processor to suspend the processing of his/her personal information, by Ordinance of the Ministry of the Interior and Safety
A request for suspension of processing of personal information prescribed by the Company shall be submitted to the personal information controller.

② 10 days from the date of receipt of the request for suspension of processing of personal information pursuant to Paragraph 1
Enforcement Decree
In the event that a measure is taken to suspend the processing of the personal information in accordance with the main sentence of Article 37 (2) of the Act within
If the fact of taking such measures was not complied with the request for suspension of processing due to the proviso to the same paragraph;
In the case of personal information, the facts, reasons, and methods of raising objections are prescribed by Ordinance of the Ministry of the Interior and Safety.
The data subject shall be notified with a notice of the result of the request for processing suspension.
Article 3 (Books and Document Formats Related to Personal Information Protection) ⑥ Article 35 (5 ) of the Act and Article 41 of the Decree
In accordance with the request for access to personal information pursuant to paragraph (1), Article 36 (6) of the Act and Article 43 (1) of the Decree
enforcement rules
Requests for correction or deletion of personal information and requests for suspension of processing of personal information pursuant to Article 44 (1) of the Decree
Follow the request for personal information access, correction/deletion, and suspension of processing in Annex No. 8 form.
⑧ Regarding requests for correction or deletion of personal information pursuant to Article 36 (6) of the Act and Article 43 (3) of the Decree

316

Page 323

Notification of results and results of requests for suspension of processing of personal information pursuant to Article 44 (2) of the Decree
The notification is in the notification of the result of the request for correction, deletion, and suspension of processing of personal information in Attached Form 10.
follow
Article 33 (Suspension of processing of personal information )
When requested to suspend the processing of personal information in accordance with the
Part or all of personal information processing must be stopped within 10 days from the date of receipt.
However, in cases falling under the proviso to Article 37 (2) of the Act, the data subject's request to suspend processing
standard guidelines
can refuse
② The personal information controller is responsible for the personal information whose processing has been suspended at the request of the information subject.
The individual concerned within 10 days from the date of receipt of the request to suspend processing unless there is a justifiable reason
Take measures commensurate with the data subject's request, such as destruction of information, and report the result to the data subject
should inform

1. Right of data subject to request suspension of processing (paragraph 1)
The data subject may request the personal information controller to suspend the processing of his/her personal information. stop processing
The right to request is a request to suspend personal information processing activities, and its concept is broader than the right to withdraw consent.
The right to withdraw consent can only revoke consent for the data subject himself/herself, but the processing is suspended
The right to request is the information processed by the personal information controller even if the information subject himself did not consent to the processing.
It means that you can request to suspend the processing of all personal information about the subject. the data subject
Article 5 Chapter

There is no need to give a reason for the request for suspension of processing, and the request can be made at any time.
On the other hand, if the information
Suspension of processing only for one's

tablet
subject requests a public institution to suspend the processing of personal information, inseeaccordance with Article 32,
week
personal information included in the personal information file subject to registration withsieve
the Ministry of Government
of

can request Therefore, the right to request suspension of processing of personal information contained in the following files

volume
Lee

cannot exercise

see
chapter

Administration and Home Affairs

Personal information files excluding requests for processing suspension (Article 32 Paragraph 2 of the Act)
1. Personal information files that record matters concerning national security, diplomatic secrets, and other important national interests
2. Investigation of crimes, filing and maintenance of prosecution, execution of punishment and probation, corrective measures, protective measures, security observation measures and immigration
Personal information file recording matters related to management
3. Individuals who have recorded matters concerning investigations of offenses under the Punishment of Tax Offenders Act and investigations of offenses under the Customs Act;
information file
4. Personal information files used only for internal business processing of public institutions
5. Personal information files classified as confidential under other laws

When a data subject wants to request the personal information controller to stop processing his or her personal information, the Ministry of Government Administration and Home Affairs
A request for suspension of processing of personal information prescribed by Ordinance shall be submitted to the relevant personal information controller.

317

Page 324
Explanation of personal information protection laws and guidelines and announcements

2. Suspension of processing of personal information (Main Paragraph 2, Paragraph 4, Article 44 Paragraph 2 of the Decree)
When the personal information controller receives a request to suspend the processing of personal information, the personal information controller shall respond to the request of the information subject without delay.
Accordingly, all or part of personal information processing must be suspended. The personal information controller suspends processing
The processing must be suspended unless there is an exception or a reason for rejection of the request.
Stopping only the target treatment type is sufficient, but stopping a specific treatment type is sufficient to stop that treatment.
If the request cannot be fulfilled, all processing shall be stopped. In this case, the personal information controller
The fact and the reason for the suspension of processing within 10 days from the date of receipt of the request for suspension of processing of personal information;
The information subject must be notified of the result of the request for suspension of processing of personal information that describes the method of objection.
do. If there is a request from the data subject, the personal information controller shall, without delay, deal with the personal information whose processing has been suspended.
Necessary measures such as destruction of the relevant personal information shall be taken. Necessary measures other than destruction of personal information
Separate personal information file so that the personal information is not used or provided
Separation and storage in (eg, processing suspension personal information file) or the purpose of the suspension of processing of the personal information
There are restrictions set to allow use or provision within the scope that does not harm the achievement, etc.
In each individual case, it is necessary to take the optimal action appropriate to achieve the purpose of the processing suspension requested by the data subject.
should be taken

3. Rejection of request to suspend processing (paragraph 2, Article 44 Paragraph 2 of the Decree)
When the personal information controller receives a request to suspend the processing of personal information from the information subject, any of the following
In one of the cases, the data subject's request to suspend processing may be rejected. In this case, the personal information controller
A decision to reject a request to suspend processing of personal information within 10 days from the date of receipt of a request to suspend processing of personal information from the information subject;
The notice of the result of the request for suspension of processing of personal information stating the facts, reasons and methods of objection
The data subject must be informed.
Reason for refusal of request for processing suspension (Article 37 (2) of the Act)
1. If there are special provisions in the law or it is unavoidable to comply with the legal obligations
2. If there is a risk of harming the life or body of another person or unfairly infringing on the property and other interests of another person;
if any
3. If a public institution is unable to perform its duties as stipulated by other laws without processing personal information
4. If personal information is not processed, it is difficult to fulfill the contract, such as not being able to provide the service agreed with the information subject.
In the case where the information subject did not clearly express his intention to terminate the contract

318

Page 325

4. Relationship with other laws
In the 「Information and Communications Network Act」 and 「Credit Information Act」, separate regulations are prepared for suspension of processing of personal information,
Therefore, in this regard, the 「Personal Information Protection Act」 will follow.

5. Penalty Regulations
violation

penalty

imprisonment for not more than two years; or
Without stopping the processing according to the request to suspend the processing of personal information
A fine of not more than 20 million won
Persons who continue to use or provide to a third party (Article 37)
(Article 73, subparagraph 3)
Take measures such as destruction of personal information that has been processed
A fine of not more than 30 million won
Those who do not (violation of Article 37 (4))

(Article 75 (2) 12)

Non-fulfillment of notification obligation when data subject rejects request to suspend
A fine
processing
of not more than 10 million won
(Violation of Article 37 (3))

(Article 75 (3) 9)

Article 5 Chapter

tablet
see
week
sieve
of
volume
Lee
see
chapter

319

Page 326
Explanation of personal information protection laws and guidelines and announcements

Article 38 Method and procedure for exercise of rights, etc.
Article 38 (Methods and Procedures for Exercising Rights)
Document the request for correction/deletion, suspension of processing under Article 37 (hereinafter referred to as “request for viewing, etc.”)
In accordance with the methods and procedures prescribed by Presidential Decree, such as
② The legal representative of a child under the age of 14 shall notify the personal information controller of the child's personal information.
You can make a request for reading, etc.
③ The personal information controller, as prescribed by Presidential Decree, to the person who makes a request for inspection, etc.

law

You may charge a fee and postage (limited to the case of requesting mailing of copies).
④ The personal information controller shall determine the specific method by which the information subject can request access, etc.
A procedure should be prepared and disclosed so that the data subject can know it.
⑤ The personal information controller shall be responsible for the measures taken by the information subject, such as refusal of a request for viewing, etc.
In case of dissatisfaction, necessary procedures should be prepared and guided so that an objection can be raised.
Article 45 (Scope of Agent, etc.) ① A person who can represent a subject of information pursuant to Article 38 of the Act
It is the same as each of the following items.
1. Legal representative of information subject
2. A person who has been delegated by the information subject
② When an agent under Paragraph 1 acts on behalf of a subject of information pursuant to Article 38 of the Act, personal information
The power of attorney of the information subject prescribed by Ordinance of the Ministry of Government Administration and Home Affairs shall be submitted to the processor.
Article 46 (Identification of information subject or agent) ① The personal information controller shall comply with Article 41 (1).
A request for inspection, a request for correction or deletion under Article 43 (1), or a request for correction under Article 44 (1);
Request for suspension of processing (hereinafter referred to as “request for viewing, etc.” in this Article, Articles 47 and 48)
Upon receipt, it is necessary to confirm whether the person making the request for inspection, etc. is the person or a legitimate representative.
do.
Enforcement Decree
② The personal information controller, which is a public institution, uses the administrative information under Article 36 (1) of the 「Electronic Government Act」.
Joint use of administrative information is prohibited if confirmation under Paragraph 1 is possible through joint use.
should be checked through However, if the relevant public institution cannot jointly use administrative information, or
This is not the case if the data subject does not agree to the confirmation.
Article 47 (Amount, etc. of Fees, etc.) ① The amount of fees and postage pursuant to Article 38 (3 ) of the Act shall be
Within the scope of actual expenses necessary for the request for viewing, etc., the personal information controller shall comply.
However, if the personal information controller is a local government,
follow the bar
② The personal information controller is responsible for the reason for requesting access, etc. to the personal information controller.
In this case, fees and postage are not charged.
③ Fees or postage pursuant to Article 38 (3) of the Act shall be paid in the following manner.
pay However, the National Assembly, the courts, the Constitutional Court, the National Election Commission, the central administrative agencies and the

320

Page 327

Personal information belonging to an affiliated institution (hereinafter referred to as “national institution” in this Article) or a local government
The processor shall be subject to electronic payment means or information and communications networks pursuant to subparagraph 11 of Article 2 of the Electronic Financial Transactions Act.
Telecommunication billing service pursuant to Article 2, Item 10 of the Act on Promotion of Utilization and Information Protection, etc.
You can use it to pay a fee or postage.
1. In case of payment to the personal information controller, which is a national institution: income stamp
2. In case of payment to the personal information controller who is a local government: Income certificate
3. In the case of giving to a personal information controller other than a national institution or local government: The individual concerned
Method determined by the data controller
Article 48 (built in the view request supported systems) ① Privacy The viewer request and the like thereto
Establish a system so that the relevant work can be handled electronically in lieu of notification
The business may be operated or other procedures may be established to handle the relevant business.
② The Minister of Government Administration and Home Affairs shall protect personal information held by public institutions among personal information controllers.
Efficiently carry out the duties of public institutions regarding the request for inspection, etc. and the notification thereof
A system can be built and operated for support.
Article 3 (Books and Document Formats Related to Personal Information Protection) ⑨ Information pursuant to Article 45 (2) of the Decree
enforcement rules
The format of the principal's power of attorney follows the attached Form 11.
Article 34 (Methods and Procedures for Exercising Rights)
In the case of requesting access, etc., it is the same as or better than the method of collecting personal information.
A simple method should be provided so that information subjects can easily exercise their rights, such as requesting access.
standard guidelines
When collecting personal information, documentary evidence that was not requested or additional
You cannot ask for a procedure.
② The provisions of paragraph 1 are intended to
It also applies mutatis mutandis to the settlement

Article 5 Chapter

tablet
see
confirm that the person is the principal or a legitimate agent
in accordance
week
sieve
of fees and postage in accordance with Article 47 of the Decree.
of

with Article 46 of the Decree.

volume
Lee

The personal information controller may make it difficult for the information subject to exercise his/her rights and procedures,seeor

chapter

You must not charge a fee. However, information by persons other than the data subject without authority or beyond authority
An appropriate level of identity verification procedure should be devised to prevent the subject's rights from being exercised on behalf of the subject.

1. Exercise of rights by an agent (paragraph 1)
The information subject may use an agent to exercise rights such as the right to request access to personal information, the right to request correction/deletion, and the right to request processing suspension.
This can be done through (paragraph 1). The scope of the agent includes information from data subjects other than the legal representatives of the data subjects.
It includes voluntary representatives who have been granted the power of representation based on a delegation contract, etc. (Article 45 of the Enforcement Decree). over 14 years old
Regarding the personal information of the information subject who is a minor, the minor himself/herself may exercise the above rights,

321

Page 328
Explanation of personal information protection laws and guidelines and announcements

The above rights may be exercised through the legal representative of minors over the age of 14. information like this
The right to self-determination of personal information is to have the subject's right to request related to personal information through an agent.
It can represent incidental procedural acts necessary for exercise. Therefore, the essence of the right to self-determination of personal information is
Only the data subject can decide whether to correct, delete, or suspend the processing of his/her personal information.

2. Exercise of rights of legal representatives (paragraph 2)
The legal representative of a child under the age of 14 must provide the personal information controller with access to personal information about the child,
You can request correction, deletion, suspension of processing, etc. Access to personal information about children under the age of 14 is prohibited by law.
It must be done by the representative himself, and children are not permitted to do so with the consent of the legal representative. method
In order to process personal information of children under the age of 14 in Article 22 (5), consent under this Act must be obtained.
It is in the same context as obtaining the consent of the legal representative.

3. Duties and Methods of Identification (Article 46 of the Enforcement Decree)
A. Identification Obligation
When the personal information controller receives a request for access to personal information, a request for correction/deletion, or a request to suspend processing,
It must be confirmed whether the person making the request is the person or a legitimate representative. In the case of an agent, the agent
A power of attorney that can prove the agency relationship between the data subject and the agent as well as the identity verification
and a personal seal or, in the case of a legal representative, a document confirming that the person is a legal representative (copy of resident registration, family member
related certificates, etc.) must be additionally checked.

Or identification methods
The method of identification is not specifically specified. Therefore, in the case of the Internet, electronic signature, i-PIN,
You can check it by methods such as mobile phone number and date of birth, and in the case of offline, resident registration card,
Driver's license, passport, official ID card, etc. that is, objectively recognized as a reasonable means
do it by the method.

322

Page 329

C. Special Cases of Public Institutions
If the personal information controller is a public institution, joint administrative information under Article 36 (1) of the 「Electronic Government Act」
If identification is possible through use, it should be verified through joint use of administrative information. However, that
In the event that public institutions cannot jointly use administrative information or the information subject does not agree to the verification
Not so.

4. Request for viewing fee, etc. (Paragraph 3, Article 47 of the Enforcement Decree)
The charge reference (zero paragraph 1)
The personal information controller shall pay the fee and postage (in the case of requesting the mail of a copy) to the person requesting access, etc.
limited) can be claimed. However, the amount of fees and postage is not applicable for viewing, correction, or deletion of personal information.
You must claim within the range of actual expenses required. If the personal information controller is a local government, the local government
In accordance with the regulations of the local government.

Or payment method
① State institutions and local governments
Article 5 Chapter

National Assembly, the courts, the Constitutional Court, the National Election Commission, central administrative agencies and their affiliated institutions (hereafter in this Article)
In the case of paying a fee or postage to a personal information controller who is a “national institution”),
In the case of payment to the personal information controller, which is a local government, each payment is made with an

tablet
see
week
incomesieve
stamp.
of
volume

However, the personal information controller, which is a national institution or a local government, is subject to Article 2(11) Lee
of the 「Electronic Financial Transaction Act」.
see

Electronic payment means or pursuant to subparagraph 10 of Article 2 of the 「Act on Promotion of Information and Communications
chapter Network Utilization and Information Protection, etc.」
You can use the telecom billing service to pay a fee or postage.
② Other personal information controllers
In the case of paying a fee or postage to a personal information controller other than a national institution or local government
The method of payment of the fee shall be determined by the relevant personal information controller.

323

Page 330
Explanation of personal information protection laws and guidelines and announcements

C. Loss of collection right (Section 2 of the Decree)
If the reason for requesting access, correction, deletion, suspension of processing, etc. of personal information is in the personal information controller
In this case, fees and postage cannot be charged. The reason for requesting access, etc. here is the individual concerned
Being in the information controller means 'when there is an error (intentional or negligence) in the personal information controller'
should not be construed and the processing of the personal information is not for the benefit of the personal data controller or
It should be engraved in the sense that it occurred in the area of ​responsibility of the processor. Therefore, the personal information controller
In the case of processing personal information for the purpose of processing or there is an interest in the processing, the information subject
Cases where a request for viewing, etc. is made simply because 'I'm curious' or 'I want to check' without any special reason
We will not charge any fees or postage except for this.

5. Methods and procedures for exercising rights (paragraphs 4 and 5, Article 48 of the Decree)
A. Method and procedure for exercising rights (paragraph 4)
The personal information controller shall prepare specific methods and procedures for the subject of information to request access, etc.
This must be disclosed so that the data subject can know it. Many data subjects are unaware of their rights,
Even if they know it, the procedure is difficult and complicated, so there are many cases of giving up. Therefore, the exercise of the rights of the data subject
The method and procedure should be easy to understand and convenient at least according to the personal information collection procedure or membership registration procedure,
You must not ask for evidence or additional procedures that were not required when collecting personal information.
(Standard Guidelines Article 34 Paragraph 1). In addition, exercise various rights as much as possible so that the information subject can conveniently choose
There must be a way to provide it. For example, visit, written, telephone, e-mail, Internet website, etc.
In this way, information subjects should be able to request access, correction, deletion, suspension of processing, etc.

B Appeal Procedure (Section 5)
If there is any dissatisfaction with the refusal of a request for viewing, etc., the information subject may raise an objection.
The personal information controller shall prepare and guide the necessary procedures (paragraph 5). Appeal in this case
In order for the procedure to be operated fairly, external experts must be involved or internal checks must be in place.
do.

The building, including support systems view (Young Article 48)
The personal information controller may electronically handle the relevant business in lieu of a request for access, etc. and a notification thereof.
The relevant business may be processed by establishing and operating a system for

324

Page 331

The Minister of Government Administration and Home Affairs is responsible for the perusal, etc. of personal information held by public institutions among personal information controllers.
Personal information in order to efficiently support the performance of public institutions in relation to requests and notifications
A comprehensive protection portal has been built and operated.
< Comprehensive personal information protection portal (www.privacy.go.kr)>

6. Relationship with other laws
Article 5 Chapter
In the 「Information and Communications Network Act」, when a user requests a reading, etc. from an information and communication
service provider, etc., without delay

tablet

to take necessary action. However, since the “Information and Communications Network Act” is limited to users’ requests for viewing,
etc.,
see
week

In the event that a person other than the user requests access to personal information as a subject of information, the 「Personal Information
Protection Act」
sieve
of

You must take the necessary measures within 10 days.

volume
Lee

The “Credit Information Act” stipulates regulations on the method and procedure for exercising rights with respect to requestsseefor access, etc. of information subjects.
chapter

In this regard, credit information users and providers follow the 「Personal Information Protection Act」.

Article 30 (Rights of Users, etc.) ③ Information and communication service providers
If you withdraw, we will take necessary measures without delay, such as destroying the collected personal information so that it cannot be recovered or reproduced.
shall.
④ When the information and communications service provider, etc. is requested to read or provide pursuant to Paragraph 2,
action should be taken
⑤ When an information
and communications service provider, etc. is requested to correct an error pursuant to paragraph 2, it shall promptly correct the error.
Information and Communications
Network Act
Necessary measures shall be taken, such as correcting or notifying the user of the reason for the failure to correct, and
Until measures are taken, the relevant personal information shall not be used or provided. However, other laws
When requested to provide personal information, the personal information may be provided or used.

325

Page 332
Explanation of personal information protection laws and guidelines and announcements

⑥ The information and communications service provider, etc. shall withdraw consent under paragraph (1) or access or view personal information under paragraph (2).
The method of requesting provision or correction of errors should be easier than the method of collecting personal information.
Article 31 (Rights of Legal Representative) ② The legal representative is responsible for the personal information of the child in Article 30 (1)
and the rights of users pursuant to Paragraph 2 may be exercised.
Article 39 (Free Inspection Rights) A credit inquiry company shall be held for a certain period prescribed by Presidential Decree within one year.
Credit Information An
Actindividual credit information subject must be able to receive or view his/her personal information free of charge at least once.
do.

7. Q&A
Q

What is the standard for charging fees for private business operators?

A

The personal information controller may charge a fee and postage to a person who requests access, etc. Only for reading
In the case of follow-up measures, only the minimum actual cost should be calculated by calculating the printing cost, utility fee, labor cost, etc.
do.

326

Page 333

Article 39 Liability for Damages
Article 39 (Liability for Compensation for Damages) ① The information subject shall be liable for damages caused by the personal information controller's violation of this Act.
If you do, you can claim compensation from the personal information controller. In this case, the personal information
The processor cannot escape liability unless it proves that there is no intention or negligence.
② Delete
③ Personal information is lost, stolen, or lost due to the intentional or gross negligence of the personal information controller.
In the case of leakage, forgery, alteration, or damage to the information subject, the court shall
The amount of compensation may be determined within the range not exceeding three times the amount of damage. However, personal
This is not the case when the information controller proves that there is no intentional or gross negligence.
law

(4) When determining the amount of compensation under paragraph (3), the court shall consider the following matters:
1. The degree to which intentional or risk of damage was recognized
2. The amount of damage caused by the violation
3. Economic benefits acquired by the personal information controller due to illegal acts
4. Fines and surcharges for violations
5. Period and number of violations, etc.
6. Property status of personal information controller
7. After the personal information controller loses, steals, or leaks the personal information of the information subject, the personal information
degree of effort to recover
8. The degree to which the personal information controller has made efforts to remedy the damage of the data subject

Article 5 Chapter

As with general 'information' leakage or misuse cases, personal information leakage or misuse cases
Even in this case, it is difficult to know when, at what stage, and whose fault the incident occurred. therefore
In the event of a personal information leakage or misuse, the personal information is processed and profit is obtained.

tablet
see
week
sieve
of

volume
The right of the personal information controller to have the personal information controller prove that there is no intention or negligence
on his/her own
Lee

It is intended to practically guarantee the right to receive prompt and fair damage relief, which is one of them.

see
chapter

The Personal Information Protection Act provides not only the right to claim compensation for general actual damage, but also the personal information controller.
If there is an illegal act due to intentional or gross negligence, the adverse effect on society and the illegal act
Considering the strong deterrence effect against
The right to claim punitive damages was introduced so that a claim for damages can be made within three times the actual amount of damage.
ReferenceRequirements for the establishment of liability for damages
· Infringement must exist and be illegal
· Damage must have occurred
· There must be a causal relationship between the infringement and the damage.
· Must have intentional negligence and responsibility

327

Page 334
Explanation of personal information protection laws and guidelines and announcements

1. Requirements for the establishment of the right to claim damages (the former part of paragraph 1)
There must be a violation of this law
In order for the right to claim compensation under this Article to occur, the personal information controller must have violated this Act.
There must be facts (infringement). However, just by violating this law, liability for damages arises immediately.
it is not If the violation objectively contradicts or conflicts with the position of the entire legal order, that is, illegality
Responsible only when approved.
Normally, a violation of this law is judged to be illegal, but the violation
If it is deemed practically or socially acceptable under circumstances, that is,
If it is recognized that it does not go against the rules of society, such as public order and customs,
Illegality is sculpted. Personal information may be used to protect the life, body, and property of others.
Therefore, in determining the liability for damages, it is especially important to determine whether the
should be carefully considered.
Compensation for damages under this Article can be claimed only for violations of this Act, and the 「Information and Communications Network Act」, 「Location
Compensation for damages under this Article cannot be claimed for violations of the “Information Act” and “Credit Information Act”.
In that case, a claim for damages may be made pursuant to the relevant Act or the Civil Act.

I must have caused damage as a result of the violation
The data subject must have suffered damage as a result of the violation of this law. Damage is property damage or economic damage
It is not limited to damage but includes non-property damage, that is, mental damage. For example, property damage
Property loss due to fraudulent use of credit cards and illegal loans due to leakage of credit card numbers and resident registration numbers
In the case of an occurrence, and mental damage, the information subject's loss due to the leakage of e-mail addresses, phone numbers, etc.
It refers to a case where mental damage is caused by receiving spam emails or marketing advertisements against the will.
The data subject, the plaintiff, bears the burden of proof for the fact that damage has occurred and the amount of damage.

It will be a causal link between the damage and the law violation
There must be a substantial causal relationship between the violation of this law and the damage. Damage according to the Equivalent Causality Theory
The scope of compensation shall be limited to 'normal damage'. That is, there is a causal relationship between an action (cause) and damage (effect).
Instead of compensating for all damages as long as they exist, if compensation is made within the limit of 'normal damages'
do. The fact that a substantial causal relationship exists between the offense and the damage must be demonstrated by the information subject.

328

Page 335

Therefore, in principle, we are not responsible for compensation for 'damage due to special circumstances', but
If the processor knew or could have known the circumstances, he/she is responsible for compensation (Articles 393 and 763 of the Civil Act).
Regarding the fact that the personal information controller knew or should have known the circumstances, the plaintiff's information
The subject has the burden of proof.
ReferenceSignificant causation (相當因果關係
相當因果關係)
If there is a cause (act), the relationship that is usually recognized as such a result (damage) will occur according to the rule of law under the law.
It is said to be in a 'significant causal relationship'. The scope of the equivalent causal relationship may vary depending on who will be the basis for the judgment.
have. Whether to make a decision based on the actor or the general public (average person)
Accordingly, it is divided into subjective equivalent causation theory, objective equivalent causation theory, and eclectic equivalent causation theory. causal
Since a relationship belongs to a natural phenomenon, it should be objectively judged, but with regard to human behavior,
It is inappropriate to judge ignoring subjective circumstances at all, so it is not appropriate to judge causality based on objective criteria.
In principle, the eclectic equivalent causality theory that takes into account the subjective circumstances of the actor is currently in the prevailing position.

Articles 393 and 763 of the Civil Code
Article 393 (Scope of Compensation for Damages) (1 ) Compensation for damages resulting from default shall be limited to ordinary damages.
② In case of damage caused by special circumstances, the debtor is liable for compensation only when the debtor knew or could have known the circumstances.
have.
Article 763 (Provisions Applicable Mutatis Mutandis) The provisions of Articles 393, 394, 396, and 399 shall apply mutatis mutandis to compensation for damages caused by illegal acts.

LA high, fruit and accountability will exist

Article 5 Chapter

In order to ask the personal information controller to be liable for damages, he/she must be intentionally or negligent and
there should be

tablet
see
responsible.
week
sieve
of
volume

Intentional means that the personal information controller dares to act despite the knowledge of the violation of this law. certain
Lee action
see
chapter

The so-called unwritten act that dares to do it while doubting that doing so may lead to certain results
Intention is also included in intent.

Negligence is defined as a negligence required by the law of good faith in light of the social status such as career, experience and occupation of the personal information controller.
It refers to not being aware of a violation of this law because it lacks a degree of caution. i.e. personal information
It means that the processor did not fulfill his duty of care as a good manager.
In the case of contract liability, a person who is expected to be equated with the intentional or negligence of the personal information controller under the law of good faith
For example, the appointment, direction, and management of personal information controllers such as workers, employees, temporary workers, commissioned workers, part-time students, etc.
The intention or negligence of a performance assistant under supervision shall be deemed the intention or negligence of the personal information controller (Article 391 of the Civil Act).
Furthermore, the trustee violates this Act in the process of handling personal information in relation to the entrusted work.
Regarding the contractual liability for damages, the intention or negligence of the trustee also belongs to the personal information controller.

329

Page 336
Explanation of personal information protection laws and guidelines and announcements

It is regarded as intentional or negligence of the employee (Article 26 (6) of the Act). In the case of tort liability, according to the principle of self-responsibility, the individual
The information controller shall be held responsible for its own intentional or negligence. If the personal information controller is a corporation
The injurious acts of the directors and other representatives are the injurious acts of the corporation itself and are the responsibility of the corporation itself. Privacy
Appointment or appointment of an employee or supervisor under his or her supervision by the processor as an employer or supervisor;
If the supervisory duty is not fulfilled, the personal information controller's own negligence
take responsibility for Even in the case of tort liability, the trustee belongs to the personal information controller according to the law.
shall be regarded as an employee (Article 26 (6) of the Act).

2. Conversion of burden of proof for intentional or negligence (the latter part of paragraph 1)
In the case of a claim for damages due to default (non-performance of contract), the burden of proving intentional or negligent
In principle, the personal information controller who is the defendant (debtor) bears the responsibility of the claim for damages based on illegal acts.
In principle, the data subject, the plaintiff (victim), bears the burden of proving intentional or negligence.
However, in respect of claims for damages in violation of this Act, whether due to non-performance of contract or to torts
The burden of proof of intentional or negligence, whether by reason, shall be borne by the personal information controller of the accused. i.e. personal information
The processor must prove by himself that there is no intention or negligence on the part of the processor. personal information
It is practically difficult for the subject to prove the intention or negligence of a company, organization, or public institution, and therefore
If you have the data subject prove intentional or negligent, the data subject will actually be able to get relief from damage.
Because it results in blocking. Therefore, due to acts that violate the provisions of this Act, the information subject
In case of damage, by having the personal information controller prove that there is no intention or negligence on its own,
It substantially guarantees the right to receive prompt and fair damage relief, which is one of the rights, and at the same time
It will act as a mechanism to improve the law enforcement rate of the processor.

3. Punitive damages (paragraphs 3 and 4)
In addition to the provisions of Paragraph 1 regarding general actual damage compensation, the Personal Information Protection Act
In the case of damage caused by illegal acts, the deterrence and prevention of such malicious illegal acts, and personal information
In order to strengthen sanctions against the processor and remedies for damage to the information subject, within the scope of not exceeding three times the actual damage.
Punitive damages are allowed. However, for illegal acts that allow punitive damages, personal information
Not all acts that violate the protection law, but 'personal information
If personal information is lost, stolen, leaked, forged, altered, or damaged due to the intentional or gross negligence of the processor
case' only. When damage is caused to the information subject due to such malicious misconduct, the court shall
The amount of compensation may be determined within the range not exceeding three times the amount of damage. The data subject is a general loss

330

Page 337

As with the right to claim compensation, the intentional or gross negligence of the personal information controller, the existence of malicious misconduct, and the
The causal relationship between the illegal act and the occurrence of damage and the actual amount of damage must be proven. However, regarding compensation
To prevent unreasonable damage to the general principle of negligence, and to compensate for punitive damages with increased liability.
In order to prevent the personal information controller from being unreasonably liable for punitive damages due to
The processor is actively defending itself, i.e. that the personal data controller has no intentional or gross negligence on the part of the processor.
In the case of proof, it was allowed to escape from liability for punitive damages.
When determining the amount of punitive damages, punitive damages are allowed by increasing the amount up to three times the actual damage.
To avoid unreasonably excessive compensation by calculating the minimum amount of punitive damages suitable for the purpose
The court is obliged to make a judgment by comprehensively considering the following various factors.
Mandatory considerations when calculating the amount of punitive damages (Article 39 (4) of the Act)
1. The degree to which intentional or risk of damage was recognized
2. The amount of damage caused by the violation
3. Economic benefits acquired by the personal information controller due to illegal acts
4. Fines and surcharges for violations
5. Period and number of violations, etc.
6. Property status of personal information controller
7. The degree to which the personal information controller has made efforts to recover the personal information after loss, theft, or leakage of the personal information of the information subject
8. The degree to which the personal information controller has made efforts to remedy the damage of the data subject

Article 5 Chapter

4. Extinction of the right to claim compensation

tablet
see
week
sieve
of

Because the Personal Information Protection Act does not set a specific time limit for exercising the right to claim damages,
Information on whether general liability (paragraph 1) or punitive liability (paragraph 3) is applied as the general rules apply

volume
Lee

The fact that the subject (victim) or his/her legal representative suffered damage due to the violation of this Act and the perpetrator
see (personal information
chapter

3 years from the date of knowing the processor) or 10 years from the date of the illegal act, the right to claim damages
disappear (Article 766 of the Civil Act). Of these, 3 years is the prescription period and 10 years is the exclusion period. here
Knowing the damage is knowing not only the fact that the damage occurred, but also knowing that the inflicted act was an illegal act.
means there must be

331

Page 338
Explanation of personal information protection laws and guidelines and announcements

5. RELATIONSHIP TO OTHER LAWS
The “Information and Communications Network Act” and the “Credit Information Act” are respectively concerned with liability for damages (general damages and punitive damages).
There are separate regulations for this. Accordingly, information and communications service providers, etc. and credit information use/providers, credit
Information companies, etc. shall be liable for damages in accordance with each applicable law.
Article 32 (Compensation for Damages) ① The user shall be liable for damages caused by the information and communications service provider, etc. in violation of the provisions of this Chapter.
In the event of damage, the information and communication service provider, etc. may claim compensation for damage. In this case, the information
A communication service provider, etc. cannot be exempted from liability unless it proves that there is no intention or negligence.
② Personal information is lost, stolen, or lost due to intentional or gross negligence of the information and communications service provider, etc.
In the case of leakage, forgery, alteration, or damage to the user, the court shall determine the amount of the damage.
The amount of damages may be determined within the range not exceeding three times. However, information and communication services
This is not the case when the provider, etc. proves that there is no intentional or gross negligence.
(3) When determining the amount of compensation for damages under paragraph (2), the court shall consider the following matters:
Information and Communications
1. The degree Network
to which intentional
Act
or risk of damage was recognized
2. The amount of damage caused by the violation
3. Economic benefits acquired by information and communications service providers, etc. due to violations;
4. Fines and surcharges for violations
5. Period and number of violations, etc.
6. Property status of information and communications service providers, etc.
7. The information and communications service provider, etc. may lose, steal, or leak the user's personal information
degree of effort to recover
8. The extent to which information and communications service providers, etc. have made efforts to relieve damage to users.
Article 43 (Liability for Compensation for Damages) ① A credit information company, etc. and other credit information users violate this Act.
In the event of damage to the credit information subject, the credit information subject shall be liable for damages.
lose However, if the credit information company, etc. and other users of credit information prove that there is no intention or negligence,
In this case it is not so.
② Credit information companies, etc. or other credit information users (including trustees; hereafter the same in this Article)
Personal credit information is leaked, lost, stolen, leaked, intentionally or grossly negligent, in violation of this Act
In the case of alteration or damage to the subject of credit information,
It shall be liable for compensation to the extent that it does not exceed three times the damage. However, credit information companies, etc.
This shall not apply if the other credit information user proves that there is no intentional or gross negligence.
Credit Information Act
No.
(3) When determining the amount of compensation under paragraph (2), the court shall consider the following matters:
1. The degree to which intentional or risk of damage was recognized
2. The amount of damage caused by the violation
3. Economic benefits acquired by credit information companies, etc. or other users of credit information due to violations;
4. Fines and surcharges for violations
5. Period and number of violations, etc.
6. The financial status of credit information companies, etc. or other users of credit information
7. Applicable after loss, theft, or leakage of personal credit information of credit information companies, etc. or other users of credit information
Degree of effort to recover personal credit information

332

Page 339

8. Degree of damage relief efforts by credit information companies, etc. or other users of credit information
④ A debt collection company or a commissioned debt collector violates this Act to pay debtors and their related persons.
If damage is caused, the damage must be compensated. However, debt collection companies or commissioned claims
This is not the case when the collector proves that he was not intentionally or negligent.
⑤ The credit information company that has been commissioned for the work under Article 4 (1) to the client for reasons attributable to it
If damage is caused, the damage must be compensated.
⑥ A person entrusted with the processing of credit information pursuant to Article 17 (2) violates this Act,
In the event of damage to the subject, the consignor shall be jointly and jointly liable for damages.
⑦ Delegated claim collectors violate this Act or the 「Act on Fair Collection of Claims」, and
In case of damage to the debtor's related persons, the debt collection company shall jointly and jointly with the commissioned claims collector for the damage.
take responsibility for However, if the debt collection company proves that it was not intentionally or negligent,
Not so.

Article 5 Chapter

tablet
see
week
sieve
of
volume
Lee
see
chapter

333

Page 340
Explanation of personal information protection laws and guidelines and announcements

Article 39-2

Claim for statutory damages

Article 39-2 (Claim for statutory damages) ① Notwithstanding Article 39 (1), the subject of personal information
Personal information is lost, stolen, leaked, forged, falsified, or lost due to the intentional or negligence of the processor.
In the case of damage, compensation shall be made for a considerable amount within the range of not more than 3 million won.
can claim In this case, the personal information controller does not prove that there is no intention or negligence.
law

Otherwise, you cannot escape responsibility.
(2) When there is a request under paragraph (1), the court shall review the purport of the entire pleading and the result of the examination of evidence.
Considering that, a considerable amount of damage may be recognized within the scope of Paragraph 1.
③ The subject of information who has requested damages pursuant to Article 39 shall not be entitled to the conclusion of the pleadings of the factual trial (事實審).
The request may be changed to a request under paragraph (1) before the date.

In spite of a large amount of personal information leakage, the information subject is actually exposed to personal information leakage or misuse.
In the end, there are very few cases where relief is achieved through compensation for damages. No real damage relief
The biggest reason for the failure is that the victim, the data subject, did not succeed in proving the damage. individual
Damage caused by information leakage or misuse can be divided into property damage and mental damage,
Property damage is caused by illegal use of personal information to obtain illegal loans or illegal transactions.
As long as there is no loss of property, it is not easy to admit damage to property only by leaking personal information.
Even in the case of mental damage, what is the type and nature of the leaked personal information, and the information subject is determined by the leakage of personal information.
Whether the possibility of identification has occurred, whether a third party has read the leaked personal information, or whether a third party has read it
If it is not clear whether there was or will be a possibility of a third party reading it,
To what extent personal information has spread and whether additional legal interests have been violated due to personal information leakage;
The actual situation in which the person handling personal information has been managing personal information and the specific circumstances in which the personal information was leaked
What measures are taken to prevent the occurrence and spread of damage caused by leakage of personal information?
Whether or not mental damage is recognized according to a specific case, taking into consideration various circumstances, such as whether or not
Because it is judged individually, it is necessary to prove or acknowledge the occurrence of mental damage due to personal information leakage.
It's not easy. Alleviating the difficulties of relieving the data subjects and protecting the actual data subjects and
Together, in order to strengthen the responsibility of the personal information manager, to relieve the burden of proof of the amount of damage
A system of statutory damages was introduced.
ReferenceClaim requirements for statutory damage liability
· There must be loss, theft, leakage, forgery, alteration or damage of personal information due to the intentional or negligence of the personal information controller;
· Claim a substantial amount of damage within the range of 3 million won or less;
· Must have intentional negligence and responsibility

334

Page 341

1. Requirements for claiming damages (the former part of Paragraph 1)
A. Loss, theft, leakage, counterfeiting, or loss of personal information due to intentional or negligence of the personal information controller
There must be alteration or damage
In order for the right to claim statutory damages under this Article to occur, the personal information controller must be intentionally or negligently
Together with this, infringing acts such as loss, theft, leakage, forgery, alteration or damage of personal information
must exist Loss of personal information is the loss of personal information without your knowledge.
Theft means that your personal information has been stolen by someone, and leakage means that your personal information is stolen.
It means leaking out. In other words, if you lose your personal information without your knowledge,
If someone steals or steals your personal information, your personal information may leak out.
should happen Forgery refers to the creation of new personal information by an unauthorized person, and falsification is
It means making changes to existing personal information, and damage means making personal information unusable.
it means. Such actions must occur due to the intention or negligence of the personal information controller.

(b) to claim a substantial amount of damage within the range of not more than 3 million won;
Considering that it is difficult to prove the amount of damage in the case of general liability for damages, statutory damages are
Based on the fact that it is a system to alleviate the difficulty of proving the amount of damage to the data subject who is the victim,
The subject does not need to prove the specific amount of damage. In the event of a claim for statutory damages, the court

Article 5 Chapter

Considering the purpose of the pleadings as a whole and the results of the examination of evidence, a reasonable amount of damage
tabletmay be recognized within the limit of 3 million won.
see

can However, the information subject is responsible for the loss, theft, leakage, or loss of personal information due to the intentional
week or negligence of the personal information controller.
It must be claimed that damages (not specific damages) have occurred due to forgery, alteration, or damage.

sieve
of

do. The data subject is responsible for proving the specific amount of damage or determining the scope of the damage.

volume
Lee
see

It is not necessary to prove the scope. However, the information subject is subject to maximum damage within the scope of 3 million
chapterwon.
If you want to get compensation, the court will help you in calculating the amount of damage, including the probability of the occurrence of the damage.
It will be necessary to prove what is possible.

C. The causal relationship between the loss, theft, leakage, forgery, alteration, or damage of illegal personal information and damage
there will be a relationship
Statutory damage compensation is the right to claim damages in lieu of actual damage compensation under Article 39, and the scope of compensation is limited to that of actual damage.
limited to the scope In other words, even when the court calculates a substantial amount of damage as statutory damages, it
limited within the scope of the equivalent causal relationship between the listed offenses and damages. Therefore, 'normal damage'

335

Page 342
Explanation of personal information protection laws and guidelines and announcements

The court only needs to admit a substantial amount of damage based on the results of the evidence examination. Scope of damages
Or, as it is a system to alleviate the difficulty of proof in the calculation of specific damages, the information subject
It is not necessary to prove that there is a substantial causal link between the misconduct and the damage. However, 'special
In the case of 'damage due to circumstances', if the personal information controller knew or could have known the circumstances,
It is responsible for compensation (Articles 393 and 763 of the Civil Act), and the personal information controller knew or could not know the circumstances.
For the fact that there may have been, the plaintiff, the data subject, has the burden of proof.

Articles 393 and 763 of the Civil Code
Article 393 (Scope of Compensation for Damages) (1 ) Compensation for damages resulting from default shall be limited to ordinary damages.
(2) Damages due to special circumstances are subject to compensation only when the debtor knew or could have known the circumstances.
responsible

LA high, fruit and accountability will exist
In order to ask the personal information controller to be liable for statutory damages, he or she must be deliberately or negligently responsible.
there should be
Intentional means that the personal information controller dares to act despite the knowledge of the violation of this law. certain action
The so-called unwritten act that dares to do it while doubting that doing so may lead to certain results
Intention is also included in intent.
Negligence refers to the extent required by the law of good faith in light of the social status such as career, experience and occupation of the personal information controller.
Failure to recognize a violation of this law because of a lack of attention. That is, the personal information controller
It means that you have not fulfilled your duty of care as a good manager.
The intention or negligence of the trustee shall also be regarded as the intention or negligence of the employee belonging to the personal information controller (Article 26 (6) of the Act).

2. Conversion of burden of proof for intentional or negligence (the latter part of paragraph 1)
In the case of a claim for damages due to default (non-performance of contract), the burden of proving intentional or negligent
In principle, the personal information controller who is the defendant (debtor) bears the responsibility of the claim for damages based on illegal acts.
In principle, the data subject, the plaintiff (victim), bears the burden of proving intentional or negligence.
However, for claims for statutory damages, whether due to non-performance of contract or tort
Alternatively, the burden of proof of negligence is borne by the personal information controller of the accused. In other words, the personal information controller intentionally or
You must prove yourself that you are not at fault.

336

Page 343

3. Time of exercise of claim for statutory damages (paragraph 3)
Even if the information subject claims for damages pursuant to Article 39, until the pleadings of the factual trial are completed
The claim may be changed to a claim for statutory damages at any time. This is to strengthen the effectiveness of the rights remedy.
to clarify the purpose. Conversely, although there is no explicit provision, statutory damages
The information subject who has requested shall compensate for damages pursuant to Article 39 by proving the actual loss before the conclusion of the pleadings for the trial trial.
It is also possible to change to billing.

4. Extinction of the right to claim compensation
Unlike the “Information and Communications Network Act” or the “Credit Information Act,” this Act does not have any restrictions on the claim period for statutory damages.
Because there is no provision, the period for exercising the right to claim compensation for damages is limited according to the statute of limitations under the Civil Act of general corporations.
it is decided In other words, the right to claim compensation for statutory damages is the right of the victim or his/her legal representative to be aware of the damage and the perpetrator.
If it is not exercised within three years from the date of execution, the right to claim for statutory damages is extinguished (Civil Act, Article 766 (1)).
The same shall apply when ten years have elapsed from the date of committing the illegal act that is the basis for the claim for statutory damages.
(Civil Code Article 766 Paragraph 2).

5. RELATIONSHIP TO OTHER LAWS
Article 5 Chapter

The “Information and Communications Network Act” and the “Credit Information Act” each have separate provisions regarding liability for statutory damages.
Therefore, information and communications service providers, etc., and credit information use/providers, credit information
shall be liable for statutory damages accordingly.

tablet
see
companies,
week
sieve
of

Article 32-2 (Claim for Statutory Damages) ① In the event that a user falls under any of the following subparagraphs,
Compensation for damages under Article 32 to information and communications service providers, etc. within the period

etc. are subject to each applicable law.

volume
Lee
see
chapter
prescribed

by Presidential Decree

Instead of making a claim, you may claim compensation for a substantial amount of damage within the range of 3 million won or less.
can In this case, the information and communications service provider, etc. shall not prove that there is no intention or negligence.
Otherwise, you cannot escape responsibility.
Information and Communications
1. In case the Network
information
Actand communications service provider, etc. violates the provisions of this Chapter intentionally or negligently;
2. In case personal information is lost, stolen, leaked, forged, altered or damaged
(2) When there is a request under paragraph (1), the court shall review the purport of the entire pleading and the result of the examination of evidence.
Considering that, a considerable amount of damage may be recognized within the scope of Paragraph 1.
③ A user who has claimed compensation for damages pursuant to Article 32 shall not do so until the pleadings for the factual examination are completed.
A claim may be changed to a claim under paragraph (1).
Article 43-2 (Claim for Statutory Damages) (1 ) A credit information subject falls under any of the following subparagraphs:
Credit Information Act
Within the period prescribed by Presidential Decree, credit information companies, etc. or other users of credit information (the trustee

337

Page 344
Explanation of personal information protection laws and guidelines and announcements

include 3 million won instead of claiming compensation for damages under Article 43
Compensation may be claimed with a substantial amount as the amount of damage within the range below. in this case
The credit information company, etc. or other credit information users shall not prove that there is no intention or negligence.
If you do, you cannot escape responsibility.
1. A credit information company, etc. or other credit information users intentionally or negligently violate the provisions of this Act
in case of violation
2. When personal credit information is lost, stolen, leaked, altered or damaged
(2) When there is a request under paragraph (1), the court shall review the purport of the entire pleading and the result of the examination of evidence.
Considering that, a considerable amount of damage may be recognized within the scope of Paragraph 1.
(3) A person who has filed a claim under Article 43 shall file the request under paragraph (1) until the court concludes pleadings.
It can be changed by request.

338

Page 345

Chapter 6
Personal Information Dispute Mediation Committee
Article 40 Installation and Configuration
Article 41 Guarantee of member status
Article 42 Exclusion, challenge, and evasion of members
Article 43 Application for Mediation, etc.
Article 44 Processing period
Article 45 Request for data, etc.
Article 46 Recommendation of Agreement Before Conciliation
Article 47 Mediation of Disputes
Article 48 Rejection and Suspension of Mediation
Article 49 Collective Dispute Mediation
Article 50 Mediation Procedures, etc.

Page 347
346

Article 40 Establishment and Composition of Personal Information Dispute Mediation Committee
Article 40 (Establishment and Composition) ① Personal information disputes for mediation of personal information disputes
A mediation committee (hereinafter referred to as the “dispute mediation committee”) shall be established.
② The Dispute Mediation Committee shall be composed of no more than 20 members, including one chairperson,
The committee consists of ex officio members and commissioned members.
③ The commissioned member shall be the chairperson of the Protection Committee from among those who fall under any of the following subparagraphs:
A public official belonging to a state agency appointed by the Presidential Decree shall become an ex officio member.
1. As a public official belonging to the high-ranking public officials of the central administrative agency in charge of personal information protection
A person who has served or is in the position of an equivalent public sector or related organization;
A person who has or has worked for personal information protection
2. Served as an associate professor or higher or equivalent at a university or an accredited research institute;
person who has or has served
3. A person who is or has served as a judge, public prosecutor, or attorney-at-law;
4. A person who has been recommended by a civil society organization or consumer organization related to personal information protection
law

5. Those who are serving or have served as executives of business organizations composed of personal information controllers;
Person
④ The chairperson is a person who is not a public official from among the members and is appointed by the chairperson of the Protection Committee.
⑤ The term of office of the chairperson and commissioned members shall be two years, but they may be reappointed only once.
⑥ The Dispute Mediation Committee shall, if necessary, to efficiently carry out dispute mediation.
As prescribed by Presidential Decree, it shall be composed of not more than five members for each field of conciliation case.
You can have a coordinator. In this case, the conciliation division has been delegated by the Dispute Conciliation Committee and decided
Matters shall be deemed to have been decided by the Dispute Mediation Committee.
⑦ The Dispute Mediation Committee or the Conciliation Department shall open with the attendance of a majority of the enrolled members, and the members present
Decisions are made by a majority vote.
⑧ The Protection Committee is responsible for handling matters necessary for dispute mediation, such as receiving dispute mediation and confirming facts.
Article 6 Chapter

can
⑨ Matters necessary for the operation of the Dispute Mediation Committee other than those prescribed in
decide

dog
sign Act
this
tablet
see

shall be prescribed by Presidential Decree.

minute
Article 48-2 (Ex officio Member) Personal Information Dispute Mediation Committee under Article 40 (1 ) ofjeng
the Act (hereinafter referred to as “dispute”)
article
tablet
The ex officio members of the “Conciliation Committee”) are the Ministry of Government Administration and
Home Affairs, the Korea Communications Commission,
top
won
As a public official in general service belonging to the high-ranking public officials of the Protection Committee,
time

the Financial Services Commission and

Enforcement Decree
It shall be a person designated by the head of the institution to which he belongs from among those in charge of his/her duties.
Article 49 (Composition and Operation of Conciliation Division) (1 ) Conciliation Division under Article 40 (6 ) of the Act (hereinafter referred to as “Conciliation Division”)
shall be composed of no more than 5 members appointed by the chairperson of the Dispute Mediation Committee, among which
One member shall be a member with a lawyer's qualification.

341

Page 348
Explanation of personal information protection laws and guidelines and announcements

② The chairperson of the Dispute Mediation Committee convenes a meeting of the Conciliation Department.
③ The chairperson of the Dispute Conciliation Committee shall convene a meeting of the conciliation division on the date, time and place of the meeting.
and agendas should be decided and notified to each member of the mediation team at least 7 days prior to the meeting. but,
This is not the case in urgent circumstances.
④ The head of the conciliation division is elected from among the members of the conciliation division.
⑤ In addition to the matters stipulated in paragraphs 1 through 4, the composition and operation of the conciliation division, etc.
Necessary matters shall be decided by the chairman of the Dispute Mediation Committee after a resolution of the Dispute Mediation Committee.
Article 50 (Office Organization) Dispute mediation, such as receipt of dispute mediation and confirmation of facts pursuant to Article 40 (8 ) of the Act
Necessary administrative processing is carried out by the Secretariat of the Protection Committee.
Article 51 (Operation of Dispute Mediation Committee, etc.) ① The chairman of the Dispute Mediation Committee
Convenes and presides over a meeting.
② If the chairman of the Dispute Mediation Committee wishes to convene a meeting of the Dispute Mediation Committee, the date of the meeting;
The time, place, and agenda must be set and notified to each member 7 days prior to the meeting.
However, this is not the case in urgent circumstances.
③ The meeting of the Dispute Conciliation Committee and the Conciliation Division shall not be made public. However, it is necessary
In cases where it is recognized, the parties or interested parties are invited to listen by resolution of the Dispute Mediation Committee.
can do it

Most of the damage caused by personal information leakage, misuse, etc. is psychological damage, so damage through litigation
Salvation has its limits. In case of litigation, the burden of proof of intention or negligence is shifted to the personal information controller.
Even if there is a personal information infringement, the amount of damage, the causal relationship between the damage and the infringement, etc.
Because the data subject still has to bear the burden of proof, the probability of winning is low, and even if the
In most cases, the cost and time required for litigation is greater than the amount of compensation (win-win), so the information subject
It is difficult to bear this Therefore, the cost and time required for receiving damage relief are dramatically reduced while
In accordance with the litigation procedure, only personal information damage relief cases are available as a device to receive damage relief fairly.
An objective and independent dispute resolution body should be established to deal with it professionally.

1. Establishment and operation of the Personal Information Dispute Mediation Committee
A. Establishment of Dispute Mediation Committee (Paragraph 1)
The Personal Information Dispute Mediation Committee is established to mediate personal information disputes.
Conciliation is a dispute between the two parties based on the recommendation of the conciliation committee, not by a court decision.
The autonomy of the parties is guaranteed as much as possible as an independent dispute resolution procedure in which concessions are resolved by agreement.

342

Page 349

The conciliation committee only makes recommendations, and it is up to both parties to agree to the recommendations. but the party
If mediation is established by accepting the recommendation, it has the same effect as 'trial reconciliation', that is, the same effect as the final judgment of the court.
will take effect.

B. Composition of Dispute Mediation Committee (Paragraphs 2 to 5)
The Dispute Mediation Committee shall be composed of no more than 20 members, including one chairperson. However, members are ex officio
It is composed of members and commissioned members (Section 2). Ex officio members are the Ministry of Government Administration and Home Affairs, the Korea Communications Commission, and the Financial Services Commission.
As a public official in general service belonging to the high-ranking public officials of the Protection Committee, he/she conducts affairs related to personal information protection.
Among those in charge, it shall be a person designated by the head of the affiliated institution (Article 48-2 of the Decree). The commissioned member disputes
It is appointed by the chairman of the Protection Committee from among those who meet the qualifications of a mediator (paragraph 3). Public interest representative, professor
Professionals such as lawyers, representatives of consumers (information subjects), representatives of businesses (personal information controllers), etc.
It is intended to enable the participation of experts and stakeholders to make fair and objective decisions.
The chairperson appoints a person who is not a public official from among the members by the chairperson of the protection committee (paragraph 4), and the chairperson and
The term of office of the commissioned members is two years, but they may be reappointed only once.
Qualifications of Dispute Mediator (paragraph 3)
1. A person who served as a public official belonging to the senior civil service of a central administrative agency in charge of personal information protection; or
A person who is or has served in a position in the public sector or a related organization equivalent to this, and is responsible for the personal information protection business.
someone with experience
2. A person who is or has served as an associate professor or higher or an equivalent position at a university or an accredited research institute;
3. A person who is or has served as a judge, public prosecutor, or attorney-at-law;
4. A person who has been recommended by a civil society organization or consumer organization related to personal information protection
5. A person who is or has served as an executive of a business organization composed of personal information controllers;

Article 6 Chapter

2. Establishment and composition of the Personal Information Dispute Mediation Division (Section
6, Article 49 of the Decree)
dog
sign
tablet
see

The installation of the adjustment element (claim 6)

minute
jeng
article
tablet
top
won
time

The Dispute Mediation Committee shall, if necessary, to conduct dispute mediation efficiently by field of mediation case.
A conciliation division consisting of not more than 5 members may be established. In this case, the conciliation department
Matters decided by entrustment shall be deemed to have been decided by the Dispute Mediation Committee.

343

Page 350
Explanation of personal information protection laws and guidelines and announcements

B. Composition of Mediation Division (Article 49 Paragraphs 1 and 4 of the Decree)
The conciliation division shall consist of not more than five members appointed by the chairperson of the dispute conciliation committee, and one of them shall be
It shall be a member qualified as a lawyer (Article 49 (1) of the Decree). The head of the conciliation division is from among the members of the conciliation division.
Line (互選) (Article 49, Paragraph 4 of the Decree).

C Convocation of the Conciliation Department (Article 49 (2, 3) of the Decree)
The conciliation department is convened by the chairman of the Dispute Mediation Committee (Article 49 (2) of the Decree). Chairman of the Dispute Mediation Committee
To convene a meeting of the conciliation division, the date, time, place and agenda of the meeting must be determined and each meeting of the conciliation division
should inform the committee. However, this may not be the case in urgent circumstances (Article 49 (3) of the Decree).

La configuration and operation rules of the adjustment element (zero claim 49 Preparation 5)
In addition to the matters set forth in this Act and the Enforcement Decree, matters necessary for the composition and operation of the conciliation division are
It is decided by the chairperson of the Dispute Mediation Committee after a resolution of the committee.

3. Dispute conciliation committee and conciliation division open and decide (paragraph 7)
The Dispute Mediation Committee or the Conciliation Department shall open with the attendance of a majority of the enrolled members, and the majority of the members present
Decisions are made in favor (Section 7).

4. Management of Dispute Mediation Committee and Operation of Conciliation Division (Paragraph 8, Article 50 of the Decree)
A. Operational support of the Dispute Mediation Committee
The Protection Committee may handle matters necessary for dispute mediation, such as receiving dispute mediation and confirming facts.
(Article 40 Paragraph 8 of the Act).

B. Affairs of the Dispute Mediation Committee Secretariat
The Secretariat of the Protection Committee is responsible for receiving dispute mediation and confirming facts, such as receiving dispute mediation and confirming facts.
Office processing is carried out by the Secretariat of the Protection Committee (Article 50 of the Decree). other office activities

344

Page 351

Office work includes operation of the window for receiving dispute mediation cases, recommendation of agreement before mediation, service of mediation decision, preparation of minutes and
storage, etc.

5. Operation of the Dispute Mediation Committee, etc. (Paragraph 9, Article 51 of the Decree)
A meeting of the Dispute Mediation Committee is convened by the chairperson of the Dispute Mediation Committee (Article 51 (1) of the Decree).
If the chairperson of the Dispute Mediation Committee wishes to convene a meeting of the Dispute Mediation Committee, he/she shall specify the date, time, place and agenda of the meeting.
It must be decided and notified to each member at least 7 days prior to the meeting. However, in case of emergency
Not so (Article 51 (2) of the Decree).
Meetings of the Dispute Conciliation Committee and the Conciliation Division are not made public. However, if it is deemed necessary
By a resolution of the Dispute Mediation Committee, the parties or interested persons may be invited to listen. Privacy Disputes
The mediation case is intended to relieve damage caused by leakage or misuse of personal information.
It is a principle of non-disclosure for protection (Article 51 (3) of the Decree).

Article 6 Chapter

dog
sign
tablet
see
minute
jeng
article
tablet
top
won
time

345

Page 352
Explanation of personal information protection laws and guidelines and announcements

Article 41/42

Guarantee of member's identity, etc.

Article 41 (tenure of the committee) members to receive mental disorders on Suspension type sentenced to more than
Except in cases where he/she is unable to perform his/her duties, he/she shall not be dismissed or dismissed from his/her office against his will.
No.
Article 42 (Exclusion, Challenge, Avoidance of Members ) (1 ) Members of the Dispute Mediation Committee shall apply to any of the following subparagraphs:
Dispute mediation cases filed with the Dispute Mediation Committee pursuant to Article 43 (1), if applicable
(hereinafter referred to as “case” in this Article) is excluded from deliberation and resolution.
1. A member or his/her spouse or former spouse becomes a party to the case or participates in the case;
In the case of a relationship between a joint right holder or an obligor in relation to

law

2. Where the member is or was a relative of the party to the case;
3. Where a member has given testimony, appraisal, or legal advice regarding the case;
4. Where a member has been or was involved in the case as a representative of the party;
② If there are circumstances in which it is difficult for the parties to expect fair deliberation and resolution from the members,
An appeal may be made to the chairperson. In this case, the chairperson may dispute the application for challenge.
A decision is made without going through the resolution of the conciliation committee.
③ In the event that a member falls under the reasons under paragraph (1) or (2), he/she deliberates on the case by himself/herself
can be evaded by the decision.

Since the dispute mediation system is a quasi-judicial process, the independence and fairness of mediation must be guaranteed. Therefore
Accordingly, the Act guarantees the independence of dispute mediation by guaranteeing the status of the members, while the exclusion, avoidance, and evasion of members
The system has been introduced to ensure fairness in dispute mediation.

1. Guaranteeing the independence of dispute mediation (Article 41)
When a member is sentenced to a punishment greater than or equal to suspension of qualifications or is unable to perform his/her duties due to a mental or physical disability
Except for that, he shall not be dismissed or dismissed against his will. The types of punishments above suspension of qualification include:
There are death penalty, life imprisonment, life imprisonment, fixed-term imprisonment, and fixed-term prison. Death penalty, life imprisonment, and life imprisonment are disqualification
If it falls under the circumstances, fixed-term imprisonment or fixed-term prison shall not be eligible until the execution of the sentence is terminated or exempted.
It is a reason for suspension of qualifications (Article 43 of the Criminal Act). Therefore, on grounds of fine, detention, fine, confiscation, etc.
A member shall not be dismissed from office or dismissed against the will of a member.

346

Page 353

2. Ensuring fairness of dispute mediation (Article 42)
A. Reasons for Exclusion (Paragraph 1)
'Exclusion' means exclusion from deliberation and resolution of dispute mediation cases. Dispute Mediation Exclusion
The relevant members shall not be included in the deliberation and resolution of dispute mediation cases.
Grounds for Exclusion of Dispute Mediation (Paragraph 1)
1. A member or his/her spouse or former spouse becomes a party to the case, or has a joint right to the case;
or in the case of an obligor
2. Where the member is or was a relative of the party to the case;
3. Where a member has given testimony, appraisal, or legal advice regarding the case;
4. Where a member has been or was involved in the case as a representative of the party;

B. Reason for Avoidance (Section 2)
'Rejection' means that one or both parties exclude a specific member from the deliberation and resolution of a dispute mediation case.
It means asking for It is difficult for the parties to expect fair deliberation and resolution from specific members.
If there are circumstances, an application for challenge may be made to the chairperson. In this case, the chairperson may dispute the application for challenge.
A decision is made without going through the resolution of the conciliation committee.

The avoidance reasons (Claim 3)
'Avoidance' refers to cases where there is a reasonable reason to believe that it is difficult for a member to make a fair decision.
Refers to self-exclusion from deliberation and resolution of specific dispute mediation cases. A member must be aware that a specific case is related to Paragraph 1 or
Article 6 Chapter

In cases falling under paragraph (2), it may voluntarily evade the deliberation and resolution of the case.

dog
sign
tablet
see
minute
jeng
article
tablet
top
won
time

347

Page 354
Explanation of personal information protection laws and guidelines and announcements

Articles 43-48

Application and effect of dispute mediation, etc.

Article 43 (Application for Mediation, etc.) ① A person who wishes to mediate a dispute related to personal information shall mediate a dispute.
You can apply to the Committee for dispute mediation.
② When the Dispute Mediation Committee receives an application for dispute mediation from one of the parties, it
You must inform the other party.
③ When a public institution receives a notice of dispute mediation under paragraph (2), there is no special reason.
If not, it must respond to dispute mediation.
Article 44 (Processing Period) ① The Dispute Mediation Committee shall receive an application for dispute mediation under Article 43 (1).
Within 60 days from the date of review, an adjustment plan must be prepared. However, unavoidable
If there are circumstances, the processing period may be extended by a resolution of the Dispute Mediation Committee.
② If the Dispute Mediation Committee has extended the processing period pursuant to the proviso to paragraph 1, the
The reason and other matters concerning the extension of the period shall be notified to the applicant.
Article 45 (Request for Data, etc.) ① The Dispute Mediation Committee shall submit an application for dispute mediation pursuant to Article 43 (1).
Upon receipt, request the parties to the dispute for necessary data for mediation of the dispute.
can In this case, the parties to the dispute shall comply with the request unless there is a justifiable reason.
② If the Dispute Mediation Committee deems it necessary, the parties to the dispute or witnesses shall be referred to the Committee.
You can attend and have your opinion heard.
law
Article 46 (Recommendation of Settlement Before Conciliation) The Dispute Conciliation Committee shall submit an application for dispute conciliation pursuant to Article 43 (1).
Upon receipt, it may present the details to the parties and recommend an agreement prior to mediation.
Article 47 (Mediation of Disputes ) ① The Dispute Mediation Committee shall
You can draft a reconciliation plan.
1. Suspension of Infringement Subject to Investigation
2. Restoration, compensation for damages, and other necessary remedies
3. Measures necessary to prevent the recurrence of the same or similar infringement
② When the Dispute Mediation Committee prepares a mediation plan pursuant to paragraph (1), it shall notify each party without delay.
should be presented
③ Acceptance within 15 days from the date of presentation by the party who has been presented with the mediation proposal pursuant to Paragraph 1
If it is not notified, it shall be deemed that the mediation has been refused.
④ If the parties accept the mediation, the Dispute Mediation Committee prepares a mediation form, and
The chairperson of the conciliation committee and each party shall sign and seal.
(5) The content of mediation under paragraph (4) has the same effect as a judicial compromise.
Article 48 (Rejection and Suspension of Mediation ) (1 ) The Dispute Mediation Committee is not a member of the Dispute Mediation Committee due to the nature of the dispute.
If it is recognized that mediation is inappropriate or that mediation has been applied for improper purposes,

348

Page 355

If accepted, the mediation may be rejected. In this case, the reasons for refusal of mediation, etc.
The applicant must be informed.
② While the Dispute Mediation Committee is in the process of processing the mediation case requested, one party
When a party institutes a lawsuit, it shall stop the processing of the mediation and notify the party thereof.

1. Application for dispute mediation, etc. (Article 43)
A. Application for Dispute Mediation (Paragraph 1)
Anyone who wants to mediate a dispute related to personal information applies for dispute mediation to the Dispute Mediation Committee.
can do. Not only the data subject but also the personal information controller can apply for dispute mediation.
Dispute mediation must be submitted to the Dispute Mediation Committee, and must be submitted in person, by phone, fax, internet, postal mail, or e-mail.
You can apply in a variety of ways.
There are no special restrictions on the reasons for applying for dispute mediation, so the reasons for applying are
It is sufficient if there is a dispute between the parties in this regard.
The content of the application may be the prohibition or suspension of violations of laws and regulations, or it may be a claim for damages. Also
Active performance obligations such as the right to request access to personal information, the right to request correction, and the right to request deletion are also included.

B. Notification of the fact of application for mediation, etc. (Article 43 (2))
When the Dispute Mediation Committee receives an application for dispute mediation from one of the parties, it
You must inform the other party. In the case of an application by the information subject, the personal information controller
In case of application, each information subject shall be notified to prepare for mediation.
Article 6 Chapter

dog
sign
tablet
see

C. Special Cases of Public Institutions (Article 43 (3))
Dispute mediation is not a compulsory mediation process, so the other party who received the notice can decide
However, if a public institution receives a notice of dispute mediation, unless there are special reasons
Comply with dispute resolution procedures. Unlike private companies and organizations, public institutions do not

minute
jeng
whether or not
to participate freely in the mediation
article
tablet
top
won
protect the rights
and interests of the people.
time

process.

When an administrative agency receives an application for civil complaints, there are special provisions in other laws and regulations.
Except in cases where it is not possible to withhold or reject the
The purpose of the Act” (Article 9) was taken into consideration.

349

Page 356
Explanation of personal information protection laws and guidelines and announcements

2. Dispute Mediation Processing Period (Article 44)
In order to promptly settle disputes, the Dispute Mediation Committee shall hold the dispute within 60 days from the date of receipt of the application for dispute mediation.
Within this period, it shall be reviewed, and a mediation plan shall be prepared and presented. However, if there are unavoidable circumstances
The processing period may be extended by the resolution of the Dispute Mediation Committee, but in this case, the Dispute Mediation Committee shall
The reason and other matters concerning the extension of the period shall be notified to the applicant.

3. Request for data submission, attendance, etc. (Article 45)
In order to make a fair mediation decision based on objective facts, the Dispute Mediation Committee collects data necessary for dispute mediation.
You can request the parties to the dispute, and have the parties to the dispute or a witness appear in the committee to hear their opinions.
may be
A party to a dispute who has received a request for data submission shall comply with the request unless there is a justifiable reason. just
Reasons may include trade secret protection, protection of the privacy of others, and national security and diplomatic interests.

4. Recommendation of Agreement Before Conciliation (Article 46)
When the Dispute Mediation Committee receives an application for dispute mediation, it presents the details to the parties and
consensus may be recommended. Disputes are best handled independently by the voluntary agreement of the parties.
It is desirable and has little after-effects, so it is intended to provide an opportunity for independent dispute resolution between the parties.

5. Mediation of Disputes (Article 47)
A. Preparation and presentation of mediation proposals (paragraphs 1 and 2)
After the fact investigation, opinion hearing, expert advice, etc. have been completed, the Dispute Mediation Committee shall (1) suspend the infringement under investigation;
② Restoration, compensation for damages, and other necessary remedies; ③ To prevent recurrence of the same or similar infringement
Prepare a mediation plan including any of the necessary measures and send it to each party without delay
should be presented

350

Page 357

B. Acceptance and rejection of mediation proposals (Article 47 (3) and (4))
If the parties to a dispute do not notify whether or not to accept the mediation proposal within 15 days from the date of receipt of the proposal, the mediation proposal shall be rejected.
It is deemed to have been rejected (paragraph 3). If either party does not express their intention to accept, the mediation proposal will be
considered to be rejected. Therefore, if the parties wish to accept the mediation, dispute within 15 days
A declaration of acceptance must be made to the conciliation committee. If the parties accept the mediation, the Dispute Mediation Committee
A mediation agreement shall be prepared, and the chairperson of the Dispute Mediation Committee and each party shall sign and seal it.

The legal force of dispute resolution established (claim 47 Preparation 5)
If the parties to the dispute accept the mediation proposal and dispute mediation is established, the content of mediation is the same as that of the arbitral settlement.
have an effect Since the effect of reconciliation in court means the same effect as that of a final judgment, by accepting the conciliation proposal, the dispute cannot be resolved.
It is finally terminated and compulsory execution is also possible according to the conciliation protocol (Civil Procedure Act, Article 220).
In other words, even if a cause for dissatisfaction with the content of the mediation is discovered later, the effect cannot be contested through litigation.
Its effectiveness can only be contested through the quasi-review process (Civil Procedure Act Article 461).

6. Refusal and Suspension of Mediation (Article 48)
The Dispute Mediation Committee has determined that mediation by the Dispute Mediation Committee is inappropriate due to the nature of the dispute.
If it is recognized that mediation has been applied for or for illegal purposes, the mediation may be rejected.
In this case, the reason for refusal of mediation, etc. shall be notified to the applicant.
Cases of refusal to mediate

case

If it is not a dispute related to the processing of personal information, the applicant may maliciously apply for dispute mediation continuously in the same case.
In case there is no real benefit to mediation due to relevant laws or objective evidence, etc.

Article 6 Chapter

dog
sign
tablet
see

While the Dispute Mediation Committee is in the process of processing the mediation case requested, one party

minute
jeng
article
tablet
top
won
time

If it does, it shall stop the processing of the mediation and notify the parties thereof. In effect, the mediation process
Because they don't see a doctor.

351

Page 358
Explanation of personal information protection laws and guidelines and announcements

< Dispute Mediation Procedure Chart >

352

Page 359

Article 49 Collective Dispute Mediation
Article 49 (Collective Dispute Mediation) ① State and local governments, personal information protection organizations and institutions, information subjects,
The personal information controller shall determine that the damage or infringement of the rights of the data subject is the same for multiple data subjects.
Disputes with respect to cases prescribed by Presidential Decree that occur in a similar type
Request a comprehensive dispute mediation (hereinafter referred to as “collective dispute mediation”) to the Mediation Committee; or
can apply
② The Dispute Mediation Committee that has been requested or received an application for collective dispute mediation pursuant to paragraph (1) shall
The procedure for collective dispute mediation under paragraphs (3) through (7) may be initiated by a resolution.
have. In this case, the Dispute Mediation Committee shall delay the commencement of the procedure for the period prescribed by Presidential Decree.
should be announced
③ The Dispute Mediation Committee shall be the subject of information or personal information that is not a party to the collective dispute mediation.
to receive an application from the processor for additional inclusion as a party to the dispute mediation;
can
law

④ The Dispute Mediation Committee shall, by its resolution, be a party to collective dispute mediation under paragraphs (1) and (3).
Among them, one or several persons most suitable to represent the common interest as the representative party
can be appointed
⑤ In the Dispute Mediation Committee, the personal information controller shall be responsible for the content of the collective dispute mediation of the Dispute Mediation Committee.
In the case of acceptance, the information subject who has suffered damage as a person who is not a party to the collective dispute mediation
It may be recommended that a compensation plan be prepared and submitted to the Dispute Mediation Committee.
⑥ Notwithstanding Article 48 (2), the dispute mediation committee
If some of the data subjects file a lawsuit with the court, the procedure shall not be suspended.
However, some data subjects who have filed lawsuits are excluded from the procedure.
⑦ The period of collective dispute mediation shall be 60 days from the day following the date on which the public notice under paragraph (2) is terminated.
do it within However, in case of unavoidable circumstances, it is processed by the resolution of the Dispute Mediation Committee.
period may be extended.

Article 6 Chapter

(8) Necessary matters concerning the procedures, etc. of collective dispute mediation shall be prescribed by Presidential Decree.
dog
sign
tablet
see

Article 52 (Objects of Application for Collective Dispute Mediation) In Article 49 (1 ) of the Act, “the
“Case” means an event that meets all of the following requirements:
1. The number of data subjects
50 or more
Enforcement Decree
end. A data subject who has

minute
who have suffered damage or infringement of rights, except for the followingjeng
data subjects:
article
tablet
top
won
reached an agreement on dispute resolution or damage compensation with the
personal information
time

controller

I. Dispute conciliation procedures in the dispute conciliation body established under other laws and regulations for the same matter
Data subject in progress
All. The information subject who has filed a lawsuit with the court for damage caused by the infringement of the personal information
2. The important issues of the case shall be common de facto or legally;

353

Page 360
Explanation of personal information protection laws and guidelines and announcements

Article 53 (Commencement of Collective Dispute Mediation Procedures) ① In the latter part of Article 49 (2 ) of the Act, “by Presidential Decree
The term “fixed period” means a period of 14 days or more.
② The notice of the commencement of the collective dispute mediation procedure pursuant to the latter part of Article 49 (2) of the Act is for dispute mediation.
Disseminate nationwide in accordance with the Commission's Internet website and the 「Act on the Promotion of Newspapers, Etc.」
It shall be published in the general daily newspaper of the region.
Article 54 (Application for Participation in Class Dispute Mediation Procedures) ① Collective Dispute Mediation under Article 49 of the Act
(hereinafter referred to as “collective dispute mediation”), the information subject or personal information controller who is not a party to the
Article 49 of the Act to additionally participate as a party to collective dispute mediation pursuant to Article 49 (3) of the Act
The application for participation must be made in writing during the notice period at the latter part of Paragraph 2.
② When the Dispute Mediation Committee receives an application for participation as a party to a collective dispute mediation pursuant to Paragraph 1,
Within 10 days of the end of the application period in Paragraph 1, whether or not to participate must be notified in writing.
Article 55 (Procedure of Collective Dispute Mediation Procedures) (1) Subparagraph 1 of Article 52 after the commencement of collective dispute mediation procedures
Information subjects who fall under any of items (c) through (c) are excluded from the party.
② The Dispute Mediation Committee shall conduct a class dispute with respect to a case that satisfies all the requirements of each subparagraph of Article 52.
After the conciliation procedure is initiated, some of the parties to the collective dispute conciliation
Those who fall under any of items (a) through (c) do not meet the requirements of subparagraph 1 of the same article.
Even if it is not possible, the collective dispute mediation procedure will not be stopped.
Most of the personal information leakage and misuse/abuse accidents are of a collective nature,
The items of personal information or the type of damage are the same or similar. From as little as a few thousand to as many as tens of millions
Handling personal information leakage and misuse cases through individual dispute mediation procedures
It is a waste of time and money. Therefore, for such a collective dispute case, one dispute
It is convenient and efficient to collectively resolve the mediation procedure.

1. Request and application for collective dispute mediation
A. Requesters and applicants for collective dispute mediation (Article 49 (1))
A person who can request or apply for collective dispute mediation (collective dispute mediation) to the Dispute Mediation Committee is ①
and local governments, ② personal information protection organizations and institutions, ③ information subjects, and ④ personal information controllers. collective dispute
There are no restrictions on the qualifications of personal information protection organizations and institutions that can request mediation. Therefore, privacy
Any group or institution conducting business may request collective dispute mediation, and
Public institutions established by personal information protection organizations or national and local governments are also possible.

354

Page 361

B. Cases subject to application for collective dispute mediation (Article 49 (1), Article 52 of the Decree)
In order to be the subject of an application for collective dispute mediation, the damage or infringement of the rights of the data subject must be
It must have occurred in the same or similar type to the subject (Article 49 (1)), and must meet the requirements for applying for collective dispute mediation.
There must be two complete cases (Article 52 of the Decree).
Collective Dispute Mediation Application Requirements (Article 52 of the Enforcement Decree)
1. The number of data subjects who have suffered damage or infringement of rights shall be at least 50, excluding the data subjects in each of the following items;
end. A data subject who has reached an agreement on dispute resolution or damage compensation with the personal information controller
I. Data subjects who are undergoing dispute mediation procedures in the dispute mediation body established under other laws for the same matter
All. The information subject who has filed a lawsuit with the court for damage caused by the infringement of the personal information
2. The important issues of the case shall be common de facto or legally;

2. Commencement and public notice of collective dispute mediation procedures;
A. Commencement and announcement of collective dispute mediation procedures (Article 49 (2), Article 53 of the Decree)
The Dispute Mediation Committee, which has been requested or received a request for collective dispute mediation, shall, by its resolution, supervise the procedures for collective dispute mediation.
may be initiated (the former part of Article 49 (2)).
If the Dispute Mediation Committee intends to initiate a collective dispute mediation procedure, the
The initiation of the procedure must be made public (the latter part of Article 49 (2), Article 53 (1) of the Decree).
The notice of the commencement of the collective dispute mediation procedure is posted on the Internet website of the Dispute Mediation Committee and the 「Newspaper, etc.
In accordance with the Act, it shall be published in general daily newspapers nationwide as distribution areas (Article 53 (2) of the Decree).

B. Additional application for collective dispute mediation (Article 49 (3), Enforcement Article 54)

Article 6 Chapter

dog

The information subject or personal information controller who is not a party to collective dispute mediation may additionallysign
tablet

In order to participate as a party, an application for participation must be made in writing within the notice period of the commencement
of the collective dispute mediation procedure.
see
minute
When the Dispute Mediation Committee receives an application for participation as a party to collective dispute mediation, notice
period for the commencement of the collective dispute mediation procedure
jeng

Within 10 days after the (participation application period) is over, you must notify in writing whether participation is recognizedarticle
or not (Article 54 (2) of the Decree of the Enforcement Decree).
tablet
top
won
time

C. Appointment of representative parties (Article 49 (4))

The Dispute Mediation Committee, by its resolution, is the most appropriate to represent the common interest among the parties to the collective dispute mediation.
One or more suitable persons may be appointed as representative parties.

355

Page 362
Explanation of personal information protection laws and guidelines and announcements

3. Compensation to persons other than the party concerned (Article 49 (5))
The Dispute Mediation Committee shall, if the personal information controller accepts the contents of the collective dispute mediation of the Dispute Mediation Committee,
By preparing a compensation plan for the data subject who has suffered damage as a person who is not a party to collective dispute mediation,
It may be recommended to submit to the Dispute Mediation Committee.

4. Exclusion of collective dispute mediation procedures (Article 49 (6), Article 55 of the Decree)
Notwithstanding Article 48 (2) of the Act (Suspension of Dispute Mediation Proceedings Following Initiative), the Dispute Mediation Committee
If some of the data subjects who are parties to the dispute mediation file a lawsuit with the court, the
The mediation process shall continue without stopping the process. However, the data subjects who filed the lawsuit
It must be excluded from the procedure (Article 49 (6)).
The collective dispute mediation procedure commences when the case for application for collective dispute mediation meets all the requirements of Article 52 of the Decree.
Later, some of the parties to the application for collective dispute mediation were disqualified from the application for collective dispute mediation (from Article 52 subparagraph 1 (a) of the Decree).
Even if the person falls under item C), the collective dispute mediation procedure for the rest of the people will not be stopped.
No. However, a person who falls under the grounds for disqualification of an application for collective dispute mediation after the procedure for collective dispute mediation has commenced.
It must be excluded from the party (Article 55 Paragraph 1 of the Decree).

5. Legal Effect of Establishment of Collective Dispute Mediation
When collective dispute mediation is established, the legal effect is the same as in the case of general dispute mediation. That is, the parties
In case of acceptance, the same effect as a judicial settlement shall take effect. Only a few of the many data subjects
In the case of acceptance, the effect of reconciliation in court is limited to the person who accepted it.

6. Period of collective dispute mediation (Article 49 (7))
The period of collective dispute mediation is 60 days from the day following the end of the notice period for the commencement of the collective dispute mediation procedure.
do it within However, if there are unavoidable circumstances, the processing period may be extended by the resolution of the Dispute Mediation Committee.
can do.

356

Page 363

7. Similar legislation
「 Consumer Basic Act」
」
Article 68 (Special Cases for Dispute Mediation) (1) Notwithstanding the provisions of Article 65 (1), the State, local governments, Korea Consumer Agency, consumer organizations,
A consumer or business operator is a case in which consumer damage occurs to multiple consumers in the same or similar type.
For cases prescribed by Presidential Decree, collective dispute mediation (hereinafter referred to as “collective dispute mediation”) shall be made to the Mediation Committee.
You can request or apply.
② The mediation committee that has been requested or received a request for collective dispute mediation pursuant to paragraph (1) shall be determined by the mediation committee in paragraph (3).
and the procedures for collective dispute mediation pursuant to the provisions of paragraphs (5) through (7) may be initiated. In this case, the conciliation committee
The commencement of the procedure shall be announced during the period prescribed by the Presidential Decree.
③ The conciliation committee may additionally be a party to the dispute mediation from a consumer or business operator who is not a party to the collective dispute mediation.
Applications may be accepted for inclusion.
④ Delete
⑤ The mediation committee shall, if the business operator accepts the contents of the collective dispute mediation of the mediation committee, the parties to the collective dispute mediation
As a non-resident, it may be recommended to prepare a compensation plan for consumers who have suffered damage and submit it to the mediation committee.
⑥ Notwithstanding the provisions of Article 65 (5), the Conciliation Committee shall determine that some of the consumers who are parties to the collective dispute mediation
If a lawsuit is filed with the court, the proceedings shall not be suspended, and some consumers who have filed the lawsuit will be removed from the proceedings.
Exclude.
⑦ Notwithstanding Article 66 (1), collective dispute mediation shall be conducted within 30 days from the day following the date on which the public notice under paragraph (2) is terminated.
have to finish However, if dispute mediation cannot be completed within the relevant period due to unavoidable reasons, each
The period may be extended up to 30 days, and in this case, the reason and time limit shall be specified in detail to identify the person concerned and the person concerned.
The agent must be notified. <Revised 2011.5.19.>
(8) Necessary matters concerning the procedures, etc. of collective dispute mediation shall be prescribed by Presidential Decree.
Article 68-2 (Appointment, etc. of Representative Parties) (1 ) The parties who have an interest in collective dispute mediation shall represent not more than three of them.
may be appointed as a party.
② The Conciliation Committee shall, when the parties fail to appoint a representative party pursuant to paragraph (1),
In such cases, it may recommend the parties to appoint a representative party.
(3) The representative party may perform all acts related to the conciliation of the case for the parties who have appointed it. but,
The withdrawal of the application for mediation and the acceptance or rejection of the mediation proposal shall require written consent of the parties who have appointed them.
④ The parties who have appointed the representative party may conduct the act of conciliation of the case only through the representative party.
⑤ The parties who have appointed the representative party may dismiss or change the representative party if deemed necessary.

Article 6 Chapter

have. In this case, the parties shall notify the conciliation committee of the fact without delay.

dog
sign
tablet
see

「 Enforcement Decree of the Consumer Framework Act」
」

Article 56 (Objects of Application for Collective Dispute Mediation) In Article 68 (1 ) of the Act, “cases prescribed by Presidential Decree” means that the following requirements are met:
event that has it all.
1. Among consumers who have suffered the same or similar types of damage due to goods, etc., the consumer, except for the following:
Number of 50 or more
end. Voluntary dispute mediation pursuant to the main sentence of Article 31 (1) of the Act, recommendations by the Director of the Korea

minute
jeng
article
tablet
top
won
Consumer
time Agency

under Article 57 of the Act, and other

Consumers who have reached an agreement on dispute resolution or damage compensation with a business operator
I. Consumers whose dispute mediation is in progress in the dispute mediation body under each subparagraph of Article 25
All. A consumer who has filed a lawsuit with the court regarding damage caused by the relevant goods, etc.
2. The important issues of the case shall be common de facto or legally;

357

Page 364
Explanation of personal information protection laws and guidelines and announcements

Article 50 Mediation Procedures, etc.
Article 50 (adjustment procedures) ① of the conflict set by the addition to the provisions of claim 49 to claim from 43 The
Matters necessary for the mediation method, mediation procedure, and handling of mediation affairs, etc. shall be prescribed by Presidential Decree.

law

② The operation of the Dispute Mediation Committee and dispute mediation procedures other than those stipulated in this Act
The 「Civil Mediation Act」 shall apply mutatis mutandis to matters.
Article 56 (allowances and travel expenses), crabs, etc. Dispute Resolution Committee and one member attending the meeting of the adjuster
Allowances and travel expenses can be paid within the budget. However, a member who is a public official is under the jurisdiction

This is not the case when attending directly related to work.
Enforcement Decree
Article 57 (Detailed Rules for Dispute Mediation) Operation of the Dispute Mediation Committee in addition to the matters stipulated by the Act and this Decree
and the matters necessary for collective dispute mediation are subject to a resolution of the Dispute Mediation Committee.
It is decided by the chairperson of the conciliation committee.

1. Application mutatis mutandis of the Civil Mediation Act;
Regarding matters not stipulated in this Act regarding the operation of the Dispute Mediation Committee and procedures for dispute mediation,
The 「Civil Mediation Act」 shall apply mutatis mutandis.

2. Payment of allowances, etc. to mediators;
Allowance and travel expenses are provided within the budgetary limits to the members attending the meetings of the Dispute Conciliation Committee and the Conciliation Division.
can pay However, if a member who is a public official attends directly related to the affairs under his/her jurisdiction,
Not so (Article 56 of the Decree).

3. Enactment of 「 Dispute Mediation Bylaws」
」
In addition to the provisions of this Act and the Decree, necessary for the operation of the Dispute Mediation Committee and collective dispute mediation.
Matters are decided by the chairperson after a resolution of the Dispute Mediation Committee (Article 57 of the Enforcement Decree).

358

Page 365

< Current Status and Comparison of Similar Dispute Mediation Committee >
Personal Information Dispute Mediation
DisputeCommittee
Mediation Committee on ProvisionConsumer
of Public Dispute
Data Mediation Committee

division

(Personal Information Protection Act) (Public Data Act)

establish

(Consumer Act)

purpose

refusal to provide public data; and
between consumers and businesses
Mediation of disputes regarding personal information
Dispute settlement regarding discontinuation
settleof
disputes
provision

Phase

-

Affiliated with the Minister of Government
Korea
Administration
Consumer Agency
and Home Affairs

Committee 20 people including 1 chairperson
Configuration
members within

50 people including 1 chairperson
Less than 25 people including one chairperson
members within

commissioner
2 years (1st consecutive term only)

2 years (1st consecutive term only)
term of office
* Public officials are in office for the duration of their tenure.

3 years, renewable

commissioner
Appointed by the Chairman of the Fair Trade Commission
Appointed by the Chairman of the Protection
Appointed
Committee
by the Minister of Government Administration and Home Affairs
appointment
or commission
chairperson

Members who are not civil servants

Among the standing members, the Fair Trade Commissioner
As a person, the chairman of the protection
Appointed
committee
by the Minister of Government Administration and Home Affairs from among the members
appointment
appointment
appointment
standing

1 member of the board

1 member of the board

2 persons, including the chairperson, are standing

coordinating
reconciliation in court
validity

reconciliation in court

reconciliation in court

Whether

None (consensual recommendations from consumer resources, etc.)

before adjustment
have
consensus recommendation

have

One-year application for the predicated case
possible)

Public Data Utilization Support Center

secretariat protection committee

(Korea Information Society Agency)

- Adjustment period: 60 days

- Adjustment period: 30 days

Korea Consumer Agency
- Adjustment period: 30 days

- Refusal and suspension of mediation - Refusal and suspension of mediation - cessation of adjustment

Etc

- Guarantee the member's identity;

- Guarantee the member's identity;

- Guarantee the member's identity;

exclusion, avoidance, avoidance

exclusion, avoidance, avoidance

exclusion, avoidance, avoidance

Article 6 Chapter

dog
sign
tablet
see
minute
jeng
article
tablet
top
won
time

359

Page 367
366

Chapter 7
Personal Information Class Action
Article 51 Objects, etc. of Class Action
Article 52 Exclusive Jurisdiction
Article 53 Appointment of litigation representative
Article 54 Application for permission to litigate
Article 55 Requirements for permission to litigate, etc.
Article 56 Effect of Final Judgment
Article 57 Application, etc. of the Civil Procedure Act

Page 369
368

Article 7 Chapter

Articles 51-53

Subject, jurisdiction, etc. of personal information class action lawsuit

Article 51 (Objects of Class Action, etc.) Organizations falling under any of the following subparagraphs

dog
sign
tablet
see
only

The processor rejects the collective dispute mediation pursuant to Article 49 or the result of the collective dispute
mediation
sieve
small
In case of non-acceptance, a lawsuit seeking the prohibition or suspension of the act of infringement with the
court
Song

(hereinafter referred to as “group action”) may be brought.
1. As a consumer organization registered with the Fair Trade Commission under Article 29 of the Framework Act on Consumers, the following:
Organizations that meet all of the requirements in each item
end. It shall be an organization whose main purpose is to promote the rights and interests of information subjects on a regular basis in accordance with the articles of incorporation;
I. The number of regular members of the organization must be at least 1,000
All. 3 years have passed since registration under Article 29 of the Framework Act on Consumers
2. As a non-profit private organization under Article 2 of the 「Non-profit Private Organization Support Act」, the following:
Organizations that meet all requirements
end. From more than 100 data subjects who have suffered the same legal or de facto infringement

law

To be asked to file a class action lawsuit
I. After specifying personal information protection as the purpose of the organization in the articles of incorporation, for the past 3 years or more,
Must have activity
All. The number of regular members of the organization must be at least 5,000
la. Must be registered with a central administrative agency
Article 52 (Exclusive Jurisdiction) ① In case of a class action lawsuit, the main office or place of business of the defendant is located;
If there is no main office or business office, the location of the address of the person in charge of the main business.
It is exclusively under the jurisdiction of the Court of Appeals' Settlement Board.
② In case Paragraph 1 is applied to foreign business operators, their main offices and business offices in Korea
Or, it is determined according to the address of the person in charge.
Article 53 (Appointment of Litigation Representative) A plaintiff in a class action shall appoint an attorney as his/her attorney.
do.

1. Significance of Personal Information Class Action
The spread of damage caused by personal information infringement due to the continuous development of the market economy and the rapid development of IT
While the speed is increasing and the size of the damage is gradually increasing, the number of unspecified people who have been damaged
Individuals still remain in an unorganized and fragmented situation. In this way, the cause of personal information infringement and infringement
Due to the asymmetry between victims, remedies for personal information infringement are provided only to individuals who are information subjects.
If left unattended, it may be difficult to achieve actual damage relief. these problems
The litigation system for collective resolution and prevention of the occurrence and expansion of collective damage is largely based on the American style.
There is a 'class action system' and a European-style 'class action system'.

363

Page 370
Explanation of personal information protection laws and guidelines and announcements

Class Action recognizes the eligibility of an individual belonging to the victim class and makes him or her
It is a system that allows litigation to be carried out for all class members, and the class action (Verbandsklage) is
Grants a qualified body the right to sue for the benefit of all victims.
It is a system that grants Class action lawsuits are mainly for damages claims for small sums of money.
The class action lawsuit is a system of litigation for prohibition and suspension to ban and suspend illegal acts of business operators.
has developed However, in recent times, consumer groups have also suffered damages due to illegal acts of business operators in class action lawsuits.
There are differences between the two systems, such as legislative cases that file a claim for damages on behalf of the consumer.
is narrowing
Korea first introduced the collective action system in the Consumer Basic Act in 2006, and the 「Personal Information Protection Act」
In addition, by introducing a European-style class action system, only groups with certain qualifications
It grants the right to file a lawsuit, and the scope of claims for group lawsuits also covers the prohibition and suspension of rights infringing acts.
are limiting
< Difference between class action and class action >
division

Verbandsklage

Class Action

Consumer organizations that meet certain requirements,
Multiple
etc. victim groups with close interests

claimant

(Groups carry out litigation)

(Representative party carried out litigation)

Purpose of litigation
Prohibition and suspension of illegal acts
Benefit

Relief for financial damage (claim for damages)

Prevention and prevention of the spread of damage ex post remedy for damage
Judgment has no effect on all victims

effect of judgment Judgment has no effect on other organizations

(However, except for those who have applied for exclusion)

Articles 51 through 57 of the Act are stipulated in Articles 51 to 57 of the Personal Information Infringement Class Action, etc.
In order to make this concrete, the Supreme Court Rule, 「Personal Information Class Action Rule (Supreme Court Rule No. 2358, 2011. 9.
28. Enactment, 2011. 9. 30.)” was enacted and is being implemented.

2. Dispute settlement prepositionalism (Article 51 main text)
In order to file a personal information class action lawsuit, it is necessary to go through the personal information class dispute mediation procedure.
This is to prevent unnecessary litigation. If the personal information controller refuses to mediate a collective dispute by the mediation committee, or
You can file a personal information class action lawsuit only if you do not accept the results of class dispute mediation.

364

Page 371

3. Objects and scope of claims for personal information class action lawsuit

Article 7 Chapter

dog
sign
tablet
see

A. Subject of personal information class action lawsuit
The actions of the personal information controller who are the subject of a personal information class action suit are the
an act that infringes on rights. Personal information is not necessarily limited to violations of rights in violation of this Act.

only
sieve
actions
of
small
Song

the information subject related to the processing of personal information.

Any infringement of rights arising out of processing is subject to a class action lawsuit. However, the claim itself
Because it is a request to the court to ban or stop the infringement, at least the infringement of rights at the time of filing the complaint
Unless there are special circumstances, the act of infringing rights that was completed at the time of filing a lawsuit as a past act must be continuing.
It is not subject to a class action lawsuit.

B. Scope of Claims for Personal Information Class Action
The contents of the personal information group lawsuit are only the request for prohibition or suspension of the infringement of rights. For example, personal information
Prohibition of violations of rights, such as prohibition of use and provision for other purposes, and suspension of infringement of the right to request access to personal information
Only suspension can be requested (Article 51 main text). Therefore, compensation for damages caused by leakage or misuse of personal information
A lawsuit claiming money, such as a lawsuit for claiming money, or a lawsuit for the purpose of seeking restoration to the original state prior to infringement of rights;
A lawsuit cannot be brought through a class action lawsuit. When the information subject claims compensation for damages or restoration to its original state
For this, a separate civil action must be filed individually.

4. Eligibility for Plaintiff in Personal Information Class Action (Article 51 each)
Persons who can file a personal information group lawsuit are limited to registered consumer organizations and non-profit private organizations.
have.
In order for a consumer organization to file a personal information class action lawsuit, in accordance with Article 29 of the 「Basic Consumer Act」
As a consumer organization registered with the Trade Commission, ① mainly to promote the rights and interests of information subjects in accordance with the Articles of Incorporation.
It is an organization with a purpose, ② The number of regular members of the organization is 1,000 or more, ③ According to Article 29 of the 「Basic Consumer Act」
3 years must have elapsed after registration.
In order for a non-profit private organization to file a personal information group lawsuit, it is necessary to comply with Article 2 of the 「Non-profit and private organization support law」.
As a non-profit private organization ① from more than 100 data subjects who have suffered the same legal or de facto infringement
After receiving a request to file a class action suit, and ② specifying personal information protection as the purpose of the group in the articles of incorporation, for at least 3 years
There is a record of activities for this purpose, ③ the number of regular members of the group is 5,000 or more, ④ to the central administrative agency
must be registered

365

Page 372
Explanation of personal information protection laws and guidelines and announcements

Nonprofit Private Organization Support Act
Article 2 (Definition) In this Act, the term “non-profit private organization” refers to a non-profit organization whose main purpose is to perform public interest activities.
It refers to an organization that satisfies the requirements of each of the following subparagraphs as a private organization for the purpose.
1. The direct beneficiaries of the project shall be an unspecified majority;
2. No profit sharing among members;
3. In fact, the main purpose is to support, support, or oppose a specific political party or candidate for an elected office, or
It shall not be established or operated for the main purpose of disseminating the doctrine of religion;
4. The number of regular members must be 100 or more
5. Must have public interest activities for at least one year
6. In the case of an organization that is not a corporation, there must be a representative or a manager;

5. Exclusive jurisdiction for personal information class action (Article 52)
The lawsuit in the personal information class action lawsuit is based on the settlement of the main office of the district court in the place where the defendant's main office or business place is located.
subject to jurisdiction However, if there is no main office or sales office,
It is exclusively under the jurisdiction of the collegiate panel of the district court of the district. If the defendant is a foreign business operator,
The exclusive jurisdiction is determined according to the address of their main office/sales office or the person in charge of business.

6. Appointment of litigation representative (Article 53)
In order for a plaintiff in a personal information class action lawsuit to file a personal information class action lawsuit, a lawyer is
should be appointed In the case of collective dispute mediation, a representative party was selected from among the claimants.
(Article 49 (4)) In case of a class action lawsuit, a litigation agent must be appointed. Therefore, the lawyer
If you are not appointed as a litigation representative, it is a ground for incineration.
On the other hand, if all of the plaintiff's litigation agents die, resign, or are dismissed, the plaintiff may file a new lawsuit.
Proceedings are suspended until a representative is appointed. If the litigation procedure is suspended in this way, the court
It is ordered to appoint an attorney for a period of one month or more, and even after the plaintiff receives such an order,
If an attorney-at-law is not appointed within the prescribed period, the court shall dismiss the lawsuit by its ruling.
The plaintiff can immediately appeal against the above decision to incinerate (Article 11, Paragraph 4 of the Personal Information Class Action Rule).
ReferenceImmediate appeal (Civil Procedure Act Article 444)
Appeal refers to an appeal against a decision or order that dismisses an application for litigation procedures. Ordinary appeals are made during the period of appeal
On the other hand, for immediate appeal, the period for appeal is extended from the date of notification of the decision to dismiss
Limited to 1 week.

366

Page 373

Article 7 Chapter

Article 54/55 Litigation Permission Application and Permission Requirements, etc.
Article 54 (Litigation permit application) ① organizations that filed a class action lawsuit with the

dog
sign
followingtablet
subparagraphs
see

An application for permission to litigate should be submitted to the court.

Director

only
sieve
small
Song

1. Plaintiff and his/her litigation representative
2. Defendant
3. Contents of the data subject's infringed rights

② The application for permission to litigation under paragraph (1) shall be accompanied by the following materials:
1. Proof that the organization initiating a lawsuit meets the requirements falling under any of the subparagraphs of Article 51;
material to explain

law

2. that the personal information controller has refused mediation or has not accepted the mediation result;
document to prove
Article 55 (authorization requirements, litigation, etc.) ① court only if all of the following with each of the requirements
The decision authorizes a class action lawsuit.
1. If the personal information controller refuses to mediate or accept the mediation result of the Dispute Mediation Committee,
would not have
2. There shall be no defects in the matters stated in the application for permission to litigation under Article 54;
② An immediate appeal may be made against a decision to permit or disallow a class action lawsuit.

1. Application for litigation permission (Article 54 (1))
The group that intends to file a personal information class action shall, along with the complaint, ① the plaintiff and his/her legal representative, ② the defendant,
③ An application for permission to litigate stating the details of the infringed rights of the data subject shall be submitted to the competent court.

2. Attached documents when applying for litigation permission (Article 54 (2))
If an organization that intends to file a personal information group lawsuit wants to submit an application for permission to lawsuit to the competent court,
In this case, in the application for permission to litigate, ① the organization initiating a lawsuit must meet any of the subparagraphs of Article 51 (organization).
Documents demonstrating that the applicant has the qualifications for litigation plaintiff) and ② if the personal information controller refused to mediate or
Documents proving that the mediation result was not accepted must be attached.
The explanatory materials for class action suit are as follows, depending on who is the organization filing the class action suit.
different.

367

Page 374
Explanation of personal information protection laws and guidelines and announcements

< Attached documents when applying for litigation permission (Personal Information Class Action Rule Article 6) >
division

consumer groups

Non-profit private organization
1. Articles of Incorporation
2. Activities in the last 3 years related to personal information protection
Performance

1. Articles of Incorporation

3. The number of regular members of the group is 5,000 or more.

material that can be explained
2. The number of regular members of the organization is more than 1,000.
4. Those who certify that they are registered with the central administrative agency
calling
material that can be explained
written
material 3. In accordance with Article 29 of the Framework Act on Consumers
5. The information subject who has requested the filing of a class action lawsuit
the fact of registration as a consumer organization; and
Name, address and contact information (phone number, fax number)
A written statement stating the registration date
or e-mail address, etc.)
6. The information subjects in subparagraph 5 may not file a class action lawsuit.
Requested documents (the details of the infringement by each information subject and
must include signature or seal)

Note 1 Change of claim
A plaintiff may change the purport or cause of a claim as long as the basis of the claim does not change. In this case, Article 54 of the Act
and Article 55 do not apply, so there is no need to separately apply for permission for group action and obtain permission again.
(Personal Information Class Action Rule Article 13).

Note 2 Merge of Arguments
When multiple personal information class actions are pending in the same court with the same basis of claim and the defendant personal information controller
In principle, these will be combined and tried. However, in consideration of the psychological situation or other circumstances, the combined trial is not appropriate.
If not, separate deliberation will be conducted (Personal Information Collective Procedure Rule Article 14).

3. Requirements for litigation permission (Article 55)
If there is a defect in the contents of the application or the attached documents, the court shall set a reasonable period for that period.
Correction of defects shall be ordered within In spite of this correction command, correction is not made
In this case, the court will disallow the class action by its decision.
Permit requirements are specified.
The court shall ensure that ① there are no flaws in the information in the application for permission to litigate, and ② that the personal information controller
If it is confirmed that mediation has been rejected or the result of mediation has not been accepted, a class action lawsuit may be filed by decision.
should be permitted When the court deems it necessary to decide whether to permit the lawsuit, the plaintiff's
Representatives, employees, members or members, defendants and data subjects may be interrogated.

368

Page 375

In the case of a decision to permit litigation and a decision not to permit litigation, a certified copy of the decision is served on
the plaintiff and the defendant.
Article 7 Chapter
When the decision becomes final and conclusive, it shall be deemed that no class action has been filed. In this way, the class action

dog
sign
tablet
see

An immediate appeal may be made against the decision to grant or disapprove.

only
sieve
small
Song

369

Page 376
Explanation of personal information protection laws and guidelines and announcements

Article 56 Effect of Final Judgment
Article 56 (Effect of final judgment) if the decision to dismiss the claims of plaintiffs confirmed these same
No other group pursuant to Article 51 may file a class action lawsuit with respect to a case. but,
law

This is not the case in any of the following cases:
1. After the judgment becomes final and conclusive, the State, local government, or state or local government in relation to the case;
When new evidence appears by an institution established by the organization
2. When it is found that the dismissal was due to the plaintiff's intention

1. Effect of Judgment to Dismiss the Claim
If the judgment rejecting the plaintiff's claim is finalized, other consumer organizations or
Non-profit organizations cannot file a class action lawsuit again. In other words, the final judgment effect of a class action is extended to other groups.
go crazy (Article 56 main text). The effect of the judgment is not only in the case of a judgment in favor of the plaintiff but also in the case of a judgment in which the plaintiff loses.
It extends to consumer groups and non-profit organizations. However, individual data subjects may not be affected by the outcome of a personal information class action lawsuit.
File a lawsuit for the prohibition or cessation of the infringing act, or a claim for damages
can do.

2. Suspension of the effect of final judgment
Even if the plaintiff receives a judgment to dismiss the claim, ①After the judgment becomes final and conclusive, the state/local government
When new evidence appears by an organization or an institution established by the state or local government, or ②
If it is found that this was due to the plaintiff's intention, another group may file a class action suit again for the same matter.
(provided in Article 56).

370

Page 377

Article 7 Chapter

Article 57 Application, etc. of the Civil Procedure Act
Article 57 (Application of the "Civil Procedure", etc.) ① about the collective action, unless otherwise

dog
sign
tablet
provided
see for

In this case, the Civil Procedure Act shall apply.
② If there is a decision to permit a class action pursuant to Article 55, it shall be referred to in Part 4 of

law

only
sieve
small
the Song
Civil

in this Act,

Execution Act.

Conservation measures may be taken accordingly.
(3) Necessary matters concerning the procedure of a class action shall be prescribed by the Supreme Court Regulations.

1. Application of 「 Civil Procedure Act」
」
Where there are no special provisions in this Act regarding class action, the Civil Procedure Act shall apply. therefore immediately
A number of civil litigation rules, such as the period and method of appeal, are also applied to the personal information class action procedure.

2. Application of 「 Civil Execution Act」
」
If there is a decision to permit the group action by the court, a preservative measure may be taken under Part 4 of the Civil Execution Act.
have. However, in a consumer group lawsuit, only the prohibition or suspension of the infringement of rights can be requested.
There is no room for provisional seizure-related regulations for the purpose of preservation, and only provisional disposition-related regulations can be used.

3. Establishment and operation of 「 Personal Information Class Action Rules」
」
Necessary matters concerning the procedure of a class action shall be prescribed by the Supreme Court Regulations. 「Personal Information Class Action Rules」
Method of filing a lawsuit and application for permission to litigation, information in the complaint, information in the application for permission to litigation, permission to litigation
Materials to be attached to the application form, examination of the application for litigation permission, delivery of a copy of the litigation permission application,
Hearing, decision on whether to permit litigation, resignation of litigation agent, participation in joint litigation, change of claim, consolidation of pleadings
etc are included.
< Personal Information Class Action Rule (Supreme Court Rule No. 2358, enacted on September 28, 2011) >
Article 1 (Purpose) This rule is prohibited or suspended pursuant to Article 51 of the 「Personal Information Protection Act」 (hereinafter referred to as the “Act”).
It is a business that determines necessary matters regarding the procedure of a lawsuit (hereinafter referred to as 'personal information group lawsuit') regarding a claim.
aim to
Article 2 (Application of 「 Rules of Civil Procedure」
」) Unless there are special provisions in this rule regarding personal information class action, 「 Civil Procedure Rules」
」
Rules of Procedure” apply.

371

Page 378
Explanation of personal information protection laws and guidelines and announcements

Article 3 (Method of filing a lawsuit and application for permission to litigation ) The complaint and the application for permission to litigation must be prepared and submitted in separate documents.
do.
Article 4 ( Matters to be entered in the complaint ) The following items should be written in the complaint.
1. Plaintiff and his/her litigation representative
2. Defendant
3. Purpose and cause of claim
Article 5 ( Matters to be Entered in Application for Litigation Permission ) The following matters shall be entered in the application for litigation permission.
1. Plaintiff and his/her litigation representative
2. Defendant
3. Purpose and cause of application for permission
4. Contents of the data subject's infringed rights
Article 6 (Data to be attached to the application for litigation permission) (1) Organizations stipulated in Article 51, subparagraph 1 of the Act shall apply for litigation permission in the following cases:
materials, etc., should be attached.
1. Articles of Incorporation
2. Data proving that the number of regular members of the organization is 1,000 or more;
3. A document stating the fact and date of registration as a consumer organization pursuant to Article 29 of the Framework Act on Consumers
② An organization stipulated in subparagraph 2 of Article 51 of the Act shall attach the following materials to the application for permission to litigate:
1. Articles of Incorporation
2. Activities related to personal information protection for the past 3 years
3. Data proving that the number of regular members of the organization is 5,000 or more
4. A document stating that it is registered with the central administrative agency
5. The name, address, and contact information (phone number, facsimile number or e-mail address of the information subject who requested the filing of a class action lawsuit)
address, etc.)
6. A document in which the information subjects in subparagraph 5 have requested to file a class action (the details of the infringement by each information subject and their signature or seal)
should be included)
③ In accordance with Article 54 (2) 2 of the Act, in the application for permission for litigation, the organization initiating a lawsuit shall have a personal information controller in accordance with Article 49 of the Act.
You must attach documents proving that you did not reject the collective dispute mediation or accept the results of the collective dispute mediation.
do.
Article 7 (Review of the proceedings permit application) ① the documents attached to the items mentioned in the application form and legal proceedings Application for flawed
In such cases, the presiding judge shall set a reasonable period and order the defect to be corrected within the period.
(2) If the plaintiff fails to rectify the flaws despite the presiding judge's order under paragraph (1), the court shall
Class action lawsuits are not permitted.
Article 8 (Service of Copies of Application for Litigation Permission ) A copy of the application for litigation permission shall be served on the defendant together with a copy of the complaint.
Article 9 ( Trial of Application for Litigation Permission )
Representatives, employees, members or members, defendants and data subjects may be interrogated.
Article 10 ( Decision on Whether to Permission to Litigation ) ① The following matters must be applied to the decision to permit litigation and to disallow litigation.
It must be written and sealed by the judge who made the decision.
1. Plaintiff and his/her litigation representative
2. Defendant
3. Order
4. Reason
(2) The reasons for the decision not to permit litigation shall specify the requirements for permission for litigation with flaws.
③ For a decision to permit a lawsuit and a decision not to permit a lawsuit, a certified copy of the decision shall be served on the plaintiff and the defendant.
(4) When a decision not to permit a lawsuit has become final and conclusive, it shall be deemed that no class action has been filed.

372

Page 379

Article 11 (Resignation, etc. of Litigation Agents ) ① When all of the plaintiff's litigation agents dies, resigns, or is dismissed, the plaintiff

Article 7 Chapter

Proceedings are suspended until a new litigation representative is appointed.
② If the litigation procedure is suspended pursuant to paragraph (1), the court may appoint an attorney for the plaintiff for a period of not less
should be ordered

dog
sign
than
one
tablet
see

month.

only
sieve
small
Song

③ If the plaintiff fails to appoint an attorney within the prescribed period even after receiving the order under paragraph (2), the court shall
The lawsuit must be dismissed by decision.
④ An immediate appeal may be made against the decision under paragraph (3).

Article 12 (Participation in Joint Litigation) (1 ) An organization falling under any of the subparagraphs of Article 51 of the Act shall be a member of the court under Article 55 (1) of the Act.
According to Article 83 of the 「Civil Procedure Act」, in a personal information class action pending between another organization and a personal information controller with permission
You can participate as a co-litigator. In this case, the application for participation in joint litigation and the application for permission to participate in joint litigation shall be
The complaint under Article 54 (1) and the application for permission to litigation shall be regarded.
② In the case of Paragraph 1, the provisions of Article 54 (2) 2 and 55 (1) 1 of the Act do not apply.
Article 13 (Change of Claim ) The plaintiff may change the purpose or cause of the claim within the limit that the basis of the claim does not change.
In this case, the provisions of Articles 54 and 55 of the Act shall not apply.
Article 14 (Consolidation of pleadings) Multiple personal information with the same personal information controller as the basis for a claim to the same court
When a class action lawsuit is pending, it shall be tried in combination. However, psychological or other circumstances
This shall not be the case when the combined trial is not justified in consideration of the circumstances.

373

Page 381
380

Chapter 8 Supplement
Partial exclusion from application of Article 58
Article 59 Prohibited acts
Article 60 Confidentiality, etc.
Article 61 Presentation of opinions and recommendations for improvement
Article 62 Report, etc. of Infringement
Article 63 Request for Data Submission and Inspection
Article 64 Corrective measures, etc.
Article 65 Accusation and Recommendation of Discipline
Article 63 Publication of results
Article 67 Annual Report
Article 68 Delegation and Entrustment of Authority
Article 69 Agenda for Public Officials at the Time of Application of Penalty Provisions

Page 383
382

Partial exclusion from application of Article 58
Article 58 (Partial exclusion of application) ① Regarding personal information falling under any of the following subparagraphs,
Chapters 3 through 7 do not apply.
1. Personal information collected in accordance with the 「Statistics Act」 among personal information processed by public institutions
Article 8 Chapter

2. Individuals requested to be collected or provided for the purpose of analyzing information related to national security
see

Information

Chick

3. It is temporarily necessary for public safety and well-being, such as public health.
Personal data processed
4. The media, religious groups, and political parties each have their own purposes, such as coverage and reporting, missionary work, and recommendation of candidates for elections.
Personal information collected and used to achieve
② Install and operate an image information processing device in a public place pursuant to each subparagraph of Article 25 (1)

law

Regarding the processed personal information, Articles 15, 22, 27 Paragraphs 1 and 2, Article 34 and
Article 37 shall not apply.
③ In order for the personal information controller to operate an organization for promoting friendship, such as alumni associations and clubs
Articles 15, 30 and 31 do not apply to the processing of personal information.
④ Even when processing personal information in accordance with each subparagraph of Paragraph 1, the personal information controller shall
To the extent necessary for this purpose, only the minimum amount of personal information should be processed for the minimum period.
Technical, administrative, and physical protection measures necessary for safe management of personal information;
Necessary for handling grievances related to information processing and other appropriate processing of personal information
Measures should be put in place.

The right to privacy to be protected through personal information protection is a basic right that everyone should enjoy and a democracy.
It is the cornerstone of society. In addition, the right to privacy includes political freedom, freedom of expression, freedom of assembly, freedom of religion,
Freedom of the body, protection of private property, and other rights that our society grants to individual freedom and private autonomy.
It is the foundation of all values.
However, overemphasizing personal information protection will result in the constitutional damage to national security and public safety and order.
Basic values ​and other constitutional rights such as freedom of speech, freedom of missionary activity, and freedom of party activity
On the contrary, it can lead to debilitating results. Therefore, while adequately protecting personal information,
Part of the law for the processing of certain types of personal information for certain purposes in order to balance the values
application needs to be excluded.

377

Page 384
Explanation of personal information protection laws and guidelines and announcements

1. Exclusion of application to personal information processed for statistical purposes (paragraph 1 item 1)
From Chapter 3 of the Act, personal information collected in accordance with the 「Statistics Act」 among personal information processed by public institutions
Chapter 7 does not apply. Statistics prepared in accordance with the 「Statistics Act」 are not only used by the state but also by the private sector
It is playing a role as a public good that is used as basic data to make decisions, and is a key factor in economic and social development.
It is very important to prepare timely and accurate statistics because they are the basis.
However, in accordance with the Statistical Act, statistics are prepared by a statistician, a former statistician, or a statistics collecting agency.
A person who engages in or has been engaged in all or part of a business entrusted with the business shall disclose the matters he/she has learned in the course of his/her duties.
It must not be used for purposes other than business or provided to others (Statistics Act Article 34), and statistics must not be prepared.
Matters that are known in the process and that belong to the confidentiality of individuals, corporations, or organizations must be protected and
Data belonging to the confidentiality of individuals, corporations, or organizations collected for the purpose of compiling statistics shall not be used for the purpose of compiling statistics.
It must not be used for any purpose (Article 33 of the Statistical Act), and the head of a statistics collecting institution
When providing statistical data to the head, it is in a form that cannot identify a specific individual, corporation, or organization.
Statistical data shall be provided after processing (Statistics Act Article 30 Paragraph 2).

2. Exclusion of application to personal information processed for national security purposes
(Paragraph 1 No. 2)
For personal information requested to be collected or provided for the purpose of analyzing information related to national security,
Chapters 3 through 7 of the Act shall not apply. tracking terrorists, finding spies, preventing attempts to subvert the state,
Information collection, analysis and management tasks of information and investigation agencies for national security such as prevention of leakage of national secrets
Since it must be carried out in secret, it is necessary to collect and provide personal information for the purpose of national security, etc.
Some applications of this Act are excluded.

Q

Is it possible to provide CCTV video information from the integrated control center to the Capital Defense Command?

A

In accordance with Article 18 (1) of the Personal Information Protection Act, the personal information controller uses personal information for purposes other than the intended purpose.
It must not be used or provided to a third party. Therefore, the video information of the CCTV installed by the local government is
It cannot be used at all times by the military base for military operations and disaster response purposes, and security measures are in place.
Even so, the constant control of CCTV video information of the ward office in the bunker of the Capital Defense Command is personal information.
It is a violation of the protection law.
However, in Article 58 (1) 2 of the Personal Information Protection Act, 'for the purpose of analyzing information related to national security
In order not to apply some of the provisions of this Act to 'personal information requested to be collected or provided'
As an exception is recognized, the Subangsa may request CCTV video information from the ward office for a reason that falls under this circumstance.
In some cases, it will be possible to provide.

378

Page 385

In this case, in order to protect the right to self-determination of personal information, the 'purpose of data analysis related to national security' is
It should be construed strictly as a 'specific' and 'clear' case. Therefore, simply for training
CCTV video information must not be provided for the purpose of
The control of CCTV images by military personnel, etc. is also a factor in the use of personal information for purposes other than the purpose and provision of third parties.
Therefore, as described above, there are exceptions for the purpose of 'analysis of information related to national security'.
It should be regarded as not permitted unless there is a reason for it.
Article 8 Chapter

see

3. Exclusion of application to personal information processed for public health, etc.

Chick

(Paragraph 1 No. 3)
Individuals who are temporarily processed as urgently necessary for public safety and well-being, such as public health
Chapters 3 through 7 of the Act do not apply to information. Isolation of patients to prevent the spread of various infectious diseases,
Activities such as tracking the source of infection and activities for rescue and relief from natural disasters and emergency disasters
Because there are many quarrels with the village and the safety of people's lives, bodies and property is threatened.
This is because it is difficult for the personal information controller to comply with the standards according to the law. However, in this case, to prevent abuse
For the purpose of temporary processing of personal information, the application of the law is excluded.

4. Exclusion of application to media, religious groups, political parties, etc. (Paragraph 1 No. 4)
Media, religious groups, and political parties each achieve their own goals, such as coverage and reporting, missionary work, and recommendation of candidates for elections.
Chapters 3 through 7 do not apply to personal information collected and used for this purpose.
Part of this Act is excluded from application only to personal information processed to achieve its own purpose,
The application of this Act to all personal information processed by media organizations, religious organizations, political parties, etc. is excluded.
no. For example, the person DB project of media organizations, social welfare projects of religious organizations, and the female politicians training project of political parties are
It cannot be said to be the unique purpose of a media organization, religious organization, or political party.
Activities aimed at achieving its own purpose, such as reporting or reporting by the media.
It refers to the act of collecting basic data or information necessary for writing an article for the purpose of disseminating information, etc.
What the press obtains through the coverage is made available to the general public through media such as newspapers, magazines, broadcasting, or the Internet.
refers to the act of conveying

379

Page 386
Explanation of personal information protection laws and guidelines and announcements

< Types of publications >
Kinds

Contents
Newspapers registered pursuant to Article 9 (1) of the 「Act on the Promotion of Newspapers, Etc.」, general daily newspapers and special daily newspapers

newspaper

Newspapers, general weekly newspapers, special weekly newspapers, etc. Politics, economy, society, culture, industry, science, religion, education, sports, etc.
In order to disseminate reports, comments, public opinion, and information on the entire field or a specific field, under the same name
Publications published at least twice a month
「Act on Media Arbitration and Damage Relief」 Article 2, subparagraph 10, 「Act on Promotion of Newspapers, etc.」 Article 2
Information processing capability, such as computers, as stipulated in subparagraph 2 and Article 2 of the Enforcement Decree of the Act on the Promotion of Newspapers, etc.
Reports, comments, public opinion and information on politics, economy, society, culture, current affairs, etc.
As an electronic publication published to disseminate

Internet
newspaper

meeting all criteria
• Reporting and editing personnel, including three or more reporters, as a requirement for independent article production
It employs 5 or more people on a regular basis and produces more than 30% of weekly articles on its own.
to be published as an article
• Publish new articles on a weekly basis as a continuous publication requirement.
Once a month under the same title as stipulated in subparagraph 1 (a) of Article 2 of the 「Act on the Promotion of Periodicals such as Magazines」

magazine As a publication in the form of a booklet issued on a regular basis as follows, in accordance with Article 2 of the 「Newspapers, etc. Promotion Act」
Magazines and other publications other than newspapers

The term 'media' refers to the following organizations.
1. Daily newspapers, weekly newspapers, Internet newspapers and
A person who publishes a monthly magazine registered pursuant to Article 15 (1) of the 「Act on the Promotion of Periodicals such as Magazines」
2. A corporation that broadcasts under subparagraph 1 of Article 2 of the Broadcasting Act, which plans and organizes a broadcast program called broadcasting;
Or it is produced and transmitted to the public (including the recipient under an individual contract) through a telecommunication facility.
Radio broadcasting, data broadcasting, mobile multimedia broadcasting
3. A corporation that operates a news and communications business registered pursuant to Article 8 of the News and Communications Promotion Act;
※ News communication means foreign news by obtaining permission from a radio station or using other information and communication technologies in accordance with the Radio Waves Act.
Sign a news communication contract with a telecommunication company, and report, comment, and public opinion on domestic and foreign politics, economy, society, culture, and current affairs.
Transmission and reception including wired and wireless for the purpose of radio waves or publications issued for this purpose

4. In addition, reporting on politics, economy, society, culture, current affairs, etc. as stipulated in Article 8-5 (1) of the Public Official Election Act;
Reporting, editing, or writing articles through the Internet for the purpose of disseminating comments, public opinion and information
A person who manages and manages an Internet website that provides or mediates, and a similar function of the press.
A person who manages and manages the Internet website
'Religious groups' include the spread of religions such as Catholicism, Protestantism, Daejonggyo, Buddhism, Won Buddhism, Confucianism, Islam, and Chondoism.
To other religious groups, religious groups, religious groups, or other religious groups established for the purpose of indoctrination.
As an affiliated corporation or organization, it is an individual organization established for the purpose of dissemination of religion or other reformation, and is subject to Article 32 of the Civil Act.
Based on this, a corporation registered with the Ministry of Culture, Sports and Tourism or a religious organization registered with the competent Si/Gun/Gu office
It may be an organization that has been given a unique number and registered as a business with the competent tax office.

380

Page 387

Activities for religious groups to achieve their own purposes such as missions include: 1) organizing the church, organizing the internal discipline of the church,
Registration of affiliated religious groups, personal management of clergy, production of newsletters, publicity, and religious organizations making decisions or providing advice
Denomination maintenance of religious organizations, such as convening various meetings and managing the website of the denomination, 2)
Missionary activities for the propagation of doctrine or reconstruction and reconciliation of the inhabitants of war or disasters (Constitutional Constitutional Court 2008.6.26.
2007 Heonma 1366), 3) Education that serves the purpose of disseminating the doctrine of religion and disseminating religion, and other religions
Article work
8 Chapter
Youth movement, anti-corruption civil movement, environmental movement, etc. conducted as incidental activities for missionary

There are public interest activities and volunteer activities.

see
Chick

The term 'party' means the promotion of responsible political claims or policies for the benefit of the people and
People whose purpose is to participate in the formation of the people's political will by recommending or supporting candidates
It refers to an organization registered with the National Election Commission under Article 4 (1) of the Political Parties Act as a voluntary organization.
In activities for a political party to achieve its own purpose, such as recommending candidates for an election, a political party is a candidate for a public office election.
The act of supporting or recommending (including those who want to become candidates), or the policy of a political party or a political issue
The act of promoting the position of the Republic of Korea using printed materials, facilities, advertisements, etc.
Activities (excluding door-to-door visits), etc. are included.

5. Exclusion of application to social groups such as alumni associations and clubs (paragraph 3)
The personal information controller collects personal information in order to operate an organization for promoting friendship, such as alumni associations and clubs.
In the case of processing, Article 15 (Collection and Use of Personal Information), Article 30 (Establishment and Disclosure of Personal Information Processing Policy)
and Article 31 (Designation of Person in Charge of Personal Information Protection) shall not apply. Fellowship organizations rather than business nature
Because of the strong nature of private gatherings, some applications of this law were excluded.
Therefore, it is possible for a friendly organization to collect and use members' personal information without the consent of the information subject.
However, in the case of use and provision beyond the purpose of establishment of a friendly organization, in accordance with Articles 15, 30, and 31,
should be dealt with
The current law aims to promote friendship with a certain legal group (friendship group according to the law), or
Membership fees are not considered as donations under the 「Act on the Solicitation and Use of Donations」
It only stipulates that donations that are subject to regulation under the Public Official Election Act are not considered as donations.
In this regard, there is no separate concept definition clause. In the dictionary, 'school, region, company, internet
It is composed of communities, etc., and has common interests or goals such as volunteering, hobbies, politics, and religion.
It is understood as a 'group for promoting friendship between people who have
It should be seen that it cannot be However, members of non-friendly organizations such as the relevant for-profit organization are also members of the group.
It will be said that you can freely form a social group within.

381

Page 388
Explanation of personal information protection laws and guidelines and announcements

< Regulations related to social groups under the Act >
law name

Contents

Defoliation sequelae
Patient support, etc.

Article 9 (1) promotes mutual friendship with patients suffering from defoliation sequelae, etc.
Clarify that it is a corporation for the purpose of mutual aid

law

Article 17 (1) requires a public official to conduct congratulations and condolences to a person related to a job or a public official related to a job.
Code of Conduct for Public
not Officials
to inform. As an exception, “religious organizations to which public officials are affiliated, social groups, etc.
Notice to members” is allowed
Article 112, Paragraph 2, Item 2 (e) states, “People’s associations, family associations, family associations, class reunions, etc.
public office election law
As a member of an organization or social organization, the organization's articles of incorporation, bylaws, or its operating practices
“The act of paying membership dues within the previous scope” is excluded from donations.
of donations

“Corporations, political parties, social groups, fraternities, social groups, etc.

Recruitment and use
law

for subscription fee, lump sum, membership fee, or common interests of members
Collected money” is excluded from donations subject to the above law

< Jurisprudence related to friendship groups >
Classification of precedents

Contents

Supreme Court 2010.10.28. sentencing
External activities that have the character of compulsory control exercised by a friendly group on its members
2010Dou 14084 judgment

Regulations on Korea should be viewed as an act that goes beyond the scope of promoting friendship.

Supreme Court 2010.9.30.

A member of a friendly organization must comply with the rules of self-government, such as the articles of association or bylaws,
Regarding the membership fee, etc. to be paid, please refer to 「Regarding the solicitation and use of donations」
Sentencing 2010 degree 5954 judgment
It shall not be regarded as a donation under the Act.
Expenditure of a certain amount for internal members improves the smoothness of the relationship between members.
Supreme Court 2010.6.24. sentencing
If it is for the purpose of promoting friendship, it is not subject to taxation.
2007Dou 18000 judgment

In the case of targeting outsiders, the advertisement is outside the scope of authenticity.
It applies to propaganda expenses.

The principle of minimum collection of personal information, even when processing personal information within the scope of the purpose of establishment of a friendly organization;
Technical and administrative protection measures for personal information, restrictions on processing of uniquely identifiable information and sensitive information,
Regulations such as management/supervision, obligation to notify and report personal information leakage, destruction of personal information, and protection of rights of information subjects
all apply as is.

382

Page 389

6. Take technical and administrative protective measures, etc. (paragraph 4)
Even if the personal information controller processes personal information in accordance with each subparagraph of Paragraph 1, it is necessary for that purpose.
Only the minimum personal information necessary within the scope should be processed. In addition, for the safe management of personal information
Necessary technical, administrative and physical protection measures must be taken, and grievances related to personal information processing must be handled.
In addition, necessary measures shall be prepared for the proper processing of personal information.

Article 8 Chapter

see
Chick

< Exclusions from Foreign Personal Information Protection Act >
division
OECD

Contents
• if it is processed for purely private purposes;

"privacy

• For national sovereignty, national security, and public policy

guideline"

• For activities that are purely private and for domestic purposes
EU

• In the case of activities for public safety, defense and national security

「Personal Information Protection
• State activities
Guidelines」
in the area of ​criminal law (investigation, etc.)
• For press purposes, literary or artistic creative activities or expressions
• The collection, production and use of personal information is only within the scope of personal or familial activities.
Case (Article 3 (3))
• Provisions of law, consent of information subjects, prevention of public welfare and public safety violations, criminal and administrative matters
Germany "Federal Personal Information
In case of execution (Article 14 (2))
protection law
• Purpose of contract, important legal interests of data subjects, advertising, market research, public opinion survey, academic research, scientific research
Research (in the case that it is greater than the interest of the data subject and there is no other way), the legal interest of a third party, or
Public interest protection, political, philosophical, religious or trade union purpose (Article 28)
• Purpose of reporting (broadcasting agencies, newspapers, news agencies, and other press agencies)
Japan

• Purpose of writing activities (those who engage in writing as a business)

「Personal Information Protection
• Academic
Act」
research purpose (university or other academic research institution, organization, or its members)
(Article 76)

• Purpose of religious activity (religious organization)
• Purpose of political activity (political organization)

7. Q&A
Q

Are Internet community sites included in social groups?

A

Judging by the type of operation of the blog, the membership agreement, etc., purely for the purpose of friendship or
If it is operated for the purpose of sharing hobbies, it can be regarded as a social group. But formally, friendship,
While claiming to be a hobby, it is practically used as a profit-making means such as product sales, joint purchases, student recruitment, and advertisement orders.
If it is being used, it cannot be regarded as a friendly organization.

383

Page 390
Explanation of personal information protection laws and guidelines and announcements

Article 59 Prohibited acts
Article 59 (Prohibited Acts) A person who has processed or processed personal information shall be subject to any of the following subparagraphs:
You must not engage in the relevant act.
1. Acquisition or processing of personal information by false or other unlawful means or methods
law

Act of obtaining consent
2. To disclose personal information learned in the course of business or to allow others to use it without permission.
act of providing
3. Damage other people's personal information without legitimate authority or exceeding the permitted authority;
Acts of loss, alteration, counterfeiting or disclosure

1. Persons subject to obligations of prohibited acts (Article 59 main text)
In this Article, the person obligated to conduct prohibited acts is 'a person who has processed or processed personal information'. Therefore, individual
Former and current executives and employees who belong to the information controller and are processing or have processed personal information, dispatched employees,
trustee, etc.

2. Acquisition of personal information by fraudulent methods and obtaining consent for processing (No. 1)
A person who has processed or processed personal information is 'personal information by false or other unlawful means or methods.
Acquire information or obtain consent for processing'.
'False' refers to an act that deceives people in the same sense as fraud or deception, and 'other unlawful
'Means or methods' includes blackmail, intimidation, etc., as well as inducing misunderstandings and misunderstandings. Fraud, blackmail, intimidation
There is no limit to the means or methods such as. Active actions or passive omissions, whether verbal or written
(不作爲) or not. Recently, financial institutions, the National Police Agency, tax offices, post offices, courts, national pension management
Impersonating the Corporation, etc. to steal personal information such as card number, resident number, and password from the information subject
Internet phishing (intertet scam) and voice phishing (telephone scam) are typical examples.

3. Unfair use and provision of personal information learned in the course of business (No. 2)
A person who has processed or processed personal information 'discloses personal information learned in the course of work or without authority'
You must not engage in the act of providing for others to use.

384

Page 391

'Personal information learned in the course of business' means that it is sufficient to know by chance in the course of conducting business widely.
It does not necessarily have to be something that you have legitimately learned in the course of performing the task assigned to you.
'Leakage' means providing personal information to others without permission or publicly disclosing it to the outside.
the act of leaking. Individuals who do not have access to personal information may access the personal information.
the act of making it possible
Article 8 Chapter

see
Chick

4. Damage, loss, alteration, counterfeiting, or leakage of other people's information without legitimate authority (Subparagraph 3)
The person who has processed or processed personal information is 'without a legitimate authority or in excess of the permitted authority.
Do not damage, destroy, change, forge or leak personal information of a person. 'just
'Without authority' means as if in a state in which authority was not granted from the beginning or the authority granted was deprived.
It refers to an act done as if you had authority, and even though you were given the authority to 'exceed the permitted authority',
Exercising more than the authority granted to you.
ReferenceGlossary
· Damage: By manipulating, erasing, or otherwise changing the personal information of others, the characteristics, utility and
Acts that damage or infringe on social values
· Destruction: The act of erasing personal information by deleting, disposing, incineration, etc.
· Change: The act of changing the contents of personal information to be different from the original one.
· Forgery: The act of pretending to be real in order to deceive others.

5. RELATIONSHIP TO OTHER LAWS
The “Information and Communications Network Act” provides that a person who handles or has handled user’s personal information has become aware of it in the course of his/her duties.
There are regulations prohibiting the leakage of personal information. Therefore, in this case, the information and communication service provider
You must comply with the obligation to prohibit leakage of personal information in accordance with the Communications Network Act. However, in the 「Personal Information Protection Act」

In addition, the person who processed or processed personal information may damage personal information without legitimate authority, or
In contrast to the prohibition of obtaining consent for personal information processing by other illegal means,
The Communications Network Act does not stipulate this, so information and communications service providers
You must comply with the prohibition obligation under the 「Personal Information Protection Act」.
The “Credit Information Act” stipulates that an executive or employee who has been entrusted with the processing of credit information with a credit information company, etc.
divulge or use personal secrets, such as credit information and privacy, of others that you have learned through business, for other than business purposes
There are rules prohibiting it. Accordingly, credit information companies, etc. are obliged to prohibit leakage under the Credit Information Act.

385

Page 392
Explanation of personal information protection laws and guidelines and announcements

must be complied with. However, in the 「Personal Information Protection Act」, other persons who have processed or processed personal information
Damage to personal information without legitimate authority or consent to processing personal information by false or other illegal means
While it is prohibited to obtain, the “Credit Information Act” does not provide for this.
An executive or employee who has been entrusted with the processing of credit information with a credit information company, etc.
You must comply with the prohibition obligation under the 「Personal Information Protection Act」.
Article 28-2 (Prohibition of Leakage of Personal Information ) ① A person who handles or has handled users' personal information
You must not damage, infringe, or leak personal information that you have learned in the course of your job.
Information and Communications Network Act
② Anyone who is aware of the circumstances in which the personal information has been leaked can use it for profit or unlawful purposes.
No information should be provided.
Article 42 (other business purposes, such as inhibition leakage) ① of credit information in accordance with the credit company and the like Article 17 (2)
Persons who were or were employees of the person entrusted with processing (hereinafter referred to as “person related to the credit information business”)
Credit Information Act
Personal secrets such as credit information and privacy of others (hereinafter referred to as “personal secrets”)
It must not be leaked or used for other than business purposes.

6. Penal provisions
violation

penalty

Personal information by false or other unlawful means or methods
A person who has acquired or obtained consent for the processing of personal information
Imprisonment for not more than 3 years or a fine not exceeding 30 million won
and, knowing the circumstances, use personal information for profit or fraudulent purposes.
(Article 72, subparagraph 2)
recipient
(violation of subparagraph 2 of Article 59)
divulge personal information learned in the course of business or prevent the use of others
Knowing the person who provided it and the circumstances, for profit or forImprisonment
any unlawful for
purpose
not more than 5 years or a fine not exceeding 50 million won
Persons to whom personal information has been provided

(Article 71, subparagraph 5)

(violation of subparagraph 2 of Article 59)
Damage, loss, alteration, counterfeiting, or leakage of other people's personal information
Imprisonment for not more than 5 years or a fine not exceeding 50 million won
one who did the act
(Article 71, subparagraph 6)
(violation of subparagraph 3 of Article 59)

386

Page 393

Article 60 Confidentiality, etc.
Article 60 (confidentiality, etc.) and then find the person who engaged in duties or engage in each of the business
Do not divulge confidential information to others or use it for any purpose other than your duties.
No. However, this is not the case where there are special provisions in other laws.

law

Article 8 Chapter

1. Duties of the Protection Committee under Article 8;

see

2. Impact assessment under Article 33;

Chick

3. Dispute mediation work of the Dispute Mediation Committee under Article 40;

Persons engaged in the work of investigation, inspection, deliberation, evaluation, mediation, etc. under this Act
There are many opportunities to deal with privacy or trade secrets. Accordingly, this Article imposes on them the duty of confidentiality in business.
This is to ensure that the public can cooperate with data submission, opinions, and facility disclosure with confidence.

1. Persons subject to obligations such as confidentiality
Those who are obligated to ensure confidentiality under this Article are the personal information protection committee work, personal information impact assessment work,
Personal Information Dispute Mediation Committee A person who is or has been engaged in dispute mediation. For example, privacy
Former and current members and executives and employees of the Committee or Personal Information Dispute Mediation Committee, former and former personal information impact assessment agencies
Current employees, etc. I am not a former or current member or employee of these organizations, but I
Participate in business as an advisory member or expert member, or participate in tasks such as appraisal, technical advice, and legal advice
Including those who participated.

2. Secrets learned during the job
'Secrets learned on the job' are not only classified as secrets under various laws, but are also classified as secrets according to the prevailing social norms.
Anything that can be recognized is included. That is, from the point of view of the individual, company, or country,
It should be something worthwhile.
For example, according to personal privacy, business secrets, and other political, military, diplomatic, economic and social needs.
Anything that should be treated as confidential can be included. A person engaged in personal information impact assessment
Find out the security vulnerabilities of the organization's information system and leak it in lectures and presentations, or prevent hacking or threats.
Abusing it as a means is a violation of this Act.

387

Page 394
Explanation of personal information protection laws and guidelines and announcements

What secrets did you learn on the job?

case

The current status of personal information files owned by national intelligence agencies, which became known during the deliberation process of the Protection Committee, or investigations in progress
Related content, information on sensitive personal life learned during the mediation process of the Dispute Mediation Committee, and personal information impact assessment work
It refers to matters related to business secrets or information systems, etc., that have been learned in the course of execution.

3. Special provisions in other laws
In cases where there are 'special regulations in other laws', there are exceptions to the disclosure of confidential information and use for other purposes.
allowed For example, in accordance with the 「Act on Testimony and Appraisal, etc. in the National Assembly」 (Article 2), as a witness or reference
If you are requested to appear or give an appraisal, you will be referred to as a witness or reference person in accordance with the Criminal Procedure Act (Articles 146 and 221).
When summoned, etc.
Reference 1 Act on Testimony and Appraisal in the National Assembly
Article (testimony, submission of documents relating to the officially secret) 4000000000000 ① the needs of the witness who was a civil servant or public official from the National Assembly
In the event that a state agency is requested to submit documents, the facts to testify or the contents of documents to be submitted
You cannot refuse to submit testimony or documents on the grounds that they are confidential. However, countries in military/diplomatic/North Korea relations
It is a matter of confidentiality, and the Minister in charge (President and
In the institution to which the Prime Minister belongs, the vindication of the head of the relevant government office) must be submitted within 5 days from the date of receiving the request for testimony, etc.
In this case it is not so.
② If the National Assembly does not accept the clarification under the proviso to paragraph (1), by a resolution of the plenary session, and during the adjournment, the relevant committee
A statement by the Prime Minister to the effect that the submission of testimonies or documents requested by the National Assembly by resolution will harm the vital interests of the State;
You may ask for a name.
③ In case the Prime Minister fails to publish the statement within 7 days from the date of receipt of the request for the statement under paragraph (2)
cannot refuse to submit testimony or documents.

Note 2 Criminal Procedure Law
Article 147 trillion (officially a secret, and Witness eligible) ① civil servants or former civil servants who know the facts about his job
When the person or the public office in question reports that the matter belongs to the official secret, the public office to which he belongs or the supervisor
A witness cannot be questioned without the consent of the public office.
② The public office to which it belongs or the supervisory authority concerned shall not approve, except in cases where it harms the national interest.
can't refuse
Article 149 (Business Secrets and Refusal to Testify) Attorney, patent attorney, notary public, certified public accountant, tax accountant, public accountant, doctor, oriental medical doctor,
Dentist, pharmacist, apothecary, midwife, nurse, person who holds a religious office, or a person who has held such office
You may refuse to testify about other people's secrets as facts that you have learned through a consignment relationship. However, your
Exceptions are made when there is consent or when it is necessary for the serious public interest.

388

Page 395

4. Penalty Regulations
violation

penalty

divulging confidential information or using it for non-official purposes
Imprisonment for not more than 3 years or a fine not exceeding 30 million won
(Violation of Article 60)

(Article 72 subparagraph 3)
Article 8 Chapter

see
Chick

389

Page 396
Explanation of personal information protection laws and guidelines and announcements

Article 61 Presentation of opinions and recommendations for improvement
Article 61 (presenting opinions and recommendations to improve) ① Minister of Government Administration and Home Affairs is affecting privacy
If it is deemed necessary for laws or ordinances containing the contents, the Protection Committee will deliberate and
Opinions may be presented to the relevant authorities through resolution.
② The Minister of the Interior and Home Affairs shall process personal information if deemed necessary for the protection of personal information.
It can recommend improvement of the personal information processing status to the person concerned. In this case, the individual who has been advised
The information controller shall make sincere efforts to implement this, and the results of the measures shall be reviewed.
law

The Minister of Government Administration and Home Affairs should be notified.
③ If the head of the relevant central administrative agency deems it necessary for personal information protection, he/she has jurisdiction
In accordance with the law, the personal information controller may be advised to improve the personal information processing status.
In this case, the personal information controller who has received the recommendation must make a sincere effort to implement it.
and the results of the measures shall be notified to the head of the relevant central administrative agency.
④ Central administrative agencies, local governments, the National Assembly, the courts, the Constitutional Court, and the National Election Commission
To present an opinion on the protection of personal information to the affiliated institution and the public institution under its jurisdiction;
Guidance and inspection are possible.
Article 58 (Recommendation for Improvement and Recommendation for Disciplinary Action) ① Recommendation for improvement and the Act under Article 61 (2) and (3) of the Act
Recommendations for disciplinary action pursuant to Article 65 (2) and (3) shall be made in response to recommendations, reasons for recommendations, and results of actions taken
It should be in a document clearly stating the period, etc.

Enforcement Decree
② A person who has received a recommendation under paragraph (1) shall take necessary measures according to the contents of the recommendation, and report the result.
The Minister of the Interior and Home Affairs or the head of a related central administrative agency shall be notified in writing. but,
If there are special circumstances that make it difficult to take action according to the recommendations,
The reason must be notified.

1. Presentation of opinions on laws and ordinances (paragraph 1)
The Minister of the Interior and Home Affairs shall be responsible for any laws or ordinances containing information affecting the protection of personal information.
If deemed necessary, opinions may be presented to relevant agencies after deliberation and resolution of the Protection Committee. Opinion
Examples of presentation include opinions on the enactment/amendment of laws and regulations of other ministries, local ordinances, and guidelines in the areas under the jurisdiction of each department.
There are proposals, opinions on the enactment and revision of treaties and conventions, etc.
Opponents of opinions are related organizations such as central administrative agencies and local governments. According to the principle of separation of powers
It is prohibited to present opinions to constitutional institutions such as the National Assembly, the courts, the Constitutional Court, and the National Election Commission.
will have to see

390

Page 397

2. Recommendation for improvement of personal information processing status (paragraphs 2 and 3)
A. Recommendation for improvement under the 「Personal Information Protection Act」 (Section 2)
If the Minister of Government Administration and Home Affairs deems it necessary for the protection of personal information, he/she shall send personal information to the personal information controller.
Improvement of treatment conditions can be recommended. Personal information controller’s business practices, internal rules,Article
personal
8 Chapterinformation processing agreement,
Personal information processing policy, transaction terms and conditions, notices, internal training materials, etc. may be subjectsee
to improvement recommendations. Ministry of Government Administration and Home Affairs
Chick

In order to maintain the unity and consistency of law enforcement, the Minister

It can also make recommendations for improvement, and it can be used by other ministries such as financial institutions, medical institutions, educational institutions, and telecommunication companies.
Improvement recommendations can also be made to private companies and organizations. Recommendations for improvement and Article 65 (2) and (3) of the Act
Disciplinary recommendations should be made in a document specifying the recommendations, the reasons for the recommendations, and the period for replying to the results of the measures.

B. Recommendation for improvement under the 'competent law' (paragraph 3)
If there is an individual law related to the protection of personal information, the head of the relevant central administrative agency
It may recommend improvement of the personal information processing status to the information controller. The head of the relevant central administrative agency makes recommendations for improvement
In order to do this, there must be a separate jurisdictional law related to personal information protection, so according to the 「Personal Information Protection Act」
Improvement recommendations cannot be made. Granting the right to recommend improvement to the head of the relevant central administrative agency is unique to that field.
This is to respect specificity and autonomy.

The notification requirements of action results (claim 2, claim 3)
The personal information controller who has received a recommendation for improvement from the Minister of the Interior and Safety or the head of a related central administrative agency
In order to implement this, efforts shall be made in good faith, and the results of the measures shall be reported to the Minister of the Interior or the Ministry of Home Affairs respectively.
The head of the relevant central administrative agency shall be notified. The personal information controller takes necessary measures in accordance with the recommendation for improvement,
Notification of the results shall be in writing. However, if it is judged that it is difficult to take action according to the
In case of special circumstances, the reason must be notified (Article 58 of the Enforcement Decree).

3. Suggestion of opinions on affiliated institutions, etc., guidance and inspection (paragraph 4)
Central administrative agencies, local governments, the National Assembly, the courts, the Constitutional Court, and the National Election Commission are affiliated agencies
and public institutions under the jurisdiction to present opinions on personal information protection, or provide guidance and inspection.
This is to ensure the autonomy of constitutional institutions according to the principle of separation of powers.

391

Page 398
Explanation of personal information protection laws and guidelines and announcements

Article 62 Report, etc. of Infringement
Article 62 (Report, etc. of Infringement) ① When the personal information controller processes personal information,
A person whose rights or interests have been infringed shall notify the Minister of the Interior and Safety of the infringement.
can report
② The Minister of Government Administration and Home Affairs shall efficiently carry out duties related to the reception and processing of reports under paragraph (1).
Specialized institutions may be designated to carry out the work, as prescribed by Presidential Decree.
In this case, the specialized agency establishes and installs a personal information infringement reporting center (hereinafter referred to as “reporting center”).
law

should operate
③ The Reporting Center performs the following tasks:
1. Reception and consultation of reports related to the processing of personal information
2. Investigation and confirmation of facts and listening to the opinions of those concerned;
3. Businesses incidental to business under subparagraphs 1 and 2;
④ The Minister of the Interior and Home Affairs shall efficiently carry out the work of fact investigation and confirmation under paragraph (3) 2.
If necessary for this purpose, in accordance with Article 32-4 of the National Public Officials Act,
It can be sent to a specialized agency.
Article 59 (Report, etc. of Infringement) The Minister of the Interior and Home Affairs shall protect personal information in accordance with Article 62 (2) of the Act.

Enforcement Decree
Efficiently conduct business related to receipt and processing of reports of violations of rights or interests
The Korea Internet & Security Agency is designated as a specialized institution for implementation.
Article 30 (Processing of Reporting of Infringement of Personal Information, etc.) ① Due to the processing of personal information by the personal information controller
A person whose rights or interests regarding personal information have been infringed due to this shall be subject to Article 62 (2) of the Act.
You can report the infringement to the Personal Information Infringement Report Center.
② The Personal Information Infringement Report Center under Paragraph 1 shall perform the following tasks:
1. Reception and consultation of reports related to the processing of personal information
standard guidelines
2. Investigating and confirming facts about the personal information infringement report and listening to the opinions of related parties
3. Guidance of personal information infringement to the personal information controller and inducement of correction
4. As a result of the fact-finding, it is determined that there is no violation of the rights or interests of the information subject.
Closing of the report if judged
5. Resolving grievances through personal information dispute mediation committee mediation guidance, etc. in accordance with Article 43 of the Act
support

1. Report of personal information infringement damage (paragraph 1)
A person whose rights or interests regarding personal information have been infringed by the processing of personal information by the personal information controller
You may report the infringement to the Minister of the Interior and Safety. In addition to the subject of information whose rights and interests have been infringed
However, his/her legal representative or his/her voluntary representative may report on behalf of the data subject.

392

Page 399

2. Establishment and operation of the Personal Information Infringement Report Center (Paragraphs 2 and 3)
In order to efficiently perform duties related to the reception and processing of reports of personal information infringement, the Minister of the Interior and Safety
The Korea Internet & Security Agency (KISA) has been designated as a specialized agency (Article 59 of the Enforcement Decree), and accordingly, Korea Internet
The Agency has established and operates the Personal Information Infringement Report Center (http://privacy.kisa.or.kr). Infringement of personal information
Article 8 Chapter
The Reporting Center receives and consults on reports related to the processing of personal information, and investigates and confirms
facts about the received cases.

and listen to the opinions of stakeholders, and perform other incidental tasks associated with these tasks.

see
Chick

3. Dispatch of public officials belonging to (paragraph 4)
The Minister of the Interior and Home Affairs shall efficiently conduct affairs such as fact-finding and confirmation of the received case (paragraph 3, subparagraph 2).
If it is necessary to perform the duties, the public officials under Article 32-4 of the 「National Public Officials Act」 can be transferred to the Korea Internet
It can be dispatched to the Promotion Agency.
< Personal Information Infringement Report Center website (http://privacy.kisa.or.kr) >

393

Page 400
Explanation of personal information protection laws and guidelines and announcements

Article 63 Request for Data Submission and Inspection
Article 63 (Request for Submission of Data and Inspection) (1 ) The Minister of the Interior and Home Affairs shall submit to any of the following subparagraphs:
In cases where applicable, the personal information controller may be required to submit related materials, documents, etc.
can
1. In the event that a violation of this Act is discovered or it becomes known that there is an allegation
2. When a report or complaint is received for a violation of this Act
3. Other cases necessary for the protection of personal information of information subjects as prescribed by Presidential Decree.
If you decide
② The Minister of Government Administration and Home Affairs shall determine that the personal information controller fails to submit data under paragraph (1), or
If it is recognized that there has been a violation of this Act, the public official under the
You can have them enter an office or business place to inspect the business situation, books, or documents.
In this case, the public official conducting the inspection shall carry a certificate indicating his/her authority and give it to the relevant person.
have to show
③ The head of the relevant central administrative agency shall notify the personal information controller pursuant to paragraph (1) in accordance with the relevant laws.
law

To request the submission of data, or to the personal information controller and related persons related to the violation of the applicable law.
In accordance with paragraph (2), the inspection may be conducted.
④ When the Protection Committee discovers a matter that violates this Act or becomes aware that there is a suspicion,
To the Minister of the Interior and Home Affairs or the head of a related central administrative agency, any part other than each subparagraph of paragraph (1) or paragraph (3)
You may be asked to take action. In this case, the Minister of Government Administration and Home Affairs in receipt of such request; or
The head of the relevant central administrative agency shall comply therewith, unless there are special circumstances.
⑤ The Minister of Government Administration and Home Affairs and the heads of related central administrative agencies receive submissions pursuant to paragraphs (1) and (2), or
Provide the collected documents, data, etc. to a third party, except in cases pursuant to this Act;
It must not be disclosed to the public.
⑥ The Minister of Government Administration and Home Affairs and the heads of related central administrative agencies submit data through information and communications networks.
Personal information, trade secrets, etc. are stored in the case of receiving such information or electronically collecting the collected data.
Institutional and technical supplementary measures should be taken to prevent leakage.
⑦ The Minister of Government Administration and Home Affairs is responsible for the prevention and effective response of personal information infringement incidents.
The personal information protection status can be checked jointly with the head of the central administrative agency.
Article 60 (Request for Submission of Data and Inspection) ① In Article 63 (1) 3 of the Act, “the
In case of infringement of the rights or interests of the information subject, such as personal information leakage,

An event or accident has occurred or is highly likely to occur.
Enforcement Decree
② The Minister of Government Administration and Home Affairs shall request and inspect the submission of data pursuant to Article 63 (1) and (2) of the Act.
Provide necessary support, such as providing technical advice to the head of the Korea Internet & Security Agency for
you can request

394

Page 401

The request for data submission under Article 63 of the Act is to investigate and confirm violations of the Act.
It is distinguished from data submission for information protection policy establishment.

1. Request to submit materials such as goods and documents (paragraphs 1 and 3)
Article 8 Chapter

A Request for data submission in accordance with the 「Personal Information Protection Act」 (paragraph
1)
see
Chick

When the Minister of the Interior and Safety discovers a violation of this Act or detects a suspected violation, he/she shall report and
In the case of receiving a civil complaint, an incident or accident that infringes on the rights or interests of the information subject (personal information leakage)
accident, etc.), in the event that there is a significant possibility of infringement of personal information in the future, to the personal information controller
You can have them submit materials such as related items and documents. The Minister of Government Administration and Home Affairs is responsible for public institutions as well as private companies.
Organizations may also be requested to submit data, and financial institutions, medical institutions, educational institutions, telecommunication companies, etc.
You can also request data submission from private companies or organizations under the jurisdiction of other ministries. This is law enforcement
This is to maintain unity and consistency.

B. Request for data submission under the 'competent law' (paragraph 3)
The head of the relevant central administrative agency has a separate law (Information and Communications Network Act, Credit Information Act, etc.) related to personal information protection.
In this case, the personal information controller may request the submission of data pursuant to Paragraph 1 in accordance with the relevant laws. but,
The head of the relevant central administrative agency cannot request data submission pursuant to the 「Personal Information Protection Act」. relationship center
Granting the right to request the submission of improvement materials to the head of an administrative agency is to respect the specificity and autonomy of the field.
it is for

2. Entry and inspection of offices and workplaces (paragraphs 2 and 3)
A. Access and inspection in accordance with the 「Personal Information Protection Act」 (Section 2)
The Minister of the Interior and Home Affairs may find that the personal information controller has failed to submit data or has violated this Act.
If it is recognized, the public official under his/her authority can enter the office or business place of the personal information manager to determine the business situation,
You can have books or documents inspected. In addition, the Minister of Government Administration and Home Affairs is responsible for not only public institutions but also private companies
Organizations can also request access and inspection, and financial institutions, medical institutions, educational institutions, telecommunication companies, etc.
You can also request access and inspection from private companies or organizations under the jurisdiction of other ministries. This is law enforcement
This is to maintain unity and consistency.

395

Page 402
Explanation of personal information protection laws and guidelines and announcements

B. Entry and inspection according to the 'competent law' (paragraph 3)
The head of the relevant central administrative agency must comply with the relevant laws (Information and Communications Network Act, Credit Information Act, etc.) related to personal information protection.
If there is, in accordance with the relevant laws, the office of the personal information manager and the person concerned in relation to the violation of the relevant law
You can have them enter the workplace and inspect the business status, books, or documents. However, related central administration
The head of the institution is not allowed to enter and inspect based on the 「Personal Information Protection Act」. of related central administrative agencies
The right to request the submission of improved materials was given to the chapter to respect the specificity and autonomy of the field.

C. Obligation to present proof to related persons (the latter part of Paragraph 2)
When a public official enters the office or business place of the personal information controller and related persons related to the violation of the applicable law,
If you wish to inspect the business situation, books or documents, you must bring a certificate indicating the authority
This must be shown to the concerned person.

3. Request for data submission and recommendation for access/inspection (paragraph 4)
If the Protection Committee finds a violation of this Act or becomes aware that there is a suspicion, the Ministry of Government Administration and Home Affairs
To have the Minister or the head of a related central administrative agency take measures other than in each subparagraph of Paragraph (1) or under Paragraph (3);
can request In this case, the Minister of the Interior and Home Affairs or the head of a related central administrative agency in receipt of such request
If there is no circumstance, you must respond.

4. Prohibition of provision and disclosure of documents, materials, etc. (Paragraph 5)
The Minister of Government Administration and Home Affairs and the heads of related central administrative agencies may receive or collect documents submitted or collected from the personal information controller.
Except in cases in accordance with this Act, data, etc. shall not be provided to a third party or disclosed to the public.
No.

5. Protection of personal information and trade secrets (paragraph 6)
The Minister of the Interior and Home Affairs and the heads of related central administrative agencies have received data submissions, etc. through the information and communications network.
In case of electronic cases or collected data, personal information, trade secrets, etc. are not leaked.
Institutional and technical supplementary measures should be taken.

396

Page 403

6. Prohibition of provision or disclosure of documents, data, etc. (Paragraph 7)
In order to prevent and effectively respond to personal information infringement incidents, the Minister of the Interior and Home Affairs is responsible for the management of relevant central administrative agencies.
You can check the status of personal information protection jointly with the chapter. This is to minimize overlapping regulations between ministries.
will be.
Article 8 Chapter

see

7. Support from specialized institutions such as technical advice (Article 60 (2) of the Decree)Chick
The Minister of the Interior and Home Affairs shall, if necessary for the request for data submission and inspection, etc.,
You can request the necessary support, such as consulting the chief on technical matters.

8. RELATIONSHIP TO OTHER LAWS
The ｢Information and Communications Network Act｣ is a case in which a violation of the law is discovered or it is known that there is a suspicion of a violation of the law.
When a report is received or a civil complaint is received, the information and communication service provider, etc. shall submit related items, documents, etc.
There are regulations on the request for data submission so that this can be done. However, the Korea Communications Commission
In order to request information and communication service providers, etc. to submit data on matters in violation of the Communications Network Act
In the event that violations of the Personal Information Protection Act are found, the Minister of the Interior and
Service providers, etc. may be requested to submit data in accordance with the Personal Information Protection Act.
In accordance with the Credit Information Act, the Financial Services Commission requires that credit information companies, etc., comply with orders under the Credit Information Act.
It is possible to supervise whether a credit information company, etc. is doing business and to order a report on the status of its assets for this purpose.
In case of refusing, obstructing, or evading the inspection and request of the Financial Services Commission, a fine of less than 10 million won may be imposed.
are being charged However, this applies to matters in which the Financial Services Commission violates the Credit Information Act.
Since it is to make an order, it is possible for credit information companies, etc., to find violations of the Personal Information Protection Act.
In this case, the Minister of the Interior and Home Affairs may request data submission in accordance with the Personal Information Protection Act.

Article 64 (Submission of Data, etc.) ① The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall
In cases falling under one of the following cases, information and communications service providers, etc. (including persons subject to mutatis mutandis pursuant to Article 67;
Hereinafter, the same shall apply in this Article) to submit related articles, documents, etc.
1. In the event that a violation of this Act is discovered or it is known that there is an allegation
Information and Communications Network Act
2. When a report or complaint is received for a violation of this Act
2 of 2. An incident or accident that significantly impairs the security and reliability of user information has occurred; or
If it is likely to happen
3. Other cases prescribed by Presidential Decree as necessary for the protection of users.

397

Page 404
Explanation of personal information protection laws and guidelines and announcements

Article 45 (Supervision, Inspection, etc.) (1 ) The Financial Services Commission shall, with respect to credit information companies, etc., comply with this Act or this Act;
Supervise compliance with orders.
② The Financial Services Commission shall, if necessary for supervision under paragraph (1), provide its business and property to credit information companies, etc.
It can give necessary orders, such as reporting on the situation.
⑦ The Financial Services Commission shall prevent the credit information business in violation of this Act or an order issued under this Act by a credit information company, etc.
If it is recognized that there is a risk of harming sound management and the rights and interests of credit information subjects, any of the following
take measures falling under any of the preceding items, or have the Governor of the Financial Supervisory Service comply with the provisions of subparagraphs 1 through 3;
appropriate action can be taken.
1. Cautions or warnings to credit information companies, etc.
Credit Information Act
2. Cautions or Warnings to Officers
3. Responsibilities such as caution and honesty, reduction of wages, and reprimands to employees
4. Recommendations for dismissal of executives, requests for suspension of duties, or requests for dismissal of employees
5. Order to correct violations
6. Suspension of Credit Information Provision
Article 52 (Fine for Negligence) (4 ) A person who falls under any of the following subparagraphs shall be subject to a fine for negligence not exceeding 10 million won.
charge
13. Failing to comply with an order under Article 45 (2) through (4) or complying with an inspection or request
A person who refuses, interferes with or evades

398

Page 405

Articles 64 to 66

Corrective action, accusation and recommendation of disciplinary action, etc.

Article 64 (Corrective Measures, etc.) (1 ) The Minister of Government Administration and Home Affairs shall determine that personal information has been infringed.
There is evidence that there is a risk of irreparable damage if left unattended.
If recognized, a person who violates this Act (central administrative agency, local government, National Assembly,
court, Constitutional Court,
Article 8 Chapter
(excluding the National Election Commission) to take measures falling under each of the following subparagraphs:
see

can

Chick

1. Suspension of Personal Information Infringement
2. Temporary suspension of personal information processing
3. Other measures necessary to protect personal information and prevent infringement
② The head of the relevant central administrative agency has substantial grounds to determine that personal information has been infringed and
If it is recognized that there is a risk of irreparable damage if neglected,
Accordingly, the personal information controller may be ordered to take measures falling under each subparagraph of paragraph (1).
③ Local governments, the National Assembly, the courts, the Constitutional Court, and the National Election Commission are affiliated organizations
and when the competent public institution violates this Act, measures falling under each subparagraph of Paragraph 1 shall be taken.
can be ordered
④ The Protection Committee consists of central administrative agencies, local governments, the National Assembly, the courts, the Constitutional Court, and the central election.
When the management committee violates this Act, it shall notify the head of the relevant institution in each subparagraph of paragraph (1).
Appropriate action may be recommended. In this case, the institution receiving the recommendation
law

If there is no reason, this should be respected.
Article 65 (Accusation and Recommendation of Disciplinary Action) ① The Minister of the Interior and Safety shall notify the personal information controller to personal information such as this Act.
A substantial amount that can be recognized as a crime due to a violation of laws and regulations related to information protection
If there is a good reason, you may file a complaint with the competent investigation agency.
② If the Minister of the Interior and Home Affairs has violated laws related to personal information protection, such as this Act,
When there is a good reason to be recognized, the person responsible (representative and responsible person)
(including executives) may be recommended to the personal information controller. in this case
The person who received the recommendation should respect it and notify the Minister of the Interior and Home Affairs of the result.
shall.
③ The head of the relevant central administrative agency shall comply with Paragraph (1) regarding the personal information controller in accordance with the relevant laws.
A person may file an accusation in accordance with paragraph (2) or make a disciplinary recommendation to the head of an affiliated institution or organization.
have. In this case, a person who has received a recommendation under paragraph (2) shall respect it, and the result
The head of the relevant central administrative agency shall be notified.
Article 66 (Publication of Results) ① The Minister of the Interior and Safety shall recommend improvement under Article 61 and
Corrective action order, accusation or disciplinary recommendation under Article 65, and a fine for negligence under Article 75
The contents and results of the imposition may be announced after deliberation and resolution of the Protection Committee.
② The head of the relevant central administrative agency may make a public announcement pursuant to paragraph (1) in accordance with the competent laws.
③ Methods, standards and procedures for publication pursuant to paragraphs (1) and (2) shall be prescribed by Presidential Decree.

399

Page 406
Explanation of personal information protection laws and guidelines and announcements

Article 61 (Publication of Results) ① The Minister of Government Administration and Home Affairs and the heads of related central administrative agencies are Article 66 (1) of the Act
In accordance with Paragraph 2, the following matters are applied to the Internet homepage or to the promotion of newspapers, etc.
In accordance with the “Act on the Promotion of Public Relations,” published in general daily newspapers, etc.
can do.
1. Details of the violation
2. A person who has committed a violation
Enforcement Decree
3. Contents and results of recommendations for improvement, orders for corrective actions, accusations, recommendations for disciplinary action, and imposition of fines for negligence
② The Minister of the Interior and Safety and the heads of related central administrative agencies shall comply with Article 66 (1) and (2) of the Act.
In the case of public announcement of the matters falling under each subparagraph of Paragraph 1, the content and degree of the violation, and the duration of the violation
and the number of violations, the scope of damage caused by the violation, and the consequences.
③ Protection under Article 66 (1) of the Act by the Minister of the Interior and Home Affairs and the heads of related central administrative agencies
Before requesting the committee for deliberation and resolution, inform the subject of the announcement that he/she is the subject of the announcement.
Opportunities must be given to submit explanatory materials or to state opinions.

The Personal Information Protection Act takes corrective action when it is confirmed that the personal information controller has violated the law through reporting and investigation.
Violation of the law by correcting illegal acts through orders, etc., and making prosecution and punishment for criminal acts, etc.
Various post-remedies and sanctions are in place to prevent repeated actions.

1. Corrective Action Order (Article 64 Paragraph 1, Paragraph 2, Paragraph 3)
The Minister of Government Administration and Home Affairs or the head of a related central administrative agency may report, investigate, etc.
If a violation is confirmed, corrective measures may be ordered to correct the violation. corrective action, etc.
There are substantial grounds to believe that personal information has been infringed due to a violation of this Act.
If left unattended, it should be recognized that there is a risk of damage that is difficult to recover from.
The Minister of the Interior and Home Affairs or the head of a related central administrative agency shall suspend the infringement of personal information,
Temporary suspension or other necessary measures to protect personal information and prevent infringement may be ordered.
'Other measures necessary to protect personal information and prevent infringement' include blocking personal information leakage sites;
It may include technical and administrative protection measures, revision of the privacy policy or terms and conditions.
The Minister of the Interior and Home Affairs may order corrective measures not only for public institutions but also for private companies, organizations, and individuals.
However, with respect to central administrative agencies, local governments, the National Assembly, courts, the Constitutional Court, and the National Election Commission,
Corrective action cannot be ordered. In addition, the Minister of Government Administration and Home Affairs issues an order for corrective measures to local governments.
However, corrective measures may be ordered for local public corporations, local governments, etc. of the relevant local government.

400

Page 407

The head of the relevant central administrative agency has substantial grounds to determine that personal information has been infringed, and
If it is recognized that there is a risk of irreparable damage if left unattended,
If there is an individual law, corrective measures may be ordered according to the competent law.
Local governments, the National Assembly, the courts, the Constitutional Court, and the National Election Commission are
When this Act is violated, measures falling under each subparagraph of paragraph (1) may be ordered.
Article 8 Chapter

see
Chick

2. Recommendation of corrective measures (Article 64 (4))

Central administrative agencies, local governments, the National Assembly, the courts, the Constitutional Court, and the National Election Commission have violated this Act.
In this case, the Protection Committee shall notify the head of the relevant institution to suspend the infringement of personal information and temporarily suspend the processing of personal information.
Suspension or other measures necessary to protect personal information and prevent infringement may be recommended. protect
The institution that has received the committee's recommendation for corrective action shall respect it unless there is a special reason. the protection committee
In order to recommend corrective measures to central administrative agencies, local governments, etc., in accordance with Article 8 of this Act,
It must go through deliberation and resolution.

3. Prosecution of Law Violators and Recommendation of Disciplinary Action (Article 65)
Provisional complaint to the investigation agency (paragraphs 1 and 3)
The Minister of the Interior and Home Affairs shall notify the personal information controller for any violations of laws related to personal information protection such as this Act.
When there is a good reason to believe that a crime is suspected, it may be reported to the competent investigative agency.
can
The head of the relevant central administrative agency may also file an accusation pursuant to Paragraph 1 against the personal information controller in accordance with the relevant laws.
can do. However, since the head of the relevant central administrative agency can only file an accusation in accordance with the 'competent law',
If there is no relevant provision in a separate competent law, an accusation cannot be made.

B. Recommendation of disciplinary action against affiliated organizations (paragraphs 2 and 3)
The Minister of the Interior and Home Affairs shall be responsible for any violations of laws related to the protection of personal information such as this Act.
When there is a good reason, it is recommended that the responsible person (including the representative and responsible executives) be disciplined.
It can be recommended to the head of the affiliated institution, organization, etc.

401

Page 408
Explanation of personal information protection laws and guidelines and announcements

The head of a related central administrative agency has a law related to personal information protection (Information and Communications Network Act, Credit Information Act).
Only in such cases, disciplinary action may be recommended to the head of the affiliated institution or organization in accordance with the relevant laws. relationship center
The head of an administrative agency can only recommend disciplinary action in accordance with the 'competent law', so
Without regulations, disciplinary action cannot be recommended.
Disciplinary recommendations pursuant to Article 65 (2) and (3) of the Act include recommendations, reasons for recommendations, and the period for replying to the results of measures.
It must be documented clearly. A person who has received a disciplinary recommendation must respect it, and according to the contents of the recommendation, it is necessary to
take action and notify the result in writing to the Minister of the Interior and Safety or the head of a related central administrative agency.
do. However, if there are special circumstances that make it difficult to take action according to the recommendations,
should be notified

4. Publication of results of corrective action orders, etc. (Article 66 (1) and (2))
The Minister of the Interior and Home Affairs shall make recommendations for improvement (Article 61), orders for corrective measures (Article 64), accusations or disciplinary actions under this Act.
The contents and results of the recommendation (Article 65) and the imposition of a fine for negligence (Article 75) may be published on the Internet website, etc. administration
The disposition result disclosure system aims to raise awareness by disclosing the results of administrative dispositions for violations of the Personal Information Protection Act.
It is a system introduced for
The head of the relevant central administrative agency makes recommendations for improvement (Article 61), orders for corrective measures (Article 64), and accusations in accordance with the relevant laws.
Alternatively, the contents and results of the disciplinary recommendation (Article 65) and the imposition of a fine for negligence (Article 75) may be published on the Internet website, etc.
have. The head of the relevant central administrative agency may publish the results of the order for corrective measures, etc. in accordance with the 'competent law'.
Recommendation for improvement (Article 61), order for corrective action (Article 64), accusation or disciplinary action in accordance with this Act
The results cannot be published unless there is a separate provision that is equivalent to the recommendations (Article 65) and the imposition of a fine for negligence (Article 75).
none.

5. Method, procedure, etc. of publication of results (paragraph 3)
Provisional method of result announcement (Article 61 (1) of the Decree)
If the Minister of the Interior and Home Affairs or the head of a related central administrative agency intends to announce the results of the order for corrective measures, etc.
In this case, the details of the violation, the person who committed the violation, recommendation for improvement, order for corrective action, accusation, recommendation for disciplinary action, and
The contents and results of the imposition of a fine for negligence are distributed nationwide on the Internet website or in accordance with the 「Newspapers, etc. Promotion Act」.
It may be published in general daily newspapers, etc.

402

Page 409

B. Considerations for publication of results (Article 61 (2) of the Decree)
If the Minister of the Interior and Home Affairs or the head of a related central administrative agency intends to announce the results of the order for corrective measures, etc.
In some cases, the content and degree of the violation, the period and number of violations, and the extent of damage caused by the violation
and results should be considered.
Article 8 Chapter

see

The procedure of the published results (claim 1, wherein the Young claim 61, paragraph 3)

Chick

If the Minister of the Interior and Home Affairs or the head of a related central administrative agency intends to announce the results of the order for corrective measures, etc.
In this case, it must go through deliberation and resolution of the Protection Committee (paragraph 1). In addition, the Minister of Government Administration and Home Affairs or the relevant central
The head of an administrative agency informs the person subject to disclosure of the fact that he or she is the subject of disclosure before requesting the Protection Committee for deliberation and resolution.
An opportunity to submit explanatory materials or make a statement of opinion shall be given by notification (Article 61 (3) of the Decree).

6. Relationship with other laws
The 「Information and Communications Network Act」 provides that the Korea Communications Commission shall take corrective measures against information and communication service providers, etc. who have violated this Act.
There are rules that can be ordered. However, if the information and communication service provider, etc. has violated the 「Personal Information Protection Act」
In this case, the Ministry of Government Administration and Home Affairs may order corrective measures in accordance with the Personal Information Protection Act.
The “Credit Information Act” requires the Financial Services Commission and the Financial Supervisory Service to require that credit information companies, etc. comply with this Act or this Act.
There is a risk of harming the sound management of the credit information business and the rights and interests of the credit information subject in violation of the order.
If recognized, caution or warning to credit information companies, etc., caution or warning to executives, or to employees
Demand for caution and suspension, wage reduction, reprimand, etc., recommendation for dismissal of executives, request for suspension of duties, or request for employee reprimand, etc.
It may take measures such as a request for removal from office, a correction order for violations, and suspension of the provision of credit information.
However, even in this case, if a credit information company, etc. violates the Personal Information Protection Act, the Ministry of Government Administration and Home Affairs
Corrective measures may be ordered in accordance with the Personal Information Protection Act.
Article 64 (Submission of Data, etc.) ④ The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall
Provide the information and communications service provider, etc. with corrective measures necessary to stop or correct the violation.
order to take corrective action, and to issue a corrective action order to the information and communications service provider, etc. who received the corrective action order.
You can make it publicly available. In this case, matters necessary for the method, standards, procedures, etc. of publication shall be
Information and Communications Network Act
determined by Presidential Decree.
⑤ The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall order necessary corrective measures pursuant to paragraph (4).
In this case, the fact that corrective measures have been ordered may be disclosed. In this case, the method, standard and procedure of disclosure, etc.
Necessary matters shall be prescribed by Presidential Decree.

403

Page 410
Explanation of personal information protection laws and guidelines and announcements

Article 45 (Supervision, Inspection, etc.) (1 ) The Financial Services Commission shall, with respect to credit information companies, etc., comply with this Act or this Act;
Supervise compliance with orders.
② The Financial Services Commission shall, if necessary for supervision under paragraph (1), provide its business and property to credit information companies, etc.
It can give necessary orders, such as reporting on the situation.
⑦ The Financial Services Commission shall prevent the credit information business in violation of this Act or an order issued under this Act by a credit information company, etc.
If it is recognized that there is a risk of harming sound management and the rights and interests of credit information subjects, any of the following
take measures falling under any of the preceding items, or have the Governor of the Financial Supervisory Service comply with the provisions of subparagraphs 1 through 3;
appropriate action can be taken.
1. Cautions or warnings to credit information companies, etc.
Credit Information Act
2. Cautions or Warnings to Officers
3. Responsibilities such as caution and honesty, reduction of wages, and reprimands to employees
4. Recommendations for dismissal of executives, requests for suspension of duties, or requests for dismissal of employees
5. Order to correct violations
6. Suspension of Credit Information Provision
Article 52 (Fine for Negligence) (4 ) A person who falls under any of the following subparagraphs shall be subject to a fine for negligence not exceeding 10 million won.
charge
13. Failing to comply with an order under Article 45 (2) through (4) or complying with an inspection or request
A person who refuses, interferes with or evades

404

Page 411

Article 67 Annual Report
Article 67 (Annual Report) ① The Protection Committee receives necessary data from the relevant agencies, etc.
Every year, a report on the establishment and implementation of personal information protection policies is prepared and the regular National Assembly is held.
It must be submitted to the National Assembly (including submission through information and communications networks) before the due date.
② The report under paragraph (1) shall include the contents of each of the following subparagraphs:

Article 8 Chapter

see

1. Infringement of rights of data subjects and their remedies

Chick

2. Results of fact-finding investigations on personal information processing, etc.
3. Current status and performance of personal information protection policies
4. Overseas legislation and policy trends related to personal information
5. Other matters to be disclosed or reported regarding personal information protection policies
[Enforcement Date: March 30, 2017] Article 67 (2) 5

law

Article 67 (Annual Report) ① The Protection Committee receives necessary data from the relevant agencies, etc.
Every year, a report on the establishment and implementation of personal information protection policies is prepared and the regular National Assembly is held.
It must be submitted to the National Assembly (including submission through information and communications networks) before the due date.
② The report under paragraph (1) shall include the contents of each of the following subparagraphs:
1. Infringement of rights of data subjects and their remedies
2. Results of fact-finding investigations on personal information processing, etc.
3. Current status and performance of personal information protection policies
4. Overseas legislation and policy trends related to personal information
5. Acts related to resident registration number processing, Presidential Decree, National Assembly Rules, Supreme Court Rules, Constitutional Court Rules,
The enactment and revision of the National Election Commission Rules and the Board of Audit and Inspection Rules
6. Other matters to be disclosed or reported regarding personal information protection policies

Annual report refers to a report prepared every year on the establishment and implementation of personal information protection policies.
The annual report contains information on infringement of rights of information subjects and their remedies, as well as an investigation into the actual condition of personal information processing, etc.
As a result, the current status and performance of personal information protection policies, overseas legislation and policy trends related to personal information, and other
Matters to be disclosed or reported on the personal information protection policy should be included.
The annual report is submitted by the Protection Committee to related organizations (Ministry of Government Administration and Home Affairs, related central administrative agencies, local governments, constitutional agencies,
Personal Information Dispute Mediation Committee, etc.)
submitted to the parliament

405

Page 412
Explanation of personal information protection laws and guidelines and announcements

Article 68 Delegation and Entrustment of Authority

Article 68 (Delegation and Entrustment of Authority) (1 )
The powers of the head of the mayor, as prescribed by Presidential Decree, are in part to the Special Mayor, Metropolitan City Mayor, Do Governor,
It may be delegated or entrusted to the Special Self-Governing Province Governor or a specialized agency prescribed by Presidential Decree.
② Delegating the authority of the Minister of Public Administration and Security or the head of a related central administrative agency pursuant to paragraph (1);

law

The entrusted institution shall report the results of the delegated or entrusted tasks to the Minister of the Interior and Safety or the
The head of the relevant central administrative agency shall be notified.
③ The Minister of the Interior and Home Affairs may delegate or entrust part of his/her authority to a specialized institution under paragraph (1).
In this case, the expenses necessary for the performance of the relevant specialized institution may be contributed.
Article 62 (Entrustment of Authority) ① Deletion
② The Minister of the Interior and Home Affairs shall be responsible for the provision of alternative subscription means pursuant to Article 24-2 (4) of the Act.
Authority may be entrusted to any of the following organizations.
1. Korea Regional Information Development Institute under Article 72 (1) of the 「Electronic Government Act」;
2. Korea Internet & Security Agency
3. Technical and financial resources that can safely perform development, provision, and management of alternative subscription means;
A corporation recognized by the Minister of Government Administration and Home Affairs recognized as possessing the capabilities and facilities;
Institutions and organizations

③ The Minister of Government Administration and Home Affairs entrusts the following authority to the Korea Internet & Security Agency.
Enforcement Decree
1. Education and publicity regarding the protection of personal information under subparagraph 1 of Article 13 of the Act;
2. Development of criteria for nurturing relevant experts and impact assessment under Article 33 (5) of the Act;
3. Reception and processing of requests for inspection pursuant to Article 35 (2) of the Act;
4. Request for data submission and inspection pursuant to Article 63 of the Act (infringement of personal information pursuant to Article 62 of the Act)
Only matters related to the reception, processing and consultation of reports received at the Report Center)
5. Receipt of an application for designation of an evaluation institution under Article 37 (2) and pursuant to paragraph (6) of the same Article;
Reception of reports
④ In cases where the Minister of the Interior and Safety entrusts authority pursuant to paragraph (2), the trustee and entrustment
work should be announced.

1. Delegation of authority to local governments (paragraph 1)
The powers of the Minister of the Interior and Home Affairs or the heads of related central administrative agencies are partially as prescribed by Presidential Decree.
It may be delegated to the Special Mayor, Metropolitan City Mayor, Do Governor, or Special Self-Governing Province Governor.

406

Page 413

2. Entrustment of authority to specialized institutions (paragraph 3, Article 62 of the Decree)
The Minister of Government Administration and Home Affairs grants the following powers to specialized institutions such as the Korea Local Information Development Institute and the Korea Internet & Security Agency.
entrust However, support for the provision of alternative means of subscription pursuant to Article 24-2 (4) of the Act is currently limited to local information in Korea.
It is entrusted only to the development institute.
Article 8 Chapter

When the Minister of the Interior and Home Affairs delegates or entrusts part of his/her authority, he/she shall supervise the performance of the relevant specialized agency.
see

The necessary expenses may be contributed.

Chick

specialized institution

Consignment authority details

Korea area information
· Support for provision of alternative subscription means pursuant to Article 24-2 (4) of the Act
developer
· Education and publicity related to personal information protection pursuant to Article 13 (1) of the Act
· Development of criteria for nurturing relevant experts and impact assessment in accordance with Article 33 (5) of the Act
· Reception and processing of requests for inspection pursuant to Article 35 (2) of the Act

Korea Internet
promotion agency

· Request and inspection of data submission pursuant to Article 63 of the Act (infringement of personal information pursuant to Article 62 of the Act)
Only matters related to the reception, processing and consultation of reports received at the Report Center)
· Reception of application for designation of evaluation agency pursuant to Article 37 (2) of the Act and in paragraph (6) of the same Article
Receipt of reported matters

3. Notification of results of delegation and entrusted work (paragraph 2)
Institutions delegated or entrusted with the authority of the Minister of the Interior or the head of a related central administrative agency
The results of the entrusted work shall be notified to the Minister of the Interior and Safety or the head of a related central administrative agency.

407

Page 414
Explanation of personal information protection laws and guidelines and announcements

Article 69 Agenda for Public Officials at the Time of Application of Penalty Provisions
Article 69 (Legend of Public Officials in Application of Penal Provisions) The Minister of the Interior and Home Affairs or the head of a related central administrative agency
law

From Article 129 of the Criminal Act, executives and employees of related organizations engaged in entrusted duties
In applying the provisions of Article 132, he/she shall be deemed a public official.

of the relevant institutions engaged in the affairs entrusted by the Minister of the Interior and Home Affairs or the head of the relevant central administrative agency;
Executives and employees are subject to Article 129 (bribery, pre-acceptance), Article 130 (bribery to a third party), Article 131 (Corruption after bribery) of the Criminal Act.
In the application of the provisions of Article 132 (receipt of acceptance), he shall be regarded as a public official. of the entrusted work
This is because the duty of integrity equivalent to that of public officials is imposed by its nature. 'Seeing as a public official' means that the general public
In this case, it means that even if it is an act that will not be punished, it will be considered as a public official and punished.
criminal law
Article 129 (Acceptance, Advance Acceptance) ① When a public official or arbitrator accepts, demands or promises a bribe in relation to his/her duties;
In this case, imprisonment for not more than 5 years or suspension of qualifications for not more than 10 years shall be imposed.
② A person who will be a public official or an arbitrator receives a solicitation in connection with his/her duties and accepts, demands, or receives a bribe
If he or she becomes a public official or arbitrator after making an appointment, he or she shall be punished by imprisonment for not more than 3 years or suspension of qualifications for not more than 7 years.
Article 130 (Offering of Bribes to Third Parties ) A public official or arbitrator receives an improper solicitation in connection with his/her duties to a third party
A person who makes a bribe pay, demands or promises to pay a bribe, imprisonment for not more than 5 years or a person not exceeding 10 years
put to a standstill
Article 131 (Corruption after Acceptance, Acceptance after Acceptance) (1 ) When a public official or arbitrator commits the crime of the preceding 2 Articles and commits an unjust act;
In this case, he shall be sentenced to fixed-term imprisonment of not less than one year.
② After a public official or arbitrator has committed an unlawful act in the course of his/her duties, accepting, demanding, or promising a bribe;
The same penalty as in the preceding paragraph applies to the case of having a third party donate it, or requesting or promising to donate it.
③ A person who used to be a public official or an arbitrator receives a solicitation while in office and commits an unjust act in the course of his/her duties and then accepts a bribe
When receiving, demanding or promising, imprisonment for not more than 5 years or suspension of qualifications for not more than 10 years.
④ In the case of the preceding 3 paragraphs, suspension of qualifications for not more than 10 years may be concurrently imposed.
Article 132 (Conciliation of Mediation) With respect to mediation of matters pertaining to the duties of other public officials using their position
A person who accepts, demands or promises a bribe shall be punished by imprisonment for not more than three years or suspension of qualifications for not more than seven years.

408

Page 415

Chapter 9 Penalties
Article 70 Penalty
Article 71 Penalty
Article 72 Penal Provisions
Article 73 Penalty
Article 74 Concession provisions
Article 74-2 Confiscation, Additional Collection, etc.
Article 75 Fine for Negligence
Article 76 (Special Cases of Application of Regulations on Fines for Negligence)

Page 417
416

Articles 70~73

penalty

Article 70 (Penalty Provisions) A person who falls under any of the following subparagraphs shall be punished by imprisonment with labor for not more than 10 years or by 100 million won.
be subject to the following fines:
1. Any information that is being processed by a public institution for the purpose of interfering with the personal information processing business of the public institution;
By changing or erasing personal information, serious problems such as suspension or paralysis of the performance of public institutions
person who caused trouble
2. An individual being processed by another person by fraudulent or other unlawful means or methods;

Article 9, Chapter

A person who obtains information and provides it to a third party for profit or fraudulent purposes

bee
Chick

teacher, facilitator

Article 71 (Penalty Provisions) A person who falls under any of the following subparagraphs shall be punished by imprisonment for not more than five years or 50 million won.
be subject to the following fines:
1. Even though it does not fall under Article 17 (1) 2, in violation of subparagraph 1 of the same paragraph,
A person who provided personal information to a third party without consent and knowing the circumstances
person to whom information has been provided
2. Individuals in violation of Article 18 (1) and (2), 19, 26 (5) or 27 (3);
The person who uses the information or provides it to a third party and the person who is aware of the situation
A person who has been provided with personal information for the purpose
3. A person who has processed sensitive information in violation of Article 23 (1);
law

4. A person who has processed uniquely identifiable information in violation of Article 24 (1);
5. In violation of subparagraph 2 of Article 59, personal information acquired in the course of business is leaked or without authority
The person who provided it for others to use and the circumstances of the person knowingly but making a profit or dishonest
A person who has been provided with personal information for the purpose
6. In violation of subparagraph 3 of Article 59, damage, loss, alteration, forgery, or falsification of another person's personal information;
leaker
Article 72 (Penalty Provisions) A person who falls under any of the following subparagraphs shall be punished by imprisonment for not more than three years or 30 million won.
be subject to the following fines:
1. In violation of Article 25 (5), a video image for a purpose different from the purpose of installation of the image information processing device;
A person who arbitrarily manipulates an information processing device or illuminates other places, or a person with a recording function
who used it
2. In violation of subparagraph 1 of Article 59, an individual by fraud or other unlawful means or methods;
A person who has obtained information or obtained consent for the processing of personal information and the circumstances thereof
A person who knowingly received personal information for profit or unlawful purposes
3. In violation of Article 60, divulging secrets learned on the job or other than for the purpose of official duties;
person who used
Article 73 (Penalty Provisions) A person who falls under any of the following subparagraphs shall be punished by imprisonment for not more than two years or 2,000
shall be punished by a fine not exceeding ten thousand won.

411

Page 418
Explanation of personal information protection laws and guidelines and announcements

1. To secure safety in violation of Article 23 (2), 24 (3), 25 (6) or 29;
Failure to take necessary measures may result in loss, theft, leakage, forgery, falsification, or loss of personal information.
the damaged one
2. Individuals without taking necessary measures, such as correction or deletion, in violation of Article 36 (2);
A person who continues to use the information or provides it to a third party
3. Continue to use personal information without stopping the processing, in violation of Article 37 (2);
A person who provided it to a third party
Violations of this law are subject to the importance of protection, the size of the expected damage, and the social cost.
It stipulates that criminal penalties are imposed in four stages.

condolences

violation

penalty level

1. Personal information processing of public institutions
public institutions for the purpose of interfering with

Reason for sanctions
☞ Interruptions in the performance of various public duties of administrative agencies
may occur, and due to the occurrence of administrative errors

change the personal information we process; or
The potential for infringement of the rights and interests of the general public is very high.
10 years or less
Canceled to prevent public institutions from performing their duties
In addition, the obstruction of the work of administrative agencies
imprisonment or
Article 70
a person who has caused serious disturbance
Strong sanctions for intentional or malicious intent
less than 100 million won
2. By false or other unlawful means or methods;
☞ Personal information processed by others
After obtaining personal information, for-profit Fine
or
Due to illegally acquired and illegally distributed
to a third party for an unlawful purpose

The act of obtaining huge unfair profits is strictly prohibited.

A person who provides or arranges for it

raise the need to punish

1. Personal information without the consent of the information subject
A person who provided it to a third party

(Including those who were provided with knowledge of the circumstances)
2. Knowing the circumstances of illegal information and personal information
☞ In case of leakage of sensitive information and unique identification information
A person who uses or provides
Possibility of infringement of rights and interests of information subjects such as privacy
(Knowing the circumstances, smart or unjust
It is very high and needs to be strictly regulated
(including those provided for the purpose) 5 years or less
☞ Use, provision, leakage, or leakage of personal information other than the purpose
imprisonment
or
3. A person who violates the standards for handling
sensitive information
Article 71
etc. that the information subject can reasonably expect
4. A person who violates the standards for processing
unique
information
5 million
won identification
or less
Personal information is processed beyond the scope
5. Leakage of personal information learned in the course
Fine of work
Data subjects can take appropriate countermeasures
or allow others to use it without permission.
No, there may be no distribution of personal information, etc.
The person who provided it (knowing the circumstances and being smart
Strictly regulated as there is great concern
or a person who has been provided for an unlawful purpose
include)
6. Damage, loss, or damage to other people's personal information;
Changed, forged, leaked
3 years or less
1. The purpose of installation of the image information processing
☞device
Enlargeis or
different
rotate the
from
image
the information processing device, or
imprisonment or
Article 72
arbitrarily manipulated for the purpose of
Recording may infringe on a person's sensitive privacy.
30 million won or less
A person who illuminates or uses a recording function
Regulatory needed as concerns are high
Fine

412

Page 419

condolences

violation

penalty level

Reason for sanctions
☞ Personal information is stolen by illegal means such as phishing.

2. false or other unlawful means;
How to acquire personal information

The act of acquiring or obtaining consent is other than the purpose

or consent to the processing of personal information

The punishment is weaker than the use and provision

the person who took the action

We take seriously the right to self-determination of personal information

(Knowing the circumstances, smart or unjust

Imprisonment for not more than 3 years

(including those provided for the purpose)

prescribed
☞ Personal information controller subject to this Act

3. divulging secrets learned in the course of work; or

Unlike acts such as leaking secrets, committee members

Article 9, Chapter

A person who uses it for purposes other than for official purposesSimilar legislative practices as regulating acts such as
bee

refer to the regulations

Chick

☞ Because it is important to prevent personal information in advance

1. Take protective measures necessary to secure safety;
Loss of personal information by not taking

In case of leakage due to violation of safety measures

A person who has been stolen, leaked, forged, altered or damagedStrict punishment with criminal punishment
2 years
or less information
2. In response to a request for correction or deletion
of personal
☞ Take necessary measures in response to the data subject's request for correction.
not taking necessary action

Article 73

imprisonment or

to use or provide incorrect information without taking

continue to use your personal information; or 20 million won
A person who provided it to a third party

In this case, the data subject may suffer unexpected damage

the following fines can be strictly regulated

☞ The information subject is responsible for the handling of personal information
3. In response to a request to suspend processing of personal information
Despite the objection and request to suspend processing,
Continue without interruption of processing
In the case of use or provision, the rights and interests of the information subject may be infringed.
A person who uses or provides to a third party
Because it is large, it is strictly regulated

According to the Personal Information Protection Act, in principle, the person responsible for the duty is the personal information controller, and
We are asking for related legal responsibilities, but as an exception, considering that the personal information controller is a corporation,
Criminal penalties are also imposed on those who actually process personal information for business purposes. For example, some residents
The manager of the apartment building, who kept the letter of dismissal of the dong representative with the name, phone number, signature, etc.
In the case of providing the representative Dong, who is the subject of dismissal, for reading, the lower court said that the head of the apartment management department
As it is not the processor, it was considered that it was not responsible for the violation of the law, but the Supreme Court destroyed it and
A person who has actually processed or processed personal information, even if it is not the processor, is subject to Article 71, Item 5 of the Act.
It was decided that criminal responsibility was borne (Supreme Court 2016. 3. 10. 2015 decision 8766).
Case 1 Scope of Criminal Liability Subjects under Article 71 No. 5 of the Act (1)
Persons subject to Article 71 No. 5 of the Personal Information Protection Act, who are the obligatory subject of Article 59 No. 2, 'process or process personal information'
'person who used to' is the 'personal information controller' in Article 2, Item 5, that is, to operate personal information files for the purpose of business or
Not limited to public institutions, corporations, organizations and individuals that process personal information through other people,
This includes persons who have 'processed' or 'processed' the 'personal information' of Article 2, Item 1 by the method of Article 2, Item 2.
(Supreme Court 2016. 3. 10. 2015 Do 8766 judgment)

413

Page 420
Explanation of personal information protection laws and guidelines and announcements

Case 2 Scope of Persons Subject to Criminal Liability under Article 71 No. 5 of the Act (2)
The name of 甲, which the defendant, an Internet newspaper reporter, found out during his coverage activities while posting an article about 甲 on a news site;
Prosecution for violating Articles 71, 5 and 59 of the Personal Information Protection Act for divulging personal information such as status and address
In this case, the defendant pleaded not guilty on the grounds that he was not a data controller, but the court found that the defendant
Judgment that even if you are not a processor, you can be punished for violating Article 71 (5) (Seoul Western District Court declared on December 18, 2015)
2015 fixed 1144 judgment).

For reference, in the case of the Internet newspaper reporter in the above case, the defendant in Article 58, Paragraph 1, No. 4 of the Act
From Chapter 3 of the Act on personal information collected and used to achieve its own purpose, such as reporting and reporting
It is stipulated that Chapter 7 does not apply, and the 'use' of personal information is not due to the nature of the media.
The Personal Information Protection Act does not apply because it means 'reporting' the personal information collected during the interview process.
claimed to do. However, the court (1) the exception to Article 58, Paragraph 1, Item 4 of the Act begins in Chapter 3 of the Act.
Contrary to the fact that it does not apply up to Chapter 7, Article 58, Paragraph 1, Item 4 of the Act, which is the punishment provision for the accused,
It is a regulation that belongs to Chapter 8, ② The exception to Article 58, Paragraph 1, No. 4 of the Act applies to the 'collection' and 'use' of personal information.
There are limited exceptions, but in the Personal Information Protection Act, 'collection', 'use', 'provision', and 'disclosure'
3) In light of the purpose of the Personal Information Protection Act, the media
Even if personal information is used, the use includes reporting personal information to the general public.
This claim was not accepted for reasons such as difficulties in viewing.
Case 1 Scope of Criminal Liability Subjects under Article 71 (5) of the Act (3)
According to the report of the victim 乙, the defendant 甲, a police officer, cracked down on the gambling scene of the defendant 丙, etc.
After that, when the defendant 丙 asked for the reporter's phone number, he entered the last four digits of 乙's mobile phone number.
In a case indicted for violating the Personal Information Protection Act for giving information, the defendant 甲 is the person who processed personal information and
On the grounds that he had leaked the personal information he had learned, the defendant 丙 was aware of this situation from the defendant 甲, but he did it for an unjust purpose.
It was decided that each person could be punished as a violation of Article 71 (5) of the Personal Information Protection Act on the grounds that personal information was provided.
(Daejeon District Court Nonsan Branch Judgment 2013. 8. 9. 2013 Godan 17 Judgment).

Case 2 Meaning of “false or other unlawful means or methods” in Article 72 No. 2 of the Act
Article 23 Paragraph 3 of the Act on the Protection of Personal Information of Old Public Institutions refers to “false and other unlawful methods” in the procedure under the Act.
Even though the processing information cannot be viewed or provided from the processing information holding institution by the
Information related to access or provision of processing information that is recognized as an unlawful method in terms of hierarchies and other social norms
It is reasonable to think that it refers to active and passive actions that can influence decision-making, and therefore Article 23 (3) of the Act
The offense of violation is when the head of the processing information holding institution uses or can provide the processed information (each subparagraph of Article 10 (3) of the Act);
In relation to this, it is not established only when processing information is read or provided using 'false or other unlawful methods'.
(Supreme Court 2014. 2. 27. 2013 Do 10461 judgment).

414

Page 421

Article 74 Concession provisions
Article 74 (Penalty Provisions) ① Representatives of corporations, agents of corporations or individuals, employees, and others
If an employee commits a violation under Article 70 in relation to the business of the corporation or individual,
In addition to punishing the offender, the corporation or individual shall be punished by a fine not exceeding 70 million won.
However, in order to prevent the violation by a corporation or individual,
This is not the case if due attention and supervision are not neglected.
Article 9, Chapter

② Representatives of corporations, agents of corporations or individuals, employees, and other employees of the corporation

law

bee

Or a violation falling under any of Articles 71 through 73 in relation to personal business.

Chick

If an act is committed, in addition to punishing the perpetrator, the corporation or individual
impose a fine. However, in order to prevent the violation by a corporation or individual
This shall not be the case if he/she has not neglected due care and supervision with respect to the relevant business.
No.

A representative of a corporation or an agent, employee, or other employee of a corporation or individual
If a person commits a violation falling under Articles 70 through 73 in relation to his/her business, the perpetrator is not only punished.
It also imposes fines on the corporation or individual.
This applies to not only the relevant actors but also the personal information controller for violations of the law by executives and employees, agents, etc.
To raise awareness of personal information controllers regarding the handling of business by executives and employees, agents, etc. by punishing them
This is to strengthen supervision.
Criminal responsibility of the trustee for the trustee's violation of the law

case

The court concluded a delivery consignment contract with A delivery company and transported the parcels entrusted by the company to customers.
In the case where the person in charge leaked personal information managed by Company A, the person in charge is the ‘user of the corporation’ as stipulated in Article 66 of the 「Information and Communications Network Act」.
In relation to the business of a corporation, the violation was committed, and in order to prevent Company A from violating
Since it is difficult to believe that attention and supervision have been exercised, Company A's criminal responsibility is absolved in accordance with Article 24 (2) and Article 62 (2) of the same Act.
(Sentenced on July 29, 2005, Suwon District Law, 2005 Gohap 160 judgment)

However, for violations of the personal information controller’s executives and employees, agents, etc., the personal information controller must be unconditionally
Imposing criminal penalties can result in heavy sanctions, so the personal information controller (corporate or individual) is responsible for the violation.
In the case of not neglecting due attention and supervision with respect to the relevant business in order to prevent
take no criminal responsibility

415

Page 422
Explanation of personal information protection laws and guidelines and announcements

ReferenceCases of unconstitutionality of concession provisions
If there is an employee's work-related unlicensed medical practice, it is not clear whether the business owner has acted against it.
It is stipulated that the business owner is automatically punished regardless of
In the case of negligence of the business owner (other reasons attributable to the business owner) in the case of
As it is beyond the scope of literal interpretation and cannot be accepted, the above provisions of the law ultimately apply to the crimes of others.
By imposing a penalty irrespective of whether the person is responsible or not, the basic principle of criminal law, 'without responsibility'
It goes against the principle of responsibility that no punishment can be imposed on anyone. (Constitutional Court Decided on Nov. 29, 2007)

416

Page 423

Article 74-2 Confiscation, Additional Collection, etc.
Article 74-2 (confiscation, additional collection, etc.) A person who has committed a crime falling under any of Articles 70 through 73
Money or other profits acquired by the person in connection with the violation may be confiscated,

law

If it is impossible to confiscate it, the value may be additionally collected. In this case, confiscation or additional collection
It may be imposed in addition to other penalties.
Article 9, Chapter

bee Act.
In July 2015, the Personal Information Protection Act actively seeks to recover illegal profits obtained through violations of the
Chick

The system for confiscation and collection was introduced.
The term confiscation refers to a crime related to criminal activity for the purpose of preventing repetition of crimes or prohibition of gains from crimes.
It refers to a type of property whose content is the deprivation of property. Types of confiscation include ① voluntary confiscation and
② There is a necessary confiscation, and for confiscation, voluntary confiscation is the principle (Article 48 of the Criminal Act). In each provision of the special law
Even if the requirements for confiscation and additional collection are not met, if the requirements of Article 48 of the Criminal Act are met,
Arbitrary confiscation and additional collection according to the general provisions of the Criminal Act are also possible (Supreme Court's judgment of 74 352 on June 11, 1974, etc.).
Additional collection (追徵) means that when it is impossible to confiscate an object subject to confiscation, the value of the object is reduced in lieu of confiscation.
Refers to a judicial disposition that orders payment (Article 48 (2) of the Criminal Act). Regarding the legal nature of additional collection,
A kind of “judicial disposition” to carry out the purpose, or an “additional punishment” in lieu of confiscation
It is considered to have character (Supreme Court's decision of 88° 551 on June 21, 1988, etc.).
judicial precedent
Confiscation Requirements and Limits
Confiscation pursuant to Article 48 Paragraph 1, Item 1 of the Criminal Act is voluntary.
Whether to confiscate or not is left to the discretion of the court, but it is based on the principle of proportionality applied to punishment in general.
is restricted, and this legal principle applies even in the case of Article 8 Paragraph 1 of the Act on the Regulation and Punishment of Concealment of Crime Proceeds.
The same applies. And in order to determine whether the forfeiture violates the principle of proportionality,
(hereinafter referred to as 'things') the extent and scope of the use of this crime, its significance in the crime, and the extent to which the owner of the object is involved in the crime.
degree of role and responsibility, the degree of infringement of legal interests due to the commission of the offense, the motive for committing the offense, the proceeds obtained from the offense;
The possibility of separate separability of the part related to the crime of the object, the correlation and balance between the actual value of the object and the crime,
Whether it is indispensable to the actor, and if the object is not confiscated, the actor may use the object again
All circumstances such as the presence or absence of risk of committing a crime of the same type and the degree to which it is committed must be considered (Supreme Court on May 23, 2013)
2012 also 11586 judgment).

417

Page 424
Explanation of personal information protection laws and guidelines and announcements

Article 75 Fine for Negligence
Article 75 (Fine for Negligence) (1 ) A person who falls under any of the following subparagraphs shall be paid 50 million won or less.
impose a fine
1. A person who collects personal information in violation of Article 15 (1);
2. A person who fails to obtain consent from a legal representative, in violation of Article 22 (5);
3. A person who installs and operates an image information processing device, in violation of Article 25 (2);
② Any person who falls under any of the following subparagraphs shall be subject to a fine for negligence not exceeding 30 million won.
do.
1. In violation of Article 15 (2), 17 (2), 18 (3) or 26 (3);
A person who fails to inform the subject of information
2. Provision of goods or services in violation of Article 16 (3) or 22 (4);
one who refused
3. In violation of Article 20 (1) or (2), the facts of each subparagraph of the same paragraph
who did not inform
4. A person who fails to destroy personal information in violation of Article 21 (1)
4 of 2. A person who has processed a resident registration number in violation of Article 24-2 (1)
4 of 3. A person who fails to take encryption measures in violation of Article 24-2 (2)
5. In violation of Article 24-2 (3), the subject of information may not use the resident registration number;

law

A person who has not provided a method
6. Safety in violation of Article 23 (2), 24 (3), 25 (6) or 29
A person who fails to take necessary measures to secure
7. A person who installs and operates an image information processing device, in violation of Article 25 (1);
7 of 2. In violation of Article 32-2 (6), even though the certification was not obtained, the
A person who displayed or promoted the content
8. In violation of Article 34 (1), the information subject shall not be notified of the facts of each subparagraph of the same paragraph.
one who didn't
9. A person who fails to report the results of measures in violation of Article 34 (3);
10. A person who restricts or refuses access in violation of Article 35 (3)
11. A person who fails to take necessary measures, such as correction or deletion, in violation of Article 36 (2);
12. Destruction of personal information whose processing has been suspended in violation of Article 37 (4)
who did not take action
13. A person who fails to comply with a correction order under Article 64 (1);
③ Any person who falls under any of the following subparagraphs shall be subject to a fine for negligence not exceeding 10 million won.
charge
1. A person who fails to separate, store and manage personal information in violation of Article 21 (3);

418

Page 425

2. A person who has obtained consent in violation of Article 22 (1) through (3);
3. A person who fails to take necessary measures, such as installation of notice boards, in violation of Article 25 (4);
4. When entrusting work in violation of Article 26 (1), the document containing the contents of each subparagraph of the same paragraph
one who is not dependent
5. A person who fails to disclose the details of entrusted work and the trustee, in violation of Article 26 (2);
6. Notifying the information subject of the transfer of personal information in violation of Article 27 (1) or (2);
who did not inform
7. Failure to establish a personal information processing policy in violation of Article 30 (1) or (2);

Article 9, Chapter

who did not disclose this

bee
Chick

8. A person who fails to designate a person in charge of personal information protection, in violation of Article 31 (1)
9. Information in violation of Articles 35 (3) and (4), 36 (2) and (4) or 37 (3);
A person who fails to inform the subject of matters to be informed
10. Failing to submit materials, such as related articles and documents under Article 63 (1), or falsely
who submitted
11. A person who refuses, interferes with, or evades access and inspection under Article 63 (2);
④ Administrative fines under paragraphs (1) through (3) shall be imposed as prescribed by Presidential Decree.
It is imposed and collected by the Minister of the Interior and Home Affairs and the heads of related central administrative agencies. In this case, the relationship central
The head of an administrative agency imposes and collects a fine for negligence on the personal information controller in the field under his jurisdiction.
Article 76 (Special Cases of Application of Regulations on Fines for Negligence ) When the provisions of Article 75 on fines for negligence apply
A fine for negligence may not be imposed on an act for which a penalty surcharge has been imposed pursuant to Article 34-2.
Article 63 (based on the charged fine) of fines in accordance with the provisions of the method from claim 75, wherein (1) to claim 3, wherein
Enforcement Decree
The levying standards are as in Attached Table 2.

1. Difference between fines and penalties
'Fine for negligence' is 'administrative fine' directly imposed by an administrative agency for an act that violates certain standards or order.
Since this is not a punishment as an 'orderly punishment', no criminal record is left behind. 'Penalty' (penalty) refers to the Criminal Act or other
Criminal punishment imposed by the court for criminal acts stipulated by law, including
imprisonment and fines.
A fine for violating certain standards, such as not designating a personal information protection officer or not disclosing personal information processing policy
The use of personal information for purposes other than the purpose of consent without consent and provision to a third party are subject to penalties.
The components of a crime subject to criminal punishment and the subject of a fine for negligence are those subject to punishment or sanctions.
Acts as basic facts are different, and criminal punishment is considered to be illegal

419

Page 426
Explanation of personal information protection laws and guidelines and announcements

In contrast to punishment, a fine for negligence imposes sanctions to ensure the effectiveness of administrative actions.
Since there are differences in the protection legal interests and purposes, criminal punishment and the imposition of fines for negligence are generally
It cannot be said that it falls under the double punishment prohibited by Article 13 (1).
judicial precedent
Whether or not the principle of prohibition of double punishment is violated
The “principle of the prohibition of double punishment” established in Article 13, Paragraph 1 of the Constitution
This is to ensure the basic rights of the people, especially the freedom of the body, by preventing the repeated exercise of the right to punishment.
The “punishment” means, in principle, punitive punishment as the exercise of the state’s right to penalize a crime
It cannot be said that all sanctions or disadvantageous dispositions taken are included in it (Constitutional Court 1994.
6. 30. 92 Heonba 38 decision)

2. Imposition and collection of fines for negligence;
Imposition and collection of fines for negligence in violation of the Act shall be made by the Minister of the Interior and Home Affairs and the heads of related central administrative agencies.
Public institutions are also subject to fines for negligence. Regarding procedures such as the imposition and collection of fines for negligence, trial and execution, etc.
Except as provided for in this Act, the Act on the Regulation of Violations of Order shall apply.

3. Details of fines
condolences

violation

penalty level

Reason for sanctions

1. A person who violates the standards for collecting personal information
☞ Safe personal information processing order of the personal information controller
2. When collecting personal information of children under the age of 14 Establishment and right of information subject to self-determination of personal information
5 million won or less
A person who violates the duty to obtain the consent of the legal representative
50 million won as it is an important matter for guarantee
Section 1
fine for negligence
3. Image information processing equipment such as changing rooms and bathrooms
Imposition of the following fines

Article 75

A person who violates the duty to prohibit installation
1. When obtaining consent to collect, use, and provide personal information,
☞ Obligation to destroy personal information, obligation to take safety measures, residents
When obtaining consent for use and provision for other purposes, directly
Obligation to provide alternative means of registration number, information subject
Personal information due to marketing entrustment

When requesting access, etc., the obligation to implement necessary measures is information

Information to be notified to the information subject when providing Strengthen the subject's personal information protection and exercise rights
who did not inform

As it is an obligation imposed to ensure

Article 75 2. Individuals other than the minimum necessary personal
30 million
information
won or lessImposing a higher fine for negligence than for violations of procedural rules
Because you do not consent to the collection of information
fine for negligence
☞ To ensure the effectiveness and enforcement power of law enforcement

Section 2

A person who refuses to provide goods or services

Non-compliance with corrective action is higher than violation of simple procedure rules.

3. Personal information collected from outside the information subject

fine for negligence

who did not notice
4. A person who has not destroyed personal information
4-2. A person who has processed a resident registration number in violation of the law

420

Page 427

condolences

violation

penalty level

Reason for sanctions

4-3. A person who has not taken encryption measures
5. A person who fails to provide a resident registration number
6. Obligation to take measures necessary to secure safety
who did not comply
7. Standards for installation and operation of image information processing equipment
violators
7-2. Falsely display or promote the certification details

Article 9, Chapter

8. A person who fails to notify the leakage of personal information
bee

9. A person who has not reported the leakage of personal information

Chick

10. Unfairly requesting the information subject to read
Restriction/refusal
11. Take necessary measures in accordance with the data subject's request for correction
not drunk
13. A person who fails to comply with a request for a correction order

☞ Simple procedures such as notification, disclosure, notification duty, designation duty, etc.

1. Separate duty to preserve undestroyed personal information

Since it is an act in violation of the

violators

fine for negligence
2. A person who has obtained consent in violation of the method of obtaining consent;
3. Installation of information boards for image information processing equipment, etc.
A person who does not take necessary measures
4. Doing business without legal documents
person who entrusted
5. A person who violates the duty of disclosure when entrusting work
6. Transfer of personal information due to business transfer, etc.
10 million won or less
A person who has not notified the fact
Section 3
fine for negligence
7. Failure to establish a personal information processing policy or

Article 75

who did not disclose
8. Do not designate a person in charge of personal information management
one who didn't
9. Reading, correction/deletion, and suspension of processing of information subjects
A person who does not fulfill the duty to notify when a request is rejected
10. Failure to submit related goods, documents, etc.; or
who submitted false information
11. A person who refuses, interferes with or evades entry/examination

421

Page 428
Explanation of personal information protection laws and guidelines and announcements

4. Criteria for imposition of fines for negligence
In order to ensure fairness and transparency in the imposition of fines, the number of violations of the law should be taken into account.
Detailed standards are stipulated as follows (Article 63 of the Enforcement Decree).
The standard for the imposition of fines is the 「Measures to Rationalize Penalties and Negligence Fines」 (Ministry of Legislation, Ministry of Justice, National Competitiveness Reinforcement Committee,
2009), the number of violations was 3rd, and the weighting ratio according to the number of violations was 1:2:4.
< Standards for Imposition of Negligence Fines (Related to Article 63 of the Enforcement Decree) >
1. General standards
end. The standard for imposition of a fine for negligence according to the number of violations applies to cases where a fine for negligence has been imposed for the same violation in the last three years.
apply In this case, the date on which the imposition of a fine for negligence is imposed for the violation and the date on which the same violation is again detected.
Count the number of violations based on each.
I. The Minister of the Interior and Safety or the head of a related central administrative agency shall, in any of the following cases, fall under subparagraph 2
The amount may be reduced within the limit of 1/2 of the imposed amount of the fine for negligence. However, paying the fine
This is not the case in the case of an offender who has
1) If the offender falls under any of the subparagraphs of Article 2-2 (1) of the 「Enforcement Decree of the Violation of Order Act」
2) If the violation is recognized as due to minor negligence or error
3) If the offender has corrected or resolved the consequences of the illegal act
4) In addition, it is necessary to reduce the fine for negligence in consideration of the severity of the violation, the motive of the violation, and its consequences.
If recognized
All. The Minister of the Interior and Safety or the head of a related central administrative agency shall, in any of the following cases, fall under subparagraph 2
The amount may be aggravated within the limit of 1/2 of the imposed amount of the fine for negligence. However, there are several reasons
Even an individual may not exceed the upper limit of the amount of a fine for negligence under Article 75 (1) through (3) of the Act.
1) When it is recognized that the damage to consumers, etc. is large due to the seriousness and severity of the violation
2) In case the period of violation of the law is 3 months or more
3) In addition, it is necessary to increase the fine for negligence in consideration of the severity of the violation, the motive of the violation, and its consequences.
If recognized

2. Individual standards
fine amount
violation

statutory text

end. When personal information is collected in violation of Article 15 (1) of the Act

1 Violation 2 Violations

Article 75 of the Act1000

3 or more times
violation

2000

4000

1200

2400

1200

2400

1200

2400

Paragraph 1 No. 1
I. Article 15 (2), 17 (2), 18 (3) or 26 (3) of the Act

Article 75 of the Act 600

In case the information subject is not informed of the matters to be notified in violation
Paragraph 2 No. 1
All. In violation of Article 16 (3) or 22 (4) of the Act, goods or

Article 75 of the Act 600

In case of refusal to provide services

Paragraph 2 No. 2

la. In violation of Article 20 (1) or (2) of the Act, the same paragraph

Article 75 of the Act 600

If the facts of each subparagraph are not notified

Paragraph 2 No. 3

422

Page 429

fine amount
violation

statutory text

1 Violation 2 Violations

hemp. In case personal information is not destroyed in violation of Article 21 (1) of the Act
Article 75 of the Act 600

3 or more times
violation

1200

2400

400

800

400

800

2000

4000

1200

2400

1200

2400

1200

2400

1200

2400

1200

2400

2000

4000

roughness. In violation of Article 25 (4) of the Act, necessary measures such as installation
Article
of notice
75 of
boards
the Act
are200
not taken. 400

800

Paragraph 2 No. 4
bar. Do not separate, store and manage personal information in violation of Article 21 (3) Article
of the Act.
75 of the Act 200
if not

Paragraph 3 No. 1

four. In violation of Article 22 (1) through (3) of the Act, consent was obtained

Article 75 of the Act 200

Occation

Paragraph 3 No. 2

Ah. In violation of Article 22 (5) of the Act, the consent of the legal representative is not obtained.
Article 75 of the Act1000
Occation

Article 9, Chapter

Paragraph 1 No. 2
bee

character. In case the resident registration number is processed in violation of Article 24-2Article
(1) of the
75 of
Actthe Act 600

Chick

Paragraph 2, 4-2
car. In case of not taking encryption measures in violation of Article 24-2 Paragraph 2 of the
Article
Act 75 of the Act 600
Paragraph 2, 4-3
k. In violation of Article 24-2 (3) of the Act, the subject of information obtains the residentArticle
registration
75 of the
number
Act 600
If you haven't provided a way to disable it

Paragraph 2 No. 5

ta. Article 23 (2), 24 (3), 25 (6) or 29 of the Act

Article 75 of the Act 600

In case of non-compliance with measures necessary to secure safety

Paragraph 2 No. 6

wave. Installing and operating an image information processing device in violation of Article
Article
25 (1)
75 of the Act 600
Occation

Paragraph 2 No. 7

ha. Installing and operating an image information processing device in violation of ArticleArticle
25 (2) 75
of the
of the
ActAct1000
Occation

Paragraph 1 No. 3

if not

Paragraph 3 No. 3

you. In case of entrustment of work in violation of Article 26 (1) of the Act, each subparagraph
Articleof75
theofsame
the Act
paragraph
200
If it is not according to the document containing the content

400

800

400

800

400

800

400

800

Paragraph 3 No. 4

more. In violation of Article 26 (2) of the Act, the contents of entrusted work and the
if not disclosed

Article 75 of the Act 200
Paragraph 3 No. 5

r. In violation of Article 27 (1) or (2) of the Act, personal

Article 75 of the Act 200

If you do not inform us of the transfer of your information

Paragraph 3 No. 6

what. In violation of Article 30 (1) or (2) of the Act, the personal information processing policy
Article 75 of the Act 200
If not specified or not disclosed

Paragraph 3 No. 7

Bur. In violation of Article 31 (1) of the Act, the person in charge of personal informationArticle
protection
75 of
shall
the not
Actbe designated.500
if not

Paragraph 3 No. 8

book. Despite not receiving certification in violation of Article 32-2 (6) of the Act

Article 75 of the Act 600

In the case of falsely displaying or promoting the contents of the certification

1200

2400

1200

2400

1200

2400

1200

2400

400

800

Paragraph 2, 7-2

uh. In violation of Article 34 (1) of the Act, the information subject in each subparagraph Article
of the same
75 ofparagraph
the Act 600
If you do not tell the truth

Paragraph 2 No. 8

that. In case the result of the measure is not reported in violation of Article 34 (3) of the Act
Article 75 of the Act 600
Paragraph 2 No. 9
wife. In case of restricting or refusing access in violation of Article 35 (3) of the Act

Article 75 of the Act 600
Paragraph 2 No. 10

big. Article 35 (3) and (4), 36 (2) and (4) or 37 (3) of the Act

Article 75 of the Act200

423

Page 430
Explanation of personal information protection laws and guidelines and announcements

fine amount
violation

statutory text

1 Violation 2 Violations

3 or more times
violation

In case the information subject is not informed of the matters to be notified in violation
Paragraph 3 No. 9
foundation. Failure to take necessary measures such as correction or deletion in violation of
Article
Article
7536
of (2)
the of
Actthe
600
Act
if not

1200

2400

1200

2400

Paragraph 2 No. 11

fur. Regarding personal information whose processing has been suspended in violation of Article
Article 75
37 of
(4)the
of Act
the 600
Act
If necessary measures such as destruction have not been taken

Paragraph 2 No. 12

Huh. Do not submit related materials, documents, etc., pursuant to Article 63 (1) of the Act.
Article 75 of the Act
or submitted falsely

Paragraph 3 No. 10

1) If you do not submit data

100

200

400

2) In case of submitting false data

200

400

800

Go. A person who refuses, interferes with, or evades access or inspection pursuant to Article
Article
63 (2)
75of
ofthe
theAct;
Act 200

400

800

1200

2400

Occation

Paragraph 3 No. 11

furnace. In case of non-compliance with the correction order under Article 64 (1) of the Act
Article 75 of the Act 600
Paragraph 2 No. 13

424

Page 431

Article 76 (Special Cases of Application of Regulations on Fines for Negligence)

law

Article 76 (Special Cases of Application of Regulations on Fines for Negligence ) When the provisions of Article 75 on fines for negligence apply
A fine for negligence may not be imposed on an act for which a penalty surcharge has been imposed pursuant to Article 34-2.

Failure to take measures to ensure the safety of the resident registration number causes the resident registration number to be lost, stolen, leaked, forged,
Penalties related to falsification or damage are as follows.

Article 9, Chapter

bee

division
Non-compliance with safety measures and resident number
Lost, stolen, leaked, forged, altered or damaged
Occation

Sanctions

Chick

Imprisonment for not more than 2 years or a fine not exceeding 20 million won
A fine of not more than 30 million won
A fine of not more than 500 million won

However, if three sanctions are imposed on the personal information controller: a penalty, a fine, and a fine for negligence,
Since imposing a penalty surcharge together is to combine penalties with different legal characteristics and administrative penalties, double
Although not subject to punishment, it may violate the rule of excessive prohibition due to overlapping sanctions. and fines

Since the penalty surcharge is a monetary sanction in the nature of the same administrative punishment for the violation of duty, even in this case, due to the overlapping sanction,
It may violate the excessive prohibition rule. Therefore, in order to minimize this possibility, the personal information controller
The resident registration number is lost, stolen, leaked, forged,
In the case of being subject to a penalty surcharge due to alteration or damage, there is a special provision that prevents the imposition of a fine for negligence.
was newly established.
ReferenceHealth Functional Food Act
Article 48 (Special Cases of Application of Regulations on Fines for Negligence ) When applying the provisions of Article 47 on fines for negligence, in accordance with Article 37
A fine for negligence cannot be imposed on an act for which a fine has been imposed.

425

Page 433
432

Appendix

Enforcement Decree and Enforcement Rules of the Personal Information Protection Act,
Notices and Guidelines Asterisk/Form

Page 435
434

■ Enforcement Decree of the Personal Information Protection Act [Annex 1] <Amended on November 19, 2014>

Qualification standards for professional manpower (related to Article 37 (1) 2)

1. The Korea Internet & Security Agency under Article 52 of the 「Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.」
After acquiring the information security expert (SIS) qualification, work in the field of personal information impact assessment for at least one year
person with experience
2. Personal information impact assessment for more than one year after obtaining the ISA qualification under Article 60 of the 「Electronic Government Act」
A person with experience in the field

part
rock

3. Information management engineer, computer system among the national technical qualifications in the field of information and communication jobs under the National Technical Qualifications Act
Applied engineer, information and communication engineer, electronic calculator organization application engineer, information processing engineer or information and communication engineer
A person who has worked in the field of personal information impact assessment for at least one year after obtaining the qualification
4. Accredited by the International Information Systems Audit and Control Association
After acquiring the information system auditor (CISA) qualification, work in the field of personal information impact assessment for at least one year
person with experience
5. International Information System Security Certification
Consortium), personal information impact for more than one year after obtaining the CISSP qualification
Persons with experience performing work in the field of evaluation
6. Other qualifications related to personal information protection for at least one year after obtaining qualifications determined by the Minister of the Interior and Safety
A person who has experience in the field of personal information impact assessment

※ Remarks
“Person with experience in performing work in the field of personal information impact assessment” refers to executives and employees of public institutions, corporations and organizations.
Common base technology for personal information protection (referring to encryption technology, authentication technology, etc.), system/network protection (system protection, hacking/
Virus response, network protection, etc.) or application service protection (electronic transaction protection, application service protection, information protection)
standardization, etc.) planning, analysis, design, development, operation, maintenance, supervision, consulting, or research and development
Refers to a person who has experience performing work, etc.

429

Page 436
Explanation of personal information protection laws and guidelines and announcements

■ Enforcement Decree of the Personal Information Protection Act [Attachment 1-2] <Newly established on Aug. 8, 2014>

Standards for Imposition of Penalty Surcharges (Related to Article 40-2 (1))

1. Decision on whether to impose a penalty surcharge
The penalty surcharge is imposed after comprehensively considering the matters under each subparagraph of Article 34-2 (2) of the Act and the details of the violation.
decide whether However, in the event that measures necessary to secure safety pursuant to Article 24 (3) of the Act have been exhausted,
No penalty is imposed.

2. Criteria for calculating penalty surcharges;
The penalty surcharge shall be assessed by comprehensively considering the matters in each subparagraph of Article 34-2 (2) of the Act and matters affecting them.
Efforts to implement measures necessary to secure safety in item B in the calculation standard amount according to the degree of violation of item A
Adjustment according to the degree, etc. (hereinafter referred to as “primary adjustment”), according to the period and number of violations in item (c), etc.
After adjustment (hereinafter referred to as “second adjustment”), the imposed penalty surcharge is calculated according to item D. However, the calculated penalty
If it exceeds 500 million won, it shall be 5 million won.

end. Basic Calculation Criteria
degree of violation

calculation standard

remark

More than 100,000 resident registration numbers have been lost or lost due to intentional or gross negligence.

very serious

350 million won

violation

In case of theft, leakage, alteration or damage (hereinafter referred to as “lost, etc.”)
say
Loss of less than 100,000 resident registration numbers due to intentional or gross negligence

serious

2.3 billion won

violation

100,000 or more resident registration numbers
In case of loss, etc.

If less than 100,000 resident registration numbers have been lost, etc.
100 million won
say the case

general offense

I. 1st adjustment
The degree of effort to implement measures necessary to secure safety pursuant to Article 24 (3) of the Act, and to minimize damage
50/100 of the calculation standard in consideration of whether follow-up measures to prevent the spread of damage, such as preparation of countermeasures, are implemented.
Aggravate or reduce in range.

430

Page 437

All. secondary adjustment
Period and number of violations, whether or not to cooperate with investigation into violations, and additional damage due to violations
The amount of the first-adjusted amount is comprehensively taken into account, whether or not there is any
Weighted or reduced in the range of 50/100.

la. Calculation of Imposed Penalty Surcharges
Due to the actual burden of the personal information controller, the effect of the violation, or the violation
If it is deemed excessive in consideration of the size of the acquired profits, the secondly adjusted amount
It may be reduced within the limit of 50/100 to determine the imposed penalty surcharge.
part
rock

431

Page 438
Explanation of personal information protection laws and guidelines and announcements

■ Enforcement Decree of the Personal Information Protection Act [Attached Table 2] <Amended September 29, 2016>

Standards for Imposition of Fines for Negligence (Related to Article 63)
1. General standards
end. The standard for imposing a fine for negligence according to the number of violations is the same as for the last 3 years.
applied when charged. In this case, the date of imposition of a fine for negligence for the violation;
The number of violations is counted based on the date on which the same violation is detected again.
I. The Minister of the Interior or the head of a related central administrative agency, in any of the following cases:
The amount may be reduced within the limit of 1/2 of the amount imposed under subparagraph 2 of the fine for negligence. but,
This is not the case for offenders who are in arrears with a fine for negligence.
1) Violators must comply with any of the subparagraphs of Article 2-2 (1) of the 「Enforcement Decree of the Violation of Order Act」
If applicable
2) If the violation is recognized as due to minor negligence or error
3) If the offender has corrected or resolved the consequences of the illegal act
4) In addition, the fine for negligence may be reduced in consideration of the severity of the violation, the motive for the violation, and its consequences.
If it is deemed necessary
All. The Minister of the Interior or the head of a related central administrative agency, in any of the following cases:
The amount may be aggravated within the limit of 1/2 of the imposed amount of a fine for negligence under subparagraph 2. but,
Even if there are multiple reasons for aggravation, the provisions of Article 75 (1) through (3) of the Act
The upper limit of the fine amount cannot be exceeded.
1) If the content and severity of the violation is serious and it is recognized that the damage to consumers, etc. is large
Occation
2) In case the period of violation of the law is 3 months or more
3) Other fines for negligence may be aggravated in consideration of the severity of the violation, the motive for the violation, and its consequences.
If it is deemed necessary

432

Page 439

2. Individual standards
(Unit: 10,000 won)
fine amount
violation

statutory text

3 or more times

1 Violation 2 Violations

end. When personal information is collected in violation of Article 15 (1) of the Act Article 75 of the Act
1000

violation

2000

4000

1200

2400

1200

2400

1200

2400

Paragraph 1 No. 1
I. Article 15 (2), 17 (2), 18 (3) or 26 of the Act

Article 75 of the Act600

Failure to notify the information subject in violation of Paragraph 3

Paragraph 2 No. 1

Occation
All. In violation of Article 16 (3) or 22 (4) of the Act, goods or

Article 75 of the Act600

In case of refusal to provide services

Paragraph 2 No. 2

la. In violation of Article 20 (1) or (2) of the Act, the same

Article 75 of the Act600

In case the fact of each subparagraph of the paragraph is not notified

part
rock

Paragraph 2 No. 3

hemp. In case personal information is not destroyed in violation of Article 21 (1) of the
Article
Act 75 of the Act600

1200

2400

400

800

400

800

2000

4000

1200

2400

1200

2400

1200

2400

1200

2400

1200

2400

2000

4000

400

800

you. In case of entrustment of work in violation of Article 26 (1) of the Act, each subparagraph
Article 75 of
ofthe
theAct
same
200 paragraph
400

800

Paragraph 2 No. 4
bar. Separate storage and management of personal information in violation of ArticleArticle
21 (3) 75
of the
of the
ActAct200
if not

Paragraph 3 No. 1

four. Consent in violation of Article 22 (1) through (3) of the Act

Article 75 of the Act200

if received

Paragraph 3 No. 2

Ah. In violation of Article 22 (5) of the Act, the consent of the legal representative isArticle
not obtained.
75 of the Act
1000
Occation

Paragraph 1 No. 2

character. In case the resident registration number is processed in violation of ArticleArticle
24-2 (1)
75of
ofthe
theAct
Act600
Paragraph 2, 4-2
car. In case of not taking encryption measures in violation of Article 24-2 Paragraph Article
2 of the75
Act
of the Act600
Paragraph 2, 4-3
k. In violation of Article 24-2 (3) of the Act, the subject of information obtains the resident
Article registration
75 of the Act
number
600
If you haven't provided a way to disable it

Paragraph 2 No. 5

ta. Article 23 (2), 24 (3), 25 (6) or 29 of the Act

Article 75 of the Act600

In case of non-compliance with measures necessary to secure safety

Paragraph 2 No. 6

wave. Installing and operating an image information processing device in violation of
Article
Article
7525
of(1)
theofAct
the
600Act
Occation

Paragraph 2 No. 7

ha. Installing and operating an image information processing device in violation of Article
Article25
75(2)
of of
thethe
Act
1000
Act
Occation

Paragraph 1 No. 3

roughness. In violation of Article 25 (4) of the Act, necessary measures, such as

Article 75 of the Act200

if not

Paragraph 3 No. 3

If it is not according to the document containing the content

Paragraph 3 No. 4

433

Page 440
Explanation of personal information protection laws and guidelines and announcements

fine amount
violation

statutory text

3 or more times

1 Violation 2 Violations

more. In violation of Article 26 (2) of the Act, the contents of entrusted work and theArticle 75 of the Act200
if not disclosed

violation

400

800

400

800

400

800

Paragraph 3 No. 5

r. In violation of Article 27 (1) or (2) of the Act, personal

Article 75 of the Act200

If you do not inform us of the transfer of your information

Paragraph 3 No. 6

what. In violation of Article 30 (1) or (2) of the Act, the personal information processing
Article
policy
75 of the Act200
If not specified or not disclosed

Paragraph 3 No. 7

Bur. In violation of Article 31 (1) of the Act, the person in charge of personal information
Articleprotection
75 of the shall
Act not be designated.
500
if not

Paragraph 3 No. 8

book. Despite not receiving certification in violation of Article 32-2 (6) of the Act Article 75 of the Act600

1200

2400

1200

2400

1200

2400

1200

2400

400

800

1200

2400

1200

2400

In the case of falsely displaying or promoting the contents of the certificationParagraph 2, 7-2
uh. In violation of Article 34 (1) of the Act, the information subject in each subparagraph
Article
of75
theofsame
the Act
paragraph
600
If you do not tell the truth

Paragraph 2 No. 8

that. In case the result of the measure is not reported in violation of Article 34 (3) of Article
the Act75 of the Act600
Paragraph 2 No. 9
wife. In case of restricting or refusing access in violation of Article 35 (3) of the ActArticle 75 of the Act600
Paragraph 2 No. 10
big. Article 35 (3) and (4), 36 (2), (4) or 37 of the Act

Article 75 of the Act200

Failure to notify the information subject in violation of Paragraph 3

Paragraph 3 No. 9

Occation
foundation. In violation of Article 36 (2) of the Act, necessary measures such as correction
Article and
75 of
deletion
the Act600
if not

Paragraph 2 No. 11

fur. Personal information whose processing has been suspended in violation of Article
Article
37 (4)75ofofthe
theAct
Act600
If necessary measures such as destruction are not taken

Paragraph 2 No. 12

Huh. Do not submit related materials, documents, etc., pursuant to Article 63 (1) of the
Article
Act.75 of the Act
or submitted falsely

Paragraph 3 No. 10

1) If you do not submit data

100

200

400

2) In case of submitting false data

200

400

800

400

800

1200

2400

Go. A person who refuses, interferes with, or evades access or inspection pursuant toArticle
Article75
63of(2)
theofAct
the
200
Act;
Occation

Paragraph 3 No. 11

furnace. In case of non-compliance with the correction order under Article 64 (1) of Article
the Act 75 of the Act600
Paragraph 2 No. 13

434

Page 441

■ Enforcement Rules of the Personal Information Protection Act [Appendix Form No. 1]

Non-purpose use of personal information and third party provision ledger
personal information or
Personal information file name
Classification of use or provision
[ ] Non-purpose use

[ ] Provided by a third party

The name of the user organization other than the purpose
manager

(In case of use for other purposes)

small

genus

castle

persons

Phone number
castle

persons

small

genus

part
rock

Name of the receiving institution
manager

(In case of provision by a third party)

Phone number

used or provided
date, cycle or duration

form used or provided
Legal of use or provision
Evidence
purpose of use; or
Purpose of being provided
used or provided
Items of personal information

「Personal Information Protection Act」
pursuant to Article 18 (5);
limited or necessary
to take action
If requested, the
Contents

210mm×297mm [Printing Paper (Express) 34g/㎡]

435

Page 442
Explanation of personal information protection laws and guidelines and announcements

■ Enforcement Rules of the Personal Information Protection Act [Appendix No. 2] <Amended November 19, 2014>

Personal Information File ([ ] Registration [ ] Change Registration) Application
※Please fill out the 'Change information and reason for change' only when registering a change.
Registration Number

date of receipt

processing period
7 days

Name of public institution address

registrar

Registration items

Phone number

Properties

Change information and reason for change

Personal information file name
The basis and purpose of the operation of personal information files
recorded in the personal information file
Items of personal information
How to handle personal information
Retention period of personal information
Personal information on a regular or repeated basis
If provided, the recipient
managing personal information files
Name of public institution
held as personal information files
Number of data subjects of personal information
Personal information processing by the relevant public institution
Department in charge of related work
Receiving requests for access to personal information
department that handles
Reading in personal information file
restrictive or refusal
Scope of personal information and its reasons

In accordance with Article 34 (1) of the Enforcement Decree of the same Act as Article 32 (1) of the Personal Information Protection Act, the personal information file as above
([ ] Registration [ ] Change registration)
year
Application institution

month

Work

(Signature or Seal)

Minister of Government
You
Administration and Home Affairs
210mm×297mm [plain paper 70g/m2 (recycled materials)]

436

Page 443

■ Enforcement Rules of the Personal Information Protection Act [Annex No. 3] <Amended on November 19, 2014>

Application for designation of personal information impact assessment agency
Registration Number

date of receipt

2 months processing period

Name of corporation and representative

incorporation date

Applicant location

Phone number

Number of Personnel Performing Personal Information Impact Assessment
persons

part
rock

In accordance with Article 37 (2) of the 「Enforcement Decree of the Personal Information Protection Act」, I apply for the designation of a personal information impact assessment agency as above.
year
Applicant

month

Work

(Signature or Seal)

Minister of Government
You
Administration and Home Affairs

1. Documents under Article 37 (2) 1 through 3 of the 「Personal Information Protection Act Enforcement Decree」
2. The following documents under Article 37 (2) 4 of the 「Enforcement Decree of the Personal Information Protection Act」
end. Current status of personnel carrying out personal information impact assessment in Annex Form 4 of 「Personal Information Protection Act Enforcement Rules」
I. Office related to personal information impact assessment in Annex Form 5 of 「Personal Information Protection Act Enforcement Rules」
attached document

and facility ownership

All. Administrative documents that can prove the facts under Article 37 (1) 1 of the 「Enforcement Decree of the Personal Information Protection Act」
Documents prescribed by the Minister of Home Affairs
3. Certificate of alien registration under Article 88 (2) of the 「Immigration Control Act」 (「Enforcement Decree of the Personal Information Protection Act」
It is attached only if it falls under the partial proviso other than each subparagraph of Article 37 (3))

processing procedure
Fill out the application
→ form

→

Receipt
processing body

Applicant

→

Review

Payment

→

Issuance of designation

processing body
processing body
(Ministry of Government Administration
(Ministry
andofHome
Government
Affairs)Administration and Home Affairs)

(Korea Informatization
promotion agency)

210mm×297mm [plain paper 70g/m2 (recycled materials)]

437

Page 444
Explanation of personal information protection laws and guidelines and announcements

■ Enforcement Rules of the Personal Information Protection Act [Annex Form 4]

Current status of personnel who perform personal information impact assessment
Name of corporation and representative
Total number of personnel performing impact assessment

persons

holding certificate After obtaining a certificate
series
number

(Acquisition Date) work experience
date of birth date of employment

name

Specialty Degrees and Departments

remark

( Years and Months)

Notice
Specialized field refers to the field of work in accordance with each item of Article 37 (1) 1 of the 「Enforcement Decree of the Personal Information Protection Act」.

210mm×297mm [Plain paper 60g/㎡ (recycled materials)]

438

Page 445

■ Enforcement Rules of the Personal Information Protection Act [Appendix Form 5]

Current status of office and facility holdings related to personal information impact assessment
※ Please read and write the following instructions.
Name of corporation and representative
location

① Offices equipped with facilities for identification and access control
[

]has exist

[

]none

part
rock

② Identity verification and access control facilities
name

Details of equipment, etc.

Quantity

Details of equipment, etc.

Quantity

remark

③ Safety management facilities for records and data
name

remark

How to write
If there is an office equipped with the facilities for identification and access control in ①, mark [✓] in the 'Yes' column, and
In this case, mark [ ✓ ] in the 'None' field.

210mm×297mm [Plain paper 60g/㎡ (recycled materials)]

439

Page 446
Explanation of personal information protection laws and guidelines and announcements

■ Enforcement Rules of the Personal Information Protection Act [Annex Form 6] <Amended November 19, 2014>

My

arc

Personal information impact assessment agency designation
1. Representative:
2. Date of birth or business registration number:
3. Corporate name:

4. State

cattle:

5. Phone number:
6. Designation requirements:

In accordance with Article 37 (4) of the Enforcement Decree of the Act, such as Article 33 (1) of the Personal Information Protection Act,
Since it has been designated as an impact assessment agency, a personal information impact assessment agency designation letter is issued.

year

month

Work

seal
Minister of Government
Administration and Home Affairs

210mm×297mm [Retention paper 120g/㎡]

440

Page 447

■ Enforcement Rules of the Personal Information Protection Act [Appendix No. 7] <Amended November 19, 2014>

Personal information impact assessment agency change report
Registration Number

Date of receipt

7 days processing period

corporate name
Representative name
declarant

date of birth

Address (Location of main office)
(Phone number :

)

date of change
part

division

bell ex

change

rock

performing personnel
office and equipment
Bell corporate name
I'm Representative name

date of birth

address
method
sign
Transfer or takeover of the evaluation institution; or
merger, etc.

(Phone number :

)

side corporate name
circa Representative name

date of birth

address
method
sign

(Phone number :

)

Corporate name/address/phone number
and change of representative
In accordance with Article 37 (6) of the Enforcement Decree of the Act, such as Article 33 (6) of the 「Personal Information Protection Act」, the changes of the evaluation institution are reviewed as above.
Report it.
year
Reporter's Representative

month

Work

(Signature or Seal)

Minister of Government
You
Administration and Home Affairs

attached document

1. In case of transfer, acquisition, merger, etc., one copy of the contract of transfer, acquisition or merger, etc.
2. One copy of each document proving other changes

Notice
Detailed information regarding the above changes can be submitted in a separate sheet or by attaching related documents.

210mm×297mm [Plain paper 60g/㎡ (recycled materials)]

441

Page 448
Explanation of personal information protection laws and guidelines and announcements

■ Enforcement Rules of the Personal Information Protection Act [Annex No. 8]

Personal information ([ ] Reading [ ] Correction/Deletion [ ] Suspension of processing) request form
※ Please read the instructions below and write only the details inside the bold line.
Registration Number

date of receipt

Within 10 days of processing

name
data subject

(front)

Phone number

date of birth
address

agent

name

Phone number

date of birth

Relationship with data subject

address

[ ] Items and contents of personal information
[ ] Purpose of collection and use of personal information
[ ] Browse

[ ] Period of retention and use of personal information
[ ] Status of provision of personal information to third parties

Requirements

[ ] Facts and contents of consent to processing of personal information
[ ]Correction/Deletion ※ Write down the item of personal information you want to correct/delete and the reason.
[ ] Suspension of processing ※ Write down the subject, content, and reason for which you wish to suspend processing of personal information.

Article 41 (1) of the Enforcement Decree of the Act such as Article 35 (1) and (2), 36 (1) or 37 (1) of the 「Personal Information Protection Act」;
In accordance with Article 43 (1) or 44 (1), the above request is made.
year
claimant
OOOO

month

Work

(Signature or Seal)

You

How to write
1. Fill in the 'Agent' column only when the agent is the requestor.
2. If you wish to request access to personal information, mark [✓] in the 'View' field and select the item you wish to view.
[ ✓ ] is marked. If it is not marked, it means that you have not requested to view the item.
processed.
3. If you wish to request correction/deletion of personal information, mark [✓] in the 'Correction/Deletion' box and correct or
Write down the item of personal information you want to delete and the reason.
4. If you want to request the suspension of processing of personal information, mark [✓] in the 'Processing Suspension' column and
Write down the subject, content and the reason.
210mm×297mm [plain paper 70g/m2 (recycled materials)]

442

Page 449

■ Enforcement Rules of the Personal Information Protection Act [Annex No. 9]

Notice of Personal Information ([ ] Reading [ ] Partial Reading [ ] Postponement of Reading [ ] Refusal of Reading)
(front)
Recipient (Postal Code:

, address:

)

Requirements
Reading date

reading place

Notice content

part

([ ] read

rock

[ ] Partial reading
[ ] Postponement of reading
[ ] Refusal to read)

Reading form [ ]Reading/viewing [ ] Copies/prints

[ ]Electronic files [ ]Replicas/prints

[ ]Etc

How to read [ ]Direct visit

[ ]fax

[ ]Etc

View form and method
[ ]post

① Fee

[ ]e-mail

②The postage
won

Total (①+②)
won

won

Fee calculation specification

payment amount

Reason
How to make an objection
※ The personal information controller writes down the objection method.
In accordance with Article 35 (3), (4) or (5) of the 「Personal Information Protection Act」, Article 41 (4) or Article 42 (2) of the Enforcement Decree
Accordingly, we will notify you of your request for access to your personal information as above.
CHAPTER years
month

origination name

Work

seal

210㎜×297㎜[Newspaper 54g/㎡]

443

Page 450
Explanation of personal information protection laws and guidelines and announcements

■ Enforcement Rules of the Personal Information Protection Act [Annexed Form No. 10]

Notification of results of requests for personal information ([ ] correction/deletion, [ ] suspension of processing)

receiver

(Zip code:

, address:

)

Requirements

□ Correction/deletion
□ Stop processing
Action Details

□ Correction/deletion
□ Stop processing
Reason for decision

※ The personal information controller shall indicate the method of objection.
How to make an objection

「Personal Information Protection Act」 Article 36 (6) and Article 43 (3) of the Enforcement Decree of the same Act or Article 37 (5) of the same Act and the Enforcement Decree of the same Act
In accordance with Article 44 (2), we will notify you of the result of your request as above.
CHAPTER years
month

Work

seal of the sender 's name

Notice

If the personal information controller is notified of a decision to request correction, deletion, or suspension of processing of personal information, the personal information manager may
There are fewer ways to appeal.

210㎜×297㎜[Newspaper 54g/㎡]

444

Page 451

■ Enforcement Rules of the Personal Information Protection Act [Appendix Form 11]

power of attorney
name

Phone number

date of birth

Relationship with data subject

delegated person
address

name

Phone number

part
rock

date of birth
delegator
address

In accordance with Article 38 (1) of the 「Personal Information Protection Act」, as above, (□ viewing, □ correction/deletion, □ suspension of processing) of personal information
Delegate requests to those above.

year

delegator

OOOO

month

Work

(Signature or Seal)

You

210mm×297mm [Printing Paper (Express) 34g/㎡]

445

Page 452
Explanation of personal information protection laws and guidelines and announcements

■ Standard Personal Information Protection Guidelines [Annexed Form No. 1]

Criteria for determining the retention period of personal information files
Retention period

Target personal information file

1. Permanent preservation of personal information files operated to prove the status, identity, and property of citizens
personal information file

everlasting

2. Permanent preservation of personal information files operated to perform tasks related to public health promotion
Required personal information file

1. An individual dies or abolishes personal information files operated to prove national identity and property
Joon Young-gu

Personal information files that do not need to be permanently preserved because they are destroyed for other reasons
2. A system established and operated by an administrative agency for identification of citizens, the imposition of obligations, and the management of specific subjects.
Personal information file composed of data set of administrative information system

1. In accordance with the relevant laws and regulations, for a period of 10 years or more but less than 30 years. Criminal or Administrative Liability
30 years

Or personal information files whose prescription continues or whose value as proof data continues
1. In accordance with relevant laws and regulations, for a period of 5 years to less than 10 years. Criminal or Administrative Liability

10 years

Or personal information files whose prescription continues or whose value as proof data continues
1. In accordance with relevant laws and regulations, for a period of not less than 3 years but less than 5 years. criminal or administrative liability; or

5 years

Personal information files whose prescription continues or whose value as evidence continues

1. For the reference of administrative work or proof of fact, it shall be preserved for a period of not less than 1 year but less than 3 years.
Necessary personal information files
2. In accordance with relevant laws and regulations, for a period of 1 year to less than 3 years. criminal or administrative liability; or

3 years

Personal information files whose prescription continues or whose value as evidence continues
3. Personal information files related to the issuance of various certificates (however, other laws related to certificate issuance are retained
If the period is separately stipulated, it is in accordance with applicable laws)

1 year

1. Personal information file created for simple reporting at the request of a higher institution (department)

446

Page 453

■ Standard Personal Information Protection Guidelines [Appendix Form No. 1]

Personal information leakage report
Organization name
to the data subject
Whether to notify

of leaked personal information
Item and scale
part
rock

when it leaked and
the process

Minimize spill damage
Countermeasures, Measures and Results

data subjects can
minimal damage
Methods and Remedies
name

Department

spot

Contact

Privacy
Department, person in charge, and
protection officer
Contact
Privacy
handler

Organization name

Contact person

Contact

Leak Report Receiving Agency

447

Page 454
Explanation of personal information protection laws and guidelines and announcements

■ Standard Personal Information Protection Guidelines [Appendix No. 2 Form]

(front)

Personal image information (□ existence confirmation □ viewing)
invoice
processing
deadline
within 10 days

※ Please read the notes below and write only the information inside the bold line.
name
claimant

Phone number

date of birth

Relationship with data subject

address
name

Phone number

data subject

date of birth
Personal Information
address
(Example: 2011.01.01 18:30 ~ 2011.01.01 19:00)
video information
record period

Claim details
(Example: CCTV near 00:00, 00-gu, 00-daero 0)
video information

(Specifically
if not requested

processing device

difficult to handle

installation place

can)

billing purposes and
Reason

In accordance with Article 44 of the 「Standard Personal Information Protection Guidelines」, we request confirmation of the existence of and viewing of personal image information as above.
year

month

Work
claimant

(Signature or Seal)

○ ○ ○ ○ You

Confirmation signature of the claimant by the person in charge

448

Page 455

■ Standard Personal Information Protection Guidelines [Annex 3 Form]

Personal image information management manager
Use·
number

division

Pause

file name/
shape

manager

provided

purpose/

third party

Reason

/read, etc.

Use·

Use·

offer
basis for provision
shape

term

claimant
□ Use
□ Offer

One

□ Reading
part

□ Destroy

rock

□ Use
□ Offer

2

□ Reading
□ Destroy
□ Use
□ Offer

3

□ Reading
□ Destroy
□ Use
□ Offer

4

□ Reading
□ Destroy
□ Use
□ Offer

5

□ Reading
□ Destroy
□ Use
□ Offer

6

□ Reading
□ Destroy
□ Use
□ Offer

7

□ Reading
□ Destroy

449

Page 456
Explanation of personal information protection laws and guidelines and announcements

■ Standard Personal Information Protection Guidelines [Appendix No. 4 Form]

Request for destruction of personal information file
Date Created

Writer

to destroy
personal information file

Creation date

personal information handler

Main target business

Current number of archives

Reason for destruction

destruction schedule

Remarks

Approver

Destruction Approval Date

(Personal Information Protection Officer)

place of destruction

How to destroy

destroyer

entrant

How to confirm disposal

Is there any backup action?

Whether to discard the media

450

Page 457

■ Standard Personal Information Protection Guidelines [Appendix Form 5]

Personal information file destruction management ledger
number

Privacy

type of material

file name

creation dateRetirement Date
Reason for disposal
Head of processing department

part
rock

451

Page 458
Explanation of personal information protection laws and guidelines and announcements

■ Standard Personal Information Protection Guidelines [Appendix Form 6]

Ledger of use and provision for purposes other than personal information
division

Main Content

① Personal information file name

② Organizations that use/receive

③ Date of use and provision

④ Period of use and provision

⑤ Usage/Provision Type

⑥ Purpose of use and provision

⑦ Basis for use and provision

⑧ Items to be used and provided

⑨ Remarks

452

Page 459

■ Regulations on the designation of self-regulating organizations for personal information protection [Annex Form 1]

Application for designation of a self-regulating organization for personal information protection
Registration Number

date of receipt

2 months processing period

Name of association/organization and name of representative
Date of establishment of association
Applicant
address

Phone number

Cooperatives and organizations

Responsible department person in charge

part

rock
associations and organizations
Phone number of the person in charge of the relevant department
All member companies
Member company (personal information controller)
matters
(personal information controller)Sectors

Responsible organization and personnel
management ability

Budget size for personal information use

·
Contact person's name
group competency

Contact phone number

I apply for the designation of a self-regulatory organization for personal information protection as above.
year
Applicant

month

Work

(company seal or seal)

Minister of Government Administration and Home Affairs Inquiry

attached document
Personal information protection self-regulation implementation plan (will for implementation, execution organization and financial resources, activity performance and plan, etc.)

processing procedure

Application Guide →

→ form Receipt
Fill out the application

Korea Internet

→
Requirements review

Korea Internet

Applicant

promotion agency

→

Designation and publication

self-regulation
council

promotion agency

Ministry of Government Administration and Home Affairs

453

Page 460
Explanation of personal information protection laws and guidelines and announcements

■ Regulations on the designation of self-regulatory organizations for personal information protection [Annex Form 2]

My

arc

Personal information protection self-regulatory organization designation

1. Association (group) name:

2. Business registration number:

3. State

cattle:

4. Representatives:

5. Designation conditions:

In accordance with Article 7 (3) of the 「Regulation on Designation of Self-Regulatory Organization for Personal Information Protection, etc.」, your association (organization)
Designated as a self-regulating organization.

year

month

Work

seal
Minister of Government Administration
and Home Affairs

210mm×297mm [Retention paper 120g/㎡]

454

Page 461

■ Standards for measures to ensure the safety of personal information

Standards for safety measures according to the type of personal information controller and the amount of personal information retained
type

Applies to

Safety Measure Standards

• Article 5: Paragraphs 2 through 5
• Article 6: Paragraphs 1, 3, 6 and 7
• Article 7: Paragraphs 1 through 5, Paragraph 7
Type 1

• Personal information about less than 10,000 data subjects
• Article 8
Small business owners, organizations, and individuals• Article 9

(ease)

part

• Article 10

rock

• Article 11
• Article 13

• Article 4: Paragraph 1, 1 through 11, and

• Regarding data subjects of less than 1 million

No. 15, Paragraphs 3 through 4

SMEs with personal information

• Article 5
• Article 6: Paragraphs 1 through 7

• Regarding data subjects of less than 100,000

• Article 7: Paragraphs 1 through 5, Paragraph 7
Large corporations, medium-sized businesses that hold personal information,
• Article 8
Public institutions
• Article 9

Type 2
(Standard)

• Article 10
• Personal information about 10,000 or more data subjects
• Article 11
Small business owners, organizations, and individuals
• Article 13

• About 100,000 or more data subjects
Large corporations, medium-sized businesses that hold personal information,
Type 3

Public institutions

• Articles 4 through 13

(reinforce)
• For more than 1 million data subjects
SMEs and organizations with personal information

455

Page 462
Explanation of personal information protection laws and guidelines and announcements

■ Notice of Personal Information Protection Management System Certification, etc. Attached Table 1

Documents to be submitted in accordance with the requirements for work performance and competency examination regulations (related to Article 3 (3))

phrase

minute

documents to be submitted

end. system
Performance of Participation in Personal Information Protection Management System Certification Examination According to Attachment No. 4 Form
1. Personal information protection management
Certification audit participation performanceSpecifications and documents proving them (certification audit participation notice documents, etc.)
Documents required to verify

I. Evidence of Certification Auditor Qualifications

2. Review work performance requirements and competency
end. Calculation details of debt ratio and return on equity
documents required for
(Related documentary evidence such as details of accounting and settlement of accounts)
I. Regulations and guidelines related to the certification audit operation system, etc.
o Quality control of the operating system of the auditing body and certification
o Internal regulations such as operation management for employees who perform certification audit tasks
o Methods and procedures for conducting certification audits

456

Page 463

■ Notice of Personal Information Protection Management System Certification, etc. Attached Table 2

Detailed standards for job performance requirements and competency screening (related to Article 4 (1))

end. Detailed criteria for review of business performance requirements

evaluation item

Detailed evaluation criteria

1. 5 or more certification auditorso At least 5 certification auditors must be employed at all times
Full-time employment

- However, it is necessary to secure at least one senior auditor at the level of the audit team leader.
part
rock

o An institution that wants to be designated as a personal information protection management system certification body must
2. Securing the fairness of the certification body
In order to secure objectivity, fairness, and reliability, it is related to the establishment of a personal information protection management system.
Whether
Not to engage in consulting work

I. Detailed criteria for job performance evaluation
evaluation

Evaluation items
evaluation factor
points
1. Within the organization
Privacy
of employees

Detailed evaluation method

Indicators

10

Ratio o Number of people who are more than auditors

work expertise

number of judges

Privacy
protect
professionalism

score

5 or more

100% of points

less than 5

χ% of points

※ χ = (Number of judges/5) × 100

(30)
5

Ratio o Number of (personal) information protection-related Ph.D.
Number of Ph.D. Holders and Technicians

score

5 or more

100% of points

less than 5

χ% of points

※ χ = (Number of Ph.D. holders / Engineers / 5) × 100
5

Ratio o Number of CISM, SIS, CISSP, CISA, CPPG, Information Security Engineer/Industrial Engineer Certificate Holders
number of certificate holders

score

5 or more

100% of points

less than 5

χ% of points

※ χ = (Number of certificate holders/5 persons) × 100

457

Page 464
Explanation of personal information protection laws and guidelines and announcements

evaluation

Evaluation items
evaluation factor
points
Privacy

Detailed evaluation method

Indicators

10

Percentage o Personal information protection management system in which a certified auditor who is always employed has participated in the past 3 years

management system

The performance of participation in certification audits is recognized and the evaluation score is the total date of participation by adding up individual participation performances.

Certification audit

Calculate by number

Participation performance

Total participation days (unit: days)

score

more than 200 days

100% of points

less than 200 days

χ% of points

※ χ = (total participation days/200 days) × 100
2. Facilities (10)

office space

10

evaluation

Certification audit

Detailed evaluation factors
o Two offices required for certification audit consultation and certification audit work

document storage

o Securing office-related equipment

2 points

security equipment

o Facilities for identification and access control for office occupants

2 points

Securing facilities

o Storage locations for safe management of records and materials

2 points

o Security facilities to prevent loss or theft of certification examination documents

2 points

place and

3. Reliability and

score

score

Debt Ratio

5

Ratio o Debt ratio of the previous year as of the designated announcement date (total liabilities/equity equity)

financial condition

ratio

dryness

less than 50%

5 points

More than 50% ~ Less than 100%

4 points

More than 100% ~ Less than 150%

3 points

More than 150% ~ Less than 200%

2 points

(10)
※Non-profit organization
Excluding evaluation

score

200% or more
equity capital

5

1 point

Ratio o Return on equity capital of the previous year as of the designated announcement date (net income/equity capital)

profit margin

ratio

score

20% or more

4. Certification work certification body

20

(50)

Less than 20% ~ More than 15%

4 points

Less than 15% ~ More than 10%

3 points

Less than 10% ~ 5% or more

2 points

less than 5%

1 point

evaluation

operating system
operating system and

5 points

Detailed evaluation factors

score

score

o Measures to guarantee fairness, objectivity, reliability, and independence of the certification
5 pointsbody

certified quality

o Measures for the implementation and review of internal audits by the certification body
5 points

management

o Quality assurance and management measures for certification

5 points

o Adequacy of the record and documentation management system of certification work5 points
certification work

10

evaluation

performing

Detailed evaluation factors

score

for the staff

score

o Retaining regulations for employees performing certification tasks and complying with these regulations

operation and management

Relevance and effectiveness

5 points
- Observances such as duties and responsibilities of employees performing certification tasks

inside of the back
Rule

- Tips for self-security management and supervision of employees performing certification tasks
o Measures for training and evaluation of employees performing certification tasks

5 points

and the appropriateness and feasibility of the measures.

458

Page 465

evaluation

Evaluation items
evaluation factor
points

Detailed evaluation method

Indicators

Certification work 5

evaluation

how to do it and

Detailed evaluation factors

score

score

o Appropriateness and validity of methods and procedures for performing certification tasks

step

- Procedure and method of certification audit
- Certification fee and its collection method

5 points

- Principles of the formation of the certification audit team
- Certification audit follow-up management plan, etc.
Certification work 15

evaluation

support system

score

Detailed evaluation factors

score

o Level of ownership and maintenance of corporate bankbooks for operating funds 5 points
o Compensation for damage to the applicant organization due to designation cancellation, bankruptcy, dissolution, etc.
5 points
Whether related measures are in place
o Support measures to improve the quality of certification
5. Points and

5 points

Certification audit 5

possesiono Establish an organization in charge of performing certification audit tasks, and apply for employees belonging to the organization in charge.
part
work
(additional points)
personnel Recognition
rock
dedicated
Number
division
score
Certification Auditor
10 or more
5 points
number of holdings
Less than 10 to 5 or more
χ% of points

deduction

less than 5

none

※ χ = (Number of people/10 people) × 100
Privacy

2

certification
o When the personal information protection management system certification is obtained and the certification is maintained

management system
(additional points)
acquisition
Acquisition of certification

and

and keep

maintain

revocation

5

Actually

cancel

o Within 10 years from the date of the designated announcement, the Ministry of Government Administration and Home Affairs and the Korea Communications Commission

(additional points)
Actually

When the (personal) information protection-related performance qualification is revoked

and

- (Personal) information protection management system certification institution, safety diagnosis institution, etc.

cancel

※ For each cancellation: 5 points

collection

<Remarks>
1. The detailed evaluation score for each evaluation element for evaluation items is rounded to the second decimal place.
2. For each evaluation element for evaluation items, the average of the scores excluding the lowest and highest points of the evaluation results is given.
However, if there are two or more lowest or highest points, only one of each is excluded.
3. Even if the sum of the additional points exceeds 100 points, it is indicated as 100 points.
4. The criteria for granting detailed evaluation points for each evaluation element for 'facility' and 'certification operation system' are based on the evaluation result of each evaluation element.
(Coefficient) is multiplied and the resulting scores are summed.
Detailed evaluation score for each evaluation element

Evaluation grade (coefficient)

100 points or less ~ 90 points or more

Excellent (1.0)

Less than 90 points to more than 80 points

Medium (0.6)

less than 80 points

Poor (0.2)

not submitted

no score(0)

459

Page 466
Explanation of personal information protection laws and guidelines and announcements

■ Notice of Personal Information Protection Management System Certification, etc. Attached Table 3

Qualification requirements for certification auditors (related to Article 7)

1. Requirements to apply for certification as an auditor
□ Basic Requirements
A person who has graduated from a four-year university or has obtained an equivalent academic background, and must have information technology-related experience or information security-related experience
Possess more than 6 years of experience in total, of which 2 years or more of personal information protection work experience

end. “Equal educational background” means 4 or more years of work experience for high school graduates, and 2 years or more work experience for 2-year college graduates.
say
I. “Information technology-related experience” means information and communication services (key communication,
Special communication, value-added communication, broadcasting service, etc.), information communication equipment (information equipment, broadcasting equipment, parts)
etc.) or software and computer-related services (packaged software, computer-related
service, digital content, database production and search, etc.)
Experience in planning, analysis, design, development, operation, maintenance, consulting, supervision, or R&D
or information technology related legal advice.
All. “Information security-related experience” means a common basis for information protection in public institutions, corporations, and educational and research institutions.
Technology (encryption technology, authentication technology, etc.) field, system/network protection (system protection, hacking/virus)
Response, network protection, etc.) field, application service protection (electronic transaction protection, application service protection, information
protection, standardization, etc.) in the field of planning, analysis, design, development, operation, maintenance, consulting, supervision or research
It refers to the experience of performing tasks such as development work or legal advice related to information protection.
la. “Personal information protection practical experience” means performing personal information protection tasks in public institutions and corporations, etc.
Refers to the experience of performing tasks such as protection consulting and personal information protection-related legal advice.
hemp. In the case of a lawyer under the Attorney Act, 6 years of information technology-related experience or information protection-related experience is required.
deemed to have
bar. All relevant work experience is recognized only within the last 10 years from the date of application, and within the last 5 years
At least 2 years of relevant work experience must be included.

460

Page 467

□ Career replacement requirements
division

Experience Recognition Requirements Applicable Qualifications
accreditation period
end. Those who have obtained a doctoral degree in “information security” or “information technology”

I. Technician in the field of 'Information Technology' in Attached Table 2 of the Enforcement Rules of
2 years
the National Technical Qualification Act
information protection
All. Information Systems Supervisor (ISA)
or information technology
Relevant career

end. Those who have obtained a master’s degree in “information security” or “information technology”
accreditation requirements
I. Articles in the field of 'Information Technology' in Annex 2 of the Enforcement Rules of the National Technical Qualifications Act
(Duplicate work experience recognized
All. Information security engineer (information security expert)
1 year
not allowed)
la. International Certified Information System Auditor (CISA)
hemp. International Certified Information System Security Specialist (CISSP)
Privacy

end. Those who have obtained a doctoral degree related to “personal information protection”
practical experience

2 years

part
rock

accreditation requirements
end. Those who have obtained a master’s degree in “personal information protection”
(Duplicate work experience recognized
I. Personal Information Protection Manager (CPPG)
not allowed)

1 year

2. Qualification requirements for each level of certification auditor
division

Eligibility Criteria

o A person who satisfies the educational background and experience requirements of the certification auditor and is implemented by the Internet & Security Agency.
Judge's Assistant
Those who have completed the certification auditor training course and passed the evaluation

judge

o A person who has acquired the qualification of assistant auditor, participated in the certification audit more than 4 times and the total number of audit days is 20 days or more

seniority

o A person who has acquired the qualifications of an auditor, has performed overall audits at least 3 times and the total number of audit days is 15 or more

judge

461

Page 468
Explanation of personal information protection laws and guidelines and announcements

■ Notice of Personal Information Protection Management System Certification, etc. Attached Table 4

Criteria for calculating the personal information protection management system certification fee (related to Article 15)
1. How to Calculate the Certification Fee

Certification fee = direct labor cost + direct cost + administrative cost + technology fee

① Direct labor cost is calculated as the labor cost for certification auditors who are involved in certification audits. Labor cost is SW business
The information security consulting fee of the cost calculation guide applies mutatis mutandis.
Certification auditor level

consultant rating

Senior Judge
full-time consultant or more
judge
Judge's Assistant

consultant

② Direct expenses are covered for certification examination tasks such as transportation expenses, lodging expenses, and meals, etc.
Estimate the direct expenses incurred.
③ Expenses are calculated at the maximum (direct labor cost × 120%).
④ Technological fee is calculated at the maximum {(direct labor cost + administrative expenses) × 40%｝.

462

Page 469

■ Notice of Personal Information Protection Management System Certification, etc. Attached Table 5

Personal information protection management system certification standards (related to Article 16)
Application type
Certification Criteria

type

type

type

(4)

(3)

(2)

Detail

type
(One)

public major company
small and
small
medium
wounds
Agency

Enterprise
Authorized

Establish personal information protection policy and enforcement documents to protect organizational personal information
1.1.

policy

One

establish

policy and

1.1

range

1.1.

Maintenance

1.1.

range setting

3
One.
management
1.2.

management
1.2
system

Personal information protection policy and enforcement documents comply with relevant laws and regulations, and

policy

2

executive's

○
○
Establishment, revision, and management of history, and creation and maintenance of operational records.
Consistency must be maintained. In addition, it is reviewed regularly and, if necessary,

Considering the impact on the organization, important tasks, services, organizations, assets, etc.
○
○
The scope of the included personal information protection management system should be established.

○

part
rock

○

Personal information carried out by the organization, such as establishment and operation of the personal information protection management system

Reporting and reporting to ensure management’s involvement throughout protection activities
○
Participation
A decision system should be established.

responsibility One
of

establish

The policy and direction should be clearly presented. In addition, personal information protection (management)
○
○
○
○
It must be disclosed to executives and employees and related persons after obtaining approval from the management including the person in charge.
do.

○

Privacy

(7)

1.3.
One

protection (management)
Personal information protection for continuous operation of personal information protection management system
○
○
○
responsible
(Management) A person in charge must be designated.

○

appointed

1.3

group

Review and make decisions on important privacy-related matters throughout the organization
organizationalAn organization (conciliation body) should be formed. In addition, the personal information protection management system
○
○
○
It is necessary to secure the resources (budget and manpower) necessary to carry out the operation activities.
Configuration

1.3.
2

do.
individual

The person in charge of personal information management (protection) and the person in charge of each department handling personal information;
Define roles and responsibilities for personnel and evaluate their activities.
○
○
○
responsibilityA system should be established. In addition, a reporting system that can communicate
should be defined

1.3.

Information

role and

3

protect
management

2.1.

process

After assigning the security level, the handling procedure according to it shall be defined and○ implemented.
○
discrimination
In addition, the responsibilities of each asset should be clearly defined.

individual One
2.1

By identifying the organization's personal information and personal information-related assets and determining the importance

Privacy

○

○

Information
discrimination
2.1.

Privacy

2

flow grasp

By identifying the flow of personal information in the organization's personal information-related services and tasks,
Create a personal information flow chart (table) and review it periodically to keep it up to date
○
○
○
should be maintained

2.
risk management
To enable risk identification and evaluation in all areas of the organization's personal information protection
method and
○
○
○
One
A risk management method should be selected and a risk management plan should be established.
plan

Execution

2.2.

and
operation
(5)
danger

2.2

Risk identification and evaluation at least once a year according to risk management methods and plans
Hazard identification
In accordance with the results, the organization sets an acceptable level of risk.
○
○
and evaluation
should be managed

2.2.

2
management

implementation plan
privacy measures to reduce the risk to an acceptable level;
establishment and
It should be selected and an implementation plan should be established and approved by the○management.
Also,
○
○
protection measures
Protection measures shall be implemented according to the established implementation plan.
avatar

2.2.
3

3.1.
individual One

3.
Review

Information

and

3.1

○

legal requirement
Continue to comply with the privacy-related legal requirements that organizations must comply with.
matters
○
○
It must be identified and kept up-to-date, and compliance must be continuously reviewed.
Compliance review

○

protect

monitor

systematic 3.1.

ring(2)

Review

internal audit

2

Checking whether the personal information protection management system is being operated effectively
For this purpose, an internal audit plan should be established and carried out at least once a year.
○ inside
○

○

Problems discovered through the audit should be supplemented and reported to the management.

463

Page 470
Explanation of personal information protection laws and guidelines and announcements

Application type
Certification Criteria

Detail

type

type

type

(4)

(3)

(2)

type
(One)

public major company
small and
small
medium
wounds
Agency
calibration and
Privacy
Personal information protection activities that must be performed periodically or on a regular basis
4.1.
Improving
improved protection
Management such as continuous inspection and improvement of the operation status by documenting
○
○it
One
shall.
activity
activity

4.1
4. Calibration
and
Improving
(2)

Enterprise
Authorized

inside

4.2

share and
education

4.2.

○

internal share

Identify the department and person in charge to operate or implement the personal information management plan
○
○
○
and education Relevant contents should be shared and educated.

One

We must collect only the minimum information necessary to provide services. individual
In order to distinguish between mandatory and optional information when collecting information,
○
One Collection limitsservice due to not providing optional information
The offer must not be refused.

5.1.

Privacy

Information

5.1.

subject

2

agree

○

○

○

○

Personal information is the subject of information, except where there are special provisions in laws and regulations.
○
○
○
○
It must be collected after obtaining the consent of the (user).

court
5.1.

agent
consent and

3

When collecting personal information of children under the age of 14, it is necessary for a legal representative to
○
○
○
Notice must be given and consent must be obtained.

○

notice
sensitive information
and unique Unique identification information and sensitive information require separate consent from the information subject (user) or

individual5.1.
5.1

○

○

resident registration
number
If the law allows the collection and use of the resident registration number of the information subject (user),
○
○
○
Collection and use
Except for cases, resident registration numbers cannot be collected or used.
limit

○

resident registration
If the law allows the collection and use of the resident registration number of the information subject (user),
number
○
○
○
In this case, an alternative means of resident registration number must be provided.
alternative means

○

indirect collection
Indirect collection generated through collection by the system or processing of personal information
○
○
Appropriate protection measures for personal information shall be established and implemented.
protective measures

○

○

○

○

discrimination
We will not collect it except where other laws require and allow processing.

Information4

○

○

of informationcan't
Collection limits

upon collection
protect
measure
5.1.
5

5.1.
6
life
Cycle
and
rights

5.Personal
5.1.

Information

7

life lord
group

Privacy

5.1.

management
guarantee
(16)

By establishing a personal information processing (handling) policy, the information subject (user) can
processing (handling)
○
○
It should be disclosed in an appropriate way so that it can be verified.
policy

8

Privacy

5.2.

third party

One

When providing personal information to a third party, the relevant information is notified and consent is obtained.
must be provided afterward, and if access to personal information is allowed to a third party○
○
○

○

It must be controlled in accordance with the protection procedure to safely protect personal information.

offer
provided

If you receive personal information, do not use it for any purpose other than the purpose for which it was provided.
individual
and must not provide it to a third party, and manage personal information safely
○
○
○
of information
shall.
management

5.2.
individual 2
Information

5.2

use and

Privacy

offer

Do not deviate from the scope of notification and consent of the information subject (user) of personal information
out of purpose If it is out of the scope of consent, the information subject
○
○
○
You must obtain additional consent from (user) and take appropriate protective measures.
use and

5.2.
3

○

do.

offer

individual Appropriate protection in case of transfer of personal information due to business transfer, merger, etc.

5.2.

of informationMeasures should be established and implemented. In addition, when transferring personal information
○
○ abroad ○

4

Previous

○

Appropriate protection measures for personal information shall be established and implemented.

Privacy
Collected personal information must be safely stored and managed, accuracy,
individual5.3.
InformationOne quality assuranceCompleteness and up-to-dateness must be maintained.
5.3

○

○

○

○

○

holding
protect

5.3.

measure

2

Privacy

Public institutions that operate personal information files register their status with the Ministry of Government Administration and Home Affairs.
○

In case of change, it should be notified.
file management

464

Page 471

Application type
Certification Criteria

Detail

type

type

type

(4)

(3)

(2)

type
(One)

public major company
small and
small
medium
wounds
Agency

Enterprise
Authorized

Privacy
Establish internal regulations related to the retention period and destruction of personal information and destroy
5.4.
destruction
rules
Relevant protective measures should be in place. In addition, consent to collection of personal
etc.
○ information,
○
○
individual One
Records
about
the
company
must
be
kept
safely
until
withdrawal.
and
procedures
Information
5.4

upon destruction
protect

individual

5.4.

measure

6.1.

Privacy

One
6.1.
Subject
rights

6.1

guarantee

When the purpose of collecting personal information has been achieved, without delay in a safe way

It shall be destroyed and related matters shall be recorded and managed. Purpose of collection of personal information
of information
○
○
○
○
Even after achievement, if it is necessary to retain the information according to related laws, etc., the information subject
destruction
(Users) must be notified and the minimum items must be kept.

2

6.Information

○

browse

Provide methods and procedures for viewing, correcting, and deleting personal information, and information subjects
○
○
○
○
(Users) should be allowed to read upon request.
When the information subject (user) requests correction or deletion of personal information, without delay

Privacy

○

process and keep records. In addition, the details of personal information use are
Correction/deletion
should be notified periodically.

2

○

○

○

rights
guarantee 6.1.

Privacy

Informing the information subject (user) of the method and procedure for suspending the processing of personal information
○
○
○
○
stop processing In case of request to stop processing, it shall be processed without delay, and records shall be kept.

3

(4)

rights
of event

6.1.
4

method and

The information subject (user) objected to measures such as refusal of requests such as reading
○
○
Necessary procedures, such as a counseling window, should be established so that complaints can be made.

○

○

○

○

○

A list of data handlers shall be managed. In addition, personal information protection responsibility
○
○
Reward and punishment rules should be prepared for faithful performance.

○

○

step

7.1

education and Establish an annual personal information protection education plan, and

education and
7.1.
training

One

training

director

individual
Information
7.2.
handler

Limit employees and outsiders handling personal information to a minimum, and

handler

One

7.2

security

2

pledge

management
7.2.

○

should be kept and the results evaluated and reflected in the next training.
Implementation Records
and evaluation
Privacy

7.2.

Periodic training should be conducted. In addition, for the implementation of education

Security to personal information handlers, temporary employees, and outsiders who handle personal information
○
○
○
You must get an oath.

○

retirement and Asset return, account and authority in case of retirement or job change of personal information handler
Establish personnel management procedures for personal information handlers such as collection/adjustment
and
of results
○
○
○ confirmation
○
managementshould be implemented

job change

3

In case of outsourcing personal information processing,
outside consignment
Responsibilities for requirements, management and supervision, and liability for violations of
○ laws and
○ regulations
○
○
One
contract
It should be documented in the contract, etc.
Consignment
7.3.
data subject When consigning personal information processing work, the information subject is the trustee, the purpose of the entrustment, etc.
task
○
○
○
○
(User) must be notified and consent must be obtained if necessary.
2
notice
management
7.3.

7. Management
enemy
individual
protection group
7.3
Informationchi
(10)
protect

7.3.

Measures

consigner
Entrusted company specified in contract, service level agreement, related laws and regulations, etc.
○
○
○
management andIt supervision
should be managed and supervised regularly to ensure that the requirements are sufficiently implemented.

3

○

intrusion
7.4.
One

prejudice
7.4

accident 7.4.
management2

Establish a procedure for responding to personal information infringement incidents, and
Response procedure
Establish a response system so that it can be done quickly, and
and
A cooperative system with experts should be established.
system construction
intrusion

○

○

○

In order for employees to familiarize themselves with the infringement incident response procedures,

Mock training should be conducted. The simulation training results are used in the incident response
procedure.
○
○
○
Improving It should be reflected and improved periodically.

training and

In the event of an incident of personal information infringement, promptly perform recovery according to the procedure;
7.4.

intrusion

3

Response

Vulnerabilities discovered after accident analysis are shared with related organizations and employees, and similar
○
○
○
Response to infringement incidents by establishing measures to prevent recurrence
should be reflected in the system.

8.Technology
enemy 8.1
protection group

Access
authority

8.1.

access control Access to unauthorized persons can be controlled based on privacy requirements.

○

One policy making Access control policies for personal information handlers should be established.
management

○

465

Page 472
Explanation of personal information protection laws and guidelines and announcements

Application type
Certification Criteria

Detail

type

type

type

(4)

(3)

(2)

type
(One)

public major company
small and
small
medium
wounds
Agency

8.1.
2

8.1.
3

Privacy

Enterprise
Authorized

Personal information to control access to personal information and personal information processing system

Procedures for registration and cancellation of handlers shall be established. In addition, the○handling○of personal
○ information
○
Enrollment It should be defined and recognized that the security responsibility of the PC lies with the user.

handler

Privacy
The right to access the personal information processing system is limited to the minimum number of business performers.
○
○
○
○
grant and keep the history of permission changes.
Permission management
handler

part
rock

8.1.

special rights Accounts assigned to personal information and personal information processing systems for special purposes
○
○
○
managementand authority should be identified and controlled separately.

4

○

Privacy
8.1.

handler

5

access rights

Personal information handlers who use personal information and personal information processing systems
○
○
The status of access rights should be checked regularly.

○

Review
Privacy
handler

8.1.

If necessary, a strengthened authentication method is applied in consideration of legal requirements,
etc.
○
○
certification and
Should be.
discrimination

6

In consideration of legal requirements and external threat factors,
Establish and implement password management procedures for users and information subjects
○ (users)○
management
shall.

8.1.

password

7

Privacy
process

8.2.
One
connect
8.2

management
8.2.

(32)

2

○

○

○

Protective measures must be applied to prevent forgery or falsification of access records, and
connection record
Monitoring should be performed to prevent misuse of information. Also
○
monitoring
In the event of a problem, appropriate follow-up actions should be taken in a timely manner.

○

○

To ensure that relevant equipment and systems must be synchronized with standard time

○

Network to control unauthorized access to wired and wireless networks
Establish access control management procedures and manage services, user groups, and personal
information
assets
○
○
○

network
Access

8.3.

Users allowed access by server, access restriction methods, safe access methods, etc.
It should be defined and applied.

Applications
Applications that handle personal information according to the user's job or job
program
Access rights should be restricted.
Access

8.3.
3

control

data
Base

8.3.

4
management

○

Networks should be segregated according to their importance and legal requirements.

server access

2

domain

○

○

One

8.3

○

connection record
do.
management

8.3.

Access

○

We keep the access records of the personal information processing system and ensure the accuracy of the access records.

system

record

chi

When accessing the personal information processing system, it is controlled according to a secure authentication procedure,

The applications and user functions that allow database access.
Clearly define and establish access control policies for each application and job function

Access

○

○

○

○

○

○

○

○

○

○

○

○

should be implemented
When managing the personal information processing system through the internal network,
Restrict access to only the terminal, and through the external network

8.3.
5

remote
Management of the personal information processing system is prohibited in principle. inevitable
○
○
operational approach
If it is permitted for any reason, protection measures are established in accordance with the relevant laws.

○

shall.
8.3.
6

access control

8.4.
One
management
8.4

The personal information handler's PC with access to the personal information processing system is

Internet

○

Restrict and control access or services, and, if necessary,
should be monitored.

○

○

operating procedure
Re-operation, recovery, and error when a problem occurs in the operation of the personal information processing system
○
○
establish
Procedures for system operation such as handling and exception handling should be established.

within

Establishment and separation of duties standards to prevent misuse of personal information processing system

8.4.
2

separation of duties
In special cases where separation of duties is difficult, separate protective measures are prepared.
○

○

shall.

466

Page 473

Application type
Certification Criteria

type

type

type

(4)

(3)

(2)

Detail

type
(One)

public major company
small and
small
medium
wounds
Agency
8.4.

Information systems and personal information from malicious codes such as viruses, worms, and Trojan horses
Protection measures are in place to protect information handler terminals (PCs, laptops, etc.)○
○
○

malware

3

control

8.4.

weakness

4

check

8.4.
5

Enterprise
Authorized

○

should be established
In order to prevent unauthorized access attempts to the personal information processing system, etc.
Regularly perform technical vulnerability checks and discover vulnerabilities
○
○
action should be taken

○

Privacy
In the case of personal information inquiry and printing, the personal information is processed through masking technology, etc.
○
○
○
display restrictions
Information display should be limited.
security
system

8.4.
6

Intrusion prevention and detection function to prevent illegal access and intrusion accidents
The system must be installed and operated. In addition, the security system operation procedure
○

○

○

Installation and Establish
operation and manage the policy application status for each security system.

8.4.

When information is disclosed on the website, etc.

public server

7

Establishing permission and posting procedures, and physical and technical protection of public
○ servers
○
Measures should be established.

security

○

○

part
rock

8.4.

mobile

8

Connecting mobile devices to internal and external networks for business purposes

○

Device Management
In this case, mobile device access control measures should be established.

8.4.
9

8.4.
10

○

The impact on the system on software, operating system, security system, etc.
patch management
Analyze and periodically apply the latest patch.

○

○

○

○

○

○

encryption

In order to safely manage personal information,

encryption One policy making Encryption policy should be established.
control

8.5.
2

encryption
apply

8.6.

○

To maintain the integrity of data and the availability of personal information processing systems
Backup Management
○
Backup procedures should be established to periodically back up and manage.

8.5.
8.5

○

○

In accordance with the encryption policy, personal information is stored and transmitted, and encryption is performed for remote access.
○
○
○
○
and securely manage the encryption key.

Privacy

Infringement of personal information of information subjects due to the operation of personal information files
○
Impact Assessment
In case of concern, an impact assessment should be performed.

One

When developing or changing the personal information processing system, the results of the personal information impact assessment
8.6.

in developmentDeveloped including security requirements, implemented and implemented according to secure coding methods
○
○
security measures
We conduct tests and check whether we are exposed to vulnerabilities and
Protection measures should be established.

2

development department
In principle, the development and test system is separated from the operating system, and

8.5.
Development
3
security

8.6

operating environment
Migration to the environment must be done according to a controlled procedure, and the executable
code
○
○ must be
Separation Test and acceptance procedures should be followed.
exam
data and
sauce

8.5.
4

When using operational data as test data, follow the procedure for protection measures.
should be established and implemented. In addition, only authorized users

program
security

8.5.

○

○

Access should be controlled and not stored in the operating environment.

Outsourcing development
Security to be observed when outsourcing development of personal information processing system
○
○
security
Requirements should be specified in the contract and management/supervised whether or not they are implemented.

5

video information
9.1.

of processing equipment
When installing and operating image information processing equipment, legal requirements depending on the purpose of installation
○
○
○
○
video
One Installation and operation
(Installation of information boards, etc.) must be observed and appropriate protective measures must be prepared.
Information
limit

9.
physical
protect

9.1

process

measure

video information
processing device
In the case of entrusting affairs related to the installation and operation of image information processing equipment, appropriate
Installation and operation
○
A consignment procedure should be established.
clerical

device
9.1.
management
2

(8)

consignment management

467

Page 474
Explanation of personal information protection laws and guidelines and announcements

Application type
Certification Criteria

type

type

type

(4)

(3)

(2)

Detail

type
(One)

public major company
small and
small
medium
wounds
Agency
Designate and protect protected areas to protect major equipment and systems
Protective measures should be established and implemented, including working procedures within the area.

protect
9.2.
One

territorial
Protective equipment should be equipped and operated according to the characteristics of the
○ protected
○ area. Also
○
designation and
When entrusting and operating an external integrated information and communication facility,
management
It should be reflected in the contract and reviewed periodically.

physical
9.2

Enterprise
Authorized

Protected areas are controlled so that only authorized persons can access, and
access control
Access history should be reviewed periodically. Also in the office
and office
Protects important information from leaking from office equipment, etc.
security
measures should be taken.

security 9.2.
management2

○

○

personal work
Do not leave important documents or storage media on the desk, and important information is not exposed.
Environment
○
○
Protective measures should be established and implemented to prevent this from happening.
security

9.2.
3

○

○

○

○

Privacy
process
system

9.3.
One

storage mediumIt must be completely removed to make it impossible.
management

media
9.3

Establish and operate personal information processing system storage media management procedures,
When the information processing system is discarded and reused, the personal information recorded
on
○
○ the media
○ is recovered.

Portable
Personal information leakage or malicious code through portable storage media
storage mediumIt is managed not to be infected, and the portable storage medium containing personal information
is ○
○

management
9.3.
2

○

managementIt should be stored in a safe place.
move

9.3.
3

Entry and exit of mobile computing by employees and outsiders within the protected area is prohibited.
○
○
Control, record and manage.
management

○

computing

468

Page 475

■ Notice of Personal Information Protection Management System Certification, etc. Attached Table 6

Indication of personal information protection management system certification (related to Article 25)
1. Design model

part
rock

Authentication Type:
Validity :
Certification scope:

2. Notes on certification marks
end. In order to promote the fact of acquiring the personal information protection management system certification, a personal information protection management system certificate is issued.
It can be used only as long as the effect is maintained from the date of receipt. If authentication is revoked,
The publicity of the company and the use of the personal information protection management system certificate should be stopped.
I. In case of using the certification mark, the certification type, validity period, and certification scope shall be indicated together.
All. When specifying the type of certification, the type of agency that corresponds to the certified agency among the types of application agencies under Article 13 (1)
The type should be stated.
la. A person who has obtained certification may not advertise the fact of certification using exaggerated or ambiguous expressions.

3. How to use the certification mark
end. Certification marks are available in designated colors. In addition, the background color on which the color can appear clearly
It can be used in black and white above or as the main monochromatic color of the printed material shown.
I. The size of the certification mark can be adjusted according to the size of the object of the mark or the conditions of the place where it is displayed.
It can be displayed by reducing or enlarging the ratio.
All. of the fact of acquiring the personal information protection management system certification in general documents, the top of letters, invoices, and publicity brochures
You can promote your content.

469

Page 476
Explanation of personal information protection laws and guidelines and announcements

4. Precautions to be taken when making a certification nameplate
end. The material should be made of copper plate as much as possible (total thickness 1.0cm, background 0.4cm, frame width 0.5cm)
I. The background color should be unpolished brass as much as possible.
All. The design mockup places the mark of the certification in the center.
la. Letters and figures should be embossed.
hemp. The size is rectangular and can be adjusted to a certain ratio by setting the horizontal and vertical ratio of 3:2.

470

Page 477

■ Notification Form 1 on Personal Information Protection Management System Certification, etc.

Application for designation of personal information protection management system certification body
※ There are not many applicants for dark colors.
Registration Number

Date of receipt

processing period

Within 3 months

company name

Company Registration Number

address

Phone number

Applicant
representative

total number of employees

part

Number of certification auditors

rock
Application Category

□ New

□ Reassignment

about certification
Scope of work

In accordance with Article 32-2 of the 「Personal Information Protection Act」 and Article 47-3 of the 「Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.」 and Article 53-2 of the Enforcement Decree of the same Act
In accordance with the above, we apply for the designation of a personal information protection management system certification body.

year

Applicant (representative)

month

Work

(Signature or Seal)

Ministry of Government Administration and Home Affairs
preciousness
or the Korea Communications Commission

1. One copy of the Articles of Incorporation or Bylaws.
Applicant (reporter)
2. The status of holding of the certification examiner in Attachment No. 2 form and one copy of the document proving it.
fees
Documents to be submitted
3. One copy of the documents required for the examination of job performance requirements and abilities in Attached Table 1.
none
public official
Certificate of corporate registration
Checklist

processing procedure

Fill out the application→form
Applicant

judge

→ Decide whether to designate→

processing body

processing body

→

Receipt
processing body

Issuance of designation letter
processing body

210mm×297mm [White Paper (80g/㎡)]

471

Page 478
Explanation of personal information protection laws and guidelines and announcements

■ Notification Form 2 on Personal Information Protection Management System Certification, etc.

Status of certification auditors

God

(Page 1)

company name

Company Registration Number

address

Phone number

blue
representative

sign

number of employees

Number of certification auditors

address

series

last educational background

name

number

Applicable requirements
date of birth

date of entry

Acquired degree and department

Notice

1. In the “Requirements” column, write the requirements for senior auditor, auditor, and assistant auditor.
2. A copy of the employee's graduation or degree certificate that can prove the final degree listed must be submitted.
3. An employee who meets the 「Qualification requirements for certification auditors」 in Attached Table 3 must provide a copy of the technical qualification certificate, etc., to confirm that they have acquired the qualifications.
Documents must be submitted together.
4. A career certificate that can prove information and communication-related experience or information protection-related experience (the work department or task in charge, etc. must be listed)
must) and a certificate of employment confirming that the employee is currently working for the applicant company.

210mm×297mm [White Paper (80g/㎡)]

472

Page 479

■ Notification Form 3 on Personal Information Protection Management System Certification, etc.

(Page 2)
Current status of employees in charge of certification audits

address

series

last educational background

name

number

Applicable requirements
date of birth

date of entry

Acquired degree and department

part
rock

210mm×297mm [White Paper (80g/㎡)]

473

Page 480
Explanation of personal information protection laws and guidelines and announcements

■ Notification Form 4 on Personal Information Protection Management System Certification, etc.

Certification Performance Report

company name

Company Registration Number

address

Phone number

Privacy

representative
management system
initial examination
Personal information protection management system certification audit results
follow-up examination
sum
renewal review

certification

Etc

key

Etc

key

Etc

key

division
series
number

Certification Number Target institution (company) name

Certification scope

Validity

first

posthumously
renewal

judge

judge

year

judge

month

Applicant (representative)

Work

(Signature or Seal)

Ministry of Government Administration and Home Affairs or
preciousness
Korea Communications Commission

Documents to be submitted
1. 1 copy of detailed certification performance report.

210mm×297mm [White Paper (80g/㎡)]

474

Page 481

■ Notification Form 5 on Personal Information Protection Management System Certification, etc.

Personal Information Protection Management System Certification Examiner Qualification Application

applicant

castle

persons

small

genus

week

small

date of birth

(Right:

Picture

)

Personal Information
Cell Phone
e-mail
Application field
□
last educational background
□ High school graduate
□ University graduate
□ Master
college graduate

Educational History

□ Doctor
part

① Information protection or
gun

year

gun
year
month
information technology
(Alternative career: year included)
Relevant career

month

(①+②)

rock

total career

Career

②Personal information protection
gun
year
month
※ Duplicate work experience is not accepted.
relevant career
(Alternative career: year included)

※ as documents
verifiable

□ Information Security or Information Technology

content only

Career Alternatives

career replacement

□ Personal information protection experience

history

substitute

Submit this application to apply for the personal information protection management system certification examiner qualification. What is written in this application
It is not true, or does not meet the qualification requirements for certification auditors according to Attached Table 3 of the 「Personal Information Protection Management System Certification, Etc.」
If not, we will not raise any objection even if the pass or qualification is revoked.
year
applicant
Korea Internet & Security Agency

month

Work

(Signature or Seal)
preciousness

1. Statement of application for certification auditor qualification
2. Evidence of Eligibility
① Degree certificate
② A detailed career certificate or detailed employment certificate detailing relevant career matters

Applicant

Documents to be submitted③ Certificate of technical performance (if applicable)
④ Certificate of Eligibility (if applicable)
3. Information Protection Pledge
4. Personal information use agreement, etc.

475

Page 482
Explanation of personal information protection laws and guidelines and announcements

■ Notification Form 6 on Personal Information Protection Management System Certification, etc.

Certification Auditor Qualification Certificate

Issue number:
castle

Person:

date of birth :

year

month Work

Qualifications:
Validity :

..

~

.

.

The person above is a person for personal information protection pursuant to Article 9 of the 「Public Information Protection Management System Certification, Etc.」
It proves that you are a management system certification auditor.

year

month

Work

sealSecurity Agency
Director, Korea Internet &

210mm×297mm [White Paper (120g/㎡)]

476

Page 483

■ Notification Form 7 on Personal Information Protection Management System Certification, etc.

Application for personal information protection management system certification
※ In [ ], mark ✓ where applicable, and the applicant does not fill in the dark areas.
Registration Number

Date of receipt

Applicant

Issue date

processing period

company name

Company Registration Number

address

Phone number

representative

Classification of certification application
[ ] Initial examination

[ ] Post review

[ ] Renewal review

part
□ To small business owners under subparagraphs 1 and 2 of Article 2 of the 「Act on the Protection and Support of Small Businesses」
rock
Eligible Businesses and Other Businesses
□ Entrepreneurs who fall under the category of small and medium-sized enterprises under Article 2 of the 「Framework Act on Small and Medium Enterprises」
Applicant type

□ Applicable to large enterprises under subparagraph 2 of Article 2 of the 「Act on Promotion of Coexistence with Large and Small Businesses」
In accordance with subparagraph 2 of Article 2 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.
Information and communication service providers according to
□ Public institutions under subparagraph 6 of Article 2 of the 「Personal Information Protection Act」

Scope of personal information protection management system

within the scope of the personal information protection management system
number of persons included
within the scope of the personal information protection management system
Number of systems included

In accordance with Article 32-2 of the 「Personal Information Protection Act」, I apply for the certification of the personal information protection management system as above. or,
In accordance with Article 47-3 (1) of the 「Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.」 and Article 47 of the Enforcement Decree of the same Act, personal information as above
Apply for certification of the protection management system.
year
Applicant (representative)

month

Work

(Signature or Seal)

(Korea Internet & Security Agency or
preciousness
Personal information protection management system certification body)

Applicant (reporter)
One copy of the statement of the personal information protection management system.
Documents to be submitted

fees
none

public official
Certificate of corporate registration
Checklist

210mm×297mm [White Paper (80g/㎡)]

477

Page 484
Explanation of personal information protection laws and guidelines and announcements

■ Notification Form 8 on Personal Information Protection Management System Certification, etc.

Personal Information Protection Management System (PIMS) Certificate

Certification Number :

company name :

representative :

address :

Authentication Type:

Scope of Certification:

Validity :

In accordance with Article 32-2 of the 「Personal Information Protection Act」, we certify the personal information protection management system as above. or,
In accordance with Article 47-3 (1) of the 「Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.」 and Article 47 of the Enforcement Decree of the same Act
Accordingly, we certify the personal information protection management system as above.

year

month

Work

Director, Korea Internet & Security Agency
seal
or privacy
Head of management system certification body

478

Page 485

CERTIFICATE

OF
Personal Information Management System

Certificate Number:

Name of Organization:
part
rock

Name of Representative :

Address :

Certification Type:

Scope of Certification:

Period of Validity:

This is to certify that the above mentioned organization is compliant to the
assessment standard for Personal Information Management System certification in
in accordance with Article 32-2 of 「Personal Information Protection Act」 or, This is
to certify that the above mentioned organization is compliant to the assessment
standard for Personal Information Management System certification in accordance
with Article 47-3 Paragraph 1 of 「Act on Information Network Utilization and Data
Protection, etc.” and Article 47 of the Enforcement Decree of the Act.

Date of Issuance:

Signed by the
President of Korea Internet & Security Agency or, certification body
210mm×297mm [White Paper (120g/㎡)]

479

Page 486
Explanation of personal information protection laws and guidelines and announcements

■ Notification of personal information protection management system certification, etc. Form 9

Application for reissuance of personal information protection management system certificate
※ There are not many applicants for dark colors.
Registration Number

Date of receipt

Applicant

Issue date

processing period

company name

Company Registration Number

address

Phone number

representative

Reason for reissuance

As above, apply for reissuance of personal information protection management system certificate.

year

Applicant (representative)

month

Work

(Signature or Seal)

(Korea Internet & Security Agency or
preciousness
Personal information protection management system certification body)

fees
Documents to be submitted
Not applicable
none

210mm×297mm [White Paper (80g/㎡)]

480

Page 487

■ Notification Form 10 on Personal Information Protection Management System Certification, etc.

Personal Information Protection Management System Certificate Change Application
※ There are not many applicants for dark colors.
Registration Number

Applicant

Date of receipt

Issue date

processing period

company name

Company Registration Number

address

Phone number

representative
part
rock

(Korean)
Before change
(English)

change
Contents

(Korean)
after change
(English)

Reason for change

Apply for the change of the personal information protection management system certificate as above.

year
Applicant (representative)

month

Work

(Signature or Seal)

(Korea Internet & Security Agency or
preciousness
Personal information protection management system certification body)

fees
Documents to be submitted
Not applicable
none

210mm×297mm [White Paper (80g/㎡)]

481

Page 488
Explanation of personal information protection laws and guidelines and announcements

■ Notice of Personal Information Impact Assessment Annex 1

Detailed evaluation criteria for personal information impact evaluation performance evaluation (related to Article 7)

(Page 1)
Category Evaluation items

Detailed evaluation items

points

evaluation index

Impact assessment for the last 5 years
Related fields

Detailed evaluation criteria

• 500 million won or more: 100% of points
contract amount
• Less than 500 million won: χ% of points
Total amount
※ χ = (total contract amount / KRW 500 million) × 100

15

performance
1. Experience
(25)

• More than 5 cases:

Contract amount for the last 2 years
over 1 million won

10

100%

number of executions
• Less than 5 cases: χ% of points
※ χ = (Number of executions/5 cases) × 100

Performance in the field of impact assessment
I.
dose

• Number of people × 1 point (maximum 15 points)
Number of people

Number of advanced execution personnel 15

evaluation
(60)
• Points × (specialized training on personal information protection)

2. Professionalism Personal Information Impact Assessment Professional Training

Number of certified test passers/ all evaluation institutions

(25)

Certification exam

10

ratio
Average number of successful applicants for certification exam*)

number of successful applicants
※ Average number of applicants who passed the evaluation agency certification exam

• Rating based on credit ratings

3.
reliability

credit rating

10

rank

※ Notice on personal information impact assessment

(10)

Attachment criteria in Table 1
• Impact assessment quality improvement activities
impact assessment performance

II.

non-metering • Institutions subject to impact assessment

20
Impact Assessment
qualitative
evaluation
Qualitative
performance capability
evaluation
(40)
of the personnel performing the impact assessment
(40)
10
Qualities and experience

• Excellence in how to conduct impact assessment

non-metering ※ Evaluation through application documents and on-site inspection

482

Page 489

(Page 2)

influence

II.

• Relevance of risk analysis
of the corporation applying for designation
10
non-metering• Appropriateness of personal information impact assessment
Independent Personal Information Impact Assessment Measures
• Effectiveness of personal information impact assessment

end
Qualitative
train station
evaluation
amount
(40)

(40)
part
rock

「Act on Special Measures for Promotion of Venture Businesses」
Confirm
Confirmation as a venture company pursuant to Article
extra25
points
Whether
received company

III.

Confirm
Local companies (excluding metropolitan areas)
extra points
Whether

Etc

※ Venture confirmed company: 5 points

※ The location of the head office is located in a province other than the metropolitan area.
Location: 5 points

bidding
According to the procurement law for the past 3 years
attend
Participation in the bidding was designated as an illegal
deduction
business operator※ Limited number of months per month: 0.5 points
limit
limited period
number of months

remark
1. Scores for each detailed evaluation item in the above table are rounded to the second decimal place.
2. Among the detailed evaluation criteria, the reliability item can be replaced by the submission of a corporate credit evaluation report, and the scoring criteria for this is
[Attachment] Follow the evaluation criteria based on credit ratings.
3. The 'recent' date of counting shall be based on the designated announcement date.

483

Page 490
Explanation of personal information protection laws and guidelines and announcements

■ Notice of Personal Information Impact Assessment Attached Table 2

Detailed evaluation criteria for personal information impact evaluation agency renewal (related to Article 7)
(Page 1)
Category Evaluation items

Detailed evaluation items

points

evaluation index

contract amount

Impact assessment performance over the past two
10years

Total amount

Detailed evaluation criteria

• Over 300 million won: 100% of points
• Less than 300 million won: χ% of points
※ χ = (total contract amount/300 million won) × 100

• 5 or more: 100% of points awarded
Number of impact assessments performed in the 10
last two years
number of executions
• Less than 5 cases: χ% of points
※ χ = (Number of executions/5 cases) × 100

1. Experience
(30)

• 500 million won or more: 100% of points
contract amount

5

Total amount

• 500 million won ~ 200 million won: χ% of points
• Less than 200 million won: not qualified (Enforcement Decree)
Article 37 (1) No. 1)

Impact assessment for the last two years

※ χ = (total contract amount / KRW 500 million) × 100

Performance in related fields

I.
dose

• 5 or more: 100% of points awarded

evaluation

5

number of executions
• Less than 5 cases: χ% of points

(60)

※ χ = (Number of executions/5 cases) × 100

• More than 10 people: 100% of points
• Less than 10 people: x% of points
Number of people

Number of advanced execution personnel
10

※ x = (total number of high-level personnel/10)x100%

2. Professionalism
• Points × (specialized training on personal information protection)

(20)
Personal Information Impact Assessment

Number of certified test passers/total

Professional Education Certification Test
10

ratio

Average number of applicants who passed the evaluation agency certification exam*)
※ Number of applicants who passed the evaluation agency certification exam

number of successful applicants

Average

• Rating based on credit ratings

3.
reliability

credit rating

10

※ Notice on personal information impact assessment

rank

(10)

Attachment criteria in Table 1

1. Influence

II.

evaluation

Qualitative

• Impact assessment quality improvement activities

impact assessment performance

non-metering • Institutions subject to impact assessment

20

qualitative evaluation

• Excellence in how to conduct impact assessment

Perform

evaluation

ability

(40)

of the personnel performing the impact assessment
※ Through application documents, on-site inspection, etc.
10
non-metering
Qualities and experience (interview)
evaluation

(40)

484

Page 491

(Page 2)

1. Influence

II.

• Relevance of risk analysis
of the corporation applying for designation
10
non-metering • Appropriateness of personal information impact assessment
Independent Personal Information Impact Assessment Measures
• Effectiveness of personal information impact assessment

evaluation
Qualitative
Perform
evaluation
ability
(40)
(40)

「Act on Special Measures for Promotion of Venture Businesses」
part

※ Venture confirmed company: 5 points

Confirmation as a venture company pursuant to Article
extra25
points
Confirmation
received company

rock

Impact Assessment on Local Public Institutions

※ Per number of executions: 1 additional point

extra points
Confirmation

number of executions
III.
Etc

Conducting an impact assessment using an unqualified person
number of cases

※ Per number of executions: 1 point deduction

deduction Confirmation

(Number of violations in Article 5 of the Notice)

According to the procurement law for the past 3 years

Participate in bidding
Participation in the bidding was designated as an illegal
deduction
business operator ※ Limited number of months per month: 0.5 points
limited number of months
limited period

remark
1. Scores for each detailed evaluation item in the above table are rounded to the second decimal place.
2. Among the detailed evaluation criteria, the reliability item can be replaced by the submission of a corporate credit evaluation report, and the scoring criteria for this is
[Attachment] Follow the evaluation criteria based on credit ratings.
3. The 'recent' date of counting shall be based on the designated announcement date.

485

Page 492
Explanation of personal information protection laws and guidelines and announcements

[Attachment]

Evaluation criteria based on credit ratings
Rating (points)

on corporate bonds
in commercial paper
About

About

credit rating

Corporate credit rating

credit rating

AAA

10 points

AAA

-

AA+, AA0,

(Rating equivalent to AAA credit rating for corporate bonds)
AA+, AA0, AA-

A1

AA-

A+

A2+

A0

A20

A-

A2-

BBB+

A3+

BBB0

A30

BBB-

A3-

BB+, BB0

(Ratings equivalent to AA+, AA0, AA- for corporate bonds)
A+

10.0

(A grade equivalent to the credit rating A+ for corporate bonds)
A0
(Rating equivalent to A0 credit rating for corporate bonds)
A(A grade equivalent to the credit rating A- for corporate bonds)
BBB+
(Rating equivalent to the credit rating of BBB+ for corporate bonds)
BBB0

8.0

(Rating equivalent to BBB0 credit rating for corporate bonds)
BBB(Rating equivalent to the BBB- rating for corporate bonds)
BB+, BB0

B+

(Rating equivalent to BB+, BB0 credit ratings for corporate bonds)
7.0

BB-

BB-

B0

B+, B0, B-

(Rating equivalent to the BB- rating for corporate bonds)
B+, B0, B-

B-

CCC+ or lower

6.0

(Ratings equivalent to credit ratings B+, B0, B- for corporate bonds)
CCC+ or lower

C or less

3.0

(Credit rating equivalent to CCC+ for corporate bonds)

486

Page 493

■ Notice of Personal Information Impact Assessment Annex 3

Main contents of personal information impact assessment agency protection measures (related to Article 8)
term

neck

week

Yo

of mine

for

I.
Impact Assessment
1. The area in which the impact assessment is to be carried out is to be designated. This area is not accessible by persons other than the personnel performing the impact assessment.
execution area
should be limited
and
2. Control measures according to risk analysis shall be devised for information and communications networks that process, transmit, and store impact assessment and analysis data;
in the facility
do. In this case, control measures for notebook computers and other portable information processing devices shall be included.
About
protection measures

part
rock

3. The personnel performing the impact assessment should be aware of and comply with all obligations, including the duty to maintain confidentiality, in accordance with relevant laws and regulations.
Guidelines and procedures for writing a pledge of commitment should be prepared.
II.

4. Guidelines and procedures should be prepared for qualification screening when hiring impact assessment personnel and management of retirees when they retire.
Impact Assessment
do.
to the number of attendees
5. Internal regulations on sanctions and handling of impact assessment personnel who violate the security measures of the assessment agency should be prepared.
About
do.
protection measures
6. Employees, including personnel performing impact assessments, will receive training on personal information impact assessments inside and outside the company on a regular basis.
should be able to

7. In order to protect impact assessment analysis data (including ancillary data), in accordance with the standard personal information protection guidelines in Article 12 of the Act.
Security measures should be prepared.

III.

8. Persons other than impact assessment personnel are prohibited from accessing, viewing, editing, exporting, or discarding impact assessment analysis data.

document

Control measures should be devised.

and

in computerized data9. Take control measures according to risk analysis for impact assessment analysis data processed, transmitted, and stored through information and communications networks;
About

should be insisted on

protection measures
10. Storage, copying, distribution, and storage of impact assessment analysis data in the form of printed materials, such as papers, drawings, microfilm, and computerized output
Control measures for disposal, etc. shall be devised.

IV.

11. The representative publishes the basic policy of the evaluation institution on impact assessment in writing and includes the personnel performing the impact assessment

Normal

Employees should be aware of this.

management
12. The management and operation status of risk analysis and control measures for impact assessment work shall be periodically checked and evaluated.

Measures

487

Page 494
Explanation of personal information protection laws and guidelines and announcements

■ Notice of Personal Information Impact Assessment Attached Table 4

Evaluation area and field of personal information impact assessment (related to Articles 10 to 11)
(Page 1)

evaluation area

evaluation field

specific field
Designation of the person in charge of personal information protection

1. Personal information protection organization
Acting as a personal information protection officer
Establishment of internal management plan

I.
2. Privacy plan

object

Establish an annual plan for personal information protection

Agency
Privacy

Information on how to report an infringement incident

management

3. Response to Personal Information Infringement

system

Leakage incident response
Establishment of procedures for guaranteeing the rights of data subjects
4. Guarantee of information subject rights
Information on how to guarantee the rights of information subjects
Designation of personal information handler
5. Management of personal information handlers
Management and supervision of personal information handlers

II.
of the target system

Personal information file ledger management

Privacy

6. Personal information file management
Personal information file registration

management
system

Disclosure of Privacy Policy
7. Privacy Policy
Preparation of personal information processing policy
Suitability of Personal Information Collection
8. Collect
Appropriateness of the method of obtaining consent
9. Retention

Retention period calculation
Appropriateness of Provision of Personal Information

10.Use/Provision

Restrictions on use and provision for other purposes

III.
Securing safety when providing

Personal information processing
Step-by-step protection

Disclosure of consignment

measure
11. Consignment

consignment contract
Management and supervision of the trustee
Establish a destruction plan

12. Destroy

Establish a separate storage plan
Write a record of destruction

488

Page 495

Account Management
13. Manage access rights

Authentication Management
Permission Management
Access Control Measures

14. Access Control

Internet homepage protection measures
Protective measures for mobile devices for work
encryption at rest

15. Encryption of personal information
Encryption in transit
IV.

part

Access record storage

rock

target system
16. Storage and inspection of access records

of temp

Connection history check

technical

Access record storage and backup

protect
Vaccine installation and operation

measure
17. Prevention of malicious programs, etc.

Apply security update
Establishment of access control procedures
18. Physical Access Prevention
Establishment of import/export control procedures
19. Destruction of personal information

safe destruction
Development Environment Control

20. Other technical protection measures

Personal information processing screen security
Protective measures when printing

21. Protection of personal information processing areaDesignation of protected areas
Gathering opinions when installing CCTV
CCTV installation guide
22. CCTV
Restrictions on CCTV use
V.

Consignment for CCTV installation and management

certain
IT technology
When using

RFID User Guide
23. RFID
RFID tag attachment and removal

Privacy
protect

24. Bio information

Protection measures when storing original information
Consent to collection of personal location information

25. Location information
Guidelines for providing personal location information

489

Page 496
Explanation of personal information protection laws and guidelines and announcements

■ Notification Form 1 on Personal Information Impact Assessment

Statement of performance in areas related to personal information impact assessment
(Page 1)
company name

term

Total performance performance
outside

Project name
series

Participating manpower
execution period

number

gun (gun

(Target institution
task manager
(Total participation M/M)
(company) name)

One thousand won)

remark

Price
(Individual participation rate (M/M), (whether infrastructure,
(One thousand won)
field of professional participation)
impact assessment stake, etc.)

remark
1. The performance of impact assessment-related fields includes the performance of personal information impact assessment, information protection consulting, information system and information protection
Information security consulting ratio among system construction performance (indicated in % of separate amount), information security consulting ratio among supervisory performance performance (separately)
expressed as a percentage of the amount), etc.
2. The performance specification for impact assessment-related fields shall be prepared by the target institution that has performed impact assessment-related fields, but if it is unavoidable,
It can be replaced with a contract with the target organization, a project completion report, a delivery certificate, and a completion report.
3. For the details of the performance in the field of impact assessment, the amount of the amount is set so that the performance of the field related to the impact assessment can be briefly checked.
By classification, the performance of impact assessment, the number and amount of information security consulting performed (or among the information system and information security system construction performance)
The number and amount of information security consulting cases and ratio of information security consulting cases and amount among the results of supervision) are indicated.

210mm×297mm [Plain paper 60g/㎡ (recycled materials)]

490

Page 497

Details of performance in areas related to impact assessment
Impact Assessment Impact Assessment
Impact Assessment Performance
Field number of casesField Amount
amount of money
(Sum)
(Sum)

Impact Assessment Impact Assessment Impact Assessment Impact Assessment
number of executionsperformance amountnumber of cases

Amount ratio

over 100 million won

part
rock

over 5 million won

over 3 million won

over 10 million won

Total/Average Ratio

remark
1. The performance of impact assessment-related fields includes the performance of personal information impact assessment, information protection consulting, information system and information protection
Information security consulting ratio among system construction performance (expressed as a percentage of separate amount), information security consulting ratio among audit performance performance
(expressed in % of the amount separately), etc.
2. The performance specification for impact assessment-related fields shall be prepared by the target institution that has performed impact assessment-related fields, but if it is unavoidable,
It can be replaced with a contract with the target organization, a project completion report, a delivery certificate, and a completion report.
3. For the details of the performance in the field of impact assessment, the amount of the amount is set so that the performance of the field related to the impact assessment can be briefly checked.
Classification, impact assessment performance, number and amount of information security consulting (or information system and information security system establishment performance)
Indicate the number and amount of information security consulting among the number and percentage of the amount of information security consulting among the results of supervision).

210mm×297mm [Plain paper 60g/㎡ (recycled materials)]

491

Page 498
Explanation of personal information protection laws and guidelines and announcements

■ Notification Form 2 on Personal Information Impact Assessment

Personal information impact assessment performance management card
company name

performance performance
Performance performanceDate
name
of creation of performance
Target
results
institution nameDate of disposal of performance results (method)
remark
Control Number

remark
1. Personal information impact assessment performance results refer to the evaluation result report of personal information impact assessment.

210mm×297mm [Plain paper 60g/㎡ (recycled materials)]

492

Page 499

■ Notification Form 3 on Impact Assessment of Personal Information

Certificate of experience and performance of personnel performing the personal information impact assessment
※ This form is used for the designation of a personal information impact assessment agency in accordance with Article 37 of the 「Enforcement Decree of the Personal Information Protection Act」
human

castle

persons

matters (One

character)

week

date of birth

small

career

Responsibilities
working department

matters

employment period

Position (Title)
part

(specify)

rock

Performance

manager
Project name

matters

execution period

Target institution name

remark
Phone number

We confirm that there are no false facts in the information in this certificate, and we do not object to any disadvantages caused by false information.
I will not raise

year

Applicant

month

Work

(Signature or Seal)

Minister of Government Administration You
and Home Affairs

210mm×297mm [plain paper 70g/m2 (recycled materials)]

493

Page 500
Explanation of personal information protection laws and guidelines and announcements

■ Notification Form 4 on Impact Assessment of Personal Information

Personnel Management Card for Personal Information Impact Assessment
(Page 1)
corporate name
name

date of birth

Department name
address

date of entry

Manpower Enrollment Date

resignation date

manpower deletion date

Personnel Classification: General / Advanced

Grade Acquisition Date:

Institution Name (School Name)group

liver

Grade change record:

Affiliated Department

Qualifications

(position, title)

(acquisition date)

remark

Education
and
Record
matters

210mm×297mm [Plain paper 60g/㎡ (recycled materials)]

494

Page 501

■ Notification Form 5 on Impact Assessment of Personal Information

Personal information impact assessment performance detailed review data

I. Ratio of sales in areas related to personal information impact assessment to total sales

(1) Total sales for the closing period immediately before the application for designation:

One thousand won

(2) Sales in the field of personal information impact assessment in the closing session immediately before the application
One thousand
for designation:
won
(3) Ratio of sales in areas related to personal information impact assessment to total sales:

%
part
rock

II. Debt Ratio and Return on Equity Ratio

(1) Debt Ratio

= (total liabilities / total equity) × 100

=

%

(2) Return on Equity = (Net Income / Average Equity) × 100 =

%

Ⅲ. Etc

(1) Whether or not venture businesses have been identified in accordance with the 「Act on Special Measures for the Promotion of Venture Businesses」 ( ○ , × )
(2) Whether or not you have experience in designation of an illegal business operator in accordance with procurement-related laws ( ○ , × )

remark
1. In Paragraphs Ⅰ and Ⅱ, the calculation details signed and sealed by a certified public accountant or a person in charge of accounting for the designated company shall be attached.
(If it is not possible to accurately determine the sales volume related to the personal information impact assessment, the estimated amount shall be used).

210mm×297mm [Plain paper 60g/㎡ (recycled materials)]

495

Page 502
Explanation of personal information protection laws and guidelines and announcements

■ Notification Form 6 on Personal Information Impact Assessment

List of technical assets related to personal information impact assessment
corporate name

turn

Technical asset name technical asset version

Use of technical assets Technical asset creation date
Disposal Date (Method)

remark

remark
1. Technology assets refer to personal information impact assessment consulting-related patents, system development, program development, etc.

210mm×297mm [Plain paper 60g/㎡ (recycled materials)]

496

Page 503

■ Notification Form 7 on Impact Assessment of Personal Information

Overview of the Personal Information Impact Statement
Public institution name
propel
calendar

system name
flat
Promotion overview
and purpose

end
versus
Prize

Eligibility

city

Promotion budget

s

driving personality propelling entity

temp

basis for promotion

dog

part
remark
rock

Yo
Main Content
Purpose of collecting personal information
file name

Number of data subjects

File and scope description

individual
Information

Evaluation target file

file

...

summary
Key personal information

...

o Total ( ) items:
- Required Collection:

Collection Status

- Select collection:
Main Content

Main evaluation items

effect

change history
Indicators to be added
evaluation
(78 indicators in the performance guide)
Item

-

Indicator deletion items -

Usage history description)

week
Yo

○
of mine
evaluation

evaluation results and for
Improvements

result
and
Improving

Infringement factor Improvement measures

Improvement Plan

number of cases

number of establishments

number of cases

key

plan

key

key

Action completed
number of cases
key

Action to be taken
number of cases
key

○
Major improvement plan and schedule
○
○
rating agency

Evaluation period

appraisal budget

210mm×297mm [Plain paper 60g/㎡ (recycled materials)]

497

Page 504
Explanation of personal information protection laws and guidelines and announcements

■ Notification Form 8 on Personal Information Impact Assessment

Personal Information Impact Assessment Report Confirmation of Implementation of Improvement Plan
evaluation area

Improvement task name

Improvement request

action plan

Due date
(or due date)

manager
Confirm

498

Page 505

2016 Personal Information Protection Act Commentary Writers and Advisory Group
Director of Research

ChangbeomMember
Lee
of Kim & Chang Law Firm

Privacy

Minho KimProfessor, Sungkyunkwan University

Protection Law Society Kim Hyun-kyung
Professor, Seoul National University of Science and Technology
Kyungjin Choi
Professor at Gachon University
high environment
Attorney at Law Firm Gwangjang
Baek Dae-yong
Attorney at Sejong Law Firm
Kim Joo-heeAttorney at Kim & Chang Law Firm

External Advisory Committee
Jinhwan Kim
Attorney at Kim & Chang Law Firm
Yun Yong Attorney at Yulchon Law Firm
Kang Tae-wook
Attorney at Pacific Law Firm
Oh Byung-chul
Professor at Yonsei University
Myung-Hyun
Professor
Jung at Korea University
Hwang Chang-geun
Professor at Hongik University
Kwon Gun-bo
Professor at Ajou University

Commentary on the 2016 Personal Information Protection Act and Guidelines/Notice
published date December 2016
Publisher

Ministry of Government Administration and Home Affairs

home page

www.moi.go.kr

Production and editing
Korea Internet & Security Agency

※This manual is posted on the comprehensive personal information protection portal (www.privacy.go.kr)

Page 506

