Personal Information Protection Commission Announces Final Consolidated Guidelines on Personal Information Processing

2025.07.23

On December 31, 2024, the Personal Information Protection Commission (the “PIPC”) released the draft Consolidated Guidelines on Personal Information Processing, which provided comprehensive guidelines on personal information processing, and invited public opinion. After receiving opinions from the interested parties, the PIPC announced on July 14, 2025 the final version of the Consolidated Guidelines on Personal Information Processing (the “Guidelines”) (available in Korean, Link).

The Guidelines incorporate the PIPC’s latest interpretations and decisions, as well as relevant court precedents regarding key provisions of the Personal Information Protection Act (the “PIPA”). With this release, previous guidelines, including the Guidelines on Consent to Personal Information Processing, Guidelines on Delegation of Personal Information Processing, Guidelines on Personal Information Protection Measures, and Guidelines on Protection of Automatically Processed Personal Information, have been abolished. The key points from the Guidelines are outlined below.
 

1. Legal Bases for Collection and Use of Personal Information (Article 15)

The Guidelines provide detailed clarification on the principal legal bases for the collection and use of personal information, such as consent, contractual necessity, and legitimate interest.
 

(1) Consent of the Data Subject (Article 15, Paragraph (1), Item 1 of the PIPA)

The Guidelines clarify that processing based on valid, voluntary consent remains possible even when another legal basis is available. However, if the data subject’s ability to make a free choice is impaired or impossible, an alternative legal basis other than consent should be relied upon.

If consent is obtained despite the availability of another legal basis, the Guidelines recommend increasing both the transparency and foreseeability by clearly notifying the data subject of the processing purpose, the legal basis for processing, and the personal information to be collected and used. This is because processing may proceed on another legal basis even if consent is not obtained.
 

(2) Contractual Necessity (Article 15, Paragraph (1), Item 4 of the PIPA)

Personal information required to execute or perform a contract (e.g., a service agreement) typically falls within the reasonably expected scope of processing and does not require separate consent. In this regard, the Guidelines provide that where the purpose of collection and use of personal information, even if disclosed in the terms of use, is not related to the underlying service, it cannot be considered “necessary for performance of the contract.” In such cases, separate consent must be obtained.

Further, the Guidelines include the following new examples of contractual necessity:
 

  • Collecting a user’s personal information, such as name and contact information, to handle user complaints;

  • Using a data subject’s information for building or facility access, where both the facility manager and the data subject agree on such access;

  • Collecting email addresses to send newsletters in accordance with a subscription agreement;

  • Collecting and using a student’s information, such as name, contact information, and courses taken, to manage course histories and attendance under an education service agreement.

 

(3) Legitimate Interest of the Data Controller (Article 15, Paragraph (1), Item 6 of the PIPA)

The Guidelines set out the legal requirements and considerations for processing based on legitimate interest, balancing the data controllers’ interest with the data subject’s right to data self-determination.
 

| Legal Element | Key Considerations |
| --- | --- |
| Legitimacy of Purpose | Purpose must be specific, clear and legitimate |
| Necessity of Personal Information Processing | Availability of less intrusive alternative means; personal information must be collected to the minimum extent necessary |
| Balancing of Interests | Sensitivity of personal information to be processed; data subject’s reasonable expectation; processing methods; security measures taken to protect the data subject’s rights; whether the data controller holds a superior position over the data subject |

 

The Guidelines further clarify that after termination of a contract, the “contractual necessity” basis no longer applies. Any continued processing must then be reevaluated under “legitimate interest,” considering the above factors.

In addition, the Guidelines provide the following new examples of legitimate interest processing:
 

  • Using user access records to operate a fraud detection system that prevents unlawful use and ensures service security;

  • Hospital staff recording emergency situations (e.g., assault) for evidentiary purposes;

  • Apartment management offices making audio recordings (with prior notice) to address persistent abusive behavior by residents.

 

2. Additional Use and Collection of Personal Information (Article 15, Paragraph (3) and Article 17, Paragraph (4) of the PIPA)

Reflecting the 2023 amendments to the PIPA Enforcement Decree, the Guidelines state that if the additional use or provision of personal information is reasonably related to the original purpose of collection and is ongoing, the criteria for such continued use or provision must be disclosed in the privacy policy. However, if the additional use or provision is only temporary, it may proceed according to the data controller’s internal criteria without a separate disclosure. For example, personal information collected by an online shopping mall operator may be used to enhance the AI chatbot service for after-sales support, if this is within users’ reasonable expectations.
 

3. Management and Supervision of Professional Delegatees (Article 26 of the PIPA)

The Guidelines provide that when personal information processing is delegated to a specialized third party (professional delegatee) handling processing for multiple delegators, the delegator (data controller) can meet its supervision obligation by ensuring that the delegatee conducts regular inspections with a professional management agency (e.g., ISMS-P, CSAP, and CPO Council) and reports the results to the delegator, who then monitors the results.

To this end, the professional delegatee must formally document the management and inspection mechanism and its relationships with multiple delegators in advance. For example, a cloud service provider may enter into a standard processing delegation agreement with multiple delegators, specifying matters concerning training, oversight and reporting arrangements.

 

As the Guidelines provide a comprehensive overview of the PIPC’s latest interpretation of the PIPA, a careful review of the Guidelines is recommended, particularly regarding the legal bases for personal information processing and the management and supervision of professional delegatees, among others.

