On July 21, 2025, the Personal Information Protection Commission announced a draft amendment to the Standards for Measures to Ensure Security of Personal Information (the “Amendment”) (available in Korean, Link).
The proposed changes are intended to improve the current uniform requirement for blocking internet access to personal information systems and to expand the application of certain provisions, such as those related to access rights, access control, and log retention, to include online marketplace sellers and similar parties.
1. Differential Application of Internet Access Blocking Measures Based on Processing Environment (Article 6-2 of the Amendment)
Under the current regulation, large-scale data controllers (those who, as of the end of the previous year, stored or managed personal information of an average of 1 million or more users per day over the preceding three months) are required to block internet access on all devices used by personal information handlers who can either download or delete personal information or configure access rights to personal information processing systems. However, there were concerns that such uniform blocking measures hinder the adoption of up-to-date technologies and reduce operational efficiency.
To address this, the Amendment will allow large-scale data controllers to exempt certain devices used by the personal information handlers from internet access blocking measures, if (i) a risk assessment conducted under the data controller’s internal management plan concludes that the identified risks are significantly low or (ii) adequate safeguards are in place to sufficiently mitigate those risks.
In essence, the level of internet access control can vary depending on the nature, purpose, and context of the relevant personal information processing. However, companies should consider the examples[1] listed in the Annex when assessing the adequacy of such safeguards. Moreover, full internet access blocking measures are still required for devices used by the personal information handlers who can download or delete sensitive information, passwords, biometric data, resident registration numbers, unique identification information, etc. (proviso to Article 6-2 of the Amendment).
2. Expanding Application of Provisions on Access Rights, Access Controls, and Log Retention (Articles 5(1)-(6), 6(2), and 8(1) of the Amendment)
Under the current regulation, access rights to personal information processing systems may only be granted to personal information handlers, and access control measures must be implemented to ensure that only the authorized personal information handlers or data subjects can access the system. Additionally, data controllers are required to implement secure authentication measures for personal information handlers accessing the system from external networks and to retain access logs only for those personal information handlers.
The Amendment seeks to expand the application of these obligations to cover a broader group of individuals who perform tasks using personal information processing systems, including online marketplace sellers. To this end, Article 5(1) of the Amendment will be revised to remove the restriction limiting access rights to personal information handlers, and data controllers will be required to grant access rights only to the minimum extent necessary for the performance of duties, regardless of whether the authorized individual qualifies as a personal information handler. Article 5(6) of the Amendment will be amended to clarify that only individuals with legitimate authorization can access personal information processing systems.
In line with these changes, Article 6(2) of the Amendment will require data controllers to implement secure authentication methods when individuals with legitimate access rights (excluding data subjects) access personal information processing systems from external networks. Furthermore, Article 8(1) will expand the obligation to retain access logs to include all individuals who access the system, other than data subjects.
3. Flexible Management of Access Log Review Through Internal Management Plans (Article 8(2) of the Amendment)
The current regulation requires all data controllers to review access logs for personal information processing systems at least once per month without exception. Article 8(2) of the Amendment will introduce a more flexible approach by allowing data controllers to determine the frequency, method, follow-up procedures, and other aspects of access log review as part of their internal management plans.
This change is intended to enable data controllers to establish and implement appropriate access log review practices based on the volume, sensitivity, and nature of the personal information they process.
The Amendment will also revise the definition of “password” under Article 2(8) to mean “a unique string of characters that is entered together with an identifier and transmitted to the system to “authenticate” that the individual has legitimate access rights.”[2] It also adds the following matters to be included in internal management plans: (i) matters related to security measures when printing or copying personal information and (ii) matters concerning the destruction of personal information (see Article 4(1) (xii) and (xiii) of the Amendment).
The Amendment is expected to take effect around September 2025, following a 20-day public comment period from July 21 to August 9, 2025, and the completion of the subsequent procedures. Businesses directly affected by this Amendment, such as large-scale data controllers, should closely monitor the relevant developments and prepare follow-up measures to ensure compliance with the revised regulations.
[1] ① For computers, etc., of personal information handlers that can “download” personal information files, the following measures should be applied: △ Application of secure authentication methods when accessing the personal information processing system, △ Encryption of personal information files using secure encryption algorithms when storing them, △ Limitation on the number of personal information downloads, △ Minimization of personal information handlers with download permissions, △ Application of display restriction measures such as masking or safe numbers when printing personal information. ② For computers, etc., of personal information handlers that can “destroy” personal information files, the following measures are suggested as examples: △ Minimization of personal information handlers with destruction permissions, △ Setting so that destruction requires separate approval from an administrator or others.
[2] The term “identification” has been revised to “authentication.”