[Legislative Notice] Second Amendment to Personal Information Protection Act Enforcement Decree

2023.12.01

On November 23, 2023, the Personal Information Protection Commission (“PIPC”) issued a legislative notice of the proposed amendment to the Enforcement Decree of the Personal Information Protection Act (the “PIPA”). The proposed amendment (the “Proposed Amendment”) stipulates matters delegated by the provisions of the PIPA, which are scheduled to come into force on March 15, 2024, while amending some of the current provisions of the Enforcement Decree of the PIPA.
 
Please find below the key details of the Proposed Amendment.
 
Obligation to Designate a Chief Privacy Officer (“CPO”) and Qualification Requirements of a CPO

1. Data controllers that are exempted from the obligation to designate a CPO

  • Data controllers that are micro-enterprises under the Framework Act on Micro-Enterprises are exempted from the obligation to designate a CPO.

2. Data controllers that are obligated to designate a CPO with required qualifications

  • Data controllers that meet certain criteria are required to designate a CPO with the qualification of (i) at least three years of experience in personal information protection, and (ii) a combined career of at least six years in personal information protection, data protection, and information technology.

  • More specifically, the obligation to designate a CPO with the foregoing qualifications is applicable to an entity whose annual sales revenue or income amounts to at least KRW 150 billion, and (i) processes sensitive information or unique identification information of at least 50,000 data subjects, or processes personal information of at least 1 million data subjects, (ii) is a school under the Higher Education Act with at least 10,000 enrolled students as of December 31 of the immediately preceding year, (iii) is a tertiary hospital under the Medical Service Act, or (iv) is a public institution operating a personal information processing system which meets the standards set by the PIPC.

3. Obligation to guarantee the CPO’s authority to independently perform his/her duties

  • In order to allow the CPO to independently perform his/her duties, the Proposed Amendment requires a data controller to (i) guarantee the CPO’s access to all information in relation to the processing of personal information, (ii) establish a system for the CPO’s direct reporting to the representative and the board of directors at least once a year, (iii) provide the CPO with human and material resources by creating an organizational structure suitable for the performance of duties, and (iv) prohibit a situation where the CPO is placed at a disadvantage by reason of non-compliance with unreasonable instructions.


Method of Exercising the Data Subject’s Rights on Automated Decision-Making and Data Controller’s Follow-up Measures

1. A data controller’s obligations with respect to the right of data subjects to refuse automated decision-making by using their personal information and their right to require explanations of automated decisions (the “Rights on Automated Decision-Making”)

  • According to the Proposed Amendment, a data controller is required to (i) provide data subjects with an easy-to-use method and procedure for exercising their Rights on Automated Decision-Making, (ii) allow data subjects to exercise their Rights on Automated Decision-Making at least through the same channel or method as that for collecting their personal information, and (iii) disclose on its website the method of and procedure for exercising their Rights on Automated Decision-Making.

2. Follow-up measures in response to data subjects’ exercise of Rights on Automated Decision-Making

  • According to the Proposed Amendment, a data controller is required to (i) take measures to ensure that no automated decision-making takes place if a data subject refuses automated decision-making, and (ii) notify the data subject of the results of reprocessing his/her personal information within 30 days (or within up to 60 days if there is a justifiable reason) from the date on which he/she requested the reprocessing of personal information by a human being.

3. Method of explaining automated decision-making

  • According to the Proposed Amendment, a data controller is required to notify a data subject who has requested an explanation of automated decision-making of (i) the results of automated decision-making, (ii) the major criteria for automated decision-making (e.g., major types and effects of personal information used for automated decision-making), and (iii) the process of automated decision-making (e.g., procedure for processing major types of personal information used for automated decision-making) in a way that is easy for the data subject to understand within 30 days (or within up to 60 days if there is a justifiable reason) from the date of request.

4. Obligation to notify data subjects that a data controller did not take measures in response to data subjects’ exercise of Rights on Automated Decision-Making

  • According to the Proposed Amendment, a data controller who, for a justifiable reason, did not take follow-up measures in response to a data subject’s exercise of the Rights on Automated Decision-Making is required to notify the data subject of (i) the fact that none of the necessary measures has been taken in response to his/her exercise of Rights on Automated Decision-Making, (ii) the grounds for non-implementation of such measures, and (iii) the method of raising an objection.

5. Obligation to disclose the criteria and procedure for automated decision-making

  • According to the Proposed Amendment, a data controller is required to disclose (i) the applicability and purpose of automated decision-making, along with the scope of data subjects to whom automated decision-making is applicable, (ii) major types of personal information used for automated decision-making, along with the relationship between such information and automated decision-making, (iii) matters that must be considered in the process of automated decision-making, and the procedure for processing major types of personal information, (iv) the purpose of processing sensitive information or personal information of children under the age of 14 in the process of automated decision-making, along with the items of personal information subject to processing, and (v) the rights of data subjects to reject, and request an explanation of, automated decision-making, along with the method of and procedure for exercising such rights.


Privacy Policy

1. Additional items that need to be included in a privacy policy

  • According to the Proposed Amendment, a data controller is required to ensure that its privacy policy includes the following matters: (i) the fact that personal information of data subjects is processed overseas and the matters concerning the relevant foreign country, if their personal information is collected and processed overseas, and (ii) the legal basis for cross-border transfer of personal information and the matters that must be notified to data subjects when obtaining their consent to cross-border transfer.


Obligation to Purchase an Insurance Policy to Cover the Liability for Damages

1. Data controllers that are required to purchase an insurance policy to cover the liability for damages

  • According to the Proposed Amendment, a data controller is required to purchase an insurance policy to cover the liability for damages if (i) its sales revenue in the immediately preceding year amounts to at least KRW 1 billion and (ii) it stores and manages personal information of at least 10,000 persons during the last three-month period of the immediately preceding year.


The Proposed Amendment is scheduled to come into force on March 15, 2024 after a 40-day public opinion canvassing period from November 23, 2023 to January 2, 2024. It is advisable for companies to keep an eye on the developments and implications of the Proposed Amendment as it stipulates the matters that may have an impact on the actual processing of personal information, including the data controllers’ obligation to designate a CPO, the required qualifications of a CPO, and the method of exercising the Rights on Automated Decision-Making.
