South Korea Privacy Law - Personal Information Protection Act

The official version of this text can be found on the Korean Legislature Research Institute website, available here.

PERSONAL INFORMATION PROTECTION ACT

Act No. 10465, Mar. 29, 2011
Amended by Act No. 11690, Mar. 23, 2013
Act No. 11990, Aug. 6, 2013
Act No. 12504, Mar. 24, 2014
Act No. 12844, Nov. 19, 2014
Act No. 13423, Jul. 24, 2015
Act No. 14107, Mar. 29, 2016
Act No. 14765, Apr. 18, 2017
Act No. 14839, Jul. 26, 2017

CHAPTER I GENERAL PROVISIONS

Article 1 (Purpose)

The purpose of this Act is to provide for the processing and protection of personal information for the purposes of protecting the freedom and rights of individuals, and further realizing the dignity and value of the individuals. <Amended by Act No. 12504, Mar. 24, 2014>

Article 2 (Definitions)

The terms used in this Act shall be defined as follows: <Amended by Act No. 12504, Mar. 24, 2014>

1. The term "personal information" means information relating to a living individual that makes it possible to identify the individual by his/her full name, resident registration number, image, etc. (including information which, if not by itself, makes it possible to identify any specific individual if combined with other information);

2. The term "processing" means the collection, generation, connecting, interlocking, recording, storage, retention, value-added processing, editing, retrieval, output, correction, recovery, use, provision, and disclosure, destruction of personal information and other similar activities;

3. The term "data subject" means an individual who is identifiable by the information processed hereby to become the subject of that information;

4. The term "personal information file" means a set or sets of personal information arranged or organized in a systematic manner based on a certain rule for easy access to the personal information;

5. The term "personal information controller" means a public institution, legal person, organization, individual, etc. that processes personal information directly or indirectly to operate the personal information files for official or business purposes;

6. The term "public institution" means any of the following institutions:

(a) The administrative bodies of the National Assembly, the Courts, the Constitutional Court, and the National Election Commission; the central administrative agencies (including agencies under the Presidential Office and the Prime Minister’s Office) and their affiliated entities; and local governments;

(b) Other national agencies and public entities prescribed by Presidential Decree;

7. The term "visual data processing devices" means the devices prescribed by Presidential Decree, which are continuously installed at a certain place to take pictures of persons or images of things, or transmit such pictures or images via wired or wireless networks.

Article 3 (Principles for Protecting Personal Information)

(1) The personal information controller shall specify and explicit the purposes for which personal information is processed; and shall collect personal information lawfully and fairly to the minimum extent necessary for such purposes.

(2) The personal information controller shall process personal information in a manner compatible with the purposes for which the personal information is processed, and shall not use it beyond such purposes.

(3) The personal information controller shall ensure personal information is accurate, complete, and up to date to the extent necessary in relation to the purposes for which the personal information is processed.

(4) The personal information controller shall manage personal information safely according to the processing methods, types, etc. of personal information, taking into account the possibility of infringement on the data subject rights and the severity of the relevant risks.

(5) The personal information controller shall make public its privacy policy and other matters related to personal information processing; and shall guarantee the data subject rights, such as the right to access their personal information.

(6) The personal information controller shall process personal information in a manner to minimize the possibility to infringe on the privacy of a data subject.

(7) The personal information controller shall endeavor to process personal information in anonymity, if possible.

(8) The personal information controller shall endeavor to obtain trust of data subjects by observing and performing such duties and responsibilities as provided for in this Act and other related statutes.

Article 4 (Rights of Data Subjects)

A data subject has the following rights in relation to the processing of his/her own personal information:

1. The right to be informed of the processing of such personal information;

2. The right to consent or not, and to elect the scope of consent, to the processing of such personal information;

3. The right to confirm the processing of such personal information, and to request access (including the provision of copies; hereinafter the same applies) to such personal information;

4. The right to suspend the processing of, and to request a correction, erasure, and destruction of such personal information;

5. The right to appropriate redress for any damage arising out of the processing of such personal information in a prompt and fair procedure.

Article 5 (Obligations of State, etc.)

(1) The State and a local government shall formulate policies to prevent harmful consequences of beyond-purpose collection, abuse and misuse of personal information, indiscrete surveillance and pursuit, etc. and to enhance the dignity of human beings and individual privacy.

(2) The State and a local government shall establish policy measures, such as improving statutes, necessary to protect the data subject rights as provided for in Article 4.

(3) The State and a local government shall respect, promote, and support self-regulating data protection activities of personal information controllers to improve irrational social practices relating to the processing of personal information.

(4) The State and a local government shall enact or amend any statutes or municipal ordinances in conformity with the purpose of this Act.

Article 6 (Relationship to other Acts)

The protection of personal information shall be governed by this Act, except as otherwise specifically provided for in other Acts. <Amended by Act No. 12504, Mar. 24, 2014>

CHAPTER II ESTABLISHMENT OF PERSONAL INFORMATION PROTECTION POLICIES, ETC.

Article 7 (Personal Information Protection Commission)

(1) The Personal Information Protection Commission (hereinafter referred to as the "Protection Commission") shall be established under the Presidential Office to deliberate and resolve on matters relating to the protection of personal information. The Protection Commission shall independently conduct functions belonging to its authority.

(2) The Protection Commission shall be comprised of not more than 15 Commissioners, including one Chairperson and one Standing Commissioner, who shall be a public official in political service.

(3) The Chairperson shall be commissioned by the President from among non-public official Commissioners.

(4) The Commissioners shall be appointed or commissioned by the President from among the following persons. In this case, five Commissioners shall be appointed or commissioned from among the candidates elected by the National Assembly, and other five Commissioners from among the candidates designated by the Chief Justice of the Supreme Court:

1. Persons recommended by the civil society organizations or consumer groups related to the protection of personal information;

2. Persons recommended by the trade associations comprised of personal information controllers;

3. Other persons who have abundant academic knowledge and experience related to personal information.

(5) The term of office for the Chairperson and Commissioners shall be three years, renewable for only one further term.

(6) Meetings of the Protection Commission shall be convened by the Chairperson when the Chairperson deems it necessary or not less than 1/4 of the Commissioners demand it.

(7) The resolution of a meeting of the Protection Commission shall be made by the affirmative votes of a majority of present Commissioners if not less than 1/2 of the Commissioners are present at the meeting.

(8) A secretariat shall be established within the Protection Commission to support the administration of the Protection Commission.

(9) Except as otherwise expressly provided for in paragraphs (1) through (8), matters necessary for the organizational structure and operation of the Protection Commission shall be prescribed by Presidential Decree.

Article 8 (Functions, etc. of Protection Commission)

(1) The Protection Commission shall deliberate and resolve on the following matters: <Amended by Act No. 13423, Jul. 24, 2015>

1. Matters concerning the assessment of data breach incident factors under Article 8-2;

1-2. Matters concerning the establishment of the Master Plan referred to in Article 9 and the Implementation Plans referred to in Article 10;

2. Matters concerning the improvement of policies, systems, and statutes;

3. Matters concerning the coordination of positions taken by public institutions with respect to the processing of personal information;

4. Matters concerning the interpretation and operation of statutes related to the protection of personal information;

5. Matters concerning the use and provision of personal information under Article 18 (2) 5;

6. Matters concerning the results of the privacy impact assessment under Article 33 (3);

7. Matters concerning the presentation of opinions under Article 61 (1);

8. Matters concerning recommendation on measures under Article 64 (4);

9. Matters concerning the publication of processing results under Article 66;

10. Matters concerning the preparation and submission of annual reports under Article 67 (1);

11. Matters referred to a meeting by the President, the Chairperson of the Commission, or at least two Commissioners of the Protection Commission with respect to the protection of personal information;

12. Other matters on which the Protection Commission deliberates or resolves pursuant to this Act or other statutes.
(2) The Protection Commission may take the following measures if necessary to deliberate and resolve on the matters provided for in paragraph (1): <Amended by Act No. 13423, Jul. 24, 2015>

1. Listening to the opinions of relevant public officials, specialists in data protection, civic organizations and related business operators;

2. Request of relevant materials from the relevant agencies or inquiry of facts.

(3) The relevant agencies in receipt of a request made under paragraph (2) 2, shall comply with the request, except in extenuating circumstances. <Newly Inserted by Act No. 13423, Jul. 24, 2015>

(4) Upon deliberating and resolving on the matters provided for in paragraph (1) 2, the Protection Commission may advise the improvement of such matters to the relevant agency. <Newly Inserted by Act No. 13423, Jul. 24, 2015>

(5) The Protection Commission may inspect whether its advice given under paragraph (4) has been implemented or not. <Newly Inserted by Act No. 13423, Jul. 24, 2015>

Article 8-2 (Assessment of Data Breach Incident Factors)

(1) The head of a central administrative agency shall request the Protection Commission to assess data breach incident factors where the policy or system in need of personal information processing is adopted or changed by the enactment or amendment of any statute under his/her jurisdiction.

(2) Upon receipt of a request made pursuant to paragraph (1), the Protection Commission may advise the head of the relevant agency of the matters necessary to improve the relevant statute by analyzing and reviewing the data breach incident factors of such statute.

(3) Necessary matters concerning the procedure and method to assess the data breach incident factors under paragraph (1) shall be prescribed by Presidential Decree.

[This Article Newly Inserted by Act No. 13423, Jul. 24, 2015]

Article 9 (Master Plan)

(1) The Protection Commission shall establish a Master Plan to protect personal information (hereinafter referred to as a “Master Plan”) every three years in consultation with the heads of relevant central administrative agencies to ensure the protection of personal information and the rights and interests of data subjects. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 13423, Jul. 24, 2015>

(2) The Master Plan shall include the following:

1. Basic goals and intended directions of the protection of personal information;

2. Improvement of systems and statutes related to the protection of personal information;

3. Measure to prevent personal information breaches;

4. How to vitalize self-regulation to protect personal information;

5. How to promote education and public relations to protect personal information;

6. Training of specialists in the protection of personal information;

7. Other matters necessary to protect personal information.

(3) The National Assembly, the Court, the Constitutional Court, and the National Election Commission may establish and implement its own Master Plan to protect personal information of relevant institutions, including affiliated entities.

Article 10 (Implementation Plan)

(1) The head of a central administrative agency shall establish an implementation plan to protect personal information each year in accordance with the Master Plan and submit it to the Protection Commission, and shall execute the implementation plan subject to the deliberation and resolution of the Protection Commission.

(2) Matters necessary for the establishment and execution of the implementation plan shall be prescribed by Presidential Decree.

Article 11 (Request for Materials, etc.)

(1) To efficiently establish the Master Plan, the Protection Commission may request materials or opinions regarding the status of regulatory compliance, personal information management, etc. by personal information controllers from personal information controllers, the heads of related central administrative agencies, the heads of local governments and related organizations or associations, etc. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 13423, Jul. 24, 2015>

(2) The Minister of the Interior and Safety may survey the level and status of personal information protection toward personal information controllers, the heads of related central administrative agencies, the heads of local governments and related organizations or associations, etc., if necessary to promote personal information protection policies, to assess outcomes of such policies, etc. <Newly Inserted by Act No. 13423, Jul. 24, 2015; Act No. 14839, Jul. 26, 2017>

(3) To efficiently establish and promote implementation plans, the head of a central administrative agency may request the materials referred to in paragraph (1) in the fields under his/her jurisdiction from personal information controllers. <Amended by Act No. 13423, Jul. 24, 2015>

(4) Any person in receipt of a request to furnish the materials under paragraphs (1) through (3) shall comply with the request except in extenuating circumstances. <Amended by Act No. 13423, Jul. 24, 2015>

(5) The scope and method to furnish the materials under paragraphs (1) through (3) and other necessary matters shall be prescribed by Presidential Decree. <Amended by Act No. 13423, Jul. 24, 2015>

Article 12 (Personal Information Protection Guidelines)

(1) The Minister of the Interior and Safety may establish the Standard Personal Information Protection Guidelines (hereinafter referred to as the "Standard Guidelines") regarding the personal information processing standard; types of personal information breaches; preventive measures, etc.; and may encourage personal information controllers to comply with the Standard Guidelines. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(2) The head of a central administrative agency may establish the personal information protection guidelines regarding the personal information processing in the fields under his/her jurisdiction in accordance with the Standard Guidelines; and may encourage personal information controllers to comply with such guidelines.

(3) The National Assembly, the Court, the Constitutional Court, and the National Election Commission may establish and implement its own or its affiliated entities’ personal information protection guidelines.

Article 13 (Promotion and Support of Self-Regulation)

The Minister of the Interior and Safety shall establish policies necessary for the following matters to promote and support self-regulating data protection activities of personal information controllers: <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

1. Education and public relations concerning protecting personal information;

2. Promoting and supporting agencies and organizations related to the protection of personal information;

3. Introducing and facilitating ePRIVACY Mark system;

4. Assisting personal information controllers in establishing and implementing self-regulatory rules;

5. Other matters necessary to support the self-regulating data protection activities of personal information controllers.

Article 14 (International Cooperation)

(1) The Government shall establish policy measures necessary to enhance the personal information protection standard in the international environment.

(2) The Government shall establish relevant policy measures so that the rights of data subjects may not be infringed on owing to the cross-border transfer of personal information.

CHAPTER III PROCESSING OF PERSONAL INFORMATION
SECTION 1 Collection, Use, Provision, etc. of Personal Information

Article 15 (Collection and Use of Personal Information)

(1) A personal information controller may collect personal information in any of the following circumstances, and use it with the scope of the purpose of collection:

1. Where the consent is obtained from a data subject;

2. Where special provisions exist in laws or it is inevitable to observe legal obligations;

3. Where it is inevitable so that a public institution may perform the duties under its jurisdiction as prescribed by statutes, etc.;

4. Where it is inevitably necessary to execute and perform a contract with a data subject;

5. Where it deems necessary explicitly for the protection, from impending danger, of life, body or economic profits of a data subject or a third party in case that the data subject or his/her legal representative is not in a position to express intention, or prior consent cannot be obtained owing to unknown addresses;

6. Where it is necessary to attain the justifiable interest of a personal information controller, which is explicitly superior to that of a data subject. In this case, it is allowed only when substantial relation exists with the justifiable interest of the personal information controller and it does not go beyond the reasonable scope.

(2) A personal information controller shall inform a data subject of the following matters when it obtains the consent under paragraph (1) 1. The same shall apply when any of the following is modified.

1. The purpose of the collection and use of personal information;

2. Particulars of personal information to be collected;

3. The period for retaining and using personal information;

4. The fact that the data subject is entitled to deny consent, and disadvantage affected resultantly from the denial of consent.

Article 16 (Limitation to Collection of Personal Information)

(1) A personal information controller shall collect the minimum personal information necessary to attain the purpose in the case applicable to Article 15 (1). In this case, the burden of proof that the minimum personal information is collected shall be borne by the personal information controller.

(2) A personal information controller shall collect personal information by informing a data subject of the fact concretely that he/she may deny the consent to the collection of other personal information than the minimum information necessary in case of collecting the personal information by the consent of the data subject. <Newly Inserted by Act No. 11990, Aug. 6, 2013>

(3) A personal information controller shall not deny the provision of goods or services to a data subject on ground that the data subject would not consent to the collection of personal information exceeding minimum requirement. <Amended by Act No. 11990, Aug. 6, 2013>

Article 17 (Provision of Personal Information)

(1) A personal information controller may provide (or share; hereinafter the same shall apply) the personal information of a data subject to a third party in any of the following circumstances:

1. Where the consent is obtained from the data subject;

2. Where the personal information is provided within the scope of purposes for which it is collected pursuant to Article 15 (1) 2, 3, and 5.

(2) A personal information controller shall inform a data subject of the following matters when it obtains the consent under paragraph (1) 1. The same shall apply when any of the following is modified:

1. The recipient of personal information;

2. The purpose for which the recipient of personal information uses such information;

3. Particulars of personal information to be provided;

4. The period for which the recipient retains and uses personal information;

5. The fact that the data subject is entitled to deny consent, and disadvantage affected resultantly from the denial of consent.

(3) A personal information controller shall inform a data subject of the matters provided for in paragraph (2), and obtain the consent from the data subject in order to provide personal information to a third party overseas; and shall not enter into a contract for the cross-border transfer of personal information in violation of this Act.

Article 18 (Limitation to Out-of-Purpose Use and Provision of Personal Information)

(1) A personal information controller shall not use personal information beyond the scope provided for in Article 15

(1), or provide it to any third party beyond the scope provided for in Article 17 (1) and (3).

(2) Notwithstanding paragraph (1), where any of the following subparagraphs applies, a personal information controller may use personal information or provide it to a third party for other purpose than the intended one, unless it is likely to infringe on unfairly the interest of a data subject or third party: Provided, That subparagraphs 5 through 9 are applicable only to public institutions:

1. Where additional consent is obtained from the data subject;

2. Where special provisions exist in other laws;

3. Where it is deemed necessary explicitly for protecting, from impending danger, life, body or economic profits of the data subject or third party where the data subject or his/her legal representative is not in a position to express his/her intention, or prior consent cannot be obtained owing to unknown addresses;

4. Where personal information is provided in a manner keeping a specific individual unidentifiable necessarily for such purposes as compiling statistics or academic research;

5. Where it is impossible to perform the duties under its jurisdiction as provided for in any Act, unless the personal information controller uses personal information for other purpose than the intended one, or provides it to a third party, and it is subject to the deliberation and resolution by the Commission;

6. Where it is necessary for providing personal information to a foreign government or international organization to perform a treaty or other international convention;

7. Where it is necessary for the investigation of a crime, indictment and prosecution;

8. Where it is necessary for the court to proceed the case;

9. Where it is necessary for punishment, probation and custody.

(3) A personal information controller shall inform the data subject of the following matters when it obtains the consent under paragraph (2) 1. The same shall apply when any of the following is modified.

1. The recipient of personal information;

2. The purpose of use of personal information (where personal information is provided, it means the purpose of use by the recipient);

3. Particulars of personal information to be used or provided;

4. The period for retaining and using personal information (where personal information is provided, it means the period for retention and use by the recipient);

5. The fact that the data subject is entitled to deny consent, and disadvantage affected resultantly from the denial of consent.

(4) Where a public institution uses personal information, or provides it to a third party under paragraph (2) 2 through 6, 8, and 9 for other purpose than the intended one, the public institution shall post the legal grounds for such use or provision, purpose and scope, and other necessary matters on the Official Gazette or its website, as prescribed by Ordinance of the Ministry of the Interior and Safety. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(5) Where a personal information controller provides personal information to a third party for other purpose than the intended one in any case provided for in paragraph (2), the personal information controller shall request the recipient of the personal information to limit the purpose and method of use and other necessary matters, or to prepare necessary safeguards to ensure the safety of the personal information. In such cases, the person in receipt of such request shall take necessary measures to ensure the safety of the personal information.

Article 19 (Limitation to Use and Provision of Personal Information on Part of Its Recipients)

A person who receives personal information from a personal information controller shall not use the personal information, or provide it to a third party, for any purpose other than the intended one, except in the following circumstances:

1. Where additional consent is obtained from the data subject;

2. Where special provisions exist in other laws.

Article 20 (Notification on Sources, etc. of Personal Information Collected from Third Parties)

(1) When a personal information controller processes personal information collected from third parties, the personal information controller shall immediately notify the data subject of the following matters at the request of such data subject:

1. The source of collected personal information;

2. The purpose of processing personal information;

3. The fact that the data subject is entitled to demand suspension of processing personal information.

(2) Notwithstanding paragraph (1), when a personal information controller satisfying the criteria prescribed by Presidential Decree taking into account the types and amount of processed personal information, number of employees, amount of sales, etc., collects personal information from third parties and processes upon obtaining consent as provided for in Article 17 (1) 1, the personal information controller shall notify the data subject of the matters referred to in paragraph (1): Provided, That this shall not apply where the information collected by the personal information controller does not contain any personal information, such as contact information, through which the notification can be given to the data subject. <Newly Inserted by Act No. 14107, Mar. 29, 2016>

(3) Necessary matters in relation to the timing, method, and procedure of giving notification to the data subject pursuant to the main sentence of paragraph (2), shall be prescribed by Presidential Decree. <Newly Inserted by Act No. 14107, Mar. 29, 2016>

(4) Paragraph (1) and the main sentence of paragraph (2) shall not apply to any of the following circumstances: Provided, That it is explicitly superior to the rights of data subjects under this Act: <Amended by Act No. 14107, Mar. 29, 2016>

1. Where personal information, which is subject to a notification request, is included in the personal information files referred to in Article 32 (2);

2. Where such notification is likely to cause harm to the life or body of any other person, or unfairly damages the property and other profits of any other person.

Article 21 (Destruction of Personal Information)

(1) A personal information controller shall destroy personal information without delay when the personal information becomes unnecessary owing to the expiry of the retention period, attainment of the purpose of processing the personal information, etc.: Provided, That this shall not apply where the retention of such personal information is mandatory by other statutes.

(2) When a personal information controller destroys personal information pursuant to paragraph (1), necessary measures to block recovery and revival shall be taken.

(3) Where a personal information controller is obliged to retain, rather than destroy, personal information pursuant to the proviso to paragraph (1), the relevant personal information or personal information files shall be stored and managed separately from other personal information.

(4) Other necessary matters, such as the methods to destroy personal information and its destruction process, shall be prescribed by Presidential Decree.

Article 22 (Methods of Obtaining Consent)

(1) To obtain the consent of a data subject (including his/her legal representative as stated in paragraph (6): hereafter in this Article the same applies) to the processing of his/her personal information pursuant to this Act, a personal information controller shall present the request for consent to the data subject in an explicitly recognizable manner which distinguishes matters requiring consent from the other matters, and obtain his/her consent thereto, respectively. <Amended by Act No. 14765, Apr. 18, 2017>

(2) To obtain the consent referred to in paragraph (1) in writing (including an electronic document defined in subparagraph 1 of Article 2 of the Framework Act on Electronic Documents and Transactions), a personal information controller shall state the significant matters prescribed by Presidential Decree, such as the purpose of collecting and using personal information and particulars of the personal information that he/she intends collect and use, as prescribed by Ordinance of the Ministry of the Interior and Safety in an explicit and easily recognizable manner. <Newly Inserted by Act No. 14765, Apr. 18, 2017; Act No. 14839, Jul. 26, 2017>

(3) To obtain the consent of a data subject to the processing of his/her personal information pursuant to Articles 15 (1) 1, 17 (1) 1, 23 (1) 1, and 24 (1) 1, a personal information controller shall distinguish personal information that requires the data subject’s consent to processing, from the personal information that requires no consent in executing a contract with the data subject. In such cases, the burden of proof that no consent is required in processing the personal information shall be borne by the personal information controller. <Amended by Act No. 14107, Mar. 29, 2016; Act No. 14765, Apr. 18, 2017>

(4) To obtain the consent of a data subject to the processing of his/her personal information in order to promote goods or services or solicit purchase thereof, a personal information controller shall notify the data subject of the fact in an explicitly recognizable manner, and obtain his/her consent thereto. <Amended by Act No. 14765, Apr. 18, 2017>

(5) A personal information controller shall not deny the provision of goods or services to a data subject on ground that the data subject would not consent to the matter eligible for selective consent pursuant to paragraph (3), or would not consent pursuant to paragraph (4) and Article 18 (2) 1. <Amended by Act No. 14765, Apr. 18, 2017>

(6) When it is required to obtain consent pursuant to this Act to process personal information of a child under 14 years of age, a personal information controller shall obtain the consent of his/her legal representative. In such cases, minimum personal information necessary to obtain the consent of the legal representative may be collected directly from such child without the consent of his/her legal representative. <Amended by Act No. 14765, Apr. 18, 2017>

(7) Except as otherwise expressly provided for in paragraphs (1) through (6), other matters necessary in relation to detailed methods to obtain the consent of data subjects and the minimum information referred to in paragraph (6) shall be prescribed by Presidential Decree, in consideration of the collection media of personal information. <Amended by Act No. 14765, Apr. 18, 2017>

SECTION 2 Limitation to Processing of Personal Information

Article 23 (Limitation to Processing of Sensitive Information)

(1) A personal information controller shall not process any information prescribed by Presidential Decree (hereinafter referred to as "sensitive information"), including ideology, belief, admission to or withdrawal from a trade union or political party, political opinions, health, sexual life, and other personal information that is likely to threat the privacy of any data subject noticeably: Provided, That this shall not apply in any of the following circumstances: <Amended by Act No. 14107, Mar. 29, 2016>

1. Where the personal information controller informs the data subject of the matters provided for in Article 15 (2) or 17 (2), and obtains the consent of the data subject apart from the consent to the processing of other personal information;

2. Where other statutes require or permit the processing of sensitive information.

(2) Where a personal information controller processes sensitive information pursuant to paragraph (1), the personal information controller shall take measures necessary to ensure safety pursuant to Article 29 so that the sensitive information may not be lost, stolen, divulged, forged, altered, or damaged. <Newly Inserted by Act No. 14107, Mar. 29, 2016>

Article 24 (Limitation to Processing of Personally Identifiable Information)

(1) A personal information controller shall not process any information prescribed by Presidential Decree that can be used to identify an individual in accordance with statutes (hereinafter referred to as "personally identifiable information"), except in any of the following cases:

1. Where the personal information controller informs a data subject of the matters provided for in Article 15 (2) or 17 (2), and obtains the consent of the data subject apart from the consent to the processing of other personal information;

2. Where other statutes require or permit the processing of personally identifiable information in a concrete manner.

(2) Deleted. <Act No. 11990, Aug. 6, 2013>

(3) Where a personal information controller processes personally identifiable information pursuant to paragraph(1), the personal information controller shall take measures necessary to ensure safety, including encryption, as prescribed by Presidential Decree, so that the personally identifiable information may not be lost, stolen, divulged, forged, altered, or damaged. <Amended by Act No. 13423, Jul. 24, 2015>

(4) The Minister of the Interior and Safety shall regularly inspect whether a personal information controller meeting the criteria prescribed by Presidential Decree based on the types and amount of processed personal information, number of employees, amount of sales, etc., has taken the measures necessary to ensure safety pursuant to paragraph (3), as prescribed by Presidential Decree. <Newly Inserted by Act No. 14107, Mar. 29, 2016; Act No. 14839, Jul. 26, 2017>

(5) The Minister of the Interior and Safety may authorize specialized institutions prescribed by Presidential Decree to conduct the inspection referred to in paragraph (4). <Newly Inserted by Act No. 14107, Mar. 29, 2016; Act No. 14839, Jul. 26, 2017>

Article 24-2 (Limitation to Processing of Resident Registration Numbers)

(1) Notwithstanding Article 24 (1), a personal information controller shall not process any resident registration number, except in any of the following cases: <Amended by Act No. 14107, Mar. 29, 2016; Act No. 14839, Jul. 26, 2017>

1. Where any Act, Presidential Decree, National Assembly Regulations, Supreme Court Regulations, Constitutional Court Regulations, National Election Commission Regulations, or Board of Audit and Inspection Regulations require or permit the processing of resident registration numbers in a concrete manner;

2. Where it is deemed explicitly necessary for protecting, from impending danger, life, body and property of a data subject or a third party;

3. Where it is inevitable to process resident registration numbers in line with subparagraphs 1 and 2 in circumstances prescribed by Ordinance of the Ministry of the Interior and Safety.

(2) Notwithstanding Article 24 (3), a personal information controller shall retain resident registration numbers in safety by means of encryption so that the resident registration numbers may not be lost, stolen, divulged, forged, altered, or damaged. In such cases, any necessary matters in relation to the scope of encryption objects, encryption timing by object, etc. shall be prescribed by Presidential Decree, based on the amount of personal information processed, data breach impact, etc. <Newly Inserted by Act No. 12504, Mar. 24, 2014; Act No. 13423, Jul. 24, 2015>

(3) A personal information controller shall provide data subjects with an alternative sign-up tool without using their resident registration numbers in the stage of being admitted to membership via the website while processing the resident registration numbers pursuant to paragraph (1).

(4) The Minister of the Interior and Safety may prepare and support measures, such as legislative arrangements, policy-making, necessary facilities, and system build-up to assist a personal information controller in providing the methods referred to in paragraph (3). <Amended by Act No. 12504, Mar. 24, 2014; Act No. 14839, Jul. 26, 2017>
[This Article Newly Inserted by Act No. 11990, Aug. 6, 2013]

Article 25 (Limitation to Installation and Operation of Visual Data Processing Devices)

(1) No one shall install and operate any visual data processing device at open places, except in any of the following circumstances:

1. Where statutes allow it in a concrete manner;

2. Where it is necessary for the prevention and investigation of crimes;

3. Where it is necessary for the safety of facilities and prevention of fire;

4. Where it is necessary for regulatory control of traffic;

5. Where it is necessary for the collection, analysis, and provision of traffic information.

(2) No one shall install and operate any visual data processing device so as to look into the places which is likely to threat individual privacy noticeably, such as a bathroom, restroom, sauna, and dressing room used by many unspecified persons: Provided, That the same shall not apply to the facilities prescribed by Presidential Decree, which detain or protect persons in accordance with statutes, such as correctional facilities and mental health care centers.

(3) The head of a public institution who intends to install and operate visual data processing devices pursuant to paragraph (1) and a person who intends to install and operate visual data processing devices pursuant to the proviso to paragraph (2) shall gather opinions of relevant specialist and interested persons through the formalities prescribed by Presidential Decree such as public hearings and information sessions.

(4) A person who intends to install and operate visual data processing devices pursuant to paragraph (1) (hereinafter referred to as "VDPD operator") shall take necessary measures including posting on a signboard the following matters, so that data subjects may recognize such devices with ease: Provided, That this shall not apply to military installations defined in subparagraph 2 of Article 2 of the Protection of Military Bases and Installations Act, important national facilities defined in subparagraph 13 of Article 2 of the United Defense Act, and other facilities prescribed by Presidential Decree: <Amended by Act No. 14107, Mar. 29, 2016>

1. The purpose and place of installation;

2. The scope and hours of photographing;

3. The name and contact information of the person in charge of its management;

4. Other matters prescribed by Presidential Decree.

(5) A VDPD operator shall not handle arbitrarily the visual data processing devices for other purposes than the initial one; direct the said devices toward different spots; nor use sound recording functions.

(6) Every VDPD operator shall take measures necessary to ensure safety pursuant to Article 29 so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged. <Amended by Act No. 13423, Jul. 24, 2015>

(7) Every VDPD operator shall establish the appropriate policy to operate and manage the visual data processing devices, as prescribed by Presidential Decree. In this case, he/she may be discharged to make the Privacy Policy pursuant to Article 30.

(8) A VDPD operator may outsource the installation and operation of visual data processing devices to a third party: Provided, That the public institutions shall comply with the procedures and requirements prescribed by Presidential Decree when outsourcing the installation and operation of visual data processing devices to a third party.
Article 26 (Limitation to Personal Information Processing Subsequent to Outsourcing of Work)

(1) A personal information controller shall undergo paper-based formalities stating the following when outsourcing personal information processing to a third party:

1. Prevention of personal information processing for other purposes than the outsourced purpose;

2. Technical and managerial safeguards of personal information;

3. Other matters prescribed by Presidential Decree to manage personal information safely.

(2) A personal information controller that outsources personal information processing pursuant to paragraph (1) (hereinafter referred to as "outsourcer") shall disclose the details of the outsourced work and the entity that processes personal information (hereinafter referred to as “outsourcee”) under an outsourcing contract in the manner prescribed by Presidential Decree so that data subjects may recognize it with ease at any time.

(3) The outsourcer shall, in case of outsourcing the promotion of goods or services, or soliciting of sales thereof, notify data subjects of the outsourced work and the outsourcee in the manners prescribed by Presidential Decree. The same shall apply where the outsourced work or the outsourcee has been changed.

(4) The outsourcer shall educate the outsourcee so that personal information of data subjects may not be lost, stolen, leaked, forged, altered, or damaged owing to the outsourcing of work, and supervise how the outsourcee processes such personal information safely by inspecting the status of processing, etc., as prescribed by Presidential Decree. <Amended by Act No. 13423, Jul. 24, 2015>

(5) An outsourcee shall not use any personal information beyond the scope of the work outsourced by the personal information controller, nor provide personal information to a third party.

(6) With respect to the compensation of damage arising out of the processing of personal information outsourced to an outsourcee in violation of this Act, the outsourcee shall be deemed an employee of the personal information controller.

(7) Articles 15 through 25, 27 through 31, 33 through 38, and 59 shall apply mutatis mutandis to outsourcees.

Article 27 (Limitation to Transfer of Personal Information following Business Transfer, etc.)

(1) A personal information controller shall notify in advance the data subjects of the following matters in the manner prescribed by Presidential Decree in the case of transfer of personal information to a third party owing to the transfer of some or all of his/her business, a merger, etc.:

1. The fact that the personal information will be transferred;

2. The name (referring to the company name in case of a legal person), address, telephone number and other contact information of the recipient of the personal information (hereinafter referred to as "business transferee");

3. The method and procedure to withdraw the consent if the data subject would not want the transfer of his/her personal information.

(2) Upon receiving personal information, the business transferee shall, without delay, notify data subjects of the fact in the manner prescribed by Presidential Decree: Provided, That this shall not apply where the personal information controller has already notified the data subjects of the fact of such transfer pursuant to paragraph (1).

(3) Upon receiving personal information owing to business transfer, a merger, etc., the business transferee may use, or provide a third party with, the personal information only for the initial purpose prior to transfer. In this case, the business transferee shall be deemed the personal information controller.

Article 28 (Supervision of Personal Information Handlers)

(1) While processing personal information, a personal information controller shall conduct appropriate control and supervision against the persons who process the personal information under his/her command and supervision, such as an officer or employee, temporary agency worker and part-time worker (hereinafter referred to as "personal information handler") to ensure the safe management of the personal information.

(2) A personal information controller shall provide personal information handlers with necessary educational programs on a regular basis in order to ensure the appropriate handling of personal information.

CHAPTER IV SAFEGUARD OF PERSONAL INFORMATION

Article 29 (Duty of Safeguards)

Every personal information controller shall take such technical, managerial, and physical measures as establishing an internal management plan and preserving log-on records, etc. that are necessary to ensure safety as prescribed by Presidential Decree so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged. <Amended by Act No. 13423, Jul. 24, 2015>

Article 30 (Establishment and Disclosure of Privacy Policy)

(1) Every personal information controller shall establish the personal information processing policy including the following matters (hereinafter referred to as "Privacy Policy"). In such cases, public institutions shall establish the Privacy Policy for the personal information files to be registered pursuant to Article 32: <Amended by Act No. 14107, Mar. 29, 2016>

1. The purposes for which personal information is processed;

2. The period for processing and retaining personal information;

3. Providing personal information to a third party (if applicable);

4. Outsourcing personal information processing (if applicable);

5. The rights and obligations of data subjects and legal representatives, and how to exercise the rights;

6. Contact information, such as the name of the privacy officer designated under Article 31 or the name, telephone number, etc. of the department which performs the duties related to personal information protection and handles related grievances;

7. Installing and operating an automatic collection tool of personal information, including Internet access data files, and the denial thereof (if applicable);

8. Other matters prescribed by Presidential Decree regarding the processing of personal information.
(2) Upon establishing or modifying the Privacy Policy, every personal information controller shall disclose the Privacy Policy in the way prescribed by Presidential Decree so that data subjects may recognize it with ease.
(3) Where there exist discrepancies between the Privacy Policy and the agreement executed by and between the personal information controller and data subjects, what is beneficial to the data subjects prevails.
(4) The Minister of the Interior and Safety may formulate the Privacy Policy Guidelines and encourage personal information controllers to comply with such Guidelines. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

Article 31 (Designation of Privacy Officers)

(1) A personal information controller shall designate a privacy officer who comprehensively takes charge of personal information processing.

(2) Every privacy officer shall perform the following functions:

1. To establish and implement a personal information protection plan;

2. To conduct a regular survey of the status and practices of personal information processing, and to improve shortcomings;

3. To treat grievances and remedial compensation in relation to personal information processing;

4. To build the internal control system to prevent the divulgence, abuse, and misuse of personal information;

5. To prepare and implement an education program about personal information protection;

6. To protect, control, and manage the personal information files;

7. Other functions prescribed by Presidential Decree for the appropriate processing of personal information.
(3) In performing the functions provided for in paragraph (2), every privacy officer may inspect the status of personal information processing and systems frequently, if necessary, and may request a report thereon from the relevant parties.

(4) Where a privacy officer becomes aware of any violation of this Act or other relevant statutes in relation to the protection of personal information, the privacy officer shall take corrective measures immediately, and shall report such corrective measures to the head of the institution or organization to which he/she belongs, if necessary.

(5) A personal information controller shall not have the privacy officer give or take disadvantage without any justifiable ground while performing the functions provided for in paragraph (2).

(6) The requirements for designation as privacy officers, functions, qualifications, and other necessary matters, shall be prescribed by Presidential Decree.

Article 32 (Registration and Disclosure of Personal Information Files)

(1) When operating personal information files, the head of a public institution shall register the following matters with the Minister of the Interior and Safety. The same shall also apply where the registered matters are modified. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

1. The titles of the personal information files;

2. The grounds and purposes for operating the personal information files;

3. Particulars of personal information recorded in the personal information files;

4. The method of processing personal information;

5. The period for retaining personal information;

6. The recipient of personal information, if it is provided routinely or repetitively;

7. Other matters prescribed by Presidential Decree.

(2) Paragraph (1) shall not apply to any of the following personal information files:

1. Personal information files that record the national security, diplomatic secrets, and other matters relating to grave national interests;

2. Personal information files that record the investigation of crimes, indictment and prosecution, punishment, and probation and custody, corrective orders, protective orders, security observation orders, and immigration;

3. Personal information files that record the investigations of violations of the Punishment of Tax Offenses Act and the Customs Act;

4. Personal information files exclusively used for internal job performance of public institutions;

5. Classified personal information files pursuant to other statutes.

(3) If necessary, the Minister of the Interior and Safety may review the registration and content of the personal information files referred to in paragraph (1), and advise the head of the relevant public institution to make improvements. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(4) The Minister of the Interior and Safety shall make public the status of personal information files registered under paragraph (1) so that anyone may access them with ease. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(5) Necessary matters regarding the registration referred to in paragraph (1), the method, scope, and procedure of public disclosure referred to in paragraph (4), shall be prescribed by Presidential Decree.

(6) The registration and public disclosure of the personal information files retained by the National Assembly, the Court, the Constitutional Court and the National Election Commission (including their affiliated entities) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, and the National Election Commission Regulations.

Article 32-2 (Certification of Personal Information Protection)

(1) The Minister of the Interior and Safety may certify whether the data processing and other data protection-related activities of a personal information controller abide by this Act, etc. <Amended by Act No. 14839, Jul. 26, 2017>

(2) The certification provided for in paragraph (1) shall be effective for three years.

(3) In any of the following cases, the Minister of the Interior and Safety may revoke the certification granted under paragraph (1), as prescribed by Presidential Decree: Provided, That it shall be revoked in cases falling under subparagraph 1: <Amended by Act No. 14839, Jul. 26, 2017>

1. Where personal information protection has been certified by fraud or other unjust means;

2. Where follow-up management provided for in paragraph (4) has been denied or obstructed;

3. Where the certification criteria provided for in paragraph (8) have not been satisfied;

4. Where personal information protection-related statutes are breached seriously.

(4) The Minister of the Interior and Safety shall conduct follow-up management at least once annually to maintain the effectiveness of the certification of personal information protection. <Amended by Act No. 14839, Jul. 26, 2017>

(5) The Minister of the Interior and Safety may authorize the specialized institutions prescribed by Presidential Decree to perform the duties related to certification under paragraph (1), revocation of certification under paragraph (3), follow-up management under paragraph (4), management of certification examiners under paragraph (7). <Amended by Act No. 14839, Jul. 26, 2017>

(6) Any person who has obtained certification pursuant to paragraph (1) may indicate or publicize the certification, as prescribed by Presidential Decree.

(7) Qualifications of certification examiners who conduct the certification examination pursuant to paragraph (1), grounds for disqualification, and other relevant matters, shall be prescribed by Presidential Decree based on specialty, career, and other necessary matters.

(8) Other matters necessary for the certification criteria, method, procedure, etc. subject to paragraph (1), including whether the personal information management system, guarantee of data subjects’ rights, and safeguards are consistent with this Act, shall be prescribed by Presidential Decree.

[This Article Newly Inserted by Act No. 13423, Jul. 24, 2015]

Article 33 (Privacy Impact Assessment)

(1) In the case of a probable breach of personal information of data subjects arising out of the operation of personal information files meeting the criteria prescribed by Presidential Decree, the head of a public institution shall conduct an assessment to analyze and improve risk factors (hereinafter referred to as "privacy impact assessment"), and submit the result thereof to the Minister of the Interior and Safety. In such cases, the head of the public institution shall request the privacy impact assessment from any of the institutions designated by the Minister of the Interior and Safety (hereinafter referred to as "PIA institution"). <Amended by Act No. 11690, Mar. 23, 2013;Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(2) The privacy impact assessment shall cover the following matters:

1. The number of personal information being processed;

2. Whether the personal information is provided to a third party;

3. The probability to violate the rights of the data subjects and the degree of risks;

4. Other matters prescribed by Presidential Decree.

(3) The Minister of the Interior and Safety may provide his/her opinion subject to the deliberation and resolution by the Protection Commission upon receiving the results of the privacy impact assessment conducted under paragraph(1). <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(4) The head of the public institution shall register the personal information files in accordance with Article 32 (1), for which the privacy impact assessment has been conducted pursuant to paragraph (1), with the results of the privacy impact assessment attached thereto.

(5) The Minister of the Interior and Safety shall take necessary measures, such as fostering relevant specialists, and developing and disseminating criteria for the privacy impact assessment, to promote the privacy impact assessment. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(6) Necessary matters in relation to the privacy impact assessment, such as the criteria for designation as PIA institutions, revocation of designation, assessment criteria, method and procedure, etc. pursuant to paragraph (1), shall be prescribed by Presidential Decree.

(7) Matters regarding the privacy impact assessment conducted by the National Assembly, the Court, the Constitutional Court and the National Election Commission (including their affiliated entities) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, and the National Election Commission Regulations.

(8) A personal information controller other than public institutions shall proactively endeavor to conduct a privacy impact assessment, if a breach of personal information of data subjects is highly probable in operating the personal information files.

Article 34 (Data Breach Notification, etc.)

(1) A personal information controller shall notify the aggrieved data subjects of the following matters without delay when he/she becomes aware their personal information has been divulged:

1. Particulars of the personal information divulged;

2. When and how personal information has been divulged;

3. Any information about how the data subjects can do to minimize the risk of damage from divulgence;

4. Countermeasures of the personal information controller and remedial procedure;

5. Help desk and contact points for the data subjects to report damage.

(2) A personal information controller shall prepare countermeasures to minimize the risk of damage where personal information is divulged.

(3) Where a breach of personal information above the scale prescribed by Presidential Decree arises, the personal information controller shall, without delay, report the results of notification given under paragraph (1) and the results of measures taken under paragraph (2) to the Minister of the Interior and Safety and the specialized institution designated by Presidential Decree. In such cases, the Minister of the Interior and Safety and the specialized institution designated by Presidential Decree may provide technical assistance for preventing or recovering further damage, etc. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(4) Necessary matters in relation to the timing, method and procedure for data breach notification pursuant to paragraph (1), shall be prescribed by Presidential Decree.
Article 34-2 (Imposition, etc. of Penalty Surcharges)

(1) The Minister of the Interior and Safety may impose and collect a penalty surcharge not exceeding 500 million won where a personal information controller has failed to prevent any loss, theft, divulgence, forgery, alteration, or damage of resident registration numbers: Provided, That this shall not apply where the personal information controller has fully taken measures necessary to ensure safety under Article 24 (3) to prevent any loss, theft, divulgence, forgery, alteration, or damage of resident registration numbers. <Amended by Act No. 12844, Nov. 19, 2014; Act No. 13423, Jul. 24, 2015; Act No. 14839, Jul. 26, 2017>

(2) The Minister of the Interior and Safety shall consider the following when imposing the penalty surcharge pursuant to paragraph (1): <Amended by Act No. 12844, Nov. 19, 2014; Act No. 13423, Jul. 24, 2015; Act No. 14839, Jul. 26, 2017>

1. Efforts being taken to perform the measures necessary to ensure safety under Article 24 (3);

2. Status of the resident registration numbers which have been lost, stolen, divulged, forged, altered or damaged;

3. Fulfillment of subsequent measures to prevent further damage.

(3) The Minister of the Interior and Safety shall collect a late-payment penalty prescribed by Presidential Decree in an amount not exceeding 6/100 per annum of the unpaid penalty surcharge for the period beginning on the day following the payment deadline and ending on the day immediately preceding the day the penalty surcharge is paid where a person liable to pay the penalty surcharge under paragraph (1) fails to pay it by the payment deadline. In such cases, the late-payment penalty shall be collected for a maximum period of 60 months. <Amended by Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(4) Where a person liable to pay the penalty surcharge under paragraph (1) fails to pay it by the payment deadline, the Minister of the Interior and Safety shall give notice with the period of payment specified in it; and where the penalty surcharge and late-payment penalty are not paid within the specified period, the Minister of the Interior and Safety shall collect such penalty surcharge and late-payment penalty in the same manner as delinquent national taxes are collected. <Amended by Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(5) Other matters necessary for imposing and collecting penalty surcharges shall be prescribed by Presidential Decree.

[This Article Newly Inserted by Act No. 11990, Aug. 6, 2013]

CHAPTER V GUARANTEE OF RIGHTS OF DATA SUBJECTS

Article 35 (Access to Personal Information)

(1) A data subject may request access to his/her own personal information, which is processed by a personal information controller, from the personal information controller.

(2) Notwithstanding paragraph (1), where a data subject intends to request access to his/her own personal information from a public institution, the data subject may request such access directly from the said public institution, or indirectly via the Minister of the Interior and Safety, as prescribed by Presidential Decree. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(3) Upon receipt of a request for access filed under paragraphs (1) and (2), a personal information controller shall permit the data subject to access his/her own personal information for the period prescribed by Presidential Decree. In such cases, if a personal information controller finds any good cause for not permitting access for such period, the personal information controller may postpone access after notifying the relevant data subject of the said cause. If the said cause ceases to exist, the postponement shall be lifted without delay.

(4) In any of the following cases, a personal information controller may limit or deny access after it notifies a data subject of the cause:

1. Where access is prohibited or limited by Acts;

2. Where access may probably cause damage to the life or body of a third party, or improper violation of property and other benefits of a third party;

3. Where a public institution has grave difficulties in performing any of the following duties:

(a) Imposition, collection or refund of taxes;

(b) Evaluation of academic achievements or admission affairs at the schools of each level established under the Elementary and Secondary Education Act and the Higher Education Act, lifelong educational facilities established under the Lifelong Education Act, and other higher educational institutions established under other Acts;

(c) Testing and qualification examination regarding academic competence, technical capability and employment;

(d) Ongoing evaluation or decision-making in relation to compensation or grant assessment;

(e) Ongoing audit and examination under other Acts.

(5) Necessary matters in relation to the methods and procedures for filing requests for access; for limiting access; for giving notification, etc. pursuant to paragraphs (1) through (4) shall be prescribed by Presidential Decree.

Article 36 (Correction or Erasure of Personal Information)

(1) A data subject who has accessed his/her personal information pursuant to Article 35 may request a correction or erasure of such personal information from the relevant personal information controller: Provided, That the erasure is not permitted where the said personal information shall be collected by other statutes.

(2) Upon receipt of a request by a data subject pursuant to paragraph (1), the personal information controller shall investigate the personal information in question without delay; shall take necessary measures to correct or erase as requested by the data subject unless otherwise specifically provided by other statutes in relation to correction or erasure; and shall notify such data subject of the result.

(3) The personal information controller shall take measures not to recover or revive the personal information in case of erasure pursuant to paragraph (2).

(4) Where the request of a data subject falls under the proviso to paragraph (1), a personal information controller shall notify the data subject of the details thereof without delay.

(5) While investigating the personal information in question pursuant to paragraph (2), the personal information controller may, if necessary, request from the relevant data subject the evidence necessary to confirm a correction or erasure of the personal information.

(6) Necessary matters in relation to the request of correction and erasure, notification method and procedure, etc. pursuant to paragraphs (1), (2) and (4) shall be prescribed by Presidential Decree.

Article 37 (Suspension, etc. of Processing of Personal Information)

(1) A data subject may request the relevant personal information controller to suspend the processing of his/her personal information. In this case, if the personal information controller is a public institution, the data subject may request the suspension of processing of only the personal information contained in the personal information files to be registered pursuant to Article 32.

(2) Upon receipt of the request under paragraph (1), the personal information controller shall, without delay, suspend processing of some or all of the personal information as requested by the data subject: Provided, That, where any of the following is applicable, the personal information controller may deny the request of such data subject:

1. Where special provisions exist in law or it is inevitable to observe legal obligations;

2. Where it may probably cause damage to the life or body of a third party, or improper violation of property and other benefits of a third party;

3. Where the public institution cannot perform its work as prescribed by any Act without processing the personal information in question;

4. Where the data subject fails to express explicitly termination of the contract even though it is impracticable to perform the contract such as provision of service as agreed upon with the said data subject without processing the personal information in question.

(3) When denying the request pursuant to the proviso to paragraph (2), the personal information controller shall notify the data subject of the reason without delay.

(4) The personal information controller shall, without delay, take necessary measures including destruction of the relevant personal information when suspending the processing of personal information as requested by data subjects.

(5) Necessary matters in relation to the methods and procedures to request the suspension of processing, to deny such request, and to give notification, etc. pursuant to paragraphs (1) through (3) shall be prescribed by Presidential Decree.

Article 38 (Methods and Procedures for Exercise of Rights)

(1) A data subject may authorize his/her representative to file requests for access pursuant to Article 35, correction or erasure pursuant to Article 36, and suspension of processing pursuant to Article 37 (hereinafter referred to as "request for access, etc.") in writing or by the methods and procedure prescribed by Presidential Decree.

(2) The legal representative of a child under 14 years of age may file a request for access, etc. to the personal information of the child with a personal information controller.

(3) A personal information controller may demand a fee and postage (only in case of a request to mail the copies), as prescribed by Presidential Decree, from a person who files a request for access, etc.

(4) A personal information controller shall prepare the detailed method and procedure to enable data subjects to file requests for access, etc., and publicly announce such method and procedure so that the data subjects may become aware of them.

(5) A personal information controller shall prepare, and guide towards, necessary procedure for data subjects to raise objections against its denial to a request for access, etc. from such data subjects.

Article 39 (Responsibility for Compensation)

(1) A data subject who suffers damage by reason of a violation of this Act by a personal information controller is entitled to claim compensation from the personal information controller for that damage. In this case, the said personal information controller may not be released from the responsibility for compensation if it fails to prove non-existence of his/her wrongful intent or negligence.

(2) Deleted. <by Act No. 13423, Jul. 24, 2015>

(3) Where a data subject suffers damage out of loss, theft, divulgence, forgery, alteration, or damage of his/her own personal information, caused by wrongful intent or negligence of a personal information controller, the Court may determine the damages not exceeding three times such damage: Provided, That the same shall not apply to the personal information controller who has proved non-existence of his/her wrongful intent or negligence. <Newly Inserted by Act No. 13423, Jul. 24, 2015>

(4) The Court shall take into account the following when determining the damages pursuant to paragraph (3): <Newly Inserted by Act No. 13423, Jul. 24, 2015>

1. The degree of wrongful intent or expectation of damage;

2. The amount of loss caused by the violation;

3. Economic benefits the personal information controller has gained in relation to the violation;

4. A fine and a penalty surcharge to be levied subject to the violation;

5. The duration, frequency, etc. of violations;

6. The property of the personal information controller;

7. The personal information controller’s efforts to retrieve the affected personal information exerted after the loss, theft, or divulgence of personal information;

8. The personal information controller’s efforts to remedy damage suffered by the data subject.

Article 39-2 (Claims for Statutory Compensation)

(1) Notwithstanding Article 39 (1), a data subject, who suffers damage out of loss, theft, divulgence, forgery, alteration, or damage of his/her own personal information, caused by wrongful intent or negligence of a personal information controller, may claim a reasonable amount of damages not exceeding three million won. In this case, the said personal information controller may not be released from the responsibility for compensation if it fails to prove non-existence of his/her wrongful intent or negligence.

(2) In the case of a claim made under paragraph (1), the Court may determine a reasonable amount of damages not exceeding the amount provided for in paragraph (1) taking into account all arguments in the proceedings and the results of examining evidence.

(3) A data subject who has claimed compensation pursuant to Article 39 may change such claim to the claim provided for in paragraph (1) until the closing of fact-finding proceedings.

[This Article Newly Inserted by Act No. 13423, Jul. 24, 2015]

CHAPTER VI PERSONAL INFORMATION DISPUTE MEDIATION COMMITTEE

Article 40 (Establishment and Composition)

(1) There shall be established a Personal Information Dispute Mediation Committee (hereinafter referred to as the "Dispute Mediation Committee") to mediate disputes over personal information.

(2) The Dispute Mediation Committee shall be comprised of not more than 20 members, including one chairperson, and the members shall be ex officio and commissioned members. <Amended by Act No. 13423, Jul. 24, 2015>

(3) The commissioned members shall be commissioned by the Chairperson of the Protection Commission from among the following persons, and public officials of the national agencies prescribed by Presidential Decree shall be ex officio members: <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 13423, Jul. 24, 2015>

1. Persons who once served as members of the Senior Executive Service of the central administrative agencies in charge of data protection, or persons who presently work or have worked at equivalent positions in the public sector and related organizations, and have job experience in data protection;

2. Persons who presently serve or have served as associate professors or higher positions in universities or in publicly recognized research institutes;

3. Persons who presently serve or have served as judges, public prosecutors, or attorneys-at-law;

4. Persons recommended by data protection-related civic organizations or consumer groups;

5. Persons who presently work or have worked as senior officers for the trade associations comprised of personal information controllers.

(4) The chairperson shall be commissioned by the Chairperson of the Protection Commission from among Committee members except public officials. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 13423, Jul. 24, 2015>

(5) The term of office for the chairperson and commissioned members shall be two years, and their term may be renewable for only one further term. <Amended by Act No. 13423, Jul. 24, 2015>

(6) In order to conduct dispute settlement efficiently, the Dispute Mediation Committee may, if necessary, establish a mediation panel that is comprised of not more than five Committee members in each sector of mediation cases, as prescribed by Presidential Decree. In this case, the resolution of the mediation panel delegated by the Dispute Mediation Committee shall be construed as that of the Dispute Mediation Committee.

(7) The Dispute Mediation Committee or a mediation panel shall be open with a majority of its members present, and its resolution shall be made by the affirmative votes of a majority of the members present.

(8) The Protection Commission may deal with the administrative affairs necessary for dispute mediation, such as receiving dispute mediation cases and fact-finding. <Amended by Act No. 13423, Jul. 24, 2015>

(9) Except as otherwise expressly provided for in this Act, matters necessary to operate the Dispute Mediation Committee shall be prescribed by Presidential Decree.

Article 41 (Guarantee of Members’ Status)

None of the Committee members shall be dismissed or de-commissioned against his/her will except when he/she is sentenced to the suspension of qualification or a heavier punishment, or unable to perform his/her duties due to mental or physical incompetence.

Article 42 (Exclusion, Challenge, and Refrainment of Members)

(1) A member of the Dispute Mediation Committee shall be excluded from participating in the deliberation and resolution of a case requested for dispute mediation pursuant to Article 43 (1) (hereafter in this Article referred to as "case") if:

1. The member or his/her current or former spouse is a party to the case or is a joint right holder or a joint obligator with respect to the case;

2. The member is or was a relative of a party to the case;

3. The member has given any testimony, expert opinion, or legal advice with respect to the case;

4. The member is or was involved in the case as an agent or representative of a party to the case.

(2) When any party finds it impracticable to expect a fair deliberation and resolution from a Committee member, he/she may file a challenge application with the chairperson. In this case, the chairperson shall determine the challenge application without any resolution of the Dispute Mediation Committee.

(3) When any committee member falls under the case of paragraph (1) or (2), he/she may refrain from the deliberation and resolution of the case.

Article 43 (Application for Mediation, etc.)

(1) Any person, who wants a dispute over personal information mediated, may apply for mediation of the dispute to the Dispute Mediation Committee.

(2) Upon receipt of an application for dispute mediation from a party to the case, the Dispute Mediation Committee shall notify the counterparty of the application for mediation.

(3) When a public institution is notified of dispute mediation under paragraph (2), the public institution shall respond to it except in extenuating circumstances.

Article 44 (Time Limitation of Mediation Proceedings)

(1) The Dispute Mediation Committee shall examine the case and prepare draft mediation within 60 days from the date of receiving an application pursuant to Article 43 (1): Provided, That the Dispute Mediation Committee may pass a resolution to extend such period by reason of inevitable circumstances.

(2) When the period is extended pursuant to the proviso to paragraph (1), the Dispute Mediation Committee shall inform the applicant of the reasons for extending the period and other matters concerning the extension of such period.

Article 45 (Request for Materials, etc.)

(1) Upon receipt of an application for dispute mediation pursuant to Article 43 (1), the Dispute Mediation Committee may request disputing parties to provide materials necessary to mediate the dispute. In this case, such parties shall comply with the request unless any justifiable ground exists.

(2) The Dispute Mediation Committee may require disputing parties or relevant witnesses to appear before the Committee to hear their opinions, if deemed necessary.

Article 46 (Settlement Advice before Mediation)

Upon receipt of an application for dispute mediation pursuant to Article 43 (1), the Dispute Mediation Committee may present a draft settlement to disputing parties and recommend a settlement before mediation.

Article 47 (Dispute Mediation)

(1) The Dispute Mediation Committee may prepare a draft mediation including the following matters:

1. Suspension of the violation to be investigated;

2. Restitution, compensation and other necessary remedies;

3. Any measure necessary to prevent recurrence of the identical or similar violations.

(2) Upon preparing a draft mediation pursuant to paragraph (1), the Dispute Mediation Committee shall present the draft mediation to each party without delay.

(3) Each party presented with the draft mediation prepared under paragraph (1) shall notify the Dispute Mediation Committee of his/her acceptance or denial of the draft mediation within 15 days from the date of receipt of such draft mediation, without which such mediation shall be deemed denied.

(4) If the parties accept the draft mediation, the Dispute Mediation Committee shall prepare a written mediation, and the chairperson of the Dispute Mediation Committee and the parties shall have their names and seals affixed thereon.

(5) The mediation agreed upon pursuant to paragraph (4) shall have the same effect as a settlement before the court.

Article 48 (Rejection and Suspension of Mediation)

(1) Where the Dispute Mediation Committee deems that it is inappropriate to mediate any dispute in view of its nature, or that an application for mediation of any dispute is filed for an unfair purpose, it may reject the mediation. In this case, the reasons why it rejects the mediation shall be notified to the applicant.

(2) If one of the parties files a lawsuit while mediation proceedings are pending, the Dispute Mediation Committee shall suspend the dispute mediation and notify the parties thereof.

Article 49 (Collective Dispute Mediation)

(1) The State, a local government, a data protection organization or institution, a data subject, and a personal information controller may request or apply for a collective dispute mediation (hereinafter referred to as "collective dispute mediation") to the Dispute Mediation Committee where sufferings or infringement on rights take place to a multitude of data subjects in an identical or similar manner, and such incident is prescribed by Presidential Decree.

(2) Upon receipt of a request or an application for collective dispute mediation under paragraph (1), the Dispute Mediation Committee may commence, by its resolution, collective dispute mediation proceedings pursuant to paragraphs (3) through (7). In this case, the Dispute Mediation Committee shall publicly announce the commencement of such proceedings for a period prescribed by Presidential Decree.

(3) The Dispute Mediation Committee may accept an application from any data subject or personal information controller other than the parties to the collective dispute mediation to participate in the collective dispute mediation additionally as a party.

(4) The Dispute Mediation Committee may, by its resolution, select at least one person as a representative party, who most appropriately represents the common interest among the parties to the collective dispute mediation pursuant to paragraphs (1) and (3).

(5) When the personal information controller accepts a collective dispute mediation award presented by the Dispute Mediation Committee, the Dispute Mediation Committee may advise the personal information controller to prepare and submit a compensation plan for the benefit of the non-party data subjects suffered from the same incident.

(6) Notwithstanding Article 48 (2), if a group of data subjects among a multitude of data subject parties to the collective dispute mediation files a lawsuit before the court, the Dispute Mediation Committee shall not suspend the proceedings but exclude the relevant data subjects, who have filed the lawsuit, from the proceedings.

(7) The period for collective dispute mediation shall not exceed 60 days from the following day when public announcement referred to in paragraph (2) ends: Provided, That the period can be extended by the resolution of the Dispute Mediation Committee in extenuating circumstances.

(8) Other necessary matters, such as collective dispute mediation proceedings, shall be prescribed by Presidential Decree.

Article 50 (Mediation Proceedings, etc.)

(1) Except as otherwise expressly provided for in Articles 43 through 49, the method and proceedings to mediate disputes and matters necessary to deal with such dispute mediation shall be prescribed by Presidential Decree.

(2) Except as otherwise expressly provided for in this Act, the Judicial Conciliation of Civil Disputes Act shall apply mutatis mutandis to the operation of the Dispute Mediation Committee and dispute mediation proceedings.

CHAPTER VII CLASS-ACTION LAWSUIT OVER DATA BREACH

Article 51 (Parties to Class-Action Lawsuits, etc.)

Any of the following organizations may file a lawsuit (hereinafter referred to as "class-action lawsuit") with the court to prevent or suspend data breach if a personal information controller rejects or would not accept the collective dispute mediation under Article 49:

1. A consumer group registered with the Fair Trade Commission pursuant to Article 29 of the Framework Act on Consumers that meets all of the following criteria:

(a) Its by-laws shall state the purpose to augment the rights and interests of data subjects constantly;

(b) The number of full members shall exceed 1000;

(c) Three years shall have passed since the registration under Article 29 of the Framework Act on Consumers;

2. A non-profit, non-governmental organization referred to in Article 2 of the Assistance for Non-Profit, Non-Governmental Organizations Act that meets all of the following criteria:

(a) At least 100 data subjects, who experienced the same sufferings as a matter of law or fact, shall submit a request to file a class-action lawsuit;

(b) Its by-laws shall state the purpose of data protection and it has conducted such activities for the most recent 3 years;

(c) The number of regular members shall be at least 5000;

(d) It shall be registered with any central administrative agency.

Article 52 (Exclusive Jurisdictions)

(1) A class-action lawsuit shall be subject to the exclusive jurisdiction of the competent district court (panel of judges) at the place of business or main office, or at the address of the business manager in the case of no business establishment, of the defendant.

(2) Where paragraph (1) applies to a foreign business entity, the same shall be determined by the place of business or main office, or the address of the business manager located in the Republic of Korea.

Article 53 (Retention of Litigation Attorney)

The plaintiff of a class-action lawsuit shall retain an attorney-at-law as a litigation attorney.

Article 54 (Application for Certification of Lawsuit)

(1) An organization that intends to file a class-action lawsuit shall submit to the court an application for certification of lawsuit describing the following as well as the petition:

1. Plaintiff and his/her litigation attorney;

2. Defendant;

3. Detailed violation of the rights of data subjects.

(2) An application for certification of lawsuit filed under paragraph (1) shall be accompanied by the following materials:

1. Materials that prove that the organization which has filed a lawsuit meets all criteria provided for in Article 51;

2. Documentary evidence that proves that the personal information controller has rejected the dispute mediation or would not accept the mediation award.

Article 55 (Requirements for Certification of Lawsuit, etc.)

(1) The court shall certify in a decision a class-action lawsuit only when all of the following requirements are satisfied:

1. That the personal information controller has rejected the dispute mediation or would not accept the mediation award;

2. That none of the descriptions in the application for certification of lawsuit filed under Article 54 is incomplete.

(2) The court decision that certifies, or rejects to certify, a class-action lawsuit may be objected by an immediate appeal.

Article 56 (Effect of Conclusive Judgment)

When a judgment dismissing a plaintiff's complaint becomes conclusive, any other organizations provided for in Article 51 cannot file a class-action lawsuit regarding the identical case: Provided, That this shall not apply in any of the following circumstances:

1. Where, after the judgment became conclusive, new evidence has been found by the State, a local government, or a State or local government-invested institution regarding the said case;

2. Where the judgment dismissing the lawsuit proves to be caused intentionally by the plaintiff.

Article 57 (Application of the Civil Procedure Act, etc.)

(1) Except as otherwise expressly provided for in this Act, the Civil Procedure Act shall apply to class-action lawsuits.

(2) When a decision to certify a class-action lawsuit is made under Article 55, a preservation order provided for in PART IV of the Civil Execution Act may be issued.

(3) Matters necessary for class-action lawsuit proceedings shall be provided by the Supreme Court Regulations.

CHAPTER VIII SUPPLEMENTARY PROVISIONS

Article 58 (Partial Exclusion of Application)

(1) Chapter III through VII shall not apply to any of the following personal information:

1. Personal information collected pursuant to the Statistics Act for processing by public institutions;

2. Personal information collected or requested to be provided for the analysis of information related to national security;

3. Personal information processed temporarily where it is urgently necessary for the public safety and security, public health, etc.;

4. Personal information collected or used for its own purposes of reporting by the press, missionary activities by religious organizations, and nomination of candidates by political parties, respectively.
(2) Articles 15, 22, 27 (1) and (2), 34, and 37 shall not apply to any personal information that is processed by means of the visual data processing devices installed and operated at open places pursuant to Article 25 (1).
(3) Articles 15, 30 and 31 shall not apply to any personal information that is processed by a personal information controller to operate a group or association for friendship, such as an alumni association and a hobby club.
(4) In the case of processing personal information pursuant to paragraph (1), a personal information controller shall process the personal information to the minimum extent necessary to attain the intended purpose for a minimum period; and shall also make necessary arrangements, such as technical, managerial and physical safeguards, individual grievance treatment and other necessary measures for the safe management and appropriate processing of such personal information.

Article 59 (Prohibited Activities)

No person who processes or has ever processed personal information shall do any of the following activities:

1. To acquire personal information or to obtain consent to personal information processing by fraud, improper, or unjust means;

2. To divulge personal information acquired in the course of business, or to provide it for any third party’s use without authority;

3. To damage, destroy, alter, forge, or divulge other’s personal information without legal authority or beyond proper authority.

Article 60 (Confidentiality, etc.)

Any person who performs or has performed the following affairs shall not divulge any confidential information acquired in the course of performing his/her duties to any third party, nor use such information for any purpose other than for his/her duties: Provided, That, the same shall not apply where specific provisions exist in other Acts:

1. Affairs of the Protection Commission provided for in Article 8;

2. Impact assessments provided for in Article 33;

3. Dispute mediation of the Dispute Mediation Committee established under Article 40.

Article 61 (Suggestions and Advices for Improvements)

(1) The Minister of the Interior and Safety may suggest his/her opinion to any relevant agency subject to the deliberation and resolution by the Protection Commission, where he/she deems necessary with respect to the statutes or municipal ordinances containing provisions likely to affect the protection of personal information. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(2) The Minister of the Interior and Safety may advise a personal information controller to improve the status of personal information processing, where deemed necessary to protect personal information. In such cases, upon receiving the advice, the personal information controller shall endeavor to conscientiously comply with the advice; and shall inform the Minister of the Interior and Safety of its result. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(3) The head of a related central administrative agency may advise a personal information controller to improve the status of personal information processing pursuant to the Acts under his/her jurisdiction, where deemed necessary to protect personal information. In such cases, upon receiving the advice, the personal information controller shall endeavor to conscientiously comply with the advice; and shall inform the head of the related central administrative agency of its result.

(4) Central administrative agencies, local governments, the National Assembly, the Court, the Constitutional Court, and the National Election Commission may suggest their opinions, or provide guidance or inspection with respect to the protection of personal information to their affiliated entities and public institutions under their jurisdiction.

Article 62 (Reporting on Infringements, etc.)

(1) Anyone who suffers infringement on the rights or interests involving his/her personal information in the course of personal information processing by a personal information controller may report such infringement to the Minister of the Interior and Safety. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(2) The Minister of the Interior and Safety may designate a specialized institution to efficiently receive and handle the claim reports pursuant to paragraph (1), as prescribed by Presidential Decree. In such cases, such specialized institution shall establish and operate a personal information infringement call center (hereinafter referred to as "Privacy Call Center"). <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(3) The Privacy Call Center shall perform the following duties:

1. To receive the claim reports and provide counseling in relation to personal information processing;

2. To investigate and confirm the incidents and hear opinions of interested parties;

3. Duties incidental to subparagraphs 1 and 2.

(4) The Minister of the Interior and Safety may, if necessary, dispatch its public official to the specialized institution designated under paragraph (2) pursuant to Article 32-4 of the State Public Officials Act to efficiently investigate and confirm the incidents pursuant to paragraph (3) 2. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

Article 63 (Requests for Materials and Inspections)

(1) The Minister of the Interior and Safety may request the relevant materials, such as goods and documents, from a personal information controller in any of the following cases: <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

1. Where any violation of this Act is found or suspected;

2. Where any violation of this Act is reported or a civil complaint thereon is received;

3. In cases prescribed by Presidential Decree where it is necessary to protect personal information of data subjects.

(2) Where a personal information controller fails to furnish the materials pursuant to paragraph (1) or is deemed to have violated this Act, the Minister of the Interior and Safety may require its public official to enter the offices or places of business of the personal information controller and other persons involved in such violation to inspect the status of business operations, ledgers, documents, etc. In such cases, the public official who conducts the inspection shall carry a certificate indicating his/her authority and produce it to the interested persons. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 13423, Jul. 24, 2015; Act No. 14839, Jul. 26, 2017>

(3) The head of a related central administrative agency may request the materials from a personal information controller pursuant to paragraph (1); or may inspect the personal information controller and other persons involved in the violation of the relevant Act pursuant to paragraph (2) in accordance with the Acts under his/her jurisdiction. <Amended by Act No. 13423, Jul. 24, 2015>

(4) When finding or suspecting any violation of this Act, the Protection Commission may demand the Minister of the Interior and Safety or the head of a related central administrative agency to take measures provided for in paragraph (1) or (3). In such cases, upon receiving such demand, the Minister of the Interior and Safety or the head of the related central administrative agency shall comply therewith except in extenuating circumstances. <Newly Inserted by Act No. 13423, Jul. 24, 2015; Act No. 14839, Jul. 26, 2017>

(5) The Minister of the Interior and Safety and the head of a related central administrative agency shall not provide any third party with the documents, materials, etc. furnished or collected pursuant to paragraphs (1) and (2), nor make them public, except as otherwise required by this Act. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 13423, Jul. 24, 2015; Act No. 14839, Jul. 26, 2017>

(6) Where the Minister of the Interior and Safety and the head of a related central administrative agency receives the materials submitted via the information and communications networks, or make them digitalized, they shall take systematic and technical measures to prevent the divulgence of personal information, trade secrets, etc. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(7) The Minister of the Interior and Safety may inspect the status of personal information protection jointly with the head of a related central administrative agency for the prevention of personal information breach incidents and efficient response. <Newly Inserted by Act No. 13423, Jul. 24, 2015; Act No. 14839, Jul. 26, 2017>

Article 64 (Corrective Measures, etc.)

(1) Where the Minister of the Interior and Safety deems that any personal information breach is substantially grounded and negligence over such breach is likely to cause irreparable damage, he/she may order the violator of this Act (excluding the central administrative agencies, local governments, the National Assembly, the Court, the Constitutional Court, and the National Election Commission) to take any of the following measures: <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

1. To suspend personal information breach;

2. To temporarily suspend personal information processing;

3. Other measures necessary to protect personal information and to prevent personal information breach.

(2) Where the head of a related central administrative agency deems that any personal information breach is substantially grounded and negligence over such breach is likely to cause irreparable damage, he/she may order a personal information controller to take any of the measures provided for in paragraph (1) pursuant to the Acts under his/her jurisdiction.

(3) A local government, the National Assembly, the Court, the Constitutional Court, or the National Election Commission may order their affiliated entities and public institutions, which are found to violate this Act, to take any of the measures provided for in paragraph (1).

(4) When a central administrative agency, a local government, the National Assembly, the Court, the Constitutional Court, or the National Election Commission violates this Act, the Protection Commission may advise the head of the relevant agency to take any of the measures provided for in paragraph (1). In such cases, upon receiving the advice, the agency shall comply therewith except in extenuating circumstances.

Article 65 (Accusation and Advices for Disciplinary Action)

(1) Where reasonable grounds exist to suspect that a personal information controller has violated this Act or other data protection-related statutes, the Minister of the Interior and Safety may accuse the fact to the competent investigative agency. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(2) Where reasonable grounds exist to suspect that this Act or other data protection-related statutes are violated, the Minister of the Interior and Safety may advise the relevant personal information controller to take disciplinary action against the person responsible for it (including the representative and the executive officer in charge). In such cases, upon receiving the advice, the relevant personal information controller shall comply therewith; and shall notify the Minister of the Interior and Safety of the result. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 11990, Aug. 6, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(3) The head of a related central administrative agency may accuse a personal information controller pursuant to paragraph (1), or advise the head of the relevant affiliated agency, organization, etc. to take disciplinary action pursuant to paragraph (2), in accordance with the Acts under his/her jurisdiction. In such cases, upon receiving the advice under paragraph (2), the head of the relevant affiliated agency, organization, etc. shall comply therewith; and shall notify the head of the related central administrative agency of the result.

Article 66 (Disclosure of Results)

(1) The Minister of the Interior and Safety may disclose the advice for improvement pursuant to Article 61; the corrective measures pursuant to Article 64; the accusation or advice for disciplinary action pursuant to Article 65; and the imposition of administrative fines pursuant to Article 75 and its result, subject to deliberation and resolution by the Protection Commission. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(2) The head of a related central administrative agency may disclose the matters provided for in paragraph (1) in accordance with the Acts under his/her jurisdiction.

(3) The method, criteria, and procedure for disclosure pursuant to paragraphs (1) and (2), and other related matters, shall be prescribed by Presidential Decree.
Article 67 (Annual Reports)

(1) The Protection Commission shall prepare a report each year, based on necessary materials furnished by related agencies, etc., in relation to the establishment and implementation of personal information protection policy measures, and submit (including transmission via the information and communications networks) it to the National Assembly before the opening of the plenary session

(2) The annual report referred to in paragraph (1) shall contain the following matters: <Amended by Act No. 14107, Mar. 29, 2016>

1. Infringement on the rights of data subjects and the status of remedies thereof;

2. Findings of the survey in relation to the status of personal information processing;

3. Status of implementation of the personal information protection policy measures and achievements thereof;

4. Overseas legislation and policy developments related with personal information;

5. Status of the enactment and amendment of the Acts, Presidential Decrees, the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, and the Board of Audit and Inspection Regulations, in relation to processing of resident registration numbers;

6. Other matters to be disclosed or reported in relation to the personal information protection policy measures.

Article 68 (Delegation and Entrustment of Authority)

(1) Authority of the Minister of the Interior and Safety or the head of a related central administrative agency under this Act may be partially delegated or entrusted, as prescribed by Presidential Decree, to the Special Metropolitan City Mayor, Metropolitan City Mayors, Do Governors, Special Self-Governing Province Governors, or the specialized institutions prescribed by Presidential Decree. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(2) The agencies to which authority of the Minister of the Interior and Safety or the head of a related central administrative agency has been partially delegated or entrusted pursuant to paragraph (1) shall notify the Minister of the Interior and Safety or the head of the related central administrative agency of the results of performing the affairs delegated or entrusted. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

(3) Where delegating or entrusting a part of authority to a specialized institution pursuant to paragraph (1), the Minister of the Interior and Safety may grant a contribution to the specialized institution to cover expenses incurred in performing the affairs delegated or entrusted. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

Article 69 (Persons Deemed to be Public Officials for Purposes of Penalty Provisions)

Any executive or employee of a relevant agency that performs the affairs entrusted by the Minister of the Interior and Safety or the head of a related central administrative agency shall be deemed a public official for the purposes of Articles 129 through 132 of the Criminal Act. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

CHAPTER IX PENALTY PROVISIONS

Article 70 (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than 10 years, or by a fine not exceeding 100 million won: <Amended by Act No. 13423, Jul. 24, 2015>

1. A person who causes the suspension, paralysis or other severe hardship of work of a public institution by altering or erasing the personal information processed by the public institution for the purpose of disturbing the personal information processing of such public institution;

2. A person who obtains any personal information processed by third parties by fraud or other unjust means or methods and provides it to a third party for a profit-making or unjust purpose, and a person who abets or arranges such conduct.

Article 71 (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than 5 years, or by a fine not exceeding 50 million won: <Amended by Act No. 14107, Mar. 29, 2016>

1. A person who provides personal information to a third party without the consent of a data subject in violation of Article 17 (1) 1 even through Article 17 (1) 2 is not applicable, and a person who knowingly receives such personal information;

2. A person who uses personal information or provides personal information to a third party in violation of Articles 18 (1) and (2), 19, 26 (5), or 27 (3), and a person who knowingly receives such personal information for a profit-making or unfair purpose;

3. A person who processes sensitive information in violation of Article 23 (1);

4. A person who processes personally identifiable information in violation of Article 24 (1);

5. A person who divulges or provides a third party without authority with, the personal information acquired in the course of performing business in violation of subparagraph 2 of Article 59, and a person who knowingly receives such personal information for a profit-making or unfair purposes;

6. A person who damages, destroys, alters, forges, or divulges any third party's personal information in violation of subparagraph 3 of Article 59.

Article 72 (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than 3 years, or by a fine not exceeding 30 million won:

1. A person who arbitrarily handles visual data processing devices for any purpose other than the initial one, directs such devices toward different spots, or uses a sound recording function in violation of Article 25 (5);

2. A person who acquires personal information or obtains consent to personal information processing by fraud or other unjust means in violation of subparagraph 1 of Article 59, and a person who knowingly receives such personal information for a profit-making or unfair purpose;

3. A person who divulges confidential information acquired while performing his/her duties, or uses such information for other purposes than the initial one in violation of Article 60.

Article 73 (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than 2 years, or by a fine not exceeding 20 million won: <Amended by Act No. 13423, Jul. 24, 2015; Act No. 14107, Mar. 29, 2016>

1. A person who fails to take necessary measures to ensure safety in violation of Article 23 (2), 24 (3), 25 (6), or 29 and causes personal information to be lost, stolen, divulged, forged, altered, or damaged;

2. A person who fails to take necessary measures to correct or erase personal information in violation of Article 36 (2), and continuously uses, or provides a third party with, the personal information;

3. A person who fails to suspend processing of personal information in violation of Article 37 (2), and continuously uses, or provides a third party with, the personal information.

Article 74 (Joint Penalty Provisions)

(1) If the representative of a corporation, or an agent or employee of, or any other person employed by, a corporation or an individual commits any of the offense provided for in Article 70 in connection with the business affairs of the corporation or individual, not only shall such offender be punished, but also the corporation or individual shall be punished by a fine not exceeding 70 million won: Provided, That the same shall not apply where such corporation or individual has not been negligent in taking due care and supervisory duty concerning the relevant business affairs to prevent such offense.

(2) If the representative of a corporation, or an agent or employee of, or any other person employed by, a corporation or an individual commits any of the offense provided for in Articles 71 through 73 in connection with the business affairs of the corporation or individual, not only shall such offender be punished, but also the corporation or individual shall be punished by a fine prescribed in the relevant Article: Provided, That the same shall not apply where such corporation or individual has not been negligent in taking due care and supervisory duty concerning the relevant business affairs to prevent such offense.

Article 74-2 (Confiscation, Additional Collection, etc.)

Any money or goods or other profits acquired by a person who has violated Articles 70 through 73 in relation to such violation shall be confiscated, or, if confiscation is impossible, the value thereof may be collected. In this case, such confiscation or additional collection may be levied in addition to other penalty provisions.

[This Article Newly Inserted by Act No. 13423, Jul. 24, 2015]

Article 75 (Administrative Fines)

(1) Any of the following persons shall be subject to an administrative fine not exceeding fifty million won: <Amended by Act No. 14765, Apr. 18, 2017>

1. A person who collects personal information, in violation of Article 15 (1);

2. A person who fails to obtain the consent of a legal representative, in violation of Article 22 (6);

3. A person who installs and operates a visual data processing device, in violation of Article 25 (2).

(2) Any of the following persons shall be subject to an administrative fine not exceeding thirty million won: <Amended by Act No. 11990, Aug. 6, 2013; Act No. 12504, Mar. 24, 2014; Act No. 13423, Jul. 24, 2015; Act No. 14107, Mar. 29, 2016; Act No. 14765, Apr. 18, 2017>

1. A person who fails to notify a data subject of necessary information, in violation of Article 15 (2), 17 (2), 18 (3), or 26 (3);

2. A person who denies the provision of goods or services to a data subject, in violation of Article 16 (3) or 22 (5);

3. A person who fails to notify a data subject of the matters provided for in Article 20 (1) or (2), in violation of Article 20 (1) or (2);

4. A person who fails to destroy personal information, in violation of Article 21 (1);

4-2. A person who processes resident registration numbers, in violation of Article 24-2 (1);

4-3. A person who fails to adopt encryption, in violation of Article 24-2 (2);

5. A person who fails to provide a data subject with an alternative method without using his/her resident registration number, in violation of Article 24-2 (3);

6. A person who fails to take measures necessary to ensure safety, in violation of Article 23 (2), 24 (3), 25 (6), or 29;

7. A person who installs and operates a visual data processing device, in violation of Article 25 (1);

7-2. A person who indicates and promotes the certification by fraud despite a failure to obtain such certification, in violation of Article 32-2 (6);

8. A person who fails to notify a data subject of the facts provided for in Article 34 (1), in violation of the same paragraph;

9. A person who fails to report the results of measures taken, in violation of Article 34 (3);

10. A person who limits or denies access to personal information, in violation of Article 35 (3);

11. A person who fails to take necessary measures to correct or erase personal information, in violation of Article 36 (2);

12. A person who fails to take necessary measures, such as destruction of the personal information whose processing has been suspended, in violation of Article 37 (4);

13. A person who fails to comply with corrective measures taken under Article 64 (1).

(3) Any of the following persons shall be subject to an administrative fine not exceeding ten million won: <Amended by Act No. 14765, Apr. 18, 2017>

1. A person who fails to store and manage personal information separately, in violation of Article 21 (3);

2. A person who obtains consent, in violation of Article 22 (1) through (4);

3. A person who fails to take necessary measures including posting on a signboard, in violation of Article 25 (4);

4. A person who fails to undergo paper-based formalities stating the matter provided for in Article 26 (1) when outsourcing the work, in violation of the same paragraph;

5. A person who fails to disclose the outsourced work and the outsourcee, in violation of Article 26 (2);

6. A person who fails to notify a data subject of the transfer of his/her personal information, in violation of Article 27 (1) or (2);

7. A person who fails to establish, or disclose, the Privacy Policy, in violation of Article 30 (1) or (2);

8. A person who fails to designate a privacy officer, in violation of Article 31 (1);

9. A person who fails to notify a data subject of necessary information, in violation of Article 35 (3) and (4), 36 (2) and (4), or 37 (3);

10. A person who fails to furnish materials, such as goods and documents pursuant to Article 63 (1), or who submits false materials;

11. A person who refuses, interferes with, or evades access or an inspection pursuant to Article 63 (2).
(4) Administrative fines provided for in paragraphs (1) through (3) shall be imposed and collected by the Minister of the Interior and Safety and the head of a related central administrative agency, as prescribed by Presidential Decree. In such cases, the head of a related central administrative agency shall impose and collect administrative fines from the personal information controllers in the field under his/her jurisdiction. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017>

Article 76 (Special Exemption to Application of Provisions on Administrative Fines)

For the purposes of the provisions on administrative fines provided for in Article 75, no additional administrative fine shall be imposed on any act subject to penalty surcharges pursuant to Article 34-2.

[This Article Newly Inserted by Act No. 11990, Aug. 6, 2013]

ADDENDA

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation: Provided, That Articles 24 (2) and 75 (2) 5 shall enter into force one year after the date of its promulgation.

Article 2 (Repeal of other Acts)

The Act on the Protection of Personal Information Maintained by Public Institutions is hereby repealed.

Article 3 (Transitional Measures concerning Personal Information Dispute Mediation Committee)

An act performed by or against the Personal Information Dispute Mediation Committee under the previous Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. as at the time this Act enters into force shall be deemed an act performed by or against the Personal Information Dispute Mediation Committee corresponding thereto under this Act.

Article 4 (Transitional Measures concerning Personal Information being Processed)

Any personal information legitimately processed under other Acts before this Act enters into force shall be deemed to have been processed under this Act.

Article 5 (Transitional Measures concerning Application of Penalty Provisions)

(1) The application of the penalty provisions to a violation of the previous Act on the Protection of Personal Information Maintained by Public Institutions before this Act enters into force shall be governed by the previous Act on the Protection of Personal Information Maintained by Public Institutions.

(2) The application of the penalty provisions to a violation of the previous Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. before this Act enters into force shall be governed by the previous Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.

Article 6 Omitted.

Article 7 (Relationship to other Acts)

Where the previous Act on the Protection of Personal Information Maintained by Public Institutions or the provisions thereof are cited in other statutes at the time this Act enters into force, and any provision corresponding thereto exists in this Act, this Act or the corresponding provision of this Act shall be deemed cited in lieu of the previous provision.

ADDENDA <Act No. 11690, Mar. 23, 2013>

Article 1 (Enforcement Date)

(1) This Act shall enter into force on the date of its promulgation.

(2) Omitted.

Articles 2 through 7 Omitted.

ADDENDA <Act No. 11990, Aug. 6, 2013>

Article 1 (Enforcement Date)

This Act shall enter into force one year after the date of its promulgation.

Article 2 (Transitional Measures concerning Limitation to Processing of Resident Registration Numbers)

(1) A person who processes resident registration numbers as at the time this Act enters into force shall destroy the resident registration numbers possessed, within two years after this Act enters into force: Provided, That any of the cases falling under the amended subparagraphs of Article 24-2 (1) shall be excluded from the destruction.

(2) Where resident registration numbers are not destroyed within the period referred to in paragraph (1), the amended provisions of Article 24-2 (1) shall be deemed to have been violated.

ADDENDUM <Act No. 12504, Mar. 24, 2014>

This Act shall enter into force on the date of its promulgation: Provided, That the amended provisions of Articles 24-2 and 75 (2) 5 of the Personal Information Protection Act (Act No. 11990) shall enter into force on January 1, 2016.

ADDENDA <Act No. 12844, Nov. 19, 2014>

Article 1 (Enforcement Date)

This Act shall enter into force on the date of its promulgation. (Proviso Omitted.)

Articles 2 through 7 Omitted.

ADDENDA <Act No. 13423, Jul. 24, 2015>

Article 1 (Enforcement Date)

This Act shall enter into force on the date of its promulgation: Provided, That the amended provisions of Articles 8 (1), 8-2, 9, 11 (1), 32-2, 39 (3) and (4), 39-2, 40, and 75 (2) 7-2 shall enter into force one year after the date of its promulgation, and the amended provisions of the former part of Article 24-2 (2) and Article 75 (2) 4-3 of the Personal Information Protection Act (Act No. 12504) shall enter into force on January 1, 2016, respectively.

Article 2 (Applicability to Compensation)

The amended provisions of Articles 39 (3) and (4) and 39-2 shall apply, beginning with the first claim for compensation for personal information suffering loss, theft, divulgence, forgery, alteration, or damage after this Act enters into force.

Article 3 (Transitional Measures concerning Personal Information Protection Certification)

Any person who has obtained the personal information protection certification from the Minister of the Interior before this Act enters into force shall be deemed obtained the personal information protection certification under the amended provisions of Article 32-2.

Article 4 (Transitional Measures concerning Qualifications for Certification Examiners of Personal Information Protection)

Any person qualified as a certification examiner of personal information protection before this Act enters into force shall be deemed qualified under this Act.

Article 5 (Transitional Measures concerning Terms of Office of Members of Personal Information Dispute Mediation Committee)

Members of the Dispute Mediation Committee appointed or commissioned by the Minister of the Interior before this Act enters into force shall be deemed members of the Dispute Mediation Committee commissioned by the Protection Commission under the amended provisions of Article 40.

Article 6 (Transitional Measures concerning Penalty Provisions, etc.)

The former provisions shall apply to the application of penalty provisions or imposition of administrative fines for offenses committed before this Act enters into force.

ADDENDA <Act No. 14107, Mar. 29, 2016>

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation: Provided, That the amended provisions of Articles 24-2 (1) 1 and 67 (2) 5 shall enter into force one year after the date of its promulgation.

Article 2 (Applicability to Notification of Other Sources, etc. of Personal Information than Data Subjects)

The amended provisions of Article 20 (2) and (3) shall apply, beginning with the first case where any personal information is collected from a person other than the data subjects after this Act enters into force.

Article 3 (Transitional Measures concerning Privacy Policy)

(1) The Privacy Policy established under the former provisions as at the time this Act enters into force shall be deemed the Privacy Policy established under the amended provisions of Article 30 (1).

(2) Each personal information controller shall amend the Privacy Policy referred to in paragraph (1) to meet the purport of amending Article 30 (1) within six months after this Act enters into force.

ADDENDUM <Act No. 14765, Apr. 18, 2017>

This Act shall enter into force six months after the date of its promulgation.

ADDENDA <Act No. 14839, Jul. 26, 2017>

Article 1 (Enforcement Date)

This Act shall enter into force on the date of its promulgation: Provided, That any amendment to the Acts made pursuant to Article 5 of this Addenda, promulgated before this Act enters into force, which have not yet entered into force, shall enter into force on the date the corresponding Act takes effect.

Articles 2 through 6 Omitted.