Personal Information Protection Commission Announces Amended Privacy Policy Drafting Guidelines

2024.05.02

On April 30, 2024, the Personal Information Protection Commission (“PIPC”) issued an updated version of the Privacy Policy Drafting Guidelines (the “Guidelines,” available in Korean) that reflects the recent amendments to the Personal Information Protection Act (“PIPA”) and the Enforcement Decree of the PIPA (the “Decree”). Under Article 30-2 of the amended PIPA, the PIPC may evaluate privacy policies and recommend improvements where it deems necessary, and the PIPC will use the Guidelines as the baseline for such evaluations.
1. Key Points of the Guidelines

The amended PIPA has introduced a privacy policy evaluation system whereby the PIPC may evaluate whether a company’s privacy policy (i) properly includes matters as required under the PIPA, (ii) is easy to understand, and (iii) is readily accessible to data subjects. Based on such evaluation, the PIPC can recommend measures for improvement, if necessary (Article 30-2 of the PIPA). Below are key changes in the updated version.
 

  • Disclosure of the Privacy Policy

In a mobile environment, the privacy policy should be either available on the first page of the app or directly accessible from a menu within the app.
 

  • Legal Basis for Processing Personal Information

For personal information processed without the consent of the data subject, the data controller should inform the data subjects of the items of such personal information and the legal grounds for such processing, separately from the details regarding the personal information processed with consent.

If processing without consent has a statutory basis, the data controller should refer to the specific statutory provision in the privacy policy.
 

  • Overseas Collection and Transfer of Personal Information

If personal information is collected and processed directly outside of Korea, the data controller should state the name of the country. If personal information is transferred outside of Korea (i.e., provided to a third party, entrusted to a third party for processing, or stored by a third party), the data controller should state the legal grounds for the transfer as well as the statutory notification items for overseas transfers.
 

  • Additional Use or Provision Within a Reasonable Scope

The Guidelines explain how to disclose the criteria used to assess the factors a data controller must consider when it uses or provides personal information without the data subject’s consent, within a scope reasonably related to the original purpose of collection.
 

  • Exercising Rights With Respect to Automated Decisions

The Guidelines explain how to describe the right of data subjects (and their legal guardians) to refuse automated decision-making and to request an explanation of an automated decision.
 

  • Targeted Advertisements

If the data controller collects and uses behavioural data to provide targeted advertisements, the Guidelines explain how to inform data subjects of the means by which they can block or allow targeted advertisements.
 

  • Privacy Policy for Children

The Guidelines advise data controllers to use a clear and simple format and language for privacy policies directed at children under the age of 14.
2. Privacy Policy Evaluation System

Under the Notification on Evaluation of Privacy Policy (the “Notification”), the PIPC must prepare an evaluation plan, including the evaluation targets, at least 14 days before the commencement date of each year’s evaluation (Article 3 of the Notification). The PIPC may establish an evaluation committee composed of 20 to 50 external experts to conduct the evaluation (Article 6 of the Notification).

Criteria for Selecting Privacy Policy Evaluation Targets

  • The data controller’s sales revenue for the previous year was KRW 150 billion or more, and it stored and managed the personal information of 1 million or more data subjects on a daily average basis during the last three months of the previous year.

  • The data controller stored and managed sensitive information or unique identification information of 50,000 or more data subjects on a daily average basis during the last three months of the previous year.

  • The data controller does not distinguish the items of personal information it may process without the data subject’s consent, and the legal grounds for such processing, from the personal information it processes with consent.

  • The data controller processes personal information using a fully automated system (including a system based on AI technology) or another new technology, such that there is a risk of personal information infringement.

  • The data controller suffered two or more data breaches in the last three years, or has been subject to an administrative fine or penalty imposed by the PIPC.

  • The data controller operates an online service that mainly targets children or young people under the age of 19.

If it deems improvement necessary based on the results of an evaluation, the PIPC may recommend that the data controller take improvement measures, and may publish the details and results of its recommendations or the fact that the data controller has been subject to recommendations (Article 8, Paragraph (1) of the Notification).
 

To prepare for compliance with the amended PIPA and evaluation by the PIPC, companies are advised to review their privacy policies in light of the Guidelines.
