On March 31, 2020, key points of the draft amendments to the Enforcement Decree of the Personal Information Protection Act (the "Draft Amendments") were published.  The Ministry of the Interior and Safety announced on June 8, 2020 the revised amendments based on the opinion gathered from the interested parties (the "Revised Amendments").  

While the Revised Amendments largely follow the Draft Amendments, please refer to below for key changes. 

Specific Standards for Using and Providing Personal Information within the "Scope Reasonably Related to Original Purpose of Collection" 

• The Draft Amendments stipulated that in order to use or provide personal information without the consent of data subjects within the scope reasonably related to original purpose of collection, all of the following four conditions need to be satisfied:  
  (i) the purpose of additional use and provision is substantially related to the original purpose for which the personal information was collected;  
  (ii) the additional use and provision is foreseeable in light of the circumstances and practices;  
  (iii) the additional use and provision does not unfairly infringe on the interests of the data subject or a third party; and  
  (iv) if the purpose of additional use and provision can be achieved with the personal information being pseudonymized, then the personal information must be pseudonymized.  

• While the Revised Amendments have retained most of these conditions, the underlined parts have been revised.  The reference to the purpose of additional use and provision having to be "substantially" related to the original purpose in the first condition has also been deleted.  The requirement that both the circumstances and practices be considered under the second condition has been relaxed, now only either the circumstances or the practices having to be taken into account.  

Security Measures for Pseudonymized and Additional Information 

• The Revised Amendments specify the requirements concerning pseudonymized information, such as keeping a record of processing pseudonymized information, and obligations to retain and destroy it. If data controllers process pseudonymized information, they need to maintain a record of the following matters and retain it for at least three years after destroying the pseudonymized information (except where the record is pseudonymized to ensure data security): 
  (i) The purpose of pseudonymization 
  (ii) Items of personal information which have been pseudonymized
  (iii) Retention period for which pseudonymized information 
  (iv) History of using the pseudonymized information 
  (v) Recipient of the pseudonymized information (if provided to a third party)
  (vi) Matters related to destruction of pseudonymized information 
  (vii) Any other matters notified by the Personal Information Protection Committee 

• According to the Revised Amendments, data controllers must destroy the pseudonymized information without delay when the retention period expires.  Further, data controllers must separately store pseudonymized information and the information that can be combined with the pseudonymized information to identify an individual ("additional information").  The additional information must be destroyed if it is no longer needed and access to pseudonymized and additional information, respectively, must be separated. 

Request to Remove Combined Pseudonymized Data 

• The Draft Amendments stated that when a data controller files a request to combine pseudonymized information, the request is to be assessed and approved in view of whether it is difficult to achieve the purpose of combination in the Analysis Space within the premises of the expert organization where technical, organizational and physical measures have been implemented or whether such Analysis Space is not readily available. 

• By deleting the underlined part above in the Revised Amendments, the restrictions on removing the combined information from the expert organization have been relaxed.  

[Korean version]