Personal Information Protection Commission Announces the Draft Consolidated Guidelines on Personal Information Processing

2025.01.31

On December 31, 2024, the Personal Information Protection Commission (the “PIPC”) announced the draft Consolidated Guidelines on Personal Information Processing (the “Guidelines”) (available in Korean, Link), which provide overall guidelines on personal information processing.

The Guidelines reflect the recently amended Personal Information Protection Act (the “PIPA”) and integrate the existing guidelines on personal information processing, including the Guidelines on Consent to Personal Information Processing and the Guidelines on Delegation of Personal Information Processing. Among others, the Guidelines provide more details on the improvement of mandatory consent practices announced by the PIPC last September[1] as well as guidance on the legal bases for lawful processing, destruction of personal information, restriction on personal information processing in delegation, and transfer of personal information through business transfers. Key details of the Guidelines are described below.

1. Collection and Use of Personal Information (Article 15 of the PIPA)

The Guidelines provide specific standards for interpreting the legal bases for collection and use of personal information. In particular, the Guidelines explain the most commonly used legal bases for processing, such as “consent,” “contractual necessity” and “legitimate interest.”

  • The processing is necessary to perform a contract entered into with the data subject or take measures as requested by the data subject in the course of executing such contract (Article 15, Paragraph (1), Item 4 of the PIPA)

    The Guidelines explain that, in determining whether the requirements for processing personal information under the contractual necessity exception to the consent requirement, set forth in Article 15, Paragraph (1), Item 4 of the PIPA, are met, the following factors should be comprehensively considered: (i) whether the contract has been validly executed; (ii) whether the collection and use of the personal information is foreseeable by the data subject; and (iii) whether the personal information is reasonably within the scope necessary for the execution or performance of the contract.

    In addition, while standardized terms and conditions are, legally speaking, also contracts, if it cannot be deemed that there was an agreement on the terms and conditions (e.g., the terms and conditions refer to services that are not actually provided), such terms and conditions would not constitute a valid contract for the purpose of this contractual necessity exception. Likewise, where the services provided under the terms and conditions go beyond the scope that the data subject could have expected, personal information may not be collected and used without consent on the contractual necessity basis.

    Considerations for Determining whether Contractual Necessity can be a Lawful Basis

    Factor | Key Considerations
    Formation of a Contract | There must be a clear mutual agreement. Even if the parties have reached an agreement, a contract that is contrary to social norms does not constitute a valid contract.
    Predictability by the Data Subject | The data subject should be able to sufficiently predict the scope of the relevant service, and the scope of personal information necessary for the service, in light of the nature of the service.
    Necessity of the Personal Information | Considering the nature of the service and the terms of the contract, the personal information should be reasonably required to execute or perform the contract.


  • It is necessary to achieve the legitimate interest of the data controller, and such necessity clearly takes precedence over the rights of the data subject (Article 15, Paragraph (1), Item 6 of the PIPA)

    The Guidelines explain the requirements for the legitimate interest basis, including the legitimacy of the purpose of processing, the necessity of processing, and the data subjects’ rights and the balancing of interests. In doing so, the Guidelines provide that the following factors should be considered in balancing the interests: (i) the degree of sensitivity of the processed personal information; (ii) whether the personal information is processed in a manner that the data subject can reasonably expect; (iii) whether the data controller has implemented means to guarantee the data subjects’ rights (e.g., requests for access); and (iv) whether the data controller has a superior position over the data subject due to, among other things, an employment relationship.

  • Where the data subject’s consent is obtained (Article 15, Paragraph (1), Item 1 of the PIPA)

    The Guidelines explain that “consent” of a data subject can be validly obtained only when the data subject is fully aware of the fact that his/her personal information will be processed by the data controller and can freely decide whether to give consent to the processing and the scope of consent. The Guidelines add that processing based on the data subject’s freely given consent is still possible even if there is another lawful basis for processing.

2. Restriction on Collection of Personal Information (Article 16 of the PIPA)

The Guidelines explain that when a data controller collects personal information of a data subject for any of the purposes set forth in Article 15, Paragraph (1) of the PIPA, the data controller should collect only the minimum personal information necessary for such purpose. In this regard, the Guidelines provide that the data controller may collect and use information beyond the minimum required if the data subject freely gives his/her consent. However, in such case, the data subject should be specifically informed that he/she may refuse to give consent, and the data subject should not be denied the goods or services because he/she refused to consent to the collection and use of personal information beyond the minimum scope.

However, since the PIPA distinguishes the types of personal information processing into collection, use, and third-party provision, the principle of minimum collection, which applies to the “collection” of personal information, does not apply to the other types of personal information processing.

The Guidelines note that the scope of the “minimum required personal information” should be determined based on (i) the details set forth in the privacy policy, consent forms, agreements, terms and conditions, and service-related guidelines; and (ii) the nature, purpose, and market/transaction environment of the relevant service, the status of technological development, and other relevant factors.

3. Method of Obtaining Consent (Article 22 of the PIPA)

The Guidelines explain that the consent process should be reformed so that consent can be given based on the “free will” of the data subject, and consent should not be coerced by refusing to execute a contract based on the data subject’s refusal to give consent. The Guidelines add that whether the data subject’s consent based on free will is restricted should be determined on a case-by-case basis considering the circumstances, such as the nature of the service and the context in which consent is requested.

Notably, the Guidelines say that personal information necessary for the performance of a contract does not require mandatory consent, but instead, it is sufficient for the data controller to disclose such personal information in the privacy policy so that data subjects can easily understand what personal information is being collected to perform a contract. In the case of personal information unrelated to the relevant contract, the data controller should take measures to allow the data subject to freely decide whether to give consent to the processing of such information. If the data subject is restricted from freely deciding whether to give consent or the details of consent are not clearly notified to the data subject, this can be a violation of the requirements for lawful collection and use under Article 15 of the PIPA.

4. Restriction on Sensitive Information Processing (Article 23 of the PIPA)

A data controller is obligated to inform the data subject of (i) the fact that his/her sensitive information may be disclosed; and (ii) how to choose non-disclosure of sensitive information.

However, the Guidelines provide that in the case of services, such as online public bulletin boards and social media services, which are clearly provided for the purpose of mutual communication, the data subject can reasonably be deemed to have expected that the personal information he/she voluntarily posts on such services will be disclosed to the public, and thus the data controller can be deemed to have already informed the data subject of the above two notification items. In addition, the Guidelines state that if the data subject can choose between “public” and “private” settings for the information he/she posts, the default setting should be “private.”

5. Restriction on Personal Information Processing in Delegation (Article 26 of the PIPA)

The Guidelines make clear that the scope of “delegatees” includes not only primary delegatees but also sub-delegatees. Further, with regard to the obligation to manage and supervise delegatees, the Guidelines note that, in the case of a professional delegatee that has been delegated personal information processing by multiple delegators, each delegator may perform its supervisory obligation by managing the notifications given by the delegatee on a regular basis in the manner specified in the delegation documents. Such notification could include (i) the fact that the delegatee’s business is regularly inspected through ISMS-P, self-regulation through public-private partnerships (e.g., the HR and Seller Tool sectors), or the Chief Privacy Officer Council; or (ii) the results of self-inspection and improvement. To this end, a professional delegatee is required to specify in advance in the relevant delegation agreements the inspection system, such as certification, and to disclose its supervisory relationship with multiple delegators.

6. Transfer of Personal Information in Business Transfers (Article 27 of the PIPA)

The Guidelines explain that in the case of an overseas transfer of personal information through a business transfer, both Article 27 (Transfer of Personal Information in Business Transfer, etc.) and Article 28-8 (Overseas Transfer of Personal Information) of the PIPA will apply. Accordingly, the Guidelines clarify that in the event of an overseas transfer of personal information through a business transfer, the transferor is required to obtain separate consent for the overseas transfer under Article 28-8 (1) of the PIPA, even though the transfer of personal information through a business transfer itself does not require consent under Article 27.

However, if the personal information stays in Korea at the time of business transfer, and the acquirer later transfers the personal information overseas for delegation or storage for the purpose of performing a contract with the data subject, such transfer can be made without consent and only requires disclosure of the relevant matters in the privacy policy.

In addition to the Guidelines, the PIPC has announced nine guidelines (available in Korean, Link), including the Sectorial Guidelines for Protection of Personal Information, the Guidelines for Protection of Children and Juveniles’ Personal Information, the Guidelines for Protection of Biometric Information, and the Guidelines for Installation and Operation of Fixed Visual Data Processing Devices.

Although the above guidelines are not legally binding, companies should refer to them to better understand the PIPC’s interpretation of the PIPA. Further, as the Guidelines may be revised during the opinion canvassing process, companies should check the final version of the Guidelines when it is announced.

[1]   Please refer to “Personal Information Protection Commission Announces Updated Principles and Plans Related to Consent” dated September 13, 2024 (Link).
