
PIPC Issues Final Guide to Amended PIPA

2024.01.11

On December 29, 2023, the Personal Information Protection Commission (“PIPC”) published its final Guide on Amendments to the PIPA and its Enforcement Decree (the “Final Guide;” available online in Korean).
 
Below are the key changes compared to the draft guide published on September 27, 2023.

Collection and Use of Personal Information
 

  • Recommending personalized content based on contractual necessity

The Final Guide stipulates that where the essence of a contract between the data controller and the data subject is about recommending personalized content and the details are disclosed in the service agreement or the terms of use so that the data subject is fully informed, the data controller may collect and use the data subject’s personal information to recommend personalized content without consent in order to perform the contract.
 

  • Important details must be emphasized when obtaining consent in writing

While the provision requiring certain important details in a consent form to be in a minimum font size of nine points and at least 20% larger than the rest of the text has been removed, data controllers are still required to highlight such details through font size, color, boldness or underlining. Furthermore, data controllers may not obtain consent in a manner that misleads data subjects or makes it difficult for data subjects to understand, for instance, by intentionally using fine print.
 

Regulations on Visual Data Processing Devices
 

  • Use of visual data collected through fixed visual data processing devices (e.g., CCTV)

Data controllers may install and operate a fixed visual data processing device for the purpose of computing statistical values or characteristics provided that they do not retain the visual data recorded. The Final Guide provides that the visual data collected through a fixed visual data processing device and stored for a certain period of time for purposes such as crime prevention and ensuring facility safety must be pseudonymized before being used for the purpose of compiling statistics, conducting scientific research, or preserving records for the public interest.
 

  • Regulations on mobile visual data processing devices (e.g., drones) and how to notify filming

The amended PIPA provides an exception which allows data controllers to film using mobile visual data processing devices if the data controller clearly indicates that a device is filming, and the data subject does not object. The Final Guide clarifies that this exception does not apply to activities against which data subjects may not exercise their rights, such as investigation and law enforcement. Filming for such activities requires a legal ground for collecting and using personal information under Article 15 of the PIPA.

The Final Guide offers recommendations on how to provide notice of filming for the main types of mobile visual data processing devices such as self-driving cars, robots, drones and bodycams and the details that must be included.
 

Notice on History of Using / Providing Personal Information
 

  • Obligation to notify history of use and/or provision of personal information waived for former employees

Where a data controller processes the personal information of its current employees to perform its duties as an employer, employees are not covered by the notification requirement. If the data controller retains or uses former employees’ personal information (for example, to issue a certificate of employment), the former employees would also not be covered by the requirement, as their personal information would be processed based on their previous status as employees.
 

  • Obligation to notify where a data controller has a personal credit information inquiry system under the Credit Information Act

Data controllers are not required to notify data subjects of the history of use and/or provision of their personal information pursuant to the PIPA with respect to personal credit information managed through a personal credit information inquiry system pursuant to the Credit Information Act, which allows data subjects to access such history. If, however, a data controller processes personal information other than personal credit information, the history of use and/or provision of such personal information is subject to the notification requirement.
 

Overseas Transfer of Personal Information
 

  • Obligation to obtain consent when providing personal information to third parties located overseas

Data controllers are required to obtain consent to providing personal information to third parties and consent to transferring personal information overseas separately.
 

Measures to Ensure Safety
 

  • Specific examples of personal information processing systems

The Final Guide specifies that processing the personal information of employees through a security solution or a network management system for account management or notification purposes falls under the definition of a personal information processing system.
 

  • Distinction between users and data subjects who are not users

The Final Guide clarified the distinction between users of online services and regular data subjects. Users are persons who use online services provided by online service providers. When public institutions and offline business operators collect personal information, the data subjects should not be considered users of online services. Furthermore, when online service providers collect the personal information of employees and customers, but such information is collected, stored and managed offline, the data subjects should also not be considered users of the online service provider.
 

Notification and Reporting of Personal Information Leakages
 

  • Calculating deadline for notifying and reporting personal information leakages

The Final Guide provides that a data controller must notify the affected data subjects and report to the regulator within 72 hours of becoming aware of the leakage. The timeline includes non-working days such as public holidays.
 

Administrative Fines and Penalties
 

  • Sanctions for failure to provide notice when obtaining consent

The Final Guide stipulates that while the provision on administrative fines for violating the obligation to notify data subjects of certain information when obtaining consent (Articles 15 (2), 17 (2), and 18 (3) of the PIPA) has been removed, where a data controller fails to clearly inform data subjects by not providing such information in violation of Article 22 of the PIPA and Article 17 of the Enforcement Decree of the PIPA, it could still be subject to an administrative fine for violating its obligation to obtain consent (Articles 15 (1), 17 (1), and 18 (1) through 18 (2) of the PIPA).
 

Removal of Regulations on Validity Period for Personal Information
 

  • Measures data controllers need to take when there is a change to dormant accounts policy

If a data controller changes its policy on dormant accounts due to the removal of the regulations on the validity period for personal information, it must give prior notice to users. The Final Guide stipulates that using such notice on changes in dormant accounts policy for marketing or advertising purposes could be in violation of the PIPA and the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.

The Final Guide provides that if any changes are made to the details of the services after the data subject has given consent, the data controller must obtain additional consent to the changes.

The Final Guide stipulates that the obligation to retain personal information for a certain period of time under laws such as the Framework Act on National Taxes and the E-Commerce Act is separate from the regulations on the validity period for personal information, and data controllers must continue to store such personal information separately.
 

As the Final Guide reflects the position of the PIPC on interpreting and enforcing the amended PIPA, it is a useful resource for companies and privacy professionals to interpret the amended PIPA going forward.

 
