The Personal Information Protection Commission (“PIPC”) unveiled amendments to the Privacy Policy Drafting Guidelines (the “Guidelines”) (available in Korean, Link) on April 21, 2025, ahead of this year’s privacy policy evaluation. Key amendments are as follows:[1]
|
1.
|
Specification of Grounds for Processing Personal Information
The amendments clarify which personal information can be shown in the privacy policy as not requiring consent for their processing (e.g., personal information necessary for executing and performing contracts, such as membership services and after-sales consultations) and which require consent (e.g., sharing personal information with third parties or processing sensitive and unique identification information, even if they are necessary for executing and performing contracts). This reflects updates to the consent system enacted in September 2024.
|
|
2.
|
Update on Methods for Listing Personal Information Being Processed and Retention Period
If there is a special circumstance that makes it difficult to list every specific personal information to be processed in the privacy policy, categorization is now allowed, especially for personal information used for automated decision-making. Furthermore, if it is difficult to specify the retention periods, the criteria used to decide the retention periods can be shown, instead.
|
|
3.
|
Disclosure of Contact Information of Departments Handling Personal Information-related Inquiries
Previously, a privacy policy could only show the contact information of the Chief Privacy Officer’s (“CPO”) department. Now, a privacy policy can also disclose contact details of the department that handles privacy-related inquiries, such as, a customer service center under the CPO’s supervision.
|
|
4.
|
Improvement to Privacy Policy Disclosure Method
The requirement for privacy policy disclosure, previously restricted to the bottom of the landing page of a website, now extends to locations like the service menu, settings, and membership registration/login area for easier access by data subjects.
|
|
5.
|
Specification of Data Subjects’ Rights
Data controllers are now required to specify how data transmission requests can be made and how the status and details of such transmissions can be confirmed. If automated decision-making methods are used, standards and procedures for automated decision-making must be specifically described in the privacy policy. The amendments also recommend specifying transparency standards when collecting and using data for AI training.
|
|
6.
|
Clarification on Refusing Behavioral Data Processing
The amendments contain various examples of describing ways to block or refuse cookies and targeted advertisements, such as deleting cookies saved on web browsers, deleting third-party cookies, and deleting all cookies.
|
The PIPC will release a plan for evaluating privacy policies in May, aiming for commencement by June, and the amended Guidelines will be integral in this evaluation. Therefore, it is crucial to thoroughly review the amended Guidelines to ensure compliance and readiness for evaluation.
[1] Please see our May 2, 2024 newsletter for information on the previous version of the Guidelines (Link).
[Korean Version]
