
Enforcement of the Amended Standards for Ensuring the Security of Personal Information

2025.11.05

On July 21, 2025, the Standards for Ensuring the Security of Personal Information (Standards) were partially amended, and the amended provisions came into effect on October 31, 2025 (Amendment).

This Amendment was adopted in response to the rapid advancement of foundational technologies, such as artificial intelligence and cloud computing, as well as the shift toward a data-centric protection framework. Its purpose is to establish a personal information processing environment appropriate for these changes and to expand support for the development of new services.
 

1. Improvement of the Internet Access Blocking Measures

Under the previous Standards, large-scale data controllers[1] were required to apply internet access blocking measures uniformly to all devices used by personal information handlers within the organization. This approach had the effect of limiting the use of emerging technologies, such as artificial intelligence and cloud computing.

Through this Amendment, the regulation has been relaxed so that, where a large-scale data controller conducts a risk analysis of the devices used by its personal information handlers and determines that the risk level is low, or where protective measures are applied to reduce the risk, such devices may be excluded from the mandatory internet access blocking measures.

However, devices used by personal information handlers who (i) have the authority to configure access permissions to personal information systems or (ii) are able to download or delete sensitive information, passwords, biometric information, or unique identification information, remain subject to the mandatory blocking measures (Article 6-2).
 

2. Strengthening the Responsibility of Platform Operators (Open Market Sellers and Others)

Previously, individuals processing personal information through platforms, such as open market sellers, were excluded from the obligations to apply secure authentication methods and to retain access logs. The Amendment expands these obligations as follows:

  • The scope of those required to apply secure authentication methods when accessing personal information systems from outside has been expanded to include any person with legitimate access permissions to the personal information system (excluding data subjects) (Article 6(2)).

  • The obligation to retain access logs, previously limited to personal information handlers, has been expanded to require retention of access logs for any person who has accessed the personal information system (excluding data subjects) (Article 8(1)).

  • The scope of those subject to differentiated access permissions has been expanded from personal information handlers to operators (Article 5(1)).

  • The scope of those subject to access restrictions after a certain number of failed authentication attempts has been expanded from personal information handlers or data subjects to all persons accessing the personal information system (Article 5(6)).
     

3. Increased Flexibility in Access Log Review Frequency

Under the previous Standards, access logs for personal information systems were required to be reviewed at least once a month. Now, through this Amendment, data controllers are allowed to determine, through their internal management plans, the frequency, methods, and follow-up procedures for reviewing access logs and monitoring download activities (Article 8(2)).

4. Expansion of Internal Management Plan Requirements

Previously, the Standards did not require internal management plans to cover safeguards when printing or copying and matters related to the destruction of personal information. With this Amendment, these items have now been explicitly added to the list of matters that must be addressed in internal management plans (Article 4).

Among the above changes, the provisions related to internet access blocking measures take effect immediately, while the provisions that require preparation on the part of data controllers (such as the establishment or revision of internal management plans) will take effect one year after the promulgation date of the Amendment. According to the Personal Information Protection Commission (PIPC), revised Guidelines for Ensuring the Security of Personal Information reflecting these changes will be published within the year. The PIPC also plans to hold explanatory sessions for relevant stakeholders to provide further details. Accordingly, organizations should begin preparing follow-up measures now to ensure timely compliance with the amended Standards.


[1] A large-scale data controller refers to a data controller who stores and manages a daily average of at least one million users during the three months immediately preceding the end of the previous year.

 
