On April 30, 2024, the Personal Information Protection Commission (“PIPC”) issued an updated version of the Privacy Policy Drafting Guidelines (the “Guidelines,” (available in Korean, link)) that reflect the recent amendments to the Personal Information Protection Act (“PIPA”) and the Enforcement Decree of the PIPA (the “Decree”). Pursuant to Article 30-2 of the amended PIPA, the PIPC may evaluate privacy policies and recommend improvements if it deems necessary, and the PIPC would use the Guidelines as the baseline for such evaluation.
1. |
Key Points of the Guidelines
|
-
Overseas Collection and Transfer of Personal Information
– |
If personal information is directly collected and processed outside of Korea, the data controller should provide the name of the country. If personal information is transferred (i.e., provided to a third party, delegated to a third party for processing, or stored by a third party) outside of Korea, the data controller should provide the legal grounds, as well as a statutory notification items for overseas transfer. |
-
Additional Use or Provision Within a Reasonable Scope
– |
The Guidelines provide guidance on disclosing the criteria for assessing the factors that the data controller needs to consider when it uses or provides personal information without consent of the data subject to the extent reasonably related to the original purpose of collection. |
-
Exercising Rights With Respect to Automated Decisions
– |
The Guidelines provide guidance on explaining data subjects and their legal guardians’ right to refuse an automated decision-making and to request an explanation of the automated decision. |
-
Targeted Advertisements
– |
If the data controller collects and uses behavioural data to provide targeted advertisements, the Guidelines provide guidance on how to explain to the data subjects their ability to block or allow targeted advertisements. |
-
Privacy Policy for Children
– |
The Guidelines advise the data controllers to use a clear and easy format and language for a privacy policy for children under the age of 14. |
2. |
Privacy Policy Evaluation System
If it deems improvement is necessary based on the results of an evaluation, the PIPC may recommend the data controller to take measures for improvement and publish the details and results of its recommendations, or the fact that the data controller has been subject to recommendations (Article 8, Paragraph (1) of the Notification). |
To prepare for compliance with the amended PIPA and evaluation by the PIPC, companies are advised to review their privacy policies in light of the Guidelines.