Tag archives: data subject

12Nov/24

Decree nº 13/2023/ND-CP, Hanoi April 17, 2023. Personal Data Protection

DECREE PERSONAL DATA PROTECTION

Pursuant to the Law on Organization of the Government dated June 19, 2015; Law amending and supplementing a number of articles of the Law on Organization of the Government and the Law on Organization of Local Government dated November 22, 2019;

Pursuant to the Civil Code dated November 24, 2015;

Pursuant to the Law on National Security dated December 3, 2004;

Pursuant to the Law on Cyber Security dated June 12, 2018;

At the request of the Minister of Public Security;

The Government issued a Decree on personal data protection.

Chapter I.- GENERAL PROVISIONS

Article 1. Scope of regulation and applicable subjects

1. This Decree provides for the protection of personal data and the responsibility of relevant agencies, organizations and individuals to protect personal data.

2. This Decree applies to:

a) Vietnamese agencies, organizations and individuals;

b) Foreign agencies, organizations and individuals in Vietnam;

c) Vietnamese agencies, organizations and individuals operating abroad;

d) Foreign agencies, organizations and individuals directly involved in or related to personal data processing activities in Vietnam.

Article 2. Interpretation of terms

In this Decree, the following terms are construed as follows:

1. Personal data is information in the form of symbols, letters, numbers, images, sounds or similar forms in an electronic environment that is associated with a specific person or helps to identify a specific person. Personal data includes basic personal data and sensitive personal data.

2. Information that helps identify a specific person is information generated from an individual’s activities that, when combined with other stored data and information, can identify a specific person.

3. Basic personal data includes:

a) Surname, middle name, birth name, other names (if any);

b) Date of birth; date of death or disappearance;

c) Gender;

d) Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;

d) Nationality;

e) Personal image;

g) Telephone number, identity card number, personal identification number, passport number, driver’s license number, vehicle license plate number, personal tax code number, social insurance number, health insurance card number;

h) Marital status;

i) Information about family relationships (parents, children);

k) Information about individual digital accounts; personal data reflecting activities and history of activities in cyberspace;

l) Other information associated with a specific person or helping to identify a specific person not covered by Clause 4 of this Article.

4. Sensitive personal data is personal data associated with an individual’s privacy that, when violated, will directly affect the individual’s legitimate rights and interests, including:

a) Political views, religious views;

b) Health status and personal information recorded in medical records, excluding blood type information;

c) Information related to racial origin, ethnic origin;

d) Information on inherited or acquired genetic characteristics of an individual;

d) Information on individual physical attributes and biological characteristics;

e) Information about an individual’s sexual life and sexual orientation;

g) Data on crimes and criminal acts collected and stored by law enforcement agencies;

h) Customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other licensed organizations, including: customer identification information as prescribed by law, account information, deposit information, deposited assets information, transaction information, information about organizations and individuals that are guarantors at credit institutions, bank branches, and payment intermediary service providers;

i) Data on the location of an individual determined through location services;

k) Other personal data that is specified by law as specific and requires necessary security measures.

5. Personal data protection is the activity of preventing, detecting, stopping and handling violations related to personal data according to the provisions of law.

6. Data subject is the individual about whom the personal data is reflected.

7. Processing of personal data is one or more activities affecting personal data, such as: collecting, recording, analyzing, validating, storing, editing, publishing, combining, accessing, retrieving, withdrawing, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying personal data or other related actions.

8. Consent of the data subject is the clear, voluntary, affirmative expression of permission for the processing of the data subject’s personal data.

9. The Personal Data Controller is the organization or individual that decides the purposes and means of processing personal data.

10. The Personal Data Processor is an organization or individual that processes data on behalf of the Data Controller, through a contract or agreement with the Data Controller.

11. The Controller and Processor of Personal Data is the organization or individual that simultaneously decides the purpose, means and directly processes personal data.

12. Third party is an organization or individual other than the Data Subject, Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor authorized to process personal data.

13. Automated personal data processing is a form of personal data processing carried out by electronic means to evaluate, analyze, and predict the activities of a specific person, such as: habits, preferences, trust level, behavior, location, trends, capacity and other cases.

14. Transferring personal data abroad is the activity of using cyberspace, devices, electronic means or other forms to transfer personal data of Vietnamese citizens to a location outside the territory of the Socialist Republic of Vietnam or using a location outside the territory of the Socialist Republic of Vietnam to process personal data of Vietnamese citizens, including:

a) Organizations, enterprises and individuals transfer personal data of Vietnamese citizens to organizations, enterprises and management departments abroad for processing in accordance with the purposes agreed to by the data subject;

b) Processing personal data of Vietnamese citizens by automated systems located outside the territory of the Socialist Republic of Vietnam by the Personal Data Controller, the Personal Data Controller and Processor, and the Personal Data Processor in accordance with the purposes agreed to by the data subject.

Article 3. Principles of personal data protection

1. Personal data is processed in accordance with the provisions of law.

2. The data subject is informed about the activities related to the processing of his/her personal data, unless otherwise provided by law.

3. Personal data shall only be processed for the purposes specified in the Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, and Third Party registration or declaration on personal data processing.

4. Personal data collected must be appropriate and limited to the scope and purpose of processing. Personal data may not be bought or sold in any form, unless otherwise provided by law.

5. Personal data is updated and supplemented in accordance with the processing purpose.

6. Personal data is protected and secured during processing, including protection against violations of personal data protection regulations and prevention of loss, destruction or damage due to incidents, using technical measures.

7. Personal data shall only be stored for the period relevant to the purposes for which the data is processed, unless otherwise provided by law.

8. The Personal Data Controller, the Personal Data Controller and Processor, and the Personal Data Processor shall be responsible for complying with the data processing principles set out in Clauses 1 to 7 of this Article and for demonstrating their compliance with such data processing principles.

Article 4. Handling of violations of personal data protection regulations

Agencies, organizations and individuals violating regulations on personal data protection, depending on the severity, may be subject to disciplinary action, administrative sanctions or criminal prosecution in accordance with regulations.

Article 5. State management of personal data protection

The Government unifies state management of personal data protection.

State management contents on personal data protection include:

1. Submit to competent state agencies for promulgation or promulgate under their authority legal documents and direct and organize the implementation of legal documents on personal data protection.

2. Develop and organize the implementation of strategies, policies, projects, programs, and plans on personal data protection.

3. Provide guidance to agencies, organizations and individuals on measures, processes and standards for protecting personal data in accordance with the provisions of law.

4. Propagating and educating about the law on personal data protection; communicating and disseminating knowledge and skills on personal data protection.

5. Develop, train and foster cadres, civil servants, public employees and those assigned to work on personal data protection.

6. Inspect and examine the implementation of legal provisions on personal data protection; resolve complaints and denunciations and handle violations of the law on personal data protection in accordance with the law.

7. Compile statistics, information and reports on the situation of personal data protection and the implementation of laws on personal data protection for competent state agencies.

8. International cooperation on personal data protection.

Article 6. Application of the Decree on Personal Data Protection, relevant laws and international treaties

Personal data protection is implemented in accordance with the provisions of international treaties to which the Socialist Republic of Vietnam is a member, other provisions of relevant Laws and this Decree.

Article 7. International cooperation on personal data protection

1. Develop an international cooperation mechanism to facilitate effective enforcement of laws on personal data protection.

2. Provide mutual legal assistance on personal data protection with other countries, including notification, request for complaint, assistance in investigation and exchange of information, with appropriate safeguards to protect personal data.

3. Organize conferences, seminars, scientific research and promote international cooperation activities in law enforcement to protect personal data.

4. Organize bilateral and multilateral meetings to exchange experiences in law-making and practices in personal data protection.

5. Technology transfer to serve personal data protection.

Article 8. Prohibited acts

1. Processing personal data contrary to the provisions of law on personal data protection.

2. Processing personal data to create information and data aimed at opposing the Socialist Republic of Vietnam.

3. Processing personal data to create information and data that affect national security, social order and safety, and the legitimate rights and interests of other organizations and individuals.

4. Obstructing the personal data protection activities of competent authorities.

5. Taking advantage of personal data protection activities to violate the law.

Chapter II.- PERSONAL DATA PROTECTION ACTIVITIES

Section 1. RIGHTS AND OBLIGATIONS OF DATA SUBJECTS

Article 9. Rights of data subjects

1. Right to know

The data subject is informed about the processing of his personal data, unless otherwise provided by law.

2. Right to consent

Data subjects may consent or not consent to the processing of their personal data, except in the cases provided for in Article 17 of this Decree.

3. Access Rights

Data subjects have access to view, correct or request correction of their personal data, unless otherwise provided by law.

4. Right to withdraw consent

The data subject has the right to withdraw his or her consent, unless otherwise provided by law.

5. Right to data erasure

Data subjects have the right to delete or request deletion of their personal data, unless otherwise provided by law.

6. Right to restriction of data processing

a) Data subjects are entitled to request restriction of the processing of their personal data, unless otherwise provided by law;

b) Restriction of data processing is carried out within 72 hours of the data subject’s request, with respect to all personal data that the data subject requests restriction, unless otherwise provided by law.

7. Right to data portability

The data subject is entitled to request the Personal Data Controller, the Personal Data Controller and Processor to provide him/her with his/her personal data, unless otherwise provided by law.

8. Right to object to data processing

a) The data subject may object to the Personal Data Controller, the Personal Data Controller and Processor processing his/her personal data in order to prevent or restrict the disclosure of personal data or its use for advertising or marketing purposes, unless otherwise provided by law;

b) The Personal Data Controller and the Personal Data Controller and Processor shall execute the request of the data subject within 72 hours of receipt of the request, unless otherwise provided by law.

9. Right to complain, denounce, and sue

Data subjects have the right to complain, denounce or file a lawsuit in accordance with the provisions of law.

10. Right to claim damages

Data subjects have the right to request compensation for damages in accordance with the law when there is a violation of the regulations on the protection of their personal data, unless the parties have agreed otherwise or the law provides otherwise.

11. Right to self-defense

Data subjects have the right to self-protection in accordance with the provisions of the Civil Code, other relevant laws and this Decree, or to request competent agencies and organizations to implement methods to protect civil rights in accordance with the provisions of Article 11 of the Civil Code.

Article 10. Obligations of data subjects

1. Protect your personal data yourself; request other relevant organizations and individuals to protect your personal data.

2. Respect and protect the personal data of others.

3. Provide complete and accurate personal data when agreeing to allow the processing of personal data.

4. Participate in promoting and disseminating personal data protection skills.

5. Comply with legal regulations on personal data protection and participate in preventing and combating violations of regulations on personal data protection.

Section 2. PROTECTION OF PERSONAL DATA DURING PERSONAL DATA PROCESSING

Article 11. Consent of the data subject

1. The consent of the data subject applies to all operations in the processing of personal data, unless otherwise provided by law.

2. The data subject’s consent is only valid when the data subject voluntarily and clearly knows the following contents:

a) The type of personal data processed;

b) Purpose of processing personal data;

c) Organizations and individuals whose personal data is processed;

d) Rights and obligations of data subjects.

3. The data subject’s consent must be clearly and specifically expressed in writing, by voice, by checking a consent box, by text message consent syntax, by selecting technical consent settings or by another action that demonstrates this.

4. Consent must be given for the same purpose. Where there are multiple purposes, the Personal Data Controller, the Personal Data Controller and Processor, and the Personal Data Processor shall list the purposes so that the data subject may consent to one or more of the stated purposes.

5. The data subject’s consent must be expressed in a format that can be printed, reproduced in writing, including in electronic form or in a verifiable format.

6. Silence or non-response of the data subject shall not be considered as consent.

7. The data subject may give consent in part or with conditions attached.

8. For the processing of sensitive personal data, the data subject must be informed that the data to be processed is sensitive personal data.

9. The data subject’s consent is valid until the data subject decides otherwise or until a competent state authority requests it in writing.

10. In the event of a dispute, the burden of proving the data subject’s consent lies with the Personal Data Controller, the Personal Data Controller and the Personal Data Processor.

11. Through authorization as prescribed by the Civil Code, organizations and individuals may, on behalf of data subjects, carry out procedures related to the processing of personal data of data subjects with the Personal Data Controller, the Personal Data Controller and Processor in cases where the data subject has clearly known and agreed as prescribed in Clause 3 of this Article, unless otherwise provided by law.

Article 12. Withdrawal of consent

1. Withdrawal of consent does not affect the lawfulness of the processing of data that was consented to before the withdrawal of consent.

2. The withdrawal of consent must be in a format that can be printed, reproduced in writing, including in electronic form or in a verifiable format.

3. Upon receiving a request to withdraw consent from a data subject, the Personal Data Controller and the Personal Data Controller and Processor shall notify the data subject of the consequences and possible damages of withdrawing consent.

4. After implementing the provisions of Clause 2 of this Article, the Data Controller, Data Processor, Data Controller and Processor, and Third Party must stop and request relevant organizations and individuals to stop processing the data of the data subject who has withdrawn consent.

Article 13. Notification of personal data processing

1. Notification shall be made once before proceeding with any personal data processing activity.

2. Content of notification to data subjects about personal data processing:

a) Purpose of processing;

b) The type of personal data used in relation to the processing purposes specified in Point a, Clause 2 of this Article;

c) Processing method;

d) Information about other organizations and individuals related to the processing purposes specified in Point a, Clause 2 of this Article;

d) Unwanted consequences and damages that may occur;

e) Start time, end time of data processing.

3. The notice to the data subject shall be in a format that can be printed, reproduced in writing, including in electronic form or in a verifiable format.

4. The Personal Data Controller and the Personal Data Controller and Processor are not required to comply with the provisions of Clause 1 of this Article in the following cases:

a) The data subject has clearly known and fully agreed to the contents specified in Clause 1 and Clause 2 of this Article before agreeing to let the Personal Data Controller and the Personal Data Controller and Processor collect personal data, in accordance with the provisions of Article 9 of this Decree;

b) Personal data is processed by competent state agencies for the purpose of serving the activities of state agencies in accordance with the provisions of law.

Article 14. Provision of personal data

1. The data subject is entitled to request the Personal Data Controller, the Personal Data Controller and Processor to provide him/her with his/her personal data.

2. Personal Data Controller, Personal Data Controller and Processor:

a) Provide personal data of data subjects to other organizations and individuals with the consent of the data subject, except where otherwise provided by law;

b) On behalf of the data subject, provide the data subject’s personal data to another organization or individual when the data subject agrees to allow representation and authorization, unless otherwise provided by law.

3. The provision of personal data to the data subject is carried out by the Personal Data Controller, the Personal Data Controller and Processor within 72 hours of the request of the data subject, unless otherwise provided by law.

4. The Personal Data Controller, the Personal Data Controller and Processor shall not provide personal data in the following cases:

a) Causing harm to national defense, national security, and social order and safety;

b) The provision of personal data to the data subject may affect the safety, physical or mental health of another person;

c) The data subject does not agree to provide, allow a representative or proxy to receive personal data.

5. Form of request for provision of personal data:

a) The data subject directly or authorizes another person to come to the headquarters of the Personal Data Controller, the Personal Data Controller and Processor to request the provision of personal data.

The request recipient is responsible for guiding the requesting organization or individual to fill in the Personal Data Request Form.

In case the organization or individual requesting information is illiterate or disabled and cannot write the request, the person receiving the request for information is responsible for helping to fill in the contents of the Personal Data Request Form;

b) Send the Request for providing personal data according to Forms No. 01 and 02 in the Appendix of this Decree via electronic network, postal service or fax to the Personal Data Controller, Personal Data Controller and Processor.

6. The request form for providing personal data must be presented in Vietnamese and include the following main contents:

a) Full name; place of residence, address; identity card number, citizen identification card number or passport number of the requester; fax number, telephone number, email address (if any);

b) Personal data requested to be provided, specifying the name of the document, file, or material;

c) Form of providing personal data;

d) Reason and purpose of requesting personal data.

7. In case of request for provision of personal data as prescribed in Clause 2 of this Article, it must be accompanied by written consent of the relevant individual or organization.

8. Receiving requests for personal data

a) The Personal Data Controller, the Personal Data Controller and Processor are responsible for receiving requests for personal data provision and monitoring the process and list of personal data provision upon request;

b) In case the requested personal data is not within the authority, the Personal Data Controller and the Personal Data Controller and Processor receiving the request must notify and guide the requesting organization or individual to the competent authority or clearly notify that the personal data cannot be provided.

9. Handling requests for personal data

Upon receiving a valid request for personal data provision, the Personal Data Controller and the Personal Data Controller and Processor shall be responsible for providing personal data, notifying the deadline, location, and form of personal data provision; actual costs for printing, copying, photographing, sending information via postal service, fax (if any) and payment method and deadline; and providing personal data in accordance with the order and procedures prescribed in this Article.

Article 15. Correction of personal data

1. Data subject:

a) To access, view and edit one’s personal data after it has been collected by the Personal Data Controller, the Personal Data Controller and Processor with consent, unless otherwise provided by law;

b) Where direct correction is not possible for technical or other reasons, the data subject requests the Personal Data Controller, the Personal Data Controller and Processor to correct his/her personal data.

2. The Personal Data Controller and the Personal Data Controller and Processor shall correct the personal data of the data subject after obtaining the consent of the personal data subject as soon as possible or as prescribed by specialized laws. In case it is not possible to do so, the data subject shall be notified within 72 hours of receiving the request to correct the personal data of the data subject.

3. The Personal Data Processor, Third Party may edit the personal data of the data subject after obtaining the written consent of the Personal Data Controller, the Personal Data Controller and Processor and knowing that the consent of the data subject has been obtained.

Article 16. Storage, deletion and destruction of personal data

1. The data subject is entitled to request the Personal Data Controller, the Personal Data Controller and Processor to delete his/her personal data in the following cases:

a) Realizing that the personal data is no longer necessary for the purpose of collection that was agreed to, and accepting the possible damages when requesting data deletion;

b) Withdrawal of consent;

c) Object to the processing of data and the Personal Data Controller, the Personal Data Controller and Processor have no legitimate reasons to continue processing;

d) Personal data is processed in a manner inconsistent with the agreed purpose or the processing of personal data is in violation of the provisions of law;

d) Personal data must be deleted according to the provisions of law.

2. Data deletion will not be applied upon request of the data subject in the following cases:

a) The law does not allow data deletion;

b) Personal data is processed by competent state agencies for the purpose of serving the activities of state agencies in accordance with the provisions of law;

c) Personal data has been made public in accordance with the provisions of law;

d) Personal data is processed to serve legal requirements, scientific research, and statistics as prescribed by law;

d) In case of emergency regarding national defense, security, social order and safety, major disasters, dangerous epidemics; when there is a threat to national security and defense but not to the extent of declaring a state of emergency; preventing and combating riots, terrorism, preventing and combating crimes and violations of the law;

e) Respond to an emergency situation that threatens the life, health or safety of a data subject or other individual.

3. In case of division, separation, merger, consolidation or dissolution of an enterprise, personal data will be transferred in accordance with the provisions of law.

4. In case of division, separation, merger of agencies, organizations, administrative units and reorganization, conversion of ownership form of state-owned enterprises, personal data shall be transferred in accordance with the provisions of law.

5. Data deletion is performed within 72 hours of the data subject’s request for all personal data collected by the Personal Data Controller, the Personal Data Controller and Processor, unless otherwise provided by law.

6. The Personal Data Controller, the Personal Data Controller and Processor, the Personal Data Processor, and the Third Party shall store personal data in a form appropriate to their operations and take measures to protect personal data in accordance with the provisions of law.

7. The Personal Data Controller, Personal Data Controller and Processor, Personal Data Processor, Third Party shall irreversibly delete in the event of:

a) Processing data for purposes other than those for which the data subject has consented or for which the purpose of processing personal data has been fulfilled;

b) The storage of personal data is no longer necessary for the operations of the Personal Data Controller, Personal Data Controller and Processor, Personal Data Processor, or Third Party;

c) The Personal Data Controller, the Personal Data Controller and Processor, the Personal Data Processor, the Third Party is dissolved or no longer operating or declares bankruptcy or terminates its business operations in accordance with the law.

Article 17. Processing of personal data without the consent of the data subject

1. In case of emergency, it is necessary to immediately process relevant personal data to protect the life or health of the data subject or other persons. The Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, and Third Party shall have the responsibility to prove this case.

2. Disclosure of personal data as prescribed by law.

3. Data processing by competent state agencies in case of emergency regarding national defense, national security, social order and safety, major disasters, dangerous epidemics; when there is a threat to national security and defense but not to the extent of declaring a state of emergency; preventing and combating riots, terrorism, preventing and combating crimes and violations of the law as prescribed by law.

4. To perform the data subject’s contractual obligations with relevant agencies, organizations and individuals as prescribed by law.

5. Serving the activities of state agencies as prescribed by specialized laws.

Article 18. Processing of personal data collected from recording and filming activities in public places

Competent agencies and organizations are authorized to record audio, video and process personal data obtained from recording and video recording activities in public places for the purpose of protecting national security, social order and safety, and the legitimate rights and interests of organizations and individuals in accordance with the provisions of law without the consent of the subject. When recording and video recording, competent agencies and organizations are responsible for notifying the subject so that he or she understands that he or she is being recorded and video recorded, unless otherwise provided by law.

Article 19. Processing of personal data of persons declared missing or dead

1. The processing of personal data relating to the personal data of a person declared missing or deceased must have the consent of that person’s spouse or adult child. In the absence of such persons, the consent of the parent of the person declared missing or deceased must be obtained, except in the cases specified in Articles 17 and 18 of this Decree.

2. In case all the persons mentioned in Clause 1 of this Article are not present, it is considered that there is no consent.

Article 20. Processing of children’s personal data

1. Processing of children’s personal data is always carried out in accordance with the principle of protecting the rights and in the best interests of the child.

2. The processing of children’s personal data must have the consent of the child in cases where the child is 7 years of age or older and has the consent of the parent or guardian as prescribed, except in cases specified in Article 17 of this Decree. The Personal Data Controller, the Personal Data Processor, the Personal Data Controller and Processor, and the Third Party must verify the age of the child before processing the child’s personal data.

3. Stop processing children’s personal data, irreversibly delete or destroy children’s personal data in case of:

a) Processing data for purposes other than those for which the data subject has consented or for which the purpose of processing personal data has been fulfilled, unless otherwise provided by law;

b) The child’s parent or guardian withdraws consent to the processing of the child’s personal data, unless otherwise provided by law;

c) At the request of competent authorities when there is sufficient evidence to prove that the processing of personal data affects the rights and legitimate interests of children, unless otherwise provided by law.

Article 21. Protection of personal data in marketing services and advertising product introduction

1. Organizations and individuals providing marketing services and advertising product introduction may only use customers’ personal data collected through their business activities to provide marketing services and advertising product introduction with the consent of the data subject.

2. Processing of customers’ personal data for marketing services and advertising product introduction must have the customer’s consent, on the basis that the customer clearly knows the content, method, form, and frequency of product introduction.

3. Organizations and individuals providing marketing services and introducing advertising products are responsible for proving that the use of personal data of customers whose products are introduced is in accordance with the provisions of Clause 1 and Clause 2 of this Article.

Article 22. Illegal collection, transfer, purchase and sale of personal data

1. Organizations and individuals involved in processing personal data must apply personal data protection measures to prevent unauthorized collection of personal data from their systems and service equipment.

2. Establishing software systems, technical measures or organizing activities to collect, transfer, buy and sell personal data without the consent of the data subject is a violation of the law.

Article 23. Notification of violations of regulations on personal data protection

1. In case of detecting a violation of personal data protection regulations, the Personal Data Controller and the Personal Data Controller and Processor shall notify the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention and Control) no later than 72 hours after the violation occurs according to Form No. 03 in the Appendix of this Decree. In case of notification after 72 hours, the reason for the late notification must be included.

2. The Personal Data Processor must notify the Personal Data Controller as soon as possible after becoming aware of a breach of the personal data protection regulations.

3. Content of notification of violation of regulations on personal data protection:

a) Describe the nature of the violation of personal data protection regulations, including: time, location, behavior, organization, individual, types of personal data and quantity of data involved;

b) Contact details of the employee assigned to protect data or the organization or individual responsible for protecting personal data;

c) Describe the consequences and possible damages of violating personal data protection regulations;

d) Describe the measures taken to address and mitigate the harm caused by breaches of personal data protection regulations.

4. In case it is not possible to fully notify the contents specified in Clause 3 of this Article, the notification may be made in batches and stages.

5. The Personal Data Controller and the Personal Data Controller and Processor must make a Record of Confirmation of the occurrence of a violation of personal data protection regulations and coordinate with the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention) to handle the violation.

6. Organizations and individuals shall notify the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention) when discovering the following cases:

a) Detecting violations of the law on personal data;

b) Personal data is processed for the wrong purpose, not in accordance with the original agreement between the data subject and the Personal Data Controller, the Personal Data Controller and Processor or in violation of the provisions of law;

c) The rights of data subjects are not guaranteed or not properly exercised;

d) Other cases as prescribed by law.

Section 3. IMPACT ASSESSMENT AND TRANSFER OF PERSONAL DATA ABROAD

Article 24. Assessment of the impact of personal data processing

1. The Personal Data Controller and the Personal Data Controller and Processor shall establish and maintain a Personal Data Processing Impact Assessment Dossier from the moment the processing of personal data commences.

The personal data processing impact assessment dossier of the Personal Data Controller and the Personal Data Controller and Processor includes:

a) Information and contact details of the Personal Data Controller, the Personal Data Controller and Processor;

b) Full name and contact details of the organization assigned to perform the task of protecting personal data and the personal data protection officer of the Personal Data Controller, the Personal Data Controller and Processor;

c) Purpose of processing personal data;

d) Types of personal data processed;

đ) Organizations and individuals receiving personal data, including organizations and individuals outside the territory of Vietnam;

e) In case of transferring personal data abroad;

g) Time for processing personal data; expected time for deleting or destroying personal data (if any);

h) Description of the personal data protection measures applied;

i) Assess the level of impact of personal data processing; consequences, unexpected damages that may occur, measures to minimize or eliminate such risks and harms.

2. The Personal Data Processor shall prepare and maintain a Personal Data Processing Impact Assessment Record in the event of performing a contract with the Personal Data Controller. The Personal Data Processor’s Personal Data Processing Impact Assessment Record shall include:

a) Information and contact details of the Personal Data Processor;

b) Full name and contact details of the organization assigned to process personal data and the employees of the Personal Data Processor performing the personal data processing;

c) Description of the processing activities and types of personal data processed under the contract with the Personal Data Controller;

d) Time for processing personal data; expected time for deleting or destroying personal data (if any);

đ) In case of transferring personal data abroad;

e) General description of the personal data protection measures applied;

g) Possible undesirable consequences and damages, measures to minimize or eliminate such risks and damages.

3. The personal data processing impact assessment records specified in Clauses 1 and 2 of this Article shall be established in a legally valid document of the Personal Data Controller, the Personal Data Controller and Processor or the Personal Data Processor.

4. The dossier assessing the impact of personal data processing must always be available to serve the inspection and assessment activities of the Ministry of Public Security, and 01 original copy shall be sent to the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention and Control) according to Form No. 04 in the Appendix of this Decree within 60 days from the date of processing personal data.

5. The Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention) shall assess and request the Personal Data Controller, Personal Data Controller and Processor, and Personal Data Processor to complete the Personal Data Processing Impact Assessment File in case the file is incomplete and not in accordance with regulations.

6. The Personal Data Controller, the Personal Data Controller and Processor, and the Personal Data Processor shall update and supplement the Personal Data Processing Impact Assessment File when there is a change in the content of the file sent to the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention and Control) according to Form No. 05 in the Appendix of this Decree.

Article 25. Transfer of personal data abroad

1. Personal data of Vietnamese citizens is transferred abroad in case the Party transferring data abroad prepares a dossier to assess the impact of transferring personal data abroad and carries out the procedures prescribed in Clauses 3, 4 and 5 of this Article. The Party transferring data abroad includes the Personal Data Controller, the Personal Data Controller and Processor, the Personal Data Processor, and the Third Party.

2. The dossier on the assessment of the impact of transferring personal data abroad includes:

a) Information and contact details of the Data Transfer Party and the Data Recipient of the personal data of Vietnamese citizens;

b) Full name and contact details of the organization or individual in charge of the Data Transfer Party related to the transfer and receipt of personal data of Vietnamese citizens;

c) Describe and explain the objectives of the activities of processing personal data of Vietnamese citizens after being transferred abroad;

d) Describe and clarify the type of personal data transferred abroad;

đ) Describe and clearly state the compliance with the personal data protection regulations in this Decree, detailing the personal data protection measures applied;

e) Assess the level of impact of personal data processing; consequences, unexpected damages that may occur, measures to minimize or eliminate such risks and harms;

g) Consent of the data subject as prescribed in Article 11 of this Decree on the basis of clearly knowing the feedback and complaint mechanism when an incident or request arises;

h) There is a document showing the binding and responsibility between organizations and individuals transferring and receiving personal data of Vietnamese citizens regarding the processing of personal data.

3. Records of the assessment of the impact of transferring personal data abroad must always be available to serve the inspection and assessment activities of the Ministry of Public Security.

The party transferring data abroad shall send 01 original copy of the dossier to the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention and Control) according to Form No. 06 in the Appendix of this Decree within 60 days from the date of processing personal data.

4. The data transferor shall notify the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention) of information about the data transfer and contact details of the responsible organization or individual in writing after the data transfer is successful.

5. The Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention) shall assess and request the Party transferring data abroad to complete the Dossier on assessing the impact of transferring personal data abroad in case the dossier is not complete and in accordance with regulations.

6. The Party transferring data abroad shall update and supplement the Dossier on the assessment of the impact of transferring personal data abroad when there is a change in the content of the dossier sent to the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention and Control) according to Form No. 05 in the Appendix of this Decree. The time limit for completing the dossier for the Party transferring data abroad is 10 days from the date of request.

7. Based on the specific situation, the Ministry of Public Security shall decide to inspect the transfer of personal data abroad once a year, except in cases where violations of the provisions of the law on personal data protection in this Decree are discovered or incidents of disclosure or loss of personal data of Vietnamese citizens occur.

8. The Ministry of Public Security decides to request the Party transferring data abroad to stop transferring personal data abroad in the following cases:

a) When it is discovered that the transferred personal data is used for activities that violate the interests and national security of the Socialist Republic of Vietnam;

b) The party transferring data abroad does not comply with the provisions in Clause 5 and Clause 6 of this Article;

c) Allowing incidents of personal data of Vietnamese citizens to be disclosed or lost.

Section 4. MEASURES AND CONDITIONS TO ENSURE PERSONAL DATA PROTECTION

Article 26. Measures to protect personal data

1. Personal data protection measures are applied from the beginning and throughout the processing of personal data.

2. Measures to protect personal data, including:

a) Management measures implemented by organizations and individuals involved in processing personal data;

b) Technical measures implemented by organizations and individuals involved in processing personal data;

c) Measures taken by competent state management agencies in accordance with the provisions of this Decree and relevant laws;

d) Investigation and prosecution measures implemented by competent state agencies;

đ) Other measures as prescribed by law.

Article 27. Protection of basic personal data

1. Apply the measures prescribed in Clause 2, Article 26 of this Decree.

2. Develop and promulgate regulations on personal data protection, clearly stating the tasks to be performed according to the provisions of this Decree.

3. Encourage the application of personal data protection standards appropriate to the fields, professions and activities related to the processing of personal data.

4. Check the network security of the systems, means and equipment serving the processing of personal data before processing, and irrecoverably delete or destroy devices containing personal data.

Article 28. Protection of sensitive personal data

1. Apply the measures prescribed in Clause 2, Article 26 and Article 27 of this Decree.

2. Designate a department responsible for protecting personal data, designate personnel responsible for protecting personal data and exchange information about the department and individuals responsible for protecting personal data with the Personal Data Protection Authority. In case the Personal Data Controller, Personal Data Controller and Processor, Data Processor, or Third Party is an individual, the information of the individual performing the task shall be exchanged.

3. Notify the data subject that his/her sensitive personal data is being processed, except in the cases specified in Clause 4, Article 13, Article 17 and Article 18 of this Decree.

Article 29. Specialized agency for personal data protection and National Portal on personal data protection

1. The agency responsible for protecting personal data is the Department of Cyber Security and High-Tech Crime Prevention and Control – Ministry of Public Security, responsible for assisting the Ministry of Public Security in performing state management of personal data protection.

2. National portal on personal data protection:

a) Provide information on the Party’s guidelines, policies, and State laws on personal data protection;

b) Disseminate and popularize policies and laws on personal data protection;

c) Update information and status of personal data protection;

d) Receive information, records, and data on personal data protection activities via cyberspace;

đ) Provide information on the results of the assessment of personal data protection work of relevant agencies, organizations and individuals;

e) Receive notices of violations of regulations on personal data protection;

g) Warn and coordinate warnings about risks and acts of personal data infringement according to the provisions of law;

h) Handle violations of personal data protection according to the provisions of law;

i) Carry out other activities as prescribed by law on personal data protection.

Article 30. Conditions for ensuring personal data protection activities

1. Personal data protection force:

a) The task force responsible for protecting personal data is arranged at the Personal Data Protection Agency;

b) Departments and personnel with the function of protecting personal data are designated in agencies, organizations and enterprises to ensure compliance with regulations on personal data protection;

c) Organizations and individuals are mobilized to participate in protecting personal data;

d) The Ministry of Public Security shall develop specific programs and plans to develop human resources for personal data protection.

2. Agencies, organizations and individuals are responsible for disseminating knowledge and skills, and raising awareness of personal data protection for agencies, organizations and individuals.

3. Ensure facilities and operating conditions for the Agency specializing in personal data protection.

Article 31. Funding for ensuring personal data protection activities

1. Financial sources for personal data protection include the state budget; support from domestic and foreign agencies, organizations and individuals; revenue from providing personal data protection services; international aid and other legal sources of revenue.

2. The budget for personal data protection of state agencies is guaranteed by the state budget and is arranged in the annual state budget estimate. The management and use of state budget funds are implemented in accordance with the provisions of the law on state budget.

3. The budget for protecting personal data of organizations and enterprises shall be arranged and implemented by organizations and enterprises themselves according to regulations.

Chapter III.- RESPONSIBILITIES OF AGENCIES, ORGANIZATIONS AND INDIVIDUALS

Article 32. Responsibilities of the Ministry of Public Security

1. Assist the Government in implementing unified state management of personal data protection.

2. Guide and implement activities to protect personal data, protect the rights of data subjects against violations of the law on personal data protection, propose the promulgation of Personal Data Protection Standards and recommendations for application.

3. Build, manage and operate the National Portal on personal data protection.

4. Evaluate the results of personal data protection work of relevant agencies, organizations and individuals.

5. Receive documents, forms, and information on personal data protection as prescribed in this Decree.

6. Promote measures and conduct research to innovate in the field of personal data protection, and implement international cooperation on personal data protection.

7. Inspect, examine, resolve complaints, denunciations, and handle violations of regulations on personal data protection according to the provisions of law.

Article 33. Responsibilities of the Ministry of Information and Communications

1. Direct media agencies, press, organizations and enterprises in the management field to implement personal data protection according to the provisions of this Decree.

2. Develop, guide and implement measures to protect personal data and ensure network information security for personal data in information and communication activities according to assigned functions and tasks.

3. Coordinate with the Ministry of Public Security in inspecting, examining and handling violations of the law on personal data protection.

Article 34. Responsibilities of the Ministry of National Defense

Manage, inspect, examine, supervise, handle violations and apply regulations on personal data protection to agencies, organizations and individuals under the management of the Ministry of National Defense according to legal regulations and assigned functions and tasks.

Article 35. Responsibilities of the Ministry of Science and Technology

1. Coordinate with the Ministry of Public Security in developing Personal Data Protection Standards and recommendations for applying Personal Data Protection Standards.

2. Research and discuss with the Ministry of Public Security on measures to protect personal data in line with the development of science and technology.

Article 36. Responsibilities of ministries, ministerial-level agencies, and government agencies

1. Implement state management of personal data protection for sectors and fields under management according to the provisions of law on personal data protection.

2. Develop and implement the contents and tasks of personal data protection in this Decree.

3. Supplement regulations on personal data protection in the development and implementation of tasks of ministries and branches.

4. Arrange funding for personal data protection activities according to current budget management hierarchy.

5. Issue an Open Data Catalog in compliance with personal data protection regulations.

Article 37. Responsibilities of People’s Committees of provinces and centrally run cities

1. Implement state management of personal data protection for sectors and fields under management according to the provisions of law on personal data protection.

2. Implement the provisions on personal data protection in this Decree.

3. Arrange funding for personal data protection activities according to current budget management hierarchy.

4. Issue an Open Data Catalog in compliance with personal data protection regulations.

Article 38. Responsibilities of the Personal Data Controller

1. Implement appropriate organizational and technical measures and safety and security measures to demonstrate that data processing activities have been carried out in accordance with the provisions of the law on personal data protection, review and update these measures as necessary.

2. Record and store system logs of personal data processing.

3. Notify violations of regulations on personal data protection as prescribed in Article 23 of this Decree.

4. Select a Personal Data Processor that is suitable for a clear mandate and only work with Personal Data Processors that have appropriate safeguards in place.

5. Ensure the rights of data subjects as prescribed in Article 9 of this Decree.

6. The Personal Data Controller is responsible to the data subject for damages caused by the processing of personal data.

7. Coordinate with the Ministry of Public Security and competent state agencies in protecting personal data, providing information to serve the investigation and handling of violations of the law on personal data protection.

Article 39. Responsibilities of the Personal Data Processor

1. Personal data shall only be received after a contract or agreement on data processing has been entered into with the Personal Data Controller.

2. Process personal data in accordance with the contract or agreement concluded with the Personal Data Controller.

3. Fully implement personal data protection measures prescribed in this Decree and other relevant legal documents.

4. The Personal Data Processor is responsible to the data subject for damages caused by the processing of personal data.

5. Delete and return all personal data to the Personal Data Controller after the data processing is completed.

6. Coordinate with the Ministry of Public Security and competent state agencies in protecting personal data, providing information to serve the investigation and handling of violations of the law on personal data protection.

Article 40. Responsibilities of the Data Controller and Processor

Fully comply with the provisions on the responsibilities of the Personal Data Controller and the Personal Data Processor.

Article 41. Third Party Liability

Fully comply with the provisions on responsibility for handling personal data as prescribed in this Decree.

Article 42. Responsibilities of relevant organizations and individuals

1. Take measures to protect your personal data and be responsible for the accuracy of the personal data you provide.

2. Implement the provisions on personal data protection in this Decree.

3. Promptly notify the Ministry of Public Security of violations related to personal data protection activities.

4. Coordinate with the Ministry of Public Security in handling violations related to personal data protection activities.

Chapter IV.- TERMS OF IMPLEMENTATION

Article 43. Entry into force

1. This Decree comes into force from July 1, 2023.

2. Micro-enterprises, small enterprises, medium-sized enterprises, and startups have the right to choose to be exempted from the regulations on the appointment of individuals and personal data protection departments for the first 02 years from the date of establishment of the enterprise.

3. Micro-enterprises, small enterprises, medium-sized enterprises, and start-ups directly engaged in personal data processing activities are not subject to the provisions of Clause 2 of this Article.

Article 44. Responsibility for implementation

1. The Minister of Public Security shall urge, inspect and guide the implementation of this Decree.

2. Ministers, Heads of ministerial-level agencies, Heads of Government agencies, Chairmen of People’s Committees of provinces and centrally run cities are responsible for implementing this Decree./.

For the Prime Minister, Deputy Prime Minister Tran Luu Quang

10Mar/24

Data Protection Act, 2020, Malawi, 16 December 2021


MEMORANDUM

As the Malawi economy becomes increasingly reliant on digital technologies, there is a need to protect personal data of individuals collected, generated, stored and utilized by public and private sector institutions including in the provision of healthcare, health and other types of insurance, education, banking and financial services, hospitality services, civil registration, voting, immigration, national ID and delivery of social programmes.

Such personal data can be stolen, lost, disclosed, misused and abused by those who collect, generate, store and utilize it, resulting in identity theft, unwarranted or embarrassing disclosures, loss of information and unwarranted marketing and solicitation.

In recognition of the dangers posed to individuals by the unregulated or uncontrolled collection and use of personal data and the critical role that the integrity of data, including personal data, plays in the modernization of the Malawi economy, this Bill seeks to provide a comprehensive legislative framework for the protection and security of personal data, consolidate data protection provisions currently found in various Acts of Parliament, and protect the digital privacy of individuals without hampering social and economic development in Malawi.

The Bill is divided into ten parts.

Part I contains preliminary provisions, namely, the short title of the Bill, the definitions of various terms or expressions used in the Bill and the objectives of the Bill. The overall objective of this Bill is to regulate matters relating to personal data.

Part I also provides for the scope of the application of the Bill. The Bill applies where the data controller or data processor, as defined in the Bill, is domiciled, ordinarily resident, or ordinarily operating in Malawi, is processing personal data within Malawi, or, subject to some limitations, is processing personal data of a data subject who is in Malawi. The Bill does not apply to the collection or processing of personal data for personal, recreational or household purposes, or for security, law enforcement or public health purposes.

In Part II, the Bill designates the Malawi Communications Regulatory Authority as the Authority to regulate and monitor personal data protection and digital privacy in Malawi and oversee the implementation of and be responsible for the enforcement of the Bill. A Data Protection Office is established within the Authority responsible for the activities relating to data protection under the Bill. Part II also describes various administrative processes relating to the Authority’s data protection duties, functions and powers.

Part III provides for the principles governing the processing of personal data. It requires a data controller or data processor to process data fairly and in a transparent manner and only where (a) the data subject has given and not withdrawn his consent, and (b) the data are required for legitimate purposes outlined in the Bill. The Bill further limits the processing of sensitive personal data. All processing of personal data must adhere to internationally recognized data protection principles set out in Part III.

Part III also requires a data controller or data processor to obtain the consent of a parent or legal guardian where the processing of personal data relates to a person below the age of eighteen years of age. Further, Part III requires a data controller and data processor to carry out a data protection impact assessment where processing is likely to result in high risk to the rights and freedoms of a data subject and to notify the Malawi Communication Regulatory Authority of the results.

Part IV grants a data subject individual rights with respect to personal data, including the right to freely (a) obtain from a data controller or data processor copies of his personal data in a commonly used electronic format and demand correction of any inaccurate information or deletion of inaccurate, incomplete or misleading information, and (b) object, or withdraw his consent previously given, to the processing of his personal data.

Part V deals with data security. It compels a data controller or data processor to implement appropriate technical and organizational measures to ensure the security, integrity and confidentiality of personal data in its possession or under its control, including protection against accidental or unlawful destruction, loss, misuse or alteration and unauthorized disclosure or access.

The Bill sets out obligations of the data controller to report any personal data breaches to the Malawi Communication Regulatory Authority and, where the breach is likely to affect rights and freedoms of individuals, to the data subject.

Part VI restricts a data controller or data processor from transferring personal data from Malawi to another country except in the circumstances outlined therein.

Part VII provides for the registration of data controllers or data processors of major importance as defined in section 2 of the Bill. The Authority shall maintain a register published on its website of duly registered data controllers or data processors of major importance and prescribe annual fees to be paid by them.

Part VIII deals with provisions for the enforcement of compliance by data controllers and data processors with the requirements of this Bill. It empowers a data subject who is aggrieved by the decision, action or inaction of a data controller or data processor in violation of this Bill and or regulations, rules or other subsidiary legislation or orders to lodge a complaint with the Authority.

Part VIII also obliges the Authority to initiate an investigation on its own accord or upon reference by the data subject in accordance with rules and procedures published in the Gazette, and make appropriate compliance and enforcement orders against the violating data controller or data processor. A data controller or data processor who fails to comply with a compliance or enforcement order is liable to a fine of K5,000,000 and imprisonment for two years.

Part IX deals with miscellaneous matters. It provides for exceptions to the application of the obligations and rights under Parts III, IV, V, VI, VII and VIII when a data controller or data processor is processing personal data for the purposes of the prevention, detection or prosecution of criminal offences; promotion of public health or control of epidemics; national security; or where the processing is carried out in connection with a licensed credit reference bureau under the Credit Reference Bureau Act, Cap. 46:09. Part IX also empowers the Minister responsible for personal data protection and security to make, on the recommendation of the Malawi Communication Regulatory Authority, regulations for the better carrying out of the Bill.

Parliament is informed that in order to implement the mechanics of this Bill and make this Bill the umbrella law on the protection and security of personal data in Malawi, it is necessary to amend or repeal, as the case may be, provisions related to personal data protection in two existing Acts of Parliament, namely, Access to Information Act, 2017 and Electronic Transactions and Cyber Security Act, Cap 74:02. The amendments or repeals will be effected in two separate amending Bills and presented to Parliament simultaneously with this Bill. The proposed amendments and repeals will eliminate inconsistencies between this Bill and the said two Acts of Parliament.

THE DATA PROTECTION BILL, 2021

A BILL

entitled

An Act to make provision for protection of personal data, for regulation of the processing of personal data, and for matters connected therewith or incidental thereto.

ENACTED by the Parliament of Malawi as follows:

PART I—PRELIMINARY PROVISIONS

Short title and commencement

1. This Act may be cited as the Data Protection Act, 2020, and shall come into operation on such date as the Minister may appoint, by notice published in the Gazette.

Interpretation

2. In this Act, unless the context otherwise requires:

“Authority” means the Malawi Communications Regulatory Authority established under section 4 of the Communications Act;

“binding corporate rules” means personal data protection policies and procedures adhered to by the members of a group of firms under common control with respect to the transfer of personal data among such members and containing provisions for the protection of such personal data;

“biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allow or confirm the unique identification of that individual, including without limitation by physical measurements, facial images, blood typing, fingerprinting, retinal scanning, voice recognition and deoxyribonucleic acid (DNA) analysis;

“certification mechanism” means certification by an official or professional third-party entity that evaluates the personal data protection policies and procedures of data controllers and data processors according to recognised standards;

“child” means an individual below eighteen years of age;

“consent” means any freely given, specific, informed, and unambiguous indication, whether by a written or oral statement or an affirmative action, of an individual’s agreement to the processing of personal data relating to him or to another individual on whose behalf he has the authority to provide such consent;

“data controller” means an individual, private entity, public authority or agency or any other body who or which, alone or jointly with others, determines the purposes and means of the processing of personal data;

“data controller or data processor of major importance” means a data controller or data processor that is domiciled, ordinarily resident, or ordinarily operating in Malawi and processes or intends to process personal data of more than 10,000 data subjects who are within Malawi, or a greater number of data subjects prescribed by the Authority in rules published in the Gazette, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Malawi as the Authority may designate;

“data processor” means an individual, private entity, public authority or agency or any other body who or which processes personal data on behalf of or at the direction of a data controller or another data processor;

“data subject” means an individual to whom personal data relates;

“Director General” means the Director General of the Authority as described in the Communications Act;

“filing system’” means any structured set of personal data which is accessible by reference to a data subject or according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

“personal data” means any information relating to an individual who can be identified or is identifiable, directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that individual;

“personal data breach” means a breach of security of a data controller or data processor leading to or reasonably likely to lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

“processing” means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; and

“sensitive personal data” means personal data relating to an individual’s:

  • biometric data;
  • race or ethnic origin;
  • religious or similar beliefs, such as those reflecting conscience or philosophy;
  • health status;
  • sex life or sexual orientation;
  • political opinions or affiliations; or
  • any other personal data prescribed by the Authority as sensitive personal data pursuant to section 19(2).

Objectives

3. The objectives of this Act are to:

a) ensure that the processing of personal data complies with principles of data protection, including digital privacy and data security;

b) provide individuals with rights with respect to the processing of personal data relating to them;

c) set standards for the transmission of personal data outside of Malawi;

d) establish an institutional mechanism to promote and enforce the principles, rights and obligations provided for in this Act; and

e) provide a legal foundation to promote the digital economy of Malawi and its participation in the regional and global economies through the beneficial uses of personal data.

Application of this Act

4.

(1) This Act applies to the processing of personal data wholly or partly by automated means and processing other than by automated means of personal data which form or are intended to form part of a filing system.

(2) This Act applies only where:

a) the data controller or data processor is domiciled, ordinarily resident, or ordinarily operating in Malawi;

b) the processing occurs within Malawi, provided that the mere transiting of data through Malawi shall not constitute data processing occurring in Malawi; or

c) the processing relates to the targeted offering of goods or services to the data subject in Malawi, or the monitoring of the behaviour of the data subject as far as his behaviour takes place within Malawi.

(3) This Act shall be without prejudice to the application of Part IV of the Electronic Transactions and Cyber Security Act with respect to intermediary service providers and online content editors.

(4) For purposes of this section, a “filing system” is a structured set of personal data which are accessible according to specific criteria.

Exemptions

5.

(1) This Act does not apply to the processing of personal data to the extent it is carried out by one or more individuals solely for personal, recreational or household purposes.

(2) Data controllers and data processors that are domiciled, ordinarily resident, or ordinarily operating in Malawi and are not data controllers or data processors of major importance are exempt from the provisions of this Act until the second anniversary of the date on which it comes into force.

PART II— ADMINISTRATION

Duties, functions and Powers of the Authority

6.

(1) The Authority shall promote the protection of personal data and regulate the processing of personal data throughout Malawi and oversee the implementation of and be responsible for the enforcement of this Act.

(2) Notwithstanding the generality of subsection (1), the Authority shall:

a) promote public awareness and understanding of personal data protection and the risks to personal data, including the rights granted and obligations imposed under this Act;

b) promote awareness of data controllers and data processors of their obligations under this Act;

c) encourage the introduction of technological and administrative measures to enhance personal data protection;

d) foster the development of personal data protection technologies in accordance with recognized international standards and applicable international law;

e) participate in international fora and engage with other national and regional authorities responsible for data protection with a view to developing consistent and efficient approaches to regulation of cross-border transfers of personal data;

f) advise the government on policy issues relating to personal data protection;

g) submit legislative proposals to the Minister, including amending existing laws, with a view to strengthening personal data protection in Malawi;

h) collect and publish information with respect to personal data protection, including personal data breaches;

i) receive complaints relating to violations of this Act or regulations issued thereunder;

j) conduct investigations of potential violations by a data controller or a data processor of any requirement under this Act or any regulations, rules or other subsidiary legislation or orders made hereunder;

k) impose penalties in case of violations of the provisions of this Act or any regulations, rules or other subsidiary legislation or orders made hereunder;

l) designate countries, regions, sectors or standard contractual clauses as affording or not affording adequate personal data protection standards for cross-border transfers;

m) ensure compliance with national and international personal data protection standards and obligations laid down by international agreements and treaties to which Malawi is a party;

n) render technical assistance on personal data protection matters to the Minister;

o) register and levy fees on data controllers and data processors of major importance;

p) submit proposals to the Minister for regulations to be made under this Act;

q) issue directives and opinions, make recommendations and rules and publish guidance as provided under this Act; and

r) generally implement the provisions of this Act and do all such things as are necessary, incidental or conducive to the better carrying out of the functions of the Authority.

(3) Without prejudice to any functions or powers granted or duties imposed on it under the Communications Act, the Electronic Transactions and Cyber Security Act or any other written law, the Authority shall perform such functions, exercise such powers and undertake such duties as are conferred by this Act.

The Data Protection Office

7. There is hereby established the Data Protection Office, which shall be a unit under the Authority responsible for the activities of the Authority in relation to data protection under this Act.

Governance Powers of the Authority

8. Without prejudice to the generality of section 6, the Authority shall have the power to:

a) issue guidance, and give directions to the Director General;

b) approve strategic plans, action plans and budget support programmes submitted by the Director General;

c) approve annual reports and financial reports submitted by the Director General;

d) hire consultants to assist the Authority in the discharge of its functions, where necessary; and

e) issue rules, directives, opinions and make recommendations on any recurrent question related to the regulated missions of the Authority as defined under this Act.

Committees of the Authority

9.

(1) The Authority may for the purpose of performing its functions under this Act, establish committees of the Authority, and delegate to any such committees any of its functions as it considers necessary.

(2) The Chairperson of every committee shall be a person who is a member of the Authority, but an ex-officio member shall not be a Chairperson.

(3) The Chairperson of the Authority shall not be a member of a committee.

(4) The Authority shall pay a member of a committee, from the funds of the Authority, an allowance that the Minister responsible for public service may, on recommendation of the Board of the Authority, approve for attendance at meetings of the committee.

(5) Subject to the general or special directions of the Authority and to the provisions of this Act, every committee of the Authority shall have the power to determine its own procedure.

Advisory fora

10.

(1) The Authority shall establish consultative or advisory fora comprising representatives of the interests of data controllers, data processors and data subjects, and experts in data protection or another relevant field to assist the Authority with the discharge of its functions under this Act.

(2) The Authority shall contribute out of its annual budget to the expenses of any forum established under subsection (1).

Consultation with other bodies

11.

(1) The Authority shall consult and coordinate with the Human Rights Commission established under Chapter XI of the Constitution with respect to the application of this Act and the Access to Information Act and personal data to which both apply.

(2) The Authority shall consult and coordinate with ministries, departments and agencies responsible for the management and regulation of information including personal data in order to promote understanding of this Act, encourage the adoption of good data protection practices and procedures, and resolve any uncertainties about the application of this Act and rules and regulations made hereunder.

Rules of the Authority

12.

(1) In exercise of its functions under this Act, the Authority may make such rules as are necessary for the better carrying out of the provisions of this Act.

(2) The Authority shall, before making rules:

a) consult with relevant ministries, departments and agencies and with data controllers, data processors, interested parties and the public; and

b) publish by notice in the Gazette a draft of the rules it proposes to make, and provide the persons listed in paragraph (a) with a period of not less than thirty (30) days thereafter to comment on the draft rules.

(3) The Authority shall publish in the Gazette rules made under this Act.

(4) The Authority shall, within twenty-eight days after the publication in Gazette of the rules, inform the public, through the print and electronic media, of the publication of the rules.

(5) Rules made under subsection (1) may prescribe how the provisions of this Act shall apply given the features of any particular use of personal data or any particular sector of the economy or society, including:

a) health;

b) education;

c) financial services;

d) employment;

e) electronic commerce;

f) digital identification;

g) membership of particular groups and associations;

h) historical, statistical or scientific research; and

i) any other matter that the Authority may prescribe.

(6) Consultation under subsection (2) shall where appropriate consider the costs and benefits of the proposed rules.

Good practices and codes of conduct

13.

(1) The Authority may publish guidance on good practices in, and development of, codes of conduct on data protection and compliance with this Act.

(2) The Authority may issue and publish in the Gazette, a code of conduct, on the Authority’s own initiative or by application from one or more interested parties.

(3) The Authority shall, prior to issuance of a code of conduct, give notice in the Gazette of the proposed code of conduct and provide the public with a period of not less than thirty (30) days thereafter to comment on the proposed code of conduct.

(4) The absence of a code of conduct issued by the Authority shall not preclude data controllers or data processors from, alone or together with others, adopting codes of conduct on data protection and compliance with this Act.

Confidentiality

14.

(1) A member of the Authority, employee, consultant, adviser or sub-contractor of the Authority shall not publish or disclose to any person, other than in the course of his duties, the contents of any document, communication or information which has come to his knowledge in the course of his duties under this Act.

(2) Any member of the Authority, employee, consultant, adviser or sub-contractor of the Authority who holds confidential information, or any person who has, directly or indirectly, obtained any such information from a member of the Authority, employee, consultant, adviser or sub-contractor of the Authority, whom that person knows or has reasonable cause to believe held the information by virtue of his office, and who:

a) deals in any contract or proposed contract to which the information relates and in which the Authority is involved;

b) counsels or instigates anyone else to deal in any such contract or proposed contract, knowing or having reasonable cause to believe that the other entity would deal in such contract or proposed contract; or

c) communicates to anyone else the information held or, as the case may be, obtained by him if he knows or has reasonable cause to believe that such other entity or any other entity would make use of the information for the purpose of dealing in, or counselling or causing anyone else to deal in, any contract or proposed contract to which the information relates, and in which the Authority is involved,

commits an offence and is liable to a fine of K5,000,000 and imprisonment for five years.

(3) This section shall apply to any information that:

a) a member of the Authority, employee, consultant, adviser or sub-contractor of the Authority holds by virtue of his office or dealings with the Authority;

b) would not be expected, or would not be reasonable for it, to be disclosed by a member of the Authority, employee, consultant, adviser or sub-contractor of the Authority except in the proper performance of the functions of his office; or

c) the member of the Authority, employee, consultant, adviser or sub-contractor of the Authority holding the information knows or ought to know that it is unpublished information in relation to any contract or proposed contract of the Authority.

(4) The provisions of this section shall continue to apply to any member of the Authority, employee, consultant, adviser or subcontractor of the Authority, notwithstanding the expiry or termination of the term of office of the member or the employment of the employee, consultant, adviser or subcontractor of the Authority, as the case may be.

Delegation of powers

15.

(1) The Authority may delegate some of its functions under this Act to the Director General of the Authority, any member of the Authority, the head of the Data Protection Office or any other member of staff of the Authority.

(2) The Director General of the Authority may, with the approval of the Authority, delegate any power or function assigned to him under this Act, to any member of staff of the Authority.

Funds of the Authority

16.

(1) The operational and financial costs of the Authority of carrying out its duties, functions and powers under this Act shall be provided through:

a) fees, levies and other moneys payable to the Authority under this Act;

b) fines payable to the Authority in respect of violations of this Act;

c) grants or donations received by the Authority;

d) such moneys as are from time to time appropriated to the Authority by Parliament; and

e) proceeds from the sale by the Authority of any of its assets or equipment to which it has title.

(2) The Authority may charge fees in respect of publications, seminars, documents, and other services provided by the Authority.

(3) Subject to the Public Finance Management Act, the Authority may borrow such amounts as it may require for the performance of its functions under this Act.

(4) The Authority may invest, on short term deposit with any bank or financial institution in Malawi, any of its moneys that are not immediately required for the performance of its functions under this Act.

Consultations with interested parties

17.

(1) Where the Authority intends to take a decision in accordance with this Act, it shall consult with any interested party, and shall give such interested party at least thirty (30) days from the date of issuance of notice from the Authority to comment on the proposed decision.

(2) The Authority shall publish the results of any consultation launched publicly and the results shall be made available through such means as the Authority considers appropriate in the circumstances, except in the case of information that the Authority considers to be confidential.

PART III— PRINCIPLES GOVERNING PROCESSING OF PERSONAL DATA

Lawfulness of data processing

18.

(1) A data controller shall ensure that personal data is processed, by such data controller or any data processor processing personal data on its behalf, fairly, in a transparent manner and in accordance with subsection (2) and section 19.

(2) A data controller shall neither process nor permit a data processor to process on its behalf, personal data unless:

a) the data subject has given and not withdrawn his consent for the specific purpose or purposes for which it will be processed;

b) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) the processing is necessary for compliance with a legal obligation to which the data controller or data processor is subject;

d) the processing is necessary in order to protect the vital interests of the data subject or another individual;

e) the processing is authorised by law and carried out by a competent public authority or agency in furtherance of its legal mandate;

f) the processing is required by or under any written law or order of a court;

g) the processing is necessary for the implementation of a specific economic development or humanitarian initiative;

h) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor;

i) the processing is necessary for the purposes of the legitimate interests pursued by the data controller or data processor or by a third party to whom the data is disclosed, except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject;

j) the processing is necessary to comply with disclosure requirements mandated under the Access to Information Act; or

k) the processing is necessary for archiving purposes in the public interest, or for the purpose of historical, statistical or scientific research.

(3) Further processing of personal data other than for the purpose for which it was originally collected shall be compatible with the purpose for which the data was collected.

(4) Compatibility in subsection (3) shall be assessed in light of the relationship between the original purpose and the purpose of the intended further processing, the nature of the personal data concerned, the consequences of the further processing, how the personal data has been collected, and the existence of appropriate safeguards.

Processing of sensitive personal data

19.

(1) A data controller or data processor shall not process, nor shall it permit a data processor to process on its behalf, sensitive personal data unless one of the conditions of section 18(2) has first been met and:

a) the data subject has given and not withdrawn his consent to the processing for the specific purpose or purposes for which it will be processed;

b) the processing is necessary to protect the vital interests of the data subject or of another individual where the data subject is physically or legally incapable of giving consent;

c) the processing is necessary for the purposes of exercising or performing rights or obligations of the data controller or of the data subject under employment or social security laws or any other similar laws;

d) the processing is carried out for purposes of medical care or community welfare and is undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality;

e) the processing is necessary for reasons of public health and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

f) the processing is necessary for reasons of substantial public interest, on the basis of a law which shall be proportionate to the aim pursued, and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

g) the processing is necessary for the establishment, exercise or defence of a legal claim, obtaining legal advice or conduct of a legal proceeding;

h) the processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a charitable, educational, literary, artistic, philosophical, religious or trade union aim and:

(i) the processing relates solely to the members or former members of the entity or to individuals who have regular contact with it in connection with its purposes; and

(ii) the sensitive personal data is not disclosed outside of the entity without the explicit consent of the data subject;

i) the processing is necessary for archiving purposes in the public interest, or historical, statistical or scientific research, in each case on the basis of a law, which shall be proportionate to the aim pursued, and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; or

j) the data subject has intentionally made such sensitive personal data public.

(2) The Authority may prescribe in rules published in the Gazette further categories of personal data that may be classified as sensitive personal data, further grounds on which they may be processed, and safeguards that may apply, having regard to:

a) the risk of significant harm that may be caused to a data subject or class of data subjects by the processing of such category of personal data;

b) the reasonable expectation of confidentiality attached to such category of personal data; and

c) the adequacy of protection afforded to personal data generally.

Children

20.

(1) When a data subject is a child or an individual lacking the legal capacity to consent, a data controller shall obtain consent of a parent or other appropriate legal guardian of the child or other individual, as applicable, to rely on consent under section 18(2)(a).

(2) A data controller or data processor shall apply appropriate mechanisms, including presentation of government approved identification documents, to verify age and consent.

(3) Subsection (1) does not apply to a data controller or data processor when:

a) the processing is necessary to protect the vital interests of the child or individual lacking the legal capacity to consent; or

b) the processing is carried out for purposes of medical or social care and is undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality.

Conditions of consent

21.

(1) A data controller shall bear the burden of proof for establishing a data subject’s consent (or in the case of a data subject who is a child, the consent of a parent or legal guardian of the data subject) to anything requiring consent under this Act.

(2) In determining whether consent was freely given, account shall be taken of whether performance by a third party of a contract between the data subject and such third party is conditioned on the processing of personal data of the data subject and such processing would not be necessary for such performance.

Provision of information to the data subject

22.

(1) When a data controller collects personal data directly from a data subject, the data controller shall provide the data subject with:

a) the identity of, and means of contacting, the data controller and its representative, if any;

b) the specific basis of processing under section 18(2) or 19(1) and the purposes of the processing for which the personal data are intended;

c) third parties with which the data will be shared and where feasible the means of contacting such third parties;

d) the existence of the rights of the data subject under Part IV; and

e) the right to lodge a complaint with the Authority in accordance with section 39(1).

(2) When a data controller collects personal data other than directly from the data subject, it must inform the data subject of the items set out in subsection (1), unless the data subject has already been provided such information or provision of such information is impossible or would involve a disproportionate effort or expense.

Purpose specification, data minimisation, retention and accuracy

23.

A data controller shall ensure that personal data is:

a) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;

b) adequate, relevant and limited to what is the minimum necessary for the purposes for which the personal data was collected or further processed;

c) retained for no longer than is necessary to achieve the purpose for which the personal data was collected or further processed except where:

(i) such retention is required or authorised by law; or

(ii) the data subject has consented to such retention; and

d) accurate, complete, not misleading and, where necessary, kept up to date having regard to the purposes for which the personal data was collected or is further processed.

Data protection impact assessment

24.

(1) Where processing is likely to result in high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context and purposes, a data controller shall, prior to the processing, carry out a data protection impact assessment.

(2) The data protection impact assessment report shall be submitted to the Authority prior to the processing of personal data.

(3) The data controller or data processor shall consult the Authority prior to the processing if, notwithstanding the measures envisaged under subsection (6)(d), the data protection impact assessment indicates that the processing of the data would result in a high risk to the rights and freedoms of the data subject.

(4) The Authority shall publish in the Gazette:

a) guidelines for carrying out data protection impact assessments; and

b) lists of the kinds of processing which are, and which are not, subject to the requirement for a data protection impact assessment pursuant to subsection (1).

(5) This section shall not apply until the second anniversary of the date on which this Act enters into force.

(6) For purposes of this section, a “data protection impact assessment” is an assessment of the impact of the envisaged processing on the protection of personal data comprising:

a) a systematic description of the envisaged processing and its purpose, including where applicable the legitimate interest pursued by the data controller, data processor or third party;

b) an assessment of the necessity and proportionality of the processing in relation to the purposes for which the personal data would be processed;

c) an assessment of the risks to the rights and freedoms of data subjects; and

d) the measures envisaged to address the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Act, taking into account the rights, and legitimate interests of data subjects and other persons concerned.

(7) The Authority may by publication in the Gazette exempt categories of data controllers or data processors from the obligations under this section.

Obligations of the data controller and data processor

25.

(1) Where a data controller engages the services of a data processor, or any data processor engages the services of another data processor, the data controller or data processor shall take reasonable measures to ensure that the engaged data processor shall:

a) comply with the principles and obligations set out in section 23 applicable to the data controller;

b) assist the data controller or data processor, as the case may be, by appropriate technical and organisational measures, where practical, in the fulfilment of the data controller’s obligations to honour the individual rights of data subjects under Part IV;

c) implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal information as required in Part V, with due regard to section 32;

d) provide the data controller or data processor, as applicable, with any information it reasonably requires to comply and demonstrate compliance with this Act; and

e) notify the data controller or data processor, as the case may be, when any new data processors are engaged.

(2) Reasonable measures under subsection (1) include a written agreement between the data controller and the data processor or between data processors, as the case may be.

(3) The Authority may prescribe such measures in rules published in the Gazette.

PART IV—RIGHTS OF A DATA SUBJECT

Rights of the data subject

26. A data subject has the right to obtain from a data controller, without constraint or unreasonable delay and at no expense:

a) confirmation as to whether or not the data controller, or a data processor operating on its behalf, is storing or otherwise processing personal data relating to the data subject and the source of such personal data;

b) a copy of such personal data in a commonly used electronic format except to the extent that providing such data would impose unreasonable costs on the data controller, in which case the data subject may be required by the data controller to bear some or all of such costs;

c) correction, or if correction is not feasible or suitable, deletion of any such personal data that is inaccurate, out of date, incomplete or misleading; and

d) deletion of any such personal data which the data controller is not entitled to retain.

Withdrawal of consent

27.

(1) A data subject has the right to withdraw his consent to processing of personal data under section 18(2)(a) or section 19(1)(a) at any time.

(2) The data controller shall ensure that it is as easy for the data subject to withdraw as to give consent.

Right to object

28.

(1) A data subject has the right to object on grounds relating to his particular situation to the processing of personal data relating to him based on section 18(2)(e) or (i), including profiling, if he can demonstrate that:

a) such processing is causing or is likely to cause substantial damage or substantial distress to him or to another person; and

b) such distress or damage is or would be unwarranted.

(2) The data controller may no longer process such data unless it demonstrates a public interest or other legitimate grounds which outweigh any unwarranted distress or damage demonstrated.

Automated decision-making

29.

A data subject has the right not to be subject to a decision based solely on automated processing of personal data, including profiling, which produces legal or similar significant effects concerning him, except where such decisions are:

a) necessary for entering into, or performance of, a contract between the data subject and a data controller;

b) authorized by a written law which establishes suitable measures to safeguard the fundamental rights and the interests of the data subject; or

c) authorized by the consent of the data subject.

Data portability

30.

(1) The Authority may make rules and procedures published in the Gazette establishing a right of personal data portability.

(2) Any such right of data portability established by the Authority shall entitle the data subject to:

a) receive from a data controller personal data concerning them in a structured, commonly used and machine-readable format;

b) transmit the data obtained under paragraph (a) to another data controller without any hindrance; and

c) where technically possible, have the personal data transmitted directly from one data controller to another.

(3) The Authority may prescribe the circumstances in, and conditions on, which such a right would apply to a data subject and the obligations it would impose on a data controller or data processor, or categories of data controllers or data processors, including questions of costs and timing.

PART V—DATA SECURITY

Security, integrity and confidentiality

31.

(1) Each data controller and data processor shall implement appropriate technical and organizational measures to ensure the security, integrity and confidentiality of personal data in its possession or under its control, including protections against accidental or unlawful destruction, loss, misuse or alteration, unauthorized disclosure or access, taking into account:

a) the amount and sensitivity of the personal data;

b) the degree and likelihood of harm to data subjects that could result from the loss, disclosure or other misuse of the personal data;

c) the extent of the processing;

d) the period of data retention; and

e) the cost of any technologies, tools or other measures to be implemented relative to the size of the data controller or data processor.

(2) Measures implemented under subsection (1) may include:

a) pseudonymization or other methods of de-identification of personal data;

b) encryption of personal data;

c) processes to ensure security, integrity, confidentiality, availability and resilience of processing systems and services;

d) processes to restore availability and access to personal data in a timely manner in the event of a physical or technical incident;

e) periodic assessments of risks to processing systems and services, including without limitation where the processing involves the transmission of data over an electronic communications network;

f) regular testing, assessing and evaluation of the effectiveness of the measures implemented against current and evolving risks identified; and

g) regular updating of the measures and introduction of new measures to address shortcomings in effectiveness and accommodate evolving risks.

Appropriateness

32.

In determining the appropriateness of the measures to be implemented under section 31, a data controller or data processor shall take into account:

a) available technologies and systems;

b) the cost of implementing the security measures; and

c) the relative risks inherent in the nature, scope, context and purposes of the processing and the likely harms to the rights and freedoms of the data subjects.

Personal data breaches

33.

(1) When a personal data breach has occurred with respect to personal data being stored or otherwise processed by a data processor, the data processor shall:

a) notify the data controller or data processor that engaged it within seventy-two hours after becoming aware thereof, describing the nature of the personal data breach including, where possible, the categories and approximate numbers of data subjects and personal data records concerned; and

b) respond without undue delay to all information requests from the data controller or data processor that engaged it as they may require to comply with their obligations under this section.

(2) When a personal data breach has occurred with respect to personal data being stored or otherwise processed by a data controller or a data processor acting on its behalf and is likely to result in a risk to the rights and freedoms of individuals, the data controller shall notify the Authority of the breach within seventy-two hours after having become aware of it, describing the nature of the personal data breach including, where possible, the categories and approximate numbers of data subjects and personal data records concerned.

(3) When such a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject:

a) the data controller shall communicate the personal data breach to the data subject without undue delay in plain and clear language, including advice about measures the data subject could take to mitigate effectively the possible adverse effects of the data breach; and

b) if a direct communication to the data subject under paragraph (a) would involve disproportionate effort or expense or is otherwise not feasible, the data controller may instead make a public communication in one or more widely-used media sources such that data subjects are likely to be informed.

(4) The notifications and communications referred to in subsections (1), (2) and (3) shall, in addition to the requirements of those subsections, at least:

a) communicate the name and contact details of a point of contact of the data controller where more information can be obtained;

b) describe the likely consequences of the personal data breach; and

c) describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

(5) The data controller may extend the seventy-two-hour period set out in subsection (2) to accommodate the legitimate needs of law enforcement or as reasonably necessary to implement measures required to determine the scope of the breach, provided that the data controller provides to the Authority the grounds for such extension, including supporting evidence.

(6) The Authority may at any time make a public communication about a personal data breach notified to it under subsection (2) if it considers the steps of the data controller to inform data subjects inadequate.

(7) The Authority shall issue and publish in the Gazette guidance on the steps to be taken by a data controller to adequately inform data subjects of a personal data breach for purposes of subsection (6).

(8) In evaluating whether a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject under subsection (3), the data controller and the Authority may take into account:

a) the likely effectiveness of any technical and administrative measures implemented to mitigate the likely harm resulting from the personal data breach, including any encryption or deidentification of the data;

b) any subsequent measures taken by the data controller to mitigate such risk; and

c) the nature, scope and sensitivity of the personal data involved.

(9) The data controller and data processor shall keep a record of all personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken in a manner that enables the Authority to verify compliance with this section.

(10) Where, and in so far as, it is not possible to provide information under this section at the same time, the information may be provided in phases without undue further delay.

(11) This section shall not apply until the second anniversary of the date on which this Act enters into force.

PART VI—CROSS-BORDER TRANSFERS OF PERSONAL DATA

Basis for cross-border transfer of personal data

34.

(1) A data controller or data processor shall not transfer personal data from Malawi to another country unless:

a) the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection with respect to the personal data in accordance with section 35; or

b) one of the conditions set forth in section 36 applies.

(2) A data controller or data processor shall record the basis for transfer of personal data to another country under section 34(1) and the adequacy of protection under section 35, if applicable.

(3) The Authority may make rules requiring data controllers and data processors to notify it of the measures in place under section 34(1) and to explain their adequacy in terms of section 35, if applicable.

Adequacy of protection

35.

(1) A level of protection is adequate for the purposes of section 34(1)(a) if it upholds principles that are substantially similar to the conditions for processing of the personal data provided for in this Act, including in relation to the onward transfer of personal data to other countries.

(2) The adequacy of protection referred to in subsection (1) shall be assessed taking into account:

a) the availability of enforceable data subject rights, the ability of data subjects to enforce their rights through administrative or judicial redress, and the rule of law generally;

b) the existence of any legally binding instrument between the Authority and a relevant public authority in the recipient country addressing elements of adequate protection referred to in subsection (1);

c) the access of a public authority to personal data;

d) the existence of an effective data protection law;

e) the existence and functioning of an independent, competent data protection or similar supervisory authority with adequate enforcement powers; and

f) international commitments and conventions binding on the relevant country and its membership of any multilateral or regional organisations.

(3) The Authority may from time to time, by notice in the Gazette, designate any country, region or specified sector within a country, or standard contractual clauses as affording or as not affording an adequate level of protection under subsection (1).

(4) The Authority may approve binding corporate rules, codes of conduct or certification mechanisms proposed to it by a data controller, where the Authority determines that the aforesaid meets the adequacy requirements of subsection (1).

(5) The absence of a determination by the Authority under subsection (3) or (4) with respect to a country, territory, sector, binding corporate rule, contractual clause, code of conduct or certification mechanism shall not imply the adequacy or inadequacy of the protections afforded by it.

(6) The Authority may make a determination under subsection (3) based on adequacy decisions made by competent data protection authorities of other jurisdictions where such decisions have taken into account factors similar to those listed in subsection (2).

Other bases for transfer of personal data outside Malawi

36.

In the absence of adequacy of protection under section 35, a data controller or data processor shall only transfer personal data from Malawi to another country if:

a) the data subject has given and not withdrawn consent to such transfer after having been informed of the possible risks of such transfers for the data subject due to the absence of adequate protections;

b) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and a third party; or

d) the transfer is for the benefit of the data subject and:

(i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and

(ii) if it were reasonably practicable to obtain such consent, the data subject would likely give it.

PART VII—REGISTRATION AND FEES

Registration of data controllers and data processors of major importance

37.

(1) Data controllers and data processors of major importance shall register with the Authority.

(2) Registration under subsection (1) shall be made by notifying the Authority of:

a) name and address, or name and address of any representative;

b) a description of the personal data and the categories and number of data subjects to which the personal data relate;

c) the purposes for which the personal data is processed;

d) the categories of recipients to whom the data controller or data processor intends or is likely to disclose the personal data;

e) the name and address, or name and address of any representative of any data processor operating directly or indirectly on its behalf;

f) any country to which the data controller or data processor intends, directly or indirectly, to transfer the personal data;

g) a general description of the risks, safeguards, security measures and mechanisms to ensure the protection of the personal data; and

h) any other information required by the Authority.

(3) The data controller or data processor of major importance shall:

a) notify the Authority of any significant change to the information submitted under subsection (2) within 90 days after such change; and

b) provide the Authority with a full updated registration no later than the third anniversary of its previous registration.

(4) The Authority shall maintain and publish on its website a register of data controllers and data processors of major importance that have duly registered with it under this section.

(5) The Authority shall remove a data controller or data processor from the register if it notifies the Authority that it is no longer a data controller or data processor of major importance.

(6) The Authority may exempt a class of data controller or data processor of major importance from the registration requirement of this section where it considers such requirement to be unnecessary or disproportionate.

Fees and levies

38.

(1) The Authority may prescribe annual fees or levies which shall be paid by data controllers and data processors of major importance.

(2) The Authority may prescribe annual fees or levies under subsection (1) applicable to different classes of data controllers or data processors of major importance.

(3) The Government, statutory bodies and any other body appointed by the Government to carry out public functions shall not be subject to the annual fees or levies under subsection (1).

(4) Any fees or levies prescribed under subsection (1) shall be set with a view not to exceed the anticipated costs of the activities of Authority relating to data protection under this Act for the next financial year to the extent that such costs are not anticipated to be funded from other sources.

PART VIII—ENFORCEMENT

Complaints

39.

(1) A data subject who is aggrieved by the decision, action or inaction of a data controller or data processor in violation of this Act, subsidiary legislation or orders may lodge a complaint with the Authority.

(2) The Authority shall investigate any complaint referred to it where it appears to the Authority that:

a) the complainant has an interest in the matter to which the complaint relates; and

b) the complaint is not frivolous or vexatious.

(3) The Authority may initiate an investigation of its own accord where it has reason to believe a data controller or data processor has violated or is likely to violate this Act or any regulations, rules or other subsidiary legislation or orders.

(4) The Authority may, for the purpose of an investigation, order any person to:

a) attend at a specific time and place for the purpose of being examined orally in relation to a complaint;

b) produce such document, record or article as may be required with respect to any matter relevant to the investigation, which the person is not prevented by any other written law from disclosing; or

c) furnish a statement in writing made under oath or an affirmation setting out all information which may be required under the order.

(5) Where material to which an investigation relates consists of information stored in any mechanical or electronic device, the Authority may require the person named to produce or give access to it in a form in which it is visible and legible in a structured, commonly used and machine-readable format.

(6) The Authority may, where necessary, make representations to the data controller or data processor on behalf of a complainant or to a complainant on behalf of the relevant data controller or data processor, as the Authority may deem appropriate.

(7) The Authority shall establish a section of the Data Protection Office that shall receive and follow up on complaints from data subjects and conduct investigations.

(8) The Authority shall adopt rules and procedures published in the Gazette on handling complaints and conducting investigations referred to it under this Act.

Compliance orders

40.

(1) Where the Authority is satisfied that a data controller or data processor has violated or is likely to violate any requirement under this Act or any regulations, rules or other subsidiary legislation or orders issued thereunder, the Authority may make an appropriate compliance order against that data controller or data processor.

(2) The order made by the Authority under subsection (1) may include any of the following:

a) a warning that certain acts or omissions are likely to be a violation of one or more provisions under this Act or any subsidiary legislation or orders issued thereunder;

b) a requirement that the data controller or data processor complies with such provisions, including complying with the requests of a data subject to exercise one or more rights under this Act; or

c) a cease and desist order requiring the data controller or data processor to stop or refrain from doing an act which is in violation of this Act, including stopping or refraining from processing personal data that is the subject of the order.

(3) An order made under this section shall be in writing and shall specify:

a) the provisions of this Act that the data controller or data processor has violated or is likely to violate;

b) in the case of an actual violation, specific measures to be taken by the data controller or data processor to avoid, remedy or eliminate the situation which has resulted in the violation;

c) in the case of an actual violation, a period not less than 30 days in which to implement such measures; and

d) in the case of an actual violation, a right to judicial review under section 43.

Enforcement orders

41.

(1) Notwithstanding any criminal sanctions under this Act, if the Authority, after completing an investigation under Section 39, is satisfied that a data controller or data processor has violated any provision of this Act, or any regulation, rule or other subsidiary legislation made thereunder, it:

a) may make any appropriate enforcement order or impose a sanction on the data controller or data processor; and

b) shall inform the data controller or data processor, and if applicable, any data subject who lodged a complaint leading to the investigation, in writing of its decision.

(2) Notwithstanding section 21(e) of the General Interpretation Act, an enforcement order made or sanction imposed under subsection (1) may include the following:

a) requiring the data controller or data processor to remedy the violation;

b) ordering the data controller or data processor to pay compensation to a data subject who suffers injury, loss or harm as a result of a violation;

c) ordering the data controller or data processor to account for the profits made out of the violation; or

d) ordering the data controller or data processor to pay a fine of K5,000,000.

Offence

42.

A data controller or data processor who fails to comply with any order made under section 41 commits an offence for which such data controller or data processor is liable to a fine of K5,000,000 and imprisonment for two years.

Judicial review

43.

A person who is not satisfied with an order of the Authority may apply to the High Court within thirty days after the date the order was made for judicial review thereof.

Civil remedies

44.

A data subject who suffers injury, loss or harm as a result of a violation of this Act or regulations made hereunder by a data controller or data processor, or a recognized consumer organization acting on behalf of such a data subject, may recover damages by way of civil proceedings in the High Court from such data controller or data processor.

PART IX—MISCELLANEOUS

Exceptions

45.

(1) The obligations and rights under Parts III, IV, V, VI, VII and VIII do not apply to a data controller or data processor when processing of personal data is:

a) carried out by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;

b) carried out by competent authorities for the purposes of prevention or control of a national public health emergency;

c) carried out by competent authorities as necessary for national security; or

d) carried out in connection with licensed credit reference bureau business under the Credit Reference Bureau Act;

so long as such processing as is carried out uses suitable measures to safeguard the fundamental rights and the interests of the data subject.

(2) The obligations and rights under Parts III, IV, VI, VII and VIII do not apply to data processing carried out with a view to publication in the public interest for the purposes of journalism, educational purposes, artistic purposes or literary purposes to the extent that such obligations and rights would be incompatible with such purposes.

Joint and vicarious liability

46.

(1) Where a data controller or data processor charged with an offence under this Act is a body corporate, any person who, at the time the offence was committed was a chief executive officer, manager or officer of such body corporate, may be charged jointly in the same proceedings with the body corporate, if the person was party to the offence committed.

(2) A person who is a partner in a firm shall be jointly and severally liable for acts or omissions of other partners in the firm so far as the acts or omissions relate to the firm.

(3) Each data controller and data processor shall be vicariously liable for the acts or omissions of its agent, clerk, servant or other person, in so far as the acts or omissions relate to its business.

Regulations

47.

(1) The Minister may, on the recommendation of the Authority, make regulations for the better carrying out of the purposes of this Act.

(2) Without prejudice to the generality of subsection (1), the regulations may provide for:

a) the financial management of the affairs of the Authority;

b) the protection of personal data and data subjects;

c) the manner in which the Authority may exercise any power or perform any duty or function under this Act;

d) any matter that under this Act is required or permitted to be prescribed; or

e) any matter that the Minister considers necessary or expedient to give effect to the objectives of this Act.

(3) Notwithstanding section 21(e) of the General Interpretation Act, the regulations made under this Act may create offences in respect of any contravention of the regulations, and may for any such contravention impose a fine of up to K5,000,000 and imprisonment for up to five years.

OBJECTS AND REASONS

The principal object of this Bill is to consolidate into a single and effective legislative framework and strengthen the provisions currently found in various Acts of Parliament for the protection and security of personal data used by data controllers and data processors as defined in the Bill in the provision of their services to the public.

CHIKOSA M. SILUNGWE

Attorney General

07Mar/24

Personal Data Protection Act (PDPA), 2022 13th June, 2023 

GOVERNMENT NOTICE Nº 395B published on 13/6/2023

THE UNITED REPUBLIC OF TANZANIA

CHAPTER 44

THE PERSONAL DATA PROTECTION ACT

This version of the Personal Data Protection Act, Chapter 44 has been translated into English Language, and is published pursuant to section 84(4) of the Interpretation of Laws Act, Chapter 1.

Dodoma, ELIEZER MBUKI FELESHI

13th June, 2023 Attorney General

THE UNITED REPUBLIC OF TANZANIA

Supplement No. 21 13th JUNE, 2023

SPECIAL SUPPLEMENT

To The Special Gazette of the United Republic of Tanzania No. 15 Vol. 104 Dated 13th June, 2023

Printed by The Government Printer, Dodoma by Order of Government

CHAPTER 44

THE PERSONAL DATA PROTECTION ACT

An Act to provide for principles of protection of personal data so as to establish minimum requirements for the collection and processing of personal data; to provide for establishment of Personal Data Protection Commission; to provide for improvement of protection of personal data processed by public and private bodies; and to provide for matters connected therewith.

[1st May, 2023]

Act Nº 11 of 2022

PART I. PRELIMINARY PROVISIONS

Short title 1. This Act may be cited as the Personal Data Protection Act, 2022.

Application 2. This Act shall apply to Mainland Tanzania as well as Tanzania Zanzibar save that in Tanzania Zanzibar this Act shall not apply to non-union matters.

Interpretation 3. In this Act, unless the context otherwise requires-

“data protection officer” means an individual appointed by the data controller or data processor charged with ensuring compliance with the obligations provided for in this Act;

“code of ethics” means data-use charters which regulate the conduct of a data controller or data processor prepared in accordance with section 65;

“court” means the court of competent jurisdiction;

“data processor” means a natural person, legal person or public body which processes personal data for and on behalf of the controller and under the data controller’s instruction, except for the persons who, under the direct authority of the controller, are authorised to process the data and it includes his representative;

“data subject” means the subject of personal data which are processed under this Act;

“Director General” means the Director General of the Commission appointed under section 11;

“data controller” means a natural person, legal person or public body which alone or jointly with others determines the purpose and means of processing of personal data; and where the purpose and means of processing are determined by law,

“data controller” is the natural person, legal person or public body designated as such by that law and it includes his representative;

“recipient” means a natural person, legal person, public body or any other person who receives personal data from a data controller;

“health professional” means a person providing health care services and recognised as such by the relevant law;

Cap. 13 “child” has the meaning ascribed to it under the Child Act;

“third party” means any natural or legal person, or public body other than-

(a) the data subject;

(b) the data controller or data processor; and

(c) any person who is authorised to process personal data;

“document” means any medium in which data is recorded, whether printed or on tape or film or by electronic means or otherwise and includes any map, diagram, photograph, film, microfilm, video-tape, sound recording or machine-readable record or any record which is capable of being produced from a machine-readable record by means of equipment or a programme, or a combination of both, which is used by the data controller for record purposes;

“register” means the register established by the Commission under section 15;

“personal data” means data about an identifiable person that is recorded in any form, including-

(a) personal data relating to the race, national or ethnic origin, religion, age or marital status of the individual;

(b) personal data relating to the education, the medical, criminal or employment history;

(c) any identifying number, symbol or other particular assigned to the individual;

(d) the address, fingerprints or blood type of the individual;

(e) the name of the individual appearing on personal data of another person relating to the individual or where the disclosure of the name itself would reveal personal data about the individual;

(f) correspondence sent to a data controller by the data subject that is explicitly or implicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence, and the views or opinions of any other person about the data subject;

“sensitive personal data” includes-

(a) genetic data, data related to children, data related to offences, financial transactions of the individual, security measure or biometric data;

(b) if they are processed for what they reveal, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade-union membership, gender and data concerning health or sex life; and

(c) any personal data otherwise considered under the laws of the country as presenting a major risk to the rights and interests of the data subject;

“genetic data” means any personal data stemming from a Deoxyribonucleic acid (DNA) analysis;

“Commission” means the Personal Data Protection Commission established under section 6;

“processing” means analysis of personal data, whether or not by automated means, such as obtaining, recording or holding the data or carrying out any analysis on personal data, including:

(a) organization, adaptation or alteration of the personal data;

(b) retrieval or use of the data; or

(c) alignment, combination, blocking, erasure or destruction of the data;

“transborder flow” means any international cross-border flows of personal data by means of electronic transmission or other means;

“Minister” means the Minister responsible for communication.

Objectives of Act

4. The objectives of this Act are to-

(a) regulate the collection and processing of personal data;

(b) ensure that the collection and processing of personal data of a data subject is guided by the principles set out in this Act;

(c) protect the privacy of individuals;

(d) establish a legal and institutional mechanism to protect personal data; and

(e) provide data subjects with rights and remedies to protect their personal data from collection and processing that is not in accordance with this Act.

Principles of personal data protection

5. A data controller or data processor shall ensure that personal data is-

(a) processed lawfully, fairly and transparently;

(b) collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;

(d) accurate and where necessary, kept up to date, with every reasonable step taken to ensure that any inaccurate personal data is erased or rectified without delay;

(e) stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;

(f) processed in accordance with the rights of a data subject;

(g) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against any loss, destruction or damage, using appropriate technical or organisational measures; and

(h) not transferred abroad contrary to the provisions of this Act.

PART II. PERSONAL DATA PROTECTION COMMISSION

Establishment of Personal Data Protection Commission

6.-

(1) There is established a Commission to be known as the Personal Data Protection Commission.

(2) The Commission shall be a body corporate with perpetual succession and a common seal and, shall in its own name be capable of-

(a) acquiring and holding movable and immovable property, to dispose of property and to enter into any contract or other transaction;

(b) suing and being sued; and

(c) performing any other acts which a body corporate may lawfully perform, for the proper performance of its functions under this Act.

Functions of Commission

7. The functions of the Commission shall be to-

(a) monitor compliance by data controllers and data processors with the provisions of this Act;

(b) register data controllers and data processors in accordance with this Act;

(c) receive, investigate and deal with complaints about alleged violations of the protection of personal data and privacy of persons;

(d) inquire into and take measures against any matter, that appears to the Commission to affect the protection of personal data and infringe privacy of the individuals;

(e) educate the public as may be appropriate to the implementation of objectives of this Act;

(f) undertake research and to monitor technological developments in data processing;

(g) establish mechanisms of cooperation with other data protection authorities from other countries, and advise the Government on matters relating to implementation of this Act; and

(h) perform other functions of the Commission for better implementation of the provisions of this Act.

Establishment of Board

8.-

(1) There is hereby established a Board to be known as the Board of Personal Data Protection Commission which shall be the governing body of the Commission and shall consist of seven members as follows:

(a) a Chairman and Vice-Chairman; and

(b) five other members.

(2) The Chairman and the Vice-Chairman shall be appointed by the President on basis of the principle that where the Chairman hails from one part of the United Republic, the Vice-Chairman shall be a person who hails from the other part of the United Republic.

(3) The other five members under subsection (1)(b) shall be appointed by the Minister from among persons with qualification and experience in ICT, law, engineering, finance or administration.

(4) In order to maintain impartiality of the Commission and for the purpose of avoiding conflict of interest, a person shall not be qualified for appointment as a member of the Authority if, owing to the nature of the office he holds, he is likely to exert influence on the Commission.

(5) Director-General of Commission shall be the secretary to the Board.

(6) The provisions relating to the Board and its proceeding shall be as set out in the Schedule.

Functions of Board

9.-

(1) The Board shall oversee the performance of the Commission so as to ensure adherence to the governing laws and procedures.

(2) Without prejudice to the generality of subsection (1), the Board shall-

(a) provide strategic guidance and formulate policies for operation and management of the Commission;

(b) conduct oversight on the activities and performance of management of the Commission;

(c) ensure efficient use of resources, including approval of annual work plan, annual Budget and supplementary budget;

(d) approve investment plans of the Commission;

(e) approve performance reports of the Commission;

(f) approve code of conduct for staff of Commission;

(g) approve and oversee financial regulations and staff rules;

(h) approve the disposal of assets of the Commission; and

(i) perform any other functions as it may consider necessary for the achievement of its goals in accordance with this Act.

Committees of Board

10. The Board may, for the purpose of efficient performance of its functions, form and appoint from among its members, such number of committees as it considers necessary.

Appointment of Director General

11.-

(1) There shall be the Director General of the Commission who shall be appointed by the President.

(2) A person shall be qualified for appointment as Director General if he-

(a) is a graduate of a recognised university with a bachelor’s degree or above in the fields of ICT, engineering, law, economics, finance or administration;

(b) has experience of not less than ten years of service in any of the fields referred to in paragraph (a); and

(c) expresses knowledge and expertise in the field of personal data protection.

Tenure of office of Director General

12. The Director General shall hold office for a period of five years and may be reappointed for one further term.

Staff of Commission

13.-

(1) The Commission shall, subject to the laws governing public service, employ other officers and employees of such number as may be necessary for the effective discharge of the functions of the Commission.

(2) The Commission may appoint consultants and experts in various disciplines on such terms and conditions as the Commission may determine.

PART III. REGISTRATION OF DATA CONTROLLERS AND DATA PROCESSORS

Registration of data controllers and data processors

14.-

(1) A person shall not collect or process personal data without being registered as a data controller or a data processor under this Act.

(2) A person who intends to collect or process personal data shall apply to the Commission for registration.

(3) The Commission may, within a period specified in the regulations, grant or reject the application submitted under subsection (2).

(4) The Commission shall issue a certificate of registration to the data controller or data processor who has fulfilled the prescribed requirements and registered under this section.

(5) Where the Commission rejects an application it shall inform the applicant in writing and give reasons for the decision.

Register of data controllers and data processors

15.-

(1) The Commission shall establish and maintain a register of data controllers and data processors registered in accordance with this Act.

(2) The register shall contain such particulars as may be prescribed in the regulations.

(3) A data controller or data processor may, at any time, apply to the Commission to update or change any particulars in the register.

Duration of registration

16.-

(1) The period of registration shall be five years from the date of issuance of certificate of registration.

(2) The application for renewal shall be submitted within the period of three months before expiry in the manner prescribed in the regulations.

Inspection of registered particulars

17. Subject to the procedures as may be prescribed in the regulations and upon payment of prescribed fees, the Commission may permit any person to inspect and extract any entry in the register.

Deregistration

18. The Commission may deregister any registration under this Act as may be prescribed in the regulations.

Offences relating to registration

19. Any person who contravenes the provisions of this Part or furnishes false or misleading information during registration or renewal, commits an offence and upon conviction shall be liable for a penalty specified under section 63.

Appeal relating to registration

20. Any person who is aggrieved by the decision of the Commission under this Part may appeal in writing to the Minister.

Registration of public institutions

21. Immediately after commencement of this Act, public institutions which collect and process personal data shall be deemed as registered with the Commission under this Act and shall be required to comply with the provisions of this Act.

PART IV. COLLECTION, USE, DISCLOSURE AND RETENTION OF PERSONAL DATA

Collection of personal data

22.-

(1) This Part shall be applicable to-

(a) any collection and processing of personal data performed wholly or partly by manual or automated means;

(b) the processing of personal data carried out in the performance of activities of a controller domiciled in the United Republic or in a territory where the laws of the United Republic apply by virtue of international public law; and

(c) the processing of personal data by a data controller or data processor who is not domiciled in the United Republic, if the processing of the personal data is in the United Republic and such processing is not for the purposes of mere transit of personal data through Tanzania to another country.

(2) A data controller shall collect personal data if-

(a) the personal data is collected for a lawful purpose related to a function of the data controller; and

(b) the collection of the data is necessary or incidental or directly related to the lawful purpose.

(3) A data controller shall not collect personal data by unlawful means.

Source and notification of personal data

23.-

(1) Subject to subsection (3), a data controller shall collect personal data directly from the data subject concerned.

(2) Before collecting data, a data controller shall ensure that the data subject is aware of-

(a) the purposes for which the personal data is collected;

(b) the fact that collection of the personal data is for authorised purposes; and

(c) any intended recipients of the personal data.

(3) A data controller is not obliged to comply with subsection (1) where-

(a) the personal data is publicly available;

(b) the data subject concerned authorises the collection of the personal data from a third party;

(c) compliance is not reasonably practicable in the circumstances of the particular case;

(d) non-compliance is necessary for compliance with other written laws; or

(e) compliance would prejudice the lawful purpose of the collection.

Accuracy of personal data

24. Subject to the purpose for which the personal data are intended to be used, a data controller who holds personal data shall not use that personal data without taking such steps as are, in the circumstances, reasonable to ensure that, the data is complete, accurate, relevant and not misleading.

Personal data to be used for intended purpose

25.-

(1) Personal data collected under this Act shall be used for the intended purposes.

(2) Where a data controller holds personal data that was collected in connection with a particular purpose, he may use that personal data for other purposes if-

(a) the data subject authorises the use of the personal data for that other purpose;

(b) use of the personal data for that other purpose is authorised or required by law;

(c) the purpose for which the personal data is used is directly related to the purpose for which the personal data was collected;

(d) the personal data is used-

(i) in a form in which the data subject is not identified; or

(ii) for statistical or research purposes and shall not be published in a form that could reasonably be expected to identify the data subject;

(e) the data controller believes on reasonable grounds that use of the personal data for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the data subject or other person, or to public health or safety; or

(f) use of personal data for that other purpose is necessary for compliance with the laws.

Limitations on disclosure of personal data

26. Where a data controller holds personal data, he shall not disclose the personal data to a person other than the data subject, except in the circumstances specified under section 25.

Security of personal data

27.-

(1) A data controller and his representatives shall ensure that personal data is protected by such security safeguards as are reasonable in the circumstances and necessary to protect the personal data against negligent loss or unauthorised destruction, alteration, access or processing of the personal data.

(2) Security measures taken in accordance with subsection (1) shall ensure an appropriate level of security taking into account-

(a) the state of technological advancement and the cost of implementing the measures; and

(b) the nature of the personal data to be protected and the potential risks to the data subject.

(3) The data controller and data processor, as the case may be, shall appoint a data protection officer who shall ensure that the control and security measures are in place to protect the personal data collected or being processed.

(4) Implementation of activities of the data processor shall be governed by a contract which associates the data processor to the data controller to the effect that the data processor acts under instructions of the data controller and that the data processor is additionally responsible for ensuring compliance with the security standards as provided by this Act.

(5) The data controller shall notify the Commission, without any undue delay, of any security breach affecting personal data being processed by or on behalf of the data controller.

Retention and disposal of personal data

28.-

(1) Where a data controller uses personal data for a specified purpose as specified under section 25, he shall retain that personal data for a period specified in the relevant laws or a period prescribed in the regulations in order to ensure that the data subject has a reasonable opportunity to access the personal data where need arises.

(2) Subject to subsection (1), the Minister may, by regulations prescribe the retention and disposal of personal data held by a data controller in accordance with the purpose of retention.

Correction of personal data

29.-

(1) Where a document or file to which access has been given under this Act contains personal data and that data subject claims that the personal data-

(a) is incomplete, incorrect or misleading; or

(b) is not relevant to the purpose for which the document is held,

the data controller may, subject to procedures as may be prescribed in the regulations and upon receiving and being satisfied with the application of the data subject, amend the personal data.

(2) The data controller shall, when making an amendment to personal data in a document under this section, ensure that he does not permanently delete the record of the text of the document as it existed prior to the amendment.

(3) Where a data controller is not satisfied with the reasons for an application under subsection (1), he may refuse to make any amendment to the personal data and inform the applicant of the reasons for refusal.

Prohibition on processing of sensitive personal data

30.-

(1) A person shall not process sensitive personal data without obtaining prior written consent of the data subject.

(2) The consent under subsection (1) may be withdrawn by the data subject at any time and without any explanation or charges.

(3) The Minister may, by regulations, determine circumstances in which the prohibition to process the personal data referred to in this section cannot be removed even with the data subject’s consent.

(4) Where the data subject from whom consent is sought for the purpose of this Act, is a minor, a person of unsound mind or any other person unable to consent, such person’s consent shall be sought from his parents, guardian, heirs, attorneys or any other person recognised by law to be acting on behalf of the person whose consent is to be sought.

(5) Subsection (1) shall not apply where-

(a) the processing is necessary for compliance with other written laws;

(b) the processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is incapable of giving his consent or is not represented by his legal representative;

(c) the processing is necessary for the institution, trial or defence of legal claims;

(d) the processing relates to personal data which has apparently been made public by the data subject;

(e) the processing is necessary for the purposes of scientific research and the Commission has, by special guidelines, specified the circumstances under which such processing may be carried out; or

(f) the processing is necessary for the purposes of medical reasons in the interest of the data subject, and the sensitive personal data concerned is processed under the supervision of a health professional in accordance with the law governing such health care services.

PART V. TRANSBORDER DATA FLOW

Transfer of personal data to state with adequate personal data protection

31.-

(1) The Commission may, subject to the provisions of this Act, prohibit the transfer of personal data to a place outside the country.

(2) Personal data shall be transferred to a country that has a legal framework that provides for adequate data protection, if-

(a) the recipient establishes that the personal data is necessary for the performance of a task carried out in the public interest or pursuant to the lawful functions of a data controller; or

(b) the recipient establishes the necessity of having the data transferred and there is no reason to assume that the data subject’s legitimate interests might be prejudiced by the transfer or the processing in the recipient country.

(3) The data controller shall, notwithstanding subsection (2), be required to make a provisional evaluation of the necessity for the transfer of the personal data.

(4) The recipient shall ensure that the necessity for the transfer of the personal data can be subsequently verified.

(5) The data controller shall ensure that the recipient shall process the personal data for the purposes for which it was transferred.

Transfer of personal data to state without adequate personal data protection

32.-

(1) Personal data may be transferred to recipient states other than those referred to under section 31, if an adequate level of protection is ensured in the country of the recipient and the personal data is transferred solely to permit processing authorised to be undertaken by the controller.

(2) The adequacy of the level of protection afforded by the relevant third country shall be assessed in the light of-

(a) all the circumstances surrounding the relevant personal data transfer;

(b) nature of the personal data;

(c) the purpose and duration of the proposed processing;

(d) the recipient’s country;

(e) the relevant laws in force in the third country; and

(f) the professional rules and security measures which are complied with in that recipient’s country.

(3) The Minister shall, after consultation with Commission and by regulations, specify categories of processing for which and the circumstances in which the transfer of personal data to countries outside the United Republic is not authorised.

(4) Notwithstanding the provisions of subsection (3), a transfer of personal data to a recipient in a country outside the country or to a country which does not have adequate level of protection may take place in one of the following cases-

(a) the data subject has consented to the proposed transfer;

(b) the transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of precontractual measures taken in response to the data subject’s request;

(c) the transfer is necessary for the conclusion or performance of a contract concluded or to be concluded between the data controller and a third party in the interest of the data subject;

(d) the transfer is necessary or legally required on public interest grounds, or for the institution, trial or defence of legal claims;

(e) the transfer is necessary in order to protect the legitimate interests of the data subject; and

(f) the transfer is made in accordance with the law, and is intended to provide information to the public, and is open for consultation either by the public in general or by any person who can demonstrate a legitimate interest, to give his opinion in accordance with the conditions provided under the law.

(5) Without prejudice to the provisions of this Act, the Commission may authorise a transfer of personal data to a recipient country or any other country which does not have an adequate level of protection in its laws, if the data controller satisfies the Commission that there are adequate safeguards with respect to the protection of personal data, fundamental rights and freedoms of the data subject and the exercise of the data subject’s rights, and that such safeguards can be appropriated through adequate legal and security measures and contractual clauses in particular.

PART VI. RIGHTS OF DATA SUBJECTS

Right of Access to personal data

33.-

(1) Subject to the provisions of this Act, a data subject shall be entitled-

(a) to be informed by any data controller whether his personal data are being processed by or on behalf of that data controller;

(b) to be given by the data controller a description of-

(i) the personal data of which that individual is the data subject;

(ii) the purposes for which they are being processed; and

(iii) the recipients or classes of recipients to whom they are or may be disclosed;

(c) where the processing of personal data by automatic means for the purpose of evaluating matters relating to him has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision making.

(2) Notwithstanding the provisions of subsection (1), a data controller is not obliged to inform the data subject where the personal data-

(a) are not accurate;

(b) are involved in any investigation in accordance with the laws; or

(c) have been prohibited by court order.

Right to prevent processing likely to affect data subject

34.-

(1) Subject to subsection (2), a data subject is entitled to require a data controller through procedures prescribed in the regulations, to suspend or not to begin, processing of any personal data in respect of which he is the data subject, if the processing of such personal data is likely to cause substantial damage to him or to another person.

(2) Subsection (1) shall not apply in the exceptions provided under this Act.

Right to prevent processing of personal data for direct marketing purposes

35.-

(1) A data subject may, through the procedures prescribed in the regulations, require the data controller to stop processing his personal data for purposes of direct marketing.

(2) Subject to subsection (1), a data subject may enter into agreement with a data controller for purposes of using or processing his personal data for pecuniary benefits.

(3) In this section “direct marketing” includes the communication by whatever means of any advertising or marketing material which is directed at an individual.

Rights in relation to automated decision making

36.-

(1) A data subject may, through the procedures prescribed in the regulations, require the data controller to ensure that any decision taken by or on behalf of the data controller which significantly affects the data subject shall not be based solely on processing by automatic means.

(2) Without prejudice to subsection (1), where a decision which significantly affects a data subject is based solely on automated processing-

(a) the data controller shall, as soon as practicable, notify the data subject that the decision was taken on that basis; and

(b) the data subject may require the data controller to reconsider the decision.

(3) This section shall not apply if the decision is-

(a) necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b) authorised by any written law; or

(c) based on the data subject’s explicit consent.

Right to compensation

37.-

(1) A data subject who suffers damage by reason of any contravention of any of the requirements of this Act by a data controller or data processor shall be entitled to compensation from the data controller or data processor for that damage.

(2) The data subject whose rights have been infringed by reason of any contravention of any of the requirements of this Act shall be entitled to compensation from the data controller or data processor, if-

(a) the complainant is the affected data subject or a representative of a data subject where the data subject is a child or a person of unsound mind;

(b) the data subject’s rights have been infringed by reason of the contravention; and

(c) the damage relates to the processing of personal data in contravention of the provisions of this Act.

(3) Where the Commission is satisfied on the application of a data subject-

(a) that he has suffered damage by reason of contravention of any of the requirements of this Act by a data controller or data processor in respect of any personal data, in circumstances entitling him to compensation under this section; and

(b) that there is a substantial risk of further contravention in respect of the personal data in such circumstances,

the Commission may order the rectification, blocking, erasure or destruction of any of the personal data.

(4) The Commission may, where it makes an order under subsection (3), and where it considers it reasonable, order the data controller or data processor to notify third parties to whom the personal data have been disclosed of the rectification, blocking, erasure or destruction.

(5) In determining whether it is reasonably practicable to require the notification in subsection (4), the Commission shall have regard, in particular, to the number of persons who need to be notified.

Rectification, blocking, erasure and destruction of personal data

38.-

(1) Where the Commission is satisfied on the application of a data subject that his personal data is inaccurate, the Commission may order the data controller or data processor to rectify, block, erase, or destroy the personal data.

(2) Subsection (1) shall apply whether or not the personal data is an accurate record of information received or obtained by the data controller from the data subject or a third party.

(3) Where the personal data is not accurate record of the information, the Commission may direct the data controller or processor to correct the personal data as it considers appropriate.

(4) Where the personal data complained of has been rectified, blocked, updated, erased or destroyed under this section, the data controller or data processor shall be required to notify third parties to whom the personal data has been previously disclosed of the rectification, blocking, updating, erasure or destruction.

PART VII. INVESTIGATION OF COMPLAINTS

Complaints against violation of personal data protection principles

39.-

(1) Any person who considers that a data controller or data processor has infringed personal data protection principles may file a complaint to the Commission.

(2) Where the Commission is satisfied that there are reasonable grounds to investigate a matter under this Act, the Commission may initiate an investigation in respect thereof.

(3) A complaint made under this section shall be investigated and concluded within ninety days from the date of receipt.

(4) The Commission may, taking into account the circumstances of the complaint, extend the time provided under subsection (3) up to a period not exceeding ninety days.

Notice of investigation

40. Before commencing an investigation of a complaint under this Act, the Commission shall, in a form prescribed in the regulations, notify the data controller or data processor concerned of the substance of the complaint and intention to carry out the investigation.

Investigation confidentiality

41.-

(1) Investigation of a complaint under this Act shall be conducted confidentially.

(2) The Director General or any person acting on his behalf who receives personal data relating to any investigation under this Act or any other written law shall satisfy any security requirements by taking any oath of secrecy required to be taken by persons undertaking tasks of the similar nature.

Powers of Commission in carrying out investigations

42.-

(1) In the course of carrying out investigation of any complaint, the Commission shall have power to-

(a) summon a person before the Commission;

(b) receive and accept such evidence and other information, whether on oath or by affidavit or otherwise;

(c) enter any premises occupied by any data controller or data processor for satisfying security requirements of the premises;

(d) interrogate any person or take any device with personal data in any premises entered pursuant to paragraph (c); and

(e) examine or obtain copies of, or extracts from, books, documents or other records found in any premises entered pursuant to paragraph (c) containing any matter relevant to the investigation.

(2) In the course of an investigation of a complaint under this section, the complainant and the data controller or data processor concerned may be given an opportunity to make representations to the Commission.

(3) Notwithstanding any other written law, the Commission may examine any personal data recorded in any form held by a data controller or data processor and in doing so, no personal data shall be withheld from the Commission.

(4) Any document or articles produced pursuant to this section by data controller or data processor or any person shall be returned by the Commission within ten working days after a request is made to the Commission by the data controller or data processor or that person, but nothing in this subsection precludes the Commission from again requiring its production in accordance with this section.

Obstruction of Commission

43. A person who, in relation to the exercise of a power conferred by this Act-

(a) obstructs or impedes the Commission in the exercise of its powers;

(b) fails to provide assistance or information requested by the Commission;

(c) refuses to allow the Commission to enter any premises or to take any document or device with personal data; or

(d) gives to the Commission any information which is false or misleading;

commits an offence and shall be liable on conviction to a fine of not less than one hundred thousand shillings but not exceeding five million shillings or imprisonment to a term of not more than two years, or both.

Seeking assistance of any person or authority

44.-

(1) For the purpose of gathering information or for any investigation under this Act, the Commission may cooperate with or use any person or other authority as it considers necessary to assist the Commission in the discharge of its functions.

(2) The person or another authority that will be involved or used by the Commission under subsection (1) shall have the same power as that of the Commission in exercising investigation powers under this Act.

Enforcement notice

45.-

(1) Where the Commission is satisfied that a person has failed to comply with any provision of this Act, the Commission may serve an enforcement notice on that person requiring such person to rectify the failure within such period as may be specified in the notice.

(2) An enforcement notice served under subsection (1) shall-

(a) specify the provision of this Act which has been contravened;

(b) specify the measures to be taken to remedy or eliminate the situation that leads to such contravention;

(c) specify a period that shall not be less than twenty-one days within which such measures shall be implemented; and

(d) state any right to appeal.

Notice of penalty

46.-

(1) Where the Commission is satisfied that a person has failed or is failing to comply with the enforcement notice issued under section 45, the Commission may issue a penalty notice requiring the person to pay a fine to the Commission of an amount specified in the notice.

(2) In deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commission shall, so far as relevant, have regard to-

(a) the nature, gravity and duration of the failure;

(b) the intentional or negligent character of the failure;

(c) any action taken by the data controller or data processor to mitigate the damage suffered by data subjects including technical and organisational measures;

(d) any relevant previous failures by the data controller or data processor;

(e) the degree of co-operation with the Commission, in order to remedy the failure and mitigate the possible adverse effects of the failure;

(f) the categories of personal data affected by the failure;

(g) the manner in which the failure became known to the Commission, including whether the data controller or data processor notified the Commission of the failure;

(h) the extent to which the data controller or data processor has complied with previous enforcement notices or penalty notices;

(i) adherence to codes of ethics or terms and conditions of registration;

(j) whether the penalty would be effective; and

(k) any other aggravating or mitigating factor applicable to the case, including financial benefits gained, or losses suffered, as a result of the failure, whether directly or indirectly.

Administrative fines

47. The maximum amount of the penalty that may be imposed by the Commission in a penalty notice in relation to contravention of provisions of this Act is one hundred million shillings.

Review of decision

48.-

(1) The Commission may, upon application or on its own motion, review its decision or direction given in accordance with the provisions of this Part.

(2) After review of the decision under subsection (1), the Commission may reverse, alter or revoke its decision or direction previously issued.

Right of appeal

49. A person who is aggrieved with the administrative action taken by the Commission, including the directions given in the enforcement notice or penalty imposed in the penalty notice, may appeal to the High Court.

Payment of compensation

50.-

(1) Subject to the provisions of section 37, the Commission may, in addition to any penalty given under this Act, order a data controller or data processor who causes damages to the data subject following contraventions of any provisions of this Act to pay compensation to the data subject.

(2) Subject to subsection (1)-

(a) a data controller involved in processing of personal data shall be liable for damage caused by the processing; and

(b) a data processor involved in processing of personal data shall be liable for damage caused by the processing if the processor-

(i) has not complied with an obligation under the Act specifically directed to data processors; or

(ii) has acted contrary to the data controller’s lawful instructions.

(3) A data controller or data processor shall not be liable in the manner specified in subsection (2) if the data controller or data processor proves that he is not in any way responsible for the event that caused the damage.

(4) In this section, “damage” includes financial loss and damage not involving financial loss.

PART VIII. FINANCIAL PROVISIONS

Sources of funds of Commission

51. The funds of the Commission shall consist of-

(a) such sums of moneys as may be appropriated by the Parliament;

(b) money accruing from services, consultancy or other payments;

(c) money received from donations, gifts or subsidies;

(d) loans; and

(e) such other income as derived from performance of functions under this Act.

Financial management

52. The funds of the Commission shall be managed and administered by the Board in accordance with financial laws and shall be utilised to defray expenses in connection with performance of functions of the Commission under this Act.

Estimates of income and expenditure and financial control

53.-

(1) The Director General shall, not less than three months before the end of each financial year, prepare and submit to the Board for approval the Budget that includes the estimates of income and expenditure for the next financial year.

(2) Subject to the provision of subsection (1), the Commission shall submit a copy of the budget to the Minister for approval.

(3) The Minister may require the Commission to revise the budget if in his opinion the budget does not represent a fair and reasonable projection of income and expenditure.

Expenditure of funds

54. An expenditure shall not be incurred from the funds of Commission unless that expenditure is part of the expenditure approved by the Board under section 53(1) in respect of the financial year to which the expenditure relates.

Supplementary budget

55.-

(1) The Board may, at any time before the end of the current financial year, prepare and submit to the Minister for approval any estimates supplementary to the estimates of the current year.

(2) Without prejudice to subsection (1), the Director General may, where exigencies occur in relation to the performance of the functions of the Commission, incur expenditure not approved by the Board in which case the Director General shall, within three months following such expenditure, seek approval of the Board.

Accounts and audit

56.-

(1) The Commission shall keep books of account and maintain proper records of its operations in accordance with accounting standards.

(2) The Commission shall, within six months after the end of each financial year, prepare a report on the performance of its functions during that financial year, and one copy of such report together with a copy of the audited accounts shall be submitted to the Minister.

Cap. 286

(3) The accounts of the Commission shall be audited by the Controller and Auditor General or such other person registered as an auditor under the Auditors and Accountants (Registration) Act, appointed by the Controller and Auditor General for that purpose.

Annual reports and performance agreements

57.-

(1) The Director General shall, within two months after he has received audited accounts and auditor’s report on those accounts, submit to the Minister an annual report in respect of that year containing-

(a) a copy of the audited accounts of the Commission, together with the auditor’s report on those accounts;

(b) a report on performance against key targets and any other related information;

(c) a report on operations of the Commission during that financial year; and

(d) such other report as the Minister may require.

(2) The Minister shall lay before the National Assembly a copy of the annual report of the Commission within two months or at the next meeting of the National Assembly.

PART IX. MISCELLANEOUS PROVISIONS

Exceptions from application of provisions of this Act

58.-

(1) Nothing under this section shall exempt the data controller or the data processor from the responsibility of complying with the principles of the law in collection and processing of personal data and taking necessary measures to ensure protection and security of the personal data.

(2) Without prejudice to subsection (1), processing of personal data may be exempted from the provisions of this Act if such processing is held

(a) by the data subject for his personal use;

(b) in accordance with any law or court order;

(c) for purpose of safeguarding national safety and security and public interest;

(d) for the purpose of preventing or detecting crimes;

(e) for the purpose of detecting or preventing tax evasion;

(f) for the purpose of investigation of misappropriation of public funds;

(g) for purposes of vetting for appointment to any public service position.

(3) The Minister may prescribe other instances in which the provisions of this Act may be exempted and other provisions regarding implementation of this section.

Preservation order

59.-

(1) The Commission may apply to a court for a preservation order for the expeditious preservation of any personal data including traffic personal data, where there is reasonable ground to believe that the personal data is vulnerable to loss or modification.

(2) Where the court is satisfied under subsection (1), that an order may be made under this subsection, it shall issue a preservation order specifying a period which shall not be more than ninety days during which the order shall remain in force.

(3) The court may, on application by the Commission, extend the period specified in subsection (2) for such time as the court thinks fit.

Offences of unlawful disclosure of personal data

60.-

(1) A data controller who, without lawful excuse, discloses personal data in any manner that is incompatible with the purpose for which such personal data has been collected commits an offence.

(2) A data processor who, without lawful excuse, discloses personal data processed by the data processor without the prior authority of the data controller commits an offence.

(3) Subject to subsection (4), a person who-

(a) obtains personal data, or obtains any information constituting personal data, without prior authority of the data controller or data processor by whom the personal data is kept; or

(b) discloses personal data to third party, commits an offence.

(4) A person who offers for sale personal data of another person obtained in breach of subsection (1) commits an offence.

(5) For the purposes of subsection (4), an advertisement indicating that personal data is or may be for sale, constitutes an offer for sale of the personal data.

(6) A person who commits an offence under this section shall, upon conviction, be liable to-

(a) in the case of an individual, a fine of not less than one hundred thousand shillings but not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years or both; and

(b) in the case of a company or corporation, a fine of not less than one million shillings but not exceeding five billion shillings.

Offences of unlawful destruction, deletion, concealment or alteration of personal data

61. A person who unlawfully destroys, deletes, misleads, conceals or alters personal data commits an offence and shall, upon conviction, be liable to a fine of not less than one hundred thousand shillings but not exceeding ten million shillings or to imprisonment for a term not exceeding five years or both.

Offences by company or corporation

62. Where an offence under this Act is committed by a company or corporation, the company or corporation and every officer of the company or corporation who knowingly and willfully authorises or permits the contravention shall be liable for the offence.

General penalty

63.-

(1) Any person who contravenes a provision under this Act commits an offence and where no penalty is specifically provided, shall, upon conviction, be liable to a fine of not less than one hundred thousand shillings but not exceeding five million shillings or imprisonment for a term not exceeding five years or to both.

(2) After conviction of a person for any offence under this Act, the court may order for forfeiture of the devices containing the personal data connected with the commission of an offence.

Regulations

64.-

(1) The Minister may make regulations for giving effect to the provisions of this Act.

(2) Notwithstanding the generality of subsection (1), regulations made under this section may prescribe-

(a) instances which may be exempted from the provisions of this Act;

(b) registration procedures under this Act;

(c) functions of the data protection officer in relation to personal data protection;

(d) functions of the data controller’s representative when collecting and processing personal data on behalf of the data controller;

(e) procedures of enforcing rights under this Act;

(f) procedures for submission of complaints under this Act;

(g) conditions for processing sensitive personal data;

(h) appropriate standards relating to security of information to be met by data controllers;

(i) various fees to be imposed in respect of implementation of the provisions of this Act;

(j) procedures for retention and disposal of personal data held by data controllers;

(k) categories of processing and cases in which transborder data flow may not be allowed;

(l) anything which is necessary or proper for the better carrying out of the provisions of this Act.

Code of ethics for personal data protection

65.-

(1) Every data controller shall draw and put in place a code of ethics or policy for personal data protection which shall prescribe for ethics and conduct to be complied with during collection or processing of personal data.

(2) Such codes or policies shall be submitted to the Commission for consideration and approval.

(3) In considering the codes of ethics or policies, the Commission shall ascertain, among other things, whether the drafts submitted to it have complied with the provisions of this Act and the relevant sector and where it considers necessary, seek the views of data subjects or their representatives and consult with the data controller concerned for the purposes of undertaking necessary amendments prior to the approval.

SCHEDULE

(Made under section 8(6))

PROCEEDINGS OF THE BOARD

Tenure of appointment members

1.-

(1) The tenure of members of the Board shall be as follows:

(a) a Chairman and Vice-Chairman – four years; and

(b) other members – three years.

(2) Each member shall be eligible for reappointment for one further term and thereafter shall not be eligible for reappointment.

(3) Any member may at any time resign by giving notice in writing to the appointing authority and from the date specified in the notice or if no date is so specified, from the date of receipt of the notice by the appointing authority, he shall cease to be a member.

Cessation of members

2. A member of the Board may at any time cease from his office for the following reasons:

(a) inability to perform the functions of his office arising from infirmity of body or mind;

(b) misbehaviour or misconduct in a manner which brings or is likely to bring the Board into disrepute;

(c) absence from three consecutive meetings of the Board without notification;

(d) resigning; and

(e) death.

Absence from meetings of Board

3.-

(1) Where any member absents himself from three consecutive meetings of the Board without notification, the Board shall advise the appointing authority of the fact and the appointing authority may terminate the appointment of the member and appoint another member in his place.

(2) Where any member is by reason of illness, infirmity or absence from the United Republic unable to attend any meeting of the Board, the Minister may appoint a temporary member in his place and any such temporary member shall cease to hold office on the resumption of office of the substantive member.

Proceeding not to be invalid by reason of irregularity

4. The proceedings of the Board shall not be invalid by reason only of any defect in the appointment of any member or of the fact that any member was at the time disqualified or disentitled as such.

Meetings of Board

5.-

(1) The Board shall meet on a quarterly basis at such times and places as it deems necessary for the transaction of its business.

(2) The Chairman or, in his absence, the Vice-Chairman, may convene a special or extraordinary meeting of the Board.

(3) An ordinary meeting of the Board shall be convened by the Chairman and the notice specifying the place, date and time of the meeting shall be sent to each member not less than ten days before the date of the meeting and where the Chairman is unable to act by reason of illness or other cause or is absent from the United Republic, the Vice-Chairman may convene the meeting.

(4) The Board may act notwithstanding any vacancy in its membership.

Conflict of interest

6.-

(1) Where at any time a member of the Board has a conflict of interest in relation to-

(a) any matter before the Board for consideration or determination;

(b) any matter the Board could reasonably expect might come before it for consideration or determination, the member shall immediately disclose the conflict of interest to the other members of the Board and refrain from taking part, or taking any further part, in the consideration or determination of the matter.

(2) Where the Board becomes aware that a member has a conflict of interest in relation to any matter which is before the Board, the Board shall direct the member to refrain from taking part, or taking any further part, in the consideration or determination of the matter.

(3) A member of the Board shall be considered to have breached the provision of subparagraph (1) if-

(a) he fails without reasonable cause to make declarations of his interests as required; or

(b) he knowingly makes a declaration false or misleading in material particulars thereby affecting the decision, that person commits an offence and shall be required to resign from office.

Invitation of expert

7. The Board may invite any person who is not a member to participate in the deliberations of the Board and provide expertise as the Board may require, but such person shall not be entitled to vote.

Quorum

8. The quorum at any meeting of the Board shall be more than half of the members in the Board.

Minutes of meetings

9. Minutes of each meeting of the Board shall be kept and shall be confirmed by the Board at its next meeting.

Decision of Board

10. Decision of the Board shall be decided by majority of the vote of the members present and in the event of the equality of the vote the Chairman shall have a casting vote.

Board to regulate its own proceedings

11. Subject to the provisions of this Act, the Board shall regulate its own proceedings in relation to its meetings and discharge of its duties.

Remuneration of members

12. The members of the Board shall be paid such fees and allowances as may be determined by the relevant authority.

01May/20

Personal Information Protection Act. (PIPA), established by Act nº 10465, Mar. 29, 2011

Personal Information Protection Act. (PIPA), established by Act nº 10465, Mar. 29, 2011, amended by Act nº 11690, Mar. 23, 2013, amended by Act nº 11990, Aug. 6, 2013, amended by Act nº 12504, Mar. 24, 2014, amended by Act nº 12844, Nov. 19, 2014, amended by Act nº 13423, Jul. 24, 2015, amended by Act nº 14107, Mar. 29, 2016, amended by Act nº 14765, Apr. 18, 2017, amended by Act nº 14839, Jul. 26, 2017

CHAPTER I.- GENERAL PROVISIONS

Article 1 (Purpose)

The purpose of this Act is to provide for the processing and protection of personal information for the purposes of protecting the freedom and rights of individuals, and further realizing the dignity and value of the individuals. (Amended by Act nº 12504, Mar. 24, 2014)

Article 2 (Definitions)

The terms used in this Act shall be defined as follows: (Amended by Act nº 12504, Mar. 24, 2014)

1. The term “personal information” means information relating to a living individual that makes it possible to identify the individual by his/her full name, resident registration number, image, etc. (including information which, if not by itself, makes it possible to identify any specific individual if combined with other information);

2. The term “processing” means the collection, generation, connecting, interlocking, recording, storage, retention, value-added processing, editing, retrieval, output, correction, recovery, use, provision, and disclosure, destruction of personal information and other similar activities;

3. The term “data subject” means an individual who is identifiable by the information processed hereby to become the subject of that information;

4. The term “personal information file” means a set or sets of personal information arranged or organized in a systematic manner based on a certain rule for easy access to the personal information;

5. The term “personal information controller” means a public institution, legal person, organization, individual, etc. that processes personal information directly or indirectly to operate the personal information files for official or business purposes;

6. The term “public institution” means any of the following institutions:

(a) The administrative bodies of the National Assembly, the Courts, the Constitutional Court, and the National Election Commission; the central administrative agencies (including agencies under the Presidential Office and the Prime Minister’s Office) and their affiliated entities; and local governments;

(b) Other national agencies and public entities prescribed by Presidential Decree;

7. The term “visual data processing devices” means the devices prescribed by Presidential Decree, which are continuously installed at a certain place to take pictures of persons or images of things, or transmit such pictures or images via wired or wireless networks.

Article 3 (Principles for Protecting Personal Information)

(1) The personal information controller shall specify and make explicit the purposes for which personal information is processed; and shall collect personal information lawfully and fairly to the minimum extent necessary for such purposes.

(2) The personal information controller shall process personal information in a manner compatible with the purposes for which the personal information is processed, and shall not use it beyond such purposes.

(3) The personal information controller shall ensure personal information is accurate, complete, and up to date to the extent necessary in relation to the purposes for which the personal information is processed.

(4) The personal information controller shall manage personal information safely according to the processing methods, types, etc. of personal information, taking into account the possibility of infringement on the data subject rights and the severity of the relevant risks.

(5) The personal information controller shall make public its privacy policy and other matters related to personal information processing; and shall guarantee the data subject rights, such as the right to access their personal information.

(6) The personal information controller shall process personal information in a manner to minimize the possibility to infringe on the privacy of a data subject.

(7) The personal information controller shall endeavor to process personal information in anonymity, if possible.

(8) The personal information controller shall endeavor to obtain trust of data subjects by observing and performing such duties and responsibilities as provided for in this Act and other related statutes.

Article 4 (Rights of Data Subjects)

A data subject has the following rights in relation to the processing of his/her own personal information:

1. The right to be informed of the processing of such personal information;

2. The right to consent or not, and to elect the scope of consent, to the processing of such personal information;

3. The right to confirm the processing of such personal information, and to request access (including the provision of copies; hereinafter the same applies) to such personal information;

4. The right to suspend the processing of, and to request a correction, erasure, and destruction of such personal information;

5. The right to appropriate redress for any damage arising out of the processing of such personal information in a prompt and fair procedure.

Article 5 (Obligations of State, etc.)

(1) The State and a local government shall formulate policies to prevent harmful consequences of beyond-purpose collection, abuse and misuse of personal information, indiscreet surveillance and pursuit, etc. and to enhance the dignity of human beings and individual privacy.

(2) The State and a local government shall establish policy measures, such as improving statutes, necessary to protect the data subject rights as provided for in Article 4.

(3) The State and a local government shall respect, promote, and support self-regulating data protection activities of personal information controllers to improve irrational social practices relating to the processing of personal information.

(4) The State and a local government shall enact or amend any statutes or municipal ordinances in conformity with the purpose of this Act.

Article 6 (Relationship to other Acts)

The protection of personal information shall be governed by this Act, except as otherwise specifically provided for in other Acts. (Amended by Act nº 12504, Mar. 24, 2014)

CHAPTER II.- ESTABLISHMENT OF PERSONAL INFORMATION PROTECTION POLICIES, ETC.

Article 7 (Personal Information Protection Commission)

(1) The Personal Information Protection Commission (hereinafter referred to as the “Protection Commission”) shall be established under the Presidential Office to deliberate and resolve on matters relating to the protection of personal information. The Protection Commission shall independently conduct functions belonging to its authority.

(2) The Protection Commission shall be comprised of not more than 15 Commissioners, including one Chairperson and one Standing Commissioner, who shall be a public official in political service.

(3) The Chairperson shall be commissioned by the President from among non-public official Commissioners.

(4) The Commissioners shall be appointed or commissioned by the President from among the following persons. In this case, five Commissioners shall be appointed or commissioned from among the candidates elected by the National Assembly, and other five Commissioners from among the candidates designated by the Chief Justice of the Supreme Court:

1. Persons recommended by the civil society organizations or consumer groups related to the protection of personal information;

2. Persons recommended by the trade associations comprised of personal information controllers;

3. Other persons who have abundant academic knowledge and experience related to personal information.

(5) The term of office for the Chairperson and Commissioners shall be three years, renewable for only one further term.

(6) Meetings of the Protection Commission shall be convened by the Chairperson when the Chairperson deems it necessary or not less than 1/4 of the Commissioners demand it.

(7) The resolution of a meeting of the Protection Commission shall be made by the affirmative votes of a majority of present Commissioners if not less than 1/2 of the Commissioners are present at the meeting.

(8) A secretariat shall be established within the Protection Commission to support the administration of the Protection Commission.

(9) Except as otherwise expressly provided for in paragraphs (1) through (8), matters necessary for the organizational structure and operation of the Protection Commission shall be prescribed by Presidential Decree.

Article 8 (Functions, etc. of Protection Commission)

(1) The Protection Commission shall deliberate and resolve on the following matters: (Amended by Act nº 13423, Jul. 24, 2015)

1. Matters concerning the assessment of data breach incident factors under Article 8-2;

1-2. Matters concerning the establishment of the Master Plan referred to in Article 9 and the Implementation Plans referred to in Article 10;

2. Matters concerning the improvement of policies, systems, and statutes;

3. Matters concerning the coordination of positions taken by public institutions with respect to the processing of personal information;

4. Matters concerning the interpretation and operation of statutes related to the protection of personal information;

5. Matters concerning the use and provision of personal information under Article 18 (2) 5;

6. Matters concerning the results of the privacy impact assessment under Article 33 (3);

7. Matters concerning the presentation of opinions under Article 61 (1);

8. Matters concerning recommendation on measures under Article 64 (4);

9. Matters concerning the publication of processing results under Article 66;

10. Matters concerning the preparation and submission of annual reports under Article 67 (1);

11. Matters referred to a meeting by the President, the Chairperson of the Commission, or at least two Commissioners of the Protection Commission with respect to the protection of personal information;

12. Other matters on which the Protection Commission deliberates or resolves pursuant to this Act or other statutes.

(2) The Protection Commission may take the following measures if necessary to deliberate and resolve on the matters provided for in paragraph (1): (Amended by Act nº 13423, Jul. 24, 2015)

1. Listening to the opinions of relevant public officials, specialists in data protection, civic organizations and related business operators;

2. Request of relevant materials from the relevant agencies or inquiry of facts.

(3) The relevant agencies in receipt of a request made under paragraph (2) 2, shall comply with the request, except in extenuating circumstances. (Inserted by Act nº 13423, Jul. 24, 2015)

(4) Upon deliberating and resolving on the matters provided for in paragraph (1) 2, the Protection Commission may advise the improvement of such matters to the relevant agency. (Inserted by Act nº 13423, Jul. 24, 2015)

(5) The Protection Commission may inspect whether its advice given under paragraph (4) has been implemented or not. (Inserted by Act nº 13423, Jul. 24, 2015)

Article 8-2 (Assessment of Data Breach Incident Factors)

(1) The head of a central administrative agency shall request the Protection Commission to assess data breach incident factors where the policy or system in need of personal information processing is adopted or changed by the enactment or amendment of any statute under his/her jurisdiction.

(2) Upon receipt of a request made pursuant to paragraph (1), the Protection Commission may advise the head of the relevant agency of the matters necessary to improve the relevant statute by analyzing and reviewing the data breach incident factors of such statute.

(3) Necessary matters concerning the procedure and method to assess the data breach incident factors under paragraph (1) shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 13423, Jul. 24, 2015)

Article 9 (Master Plan)

(1) The Protection Commission shall establish a Master Plan to protect personal information (hereinafter referred to as a “Master Plan”) every three years in consultation with the heads of relevant central administrative agencies to ensure the protection of personal information and the rights and interests of data subjects.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015)

(2) The Master Plan shall include the following:

1. Basic goals and intended directions of the protection of personal information;

2. Improvement of systems and statutes related to the protection of personal information;

3. Measures to prevent personal information breaches;

4. How to vitalize self-regulation to protect personal information;

5. How to promote education and public relations to protect personal information;

6. Training of specialists in the protection of personal information;

7. Other matters necessary to protect personal information.

(3) The National Assembly, the Court, the Constitutional Court, and the National Election Commission may establish and implement its own Master Plan to protect personal information of relevant institutions, including affiliated entities.

Article 10 (Implementation Plan)

(1) The head of a central administrative agency shall establish an implementation plan to protect personal information each year in accordance with the Master Plan and submit it to the Protection Commission, and shall execute the implementation plan subject to the deliberation and resolution of the Protection Commission.

(2) Matters necessary for the establishment and execution of the implementation plan shall be prescribed by Presidential Decree.

Article 11 (Request for Materials, etc.)

(1) To efficiently establish the Master Plan, the Protection Commission may request materials or opinions regarding the status of regulatory compliance, personal information management, etc. by personal information controllers from personal information controllers, the heads of related central administrative agencies, the heads of local governments and related organizations or associations, etc. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015)

(2) The Minister of the Interior and Safety may survey the level and status of personal information protection toward personal information controllers, the heads of related central administrative agencies, the heads of local governments and related organizations or associations, etc., if necessary to promote personal information protection policies, to assess outcomes of such policies, etc. (Inserted by Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

(3) To efficiently establish and promote implementation plans, the head of a central administrative agency may request the materials referred to in paragraph (1) in the fields under his/her jurisdiction from personal information controllers. (Amended by Act nº 13423, Jul. 24, 2015)

(4) Any person in receipt of a request to furnish the materials under paragraphs (1) through (3) shall comply with the request except in extenuating circumstances.  (Amended by Act nº 13423, Jul. 24, 2015)

(5) The scope and method to furnish the materials under paragraphs (1) through (3) and other necessary matters shall be prescribed by Presidential Decree.  (Amended by Act nº 13423, Jul. 24, 2015)

Article 12 (Personal Information Protection Guidelines)

(1) The Minister of the Interior and Safety may establish the Standard Personal Information Protection Guidelines (hereinafter referred to as the “Standard Guidelines”) regarding the personal information processing standard; types of personal information breaches; preventive measures, etc.; and may encourage personal information controllers to comply with the Standard Guidelines.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The head of a central administrative agency may establish the personal information protection guidelines regarding the personal information processing in the fields under his/her jurisdiction in accordance with the Standard Guidelines; and may encourage personal information controllers to comply with such guidelines.

(3) The National Assembly, the Court, the Constitutional Court, and the National Election Commission may establish and implement its own or its affiliated entities’ personal information protection guidelines.

Article 13 (Promotion and Support of Self-Regulation)

The Minister of the Interior and Safety shall establish policies necessary for the following matters to promote and support self-regulating data protection activities of personal information controllers: (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. Education and public relations concerning protecting personal information;

2. Promoting and supporting agencies and organizations related to the protection of personal information;

3. Introducing and facilitating the ePRIVACY Mark system;

4. Assisting personal information controllers in establishing and implementing self-regulatory rules;

5. Other matters necessary to support the self-regulating data protection activities of personal information controllers.

Article 14 (International Cooperation)

(1) The Government shall establish policy measures necessary to enhance the personal information protection standard in the international environment.

(2) The Government shall establish relevant policy measures so that the rights of data subjects may not be infringed on owing to the cross-border transfer of personal information.

CHAPTER III.- PROCESSING OF PERSONAL INFORMATION

SECTION 1.- Collection, Use, Provision, etc. of Personal Information

Article 15 (Collection and Use of Personal Information)

(1) A personal information controller may collect personal information in any of the following circumstances, and use it within the scope of the purpose of collection:

1. Where the consent is obtained from a data subject;

2. Where special provisions exist in laws or it is inevitable to observe legal obligations;

3. Where it is inevitable so that a public institution may perform the duties under its jurisdiction as prescribed by statutes, etc.;

4. Where it is inevitably necessary to execute and perform a contract with a data subject;

5. Where it is deemed explicitly necessary for protecting, from impending danger, the life, body or economic profits of a data subject or a third party, in a case where the data subject or his/her legal representative is not in a position to express intention, or prior consent cannot be obtained owing to an unknown address;

6. Where it is necessary to attain the justifiable interest of a personal information controller, which is explicitly superior to that of a data subject. In this case, it is allowed only when substantial relation exists with the justifiable interest of the personal information controller and it does not go beyond the reasonable scope.

(2) A personal information controller shall inform a data subject of the following matters when it obtains the consent under paragraph (1) 1. The same shall apply when any of the following is modified.

1. The purpose of the collection and use of personal information;

2. Particulars of personal information to be collected;

3. The period for retaining and using personal information;

4. The fact that the data subject is entitled to deny consent, and any disadvantage resulting from the denial of consent.

Article 16 (Limitation to Collection of Personal Information)

(1) A personal information controller shall collect the minimum personal information necessary to attain the purpose in the case applicable to Article 15 (1). In this case, the burden of proof that the minimum personal information is collected shall be borne by the personal information controller.

(2) When collecting personal information with the consent of the data subject, a personal information controller shall concretely inform the data subject of the fact that he/she may deny consent to the collection of personal information other than the minimum information necessary.  (Inserted by Act nº 11990, Aug. 6, 2013)

(3) A personal information controller shall not deny the provision of goods or services to a data subject on the ground that the data subject would not consent to the collection of personal information exceeding the minimum requirement.  (Amended by Act nº 11990, Aug. 6, 2013)

Article 17 (Provision of Personal Information)

(1) A personal information controller may provide (or share; hereinafter the same shall apply) the personal information of a data subject to a third party in any of the following circumstances:

1. Where the consent is obtained from the data subject;

2. Where the personal information is provided within the scope of purposes for which it is collected pursuant to Article 15 (1) 2, 3, and 5.

(2) A personal information controller shall inform a data subject of the following matters when it obtains the consent under paragraph (1) 1. The same shall apply when any of the following is modified:

1. The recipient of personal information;

2. The purpose for which the recipient of personal information uses such information;

3. Particulars of personal information to be provided;

4. The period for which the recipient retains and uses personal information;

5. The fact that the data subject is entitled to deny consent, and any disadvantage resulting from the denial of consent.

(3) A personal information controller shall inform a data subject of the matters provided for in paragraph (2), and obtain the consent from the data subject in order to provide personal information to a third party overseas; and shall not enter into a contract for the cross-border transfer of personal information in violation of this Act.

Article 18 (Limitation to Out-of-Purpose Use and Provision of Personal Information)

(1) A personal information controller shall not use personal information beyond the scope provided for in Article 15 (1), or provide it to any third party beyond the scope provided for in Article 17 (1) and (3).

(2) Notwithstanding paragraph (1), where any of the following subparagraphs applies, a personal information controller may use personal information or provide it to a third party for a purpose other than the intended one, unless it is likely to unfairly infringe on the interest of a data subject or third party: Provided, That subparagraphs 5 through 9 are applicable only to public institutions:

1. Where additional consent is obtained from the data subject;

2. Where special provisions exist in other laws;

3. Where it is deemed necessary explicitly for protecting, from impending danger, life, body or economic profits of the data subject or third party where the data subject or his/her legal representative is not in a position to express his/her intention, or prior consent cannot be obtained owing to unknown addresses;

4. Where personal information is provided in a manner keeping a specific individual unidentifiable necessarily for such purposes as compiling statistics or academic research;

5. Where it is impossible to perform the duties under its jurisdiction as provided for in any Act, unless the personal information controller uses personal information for other purpose than the intended one, or provides it to a third party, and it is subject to the deliberation and resolution by the Commission;

6. Where it is necessary for providing personal information to a foreign government or international organization to perform a treaty or other international convention;

7. Where it is necessary for the investigation of a crime, indictment and prosecution;

8. Where it is necessary for the court to proceed with the case;

9. Where it is necessary for punishment, probation and custody.

(3) A personal information controller shall inform the data subject of the following matters when it obtains the consent under paragraph (2) 1. The same shall apply when any of the following is modified.

1. The recipient of personal information;

2. The purpose of use of personal information (where personal information is provided, it means the purpose of use by the recipient);

3. Particulars of personal information to be used or provided;

4. The period for retaining and using personal information (where personal information is provided, it means the period for retention and use by the recipient);

5. The fact that the data subject is entitled to deny consent, and any disadvantage resulting from the denial of consent.

(4) Where a public institution uses personal information, or provides it to a third party under paragraph (2) 2 through 6, 8, and 9 for a purpose other than the intended one, the public institution shall post the legal grounds for such use or provision, the purpose and scope, and other necessary matters in the Official Gazette or on its website, as prescribed by Ordinance of the Ministry of the Interior and Safety.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(5) Where a personal information controller provides personal information to a third party for other purpose than the intended one in any case provided for in paragraph (2), the personal information controller shall request the recipient of the personal information to limit the purpose and method of use and other necessary matters, or to prepare necessary safeguards to ensure the safety of the personal information. In such cases, the person in receipt of such request shall take necessary measures to ensure the safety of the personal information.

Article 19 (Limitation to Use and Provision of Personal Information on Part of Its Recipients)

A person who receives personal information from a personal information controller shall not use the personal information, or provide it to a third party, for any purpose other than the intended one, except in the following circumstances:

1. Where additional consent is obtained from the data subject;

2. Where special provisions exist in other laws.

Article 20 (Notification on Sources, etc. of Personal Information Collected from Third Parties)

(1) When a personal information controller processes personal information collected from third parties, the personal information controller shall immediately notify the data subject of the following matters at the request of such data subject:

1. The source of collected personal information;

2. The purpose of processing personal information;

3. The fact that the data subject is entitled to demand suspension of processing personal information.

(2) Notwithstanding paragraph (1), when a personal information controller satisfying the criteria prescribed by Presidential Decree taking into account the types and amount of processed personal information, number of employees, amount of sales, etc., collects personal information from third parties and processes upon obtaining consent as provided for in Article 17 (1) 1, the personal information controller shall notify the data subject of the matters referred to in paragraph (1): Provided, That this shall not apply where the information collected by the personal information controller does not contain any personal information, such as contact information, through which the notification can be given to the data subject.  (Inserted by Act nº 14107, Mar. 29, 2016)

(3) Necessary matters in relation to the timing, method, and procedure of giving notification to the data subject pursuant to the main sentence of paragraph (2), shall be prescribed by Presidential Decree.  (Inserted by Act nº 14107, Mar. 29, 2016)

(4) Paragraph (1) and the main sentence of paragraph (2) shall not apply in any of the following circumstances: Provided, That this applies only where the interest in question is explicitly superior to the rights of data subjects under this Act: (Amended by Act nº 14107, Mar. 29, 2016)

1. Where personal information, which is subject to a notification request, is included in the personal information files referred to in Article 32 (2);

2. Where such notification is likely to cause harm to the life or body of any other person, or unfairly damages the property and other profits of any other person.

Article 21 (Destruction of Personal Information)

(1) A personal information controller shall destroy personal information without delay when the personal information becomes unnecessary owing to the expiry of the retention period, attainment of the purpose of processing the personal information, etc.: Provided, That this shall not apply where the retention of such personal information is mandatory by other statutes.

(2) When a personal information controller destroys personal information pursuant to paragraph (1), necessary measures to block recovery and revival shall be taken.

(3) Where a personal information controller is obliged to retain, rather than destroy, personal information pursuant to the proviso to paragraph (1), the relevant personal information or personal information files shall be stored and managed separately from other personal information.

(4) Other necessary matters, such as the methods to destroy personal information and its destruction process, shall be prescribed by Presidential Decree.

Article 22 (Methods of Obtaining Consent)

(1) To obtain the consent of a data subject (including his/her legal representative as stated in paragraph (6): hereafter in this Article the same applies) to the processing of his/her personal information pursuant to this Act, a personal information controller shall present the request for consent to the data subject in an explicitly recognizable manner which distinguishes matters requiring consent from the other matters, and obtain his/her consent thereto, respectively.  (Amended by Act nº 14765, Apr. 18, 2017)

(2) To obtain the consent referred to in paragraph (1) in writing (including an electronic document defined in subparagraph 1 of Article 2 of the Framework Act on Electronic Documents and Transactions), a personal information controller shall state the significant matters prescribed by Presidential Decree, such as the purpose of collecting and using personal information and the particulars of the personal information that he/she intends to collect and use, as prescribed by Ordinance of the Ministry of the Interior and Safety, in an explicit and easily recognizable manner.  (Inserted by Act nº 14765, Apr. 18, 2017; Act nº 14839, Jul. 26, 2017)

(3) To obtain the consent of a data subject to the processing of his/her personal information pursuant to Articles 15 (1) 1, 17 (1) 1, 23 (1) 1, and 24 (1) 1, a personal information controller shall distinguish personal information that requires the data subject’s consent to processing, from the personal information that requires no consent in executing a contract with the data subject. In such cases, the burden of proof that no consent is required in processing the personal information shall be borne by the personal information controller.  (Amended by Act nº 14107, Mar. 29, 2016; Act nº 14765, Apr. 18, 2017)

(4) To obtain the consent of a data subject to the processing of his/her personal information in order to promote goods or services or solicit purchase thereof, a personal information controller shall notify the data subject of the fact in an explicitly recognizable manner, and obtain his/her consent thereto.  (Amended by Act nº 14765, Apr. 18, 2017)

(5) A personal information controller shall not deny the provision of goods or services to a data subject on the ground that the data subject would not consent to a matter eligible for selective consent pursuant to paragraph (3), or would not consent pursuant to paragraph (4) and Article 18 (2) 1.  (Amended by Act nº 14765, Apr. 18, 2017)

(6) When it is required to obtain consent pursuant to this Act to process personal information of a child under 14 years of age, a personal information controller shall obtain the consent of his/her legal representative. In such cases, minimum personal information necessary to obtain the consent of the legal representative may be collected directly from such child without the consent of his/her legal representative.  (Amended by Act nº 14765, Apr. 18, 2017)

(7) Except as otherwise expressly provided for in paragraphs (1) through (6), other matters necessary in relation to detailed methods to obtain the consent of data subjects and the minimum information referred to in paragraph (6) shall be prescribed by Presidential Decree, in consideration of the collection media of personal information.  (Amended by Act nº 14765, Apr. 18, 2017)

SECTION 2.- Limitation to Processing of Personal Information

Article 23 (Limitation to Processing of Sensitive Information)

(1) A personal information controller shall not process any information prescribed by Presidential Decree (hereinafter referred to as “sensitive information”), including ideology, belief, admission to or withdrawal from a trade union or political party, political opinions, health, sexual life, and other personal information that is likely to noticeably threaten the privacy of any data subject: Provided, That this shall not apply in any of the following circumstances:  (Amended by Act nº 14107, Mar. 29, 2016)

1. Where the personal information controller informs the data subject of the matters provided for in Article 15 (2) or 17 (2), and obtains the consent of the data subject apart from the consent to the processing of other personal information;

2. Where other statutes require or permit the processing of sensitive information.

(2) Where a personal information controller processes sensitive information pursuant to paragraph (1), the personal information controller shall take measures necessary to ensure safety pursuant to Article 29 so that the sensitive information may not be lost, stolen, divulged, forged, altered, or damaged.  (Inserted by Act nº 14107, Mar. 29, 2016)

Article 24 (Limitation to Processing of Personally Identifiable Information)

(1) A personal information controller shall not process any information prescribed by Presidential Decree that can be used to identify an individual in accordance with statutes (hereinafter referred to as “personally identifiable information”), except in any of the following cases:

1. Where the personal information controller informs a data subject of the matters provided for in Article 15 (2) or 17 (2), and obtains the consent of the data subject apart from the consent to the processing of other personal information;

2. Where other statutes require or permit the processing of personally identifiable information in a concrete manner.

(2) Deleted.  (Act nº 11990, Aug. 6, 2013)

(3) Where a personal information controller processes personally identifiable information pursuant to paragraph (1), the personal information controller shall take measures necessary to ensure safety, including encryption, as prescribed by Presidential Decree, so that the personally identifiable information may not be lost, stolen, divulged, forged, altered, or damaged.  (Amended by Act nº 13423, Jul. 24, 2015)

(4) The Minister of the Interior and Safety shall regularly inspect whether a personal information controller meeting the criteria prescribed by Presidential Decree based on the types and amount of processed personal information, number of employees, amount of sales, etc., has taken the measures necessary to ensure safety pursuant to paragraph (3), as prescribed by Presidential Decree.  (Inserted by Act nº 14107, Mar. 29, 2016; Act nº 14839, Jul. 26, 2017)

(5) The Minister of the Interior and Safety may authorize specialized institutions prescribed by Presidential Decree to conduct the inspection referred to in paragraph (4).  (Inserted by Act nº 14107, Mar. 29, 2016; Act nº 14839, Jul. 26, 2017)

Article 24-2 (Limitation to Processing of Resident Registration Numbers)

(1) Notwithstanding Article 24 (1), a personal information controller shall not process any resident registration number, except in any of the following cases: (Amended by Act nº 14107, Mar. 29, 2016; Act nº 14839, Jul. 26, 2017)

1. Where any Act, Presidential Decree, National Assembly Regulations, Supreme Court Regulations, Constitutional Court Regulations, National Election Commission Regulations, or Board of Audit and Inspection Regulations require or permit the processing of resident registration numbers in a concrete manner;

2. Where it is deemed explicitly necessary for protecting, from impending danger, life, body and property of a data subject or a third party;

3. Where it is inevitable to process resident registration numbers in line with subparagraphs 1 and 2 in circumstances prescribed by Ordinance of the Ministry of the Interior and Safety.

(2) Notwithstanding Article 24 (3), a personal information controller shall retain resident registration numbers in safety by means of encryption so that the resident registration numbers may not be lost, stolen, divulged, forged, altered, or damaged. In such cases, any necessary matters in relation to the scope of encryption objects, encryption timing by object, etc. shall be prescribed by Presidential Decree, based on the amount of personal information processed, data breach impact, etc.  (Inserted by Act nº 12504, Mar. 24, 2014; Act nº 13423, Jul. 24, 2015)

(3) A personal information controller shall provide data subjects with an alternative sign-up tool without using their resident registration numbers in the stage of being admitted to membership via the website while processing the resident registration numbers pursuant to paragraph (1).

(4) The Minister of the Interior and Safety may prepare and support measures, such as legislative arrangements, policy-making, necessary facilities, and system build-up to assist a personal information controller in providing the methods referred to in paragraph (3).  (Amended by Act nº 12504, Mar. 24, 2014; Act nº 14839, Jul. 26, 2017)

(Article Inserted by Act nº 11990, Aug. 6, 2013)

Article 25 (Limitation to Installation and Operation of Visual Data Processing Devices)

(1) No one shall install and operate any visual data processing device at open places, except in any of the following circumstances:

1. Where statutes allow it in a concrete manner;

2. Where it is necessary for the prevention and investigation of crimes;

3. Where it is necessary for the safety of facilities and prevention of fire;

4. Where it is necessary for regulatory control of traffic;

5. Where it is necessary for the collection, analysis, and provision of traffic information.

(2) No one shall install and operate any visual data processing device so as to look into places that are likely to noticeably threaten individual privacy, such as a bathroom, restroom, sauna, or dressing room used by many unspecified persons: Provided, That the same shall not apply to the facilities prescribed by Presidential Decree, which detain or protect persons in accordance with statutes, such as correctional facilities and mental health care centers.

(3) The head of a public institution who intends to install and operate visual data processing devices pursuant to paragraph (1), and a person who intends to install and operate visual data processing devices pursuant to the proviso to paragraph (2), shall gather the opinions of relevant specialists and interested persons through the formalities prescribed by Presidential Decree, such as public hearings and information sessions.

(4) A person who intends to install and operate visual data processing devices pursuant to paragraph (1) (hereinafter referred to as “VDPD operator”) shall take necessary measures including posting on a signboard the following matters, so that data subjects may recognize such devices with ease: Provided, That this shall not apply to military installations defined in subparagraph 2 of Article 2 of the Protection of Military Bases and Installations Act, important national facilities defined in subparagraph 13 of Article 2 of the United Defense Act, and other facilities prescribed by Presidential Decree:  (Amended by Act nº 14107, Mar. 29, 2016)

1. The purpose and place of installation;

2. The scope and hours of photographing;

3. The name and contact information of the person in charge of its management;

4. Other matters prescribed by Presidential Decree.

(5) A VDPD operator shall not handle arbitrarily the visual data processing devices for other purposes than the initial one; direct the said devices toward different spots; nor use sound recording functions.

(6) Every VDPD operator shall take measures necessary to ensure safety pursuant to Article 29 so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged.  (Amended by Act nº 13423, Jul. 24, 2015)

(7) Every VDPD operator shall establish an appropriate policy to operate and manage the visual data processing devices, as prescribed by Presidential Decree. In this case, he/she may be exempted from preparing the Privacy Policy pursuant to Article 30.

(8) A VDPD operator may outsource the installation and operation of visual data processing devices to a third party: Provided, That the public institutions shall comply with the procedures and requirements prescribed by Presidential Decree when outsourcing the installation and operation of visual data processing devices to a third party.

Article 26 (Limitation to Personal Information Processing Subsequent to Outsourcing of Work)

(1) A personal information controller shall undergo paper-based formalities stating the following when outsourcing personal information processing to a third party:

1. Prevention of personal information processing for other purposes than the outsourced purpose;

2. Technical and managerial safeguards of personal information;

3. Other matters prescribed by Presidential Decree to manage personal information safely.

(2) A personal information controller that outsources personal information processing pursuant to paragraph (1) (hereinafter referred to as “outsourcer”) shall disclose the details of the outsourced work and the entity that processes personal information (hereinafter referred to as “outsourcee”) under an outsourcing contract in the manner prescribed by Presidential Decree so that data subjects may recognize it with ease at any time.

(3) The outsourcer shall, in case of outsourcing the promotion of goods or services, or soliciting of sales thereof, notify data subjects of the outsourced work and the outsourcee in the manners prescribed by Presidential Decree. The same shall apply where the outsourced work or the outsourcee has been changed.

(4) The outsourcer shall educate the outsourcee so that personal information of data subjects may not be lost, stolen, leaked, forged, altered, or damaged owing to the outsourcing of work, and supervise how the outsourcee processes such personal information safely by inspecting the status of processing, etc., as prescribed by Presidential Decree.  (Amended by Act nº 13423, Jul. 24, 2015)

(5) An outsourcee shall not use any personal information beyond the scope of the work outsourced by the personal information controller, nor provide personal information to a third party.

(6) With respect to the compensation of damage arising out of the processing of personal information outsourced to an outsourcee in violation of this Act, the outsourcee shall be deemed an employee of the personal information controller.

(7) Articles 15 through 25, 27 through 31, 33 through 38, and 59 shall apply mutatis mutandis to outsourcees.

Article 27 (Limitation to Transfer of Personal Information following Business Transfer, etc.)

(1) A personal information controller shall notify in advance the data subjects of the following matters in the manner prescribed by Presidential Decree in the case of transfer of personal information to a third party owing to the transfer of some or all of his/her business, a merger, etc.:

1. The fact that the personal information will be transferred;

2. The name (referring to the company name in case of a legal person), address, telephone number and other contact information of the recipient of the personal information (hereinafter referred to as “business transferee”);

3. The method and procedure to withdraw the consent if the data subject would not want the transfer of his/her personal information.

(2) Upon receiving personal information, the business transferee shall, without delay, notify data subjects of the fact in the manner prescribed by Presidential Decree: Provided, That this shall not apply where the personal information controller has already notified the data subjects of the fact of such transfer pursuant to paragraph (1).

(3) Upon receiving personal information owing to business transfer, a merger, etc., the business transferee may use, or provide a third party with, the personal information only for the initial purpose prior to transfer. In this case, the business transferee shall be deemed the personal information controller.

Article 28 (Supervision of Personal Information Handlers)

(1) While processing personal information, a personal information controller shall exercise appropriate control and supervision over the persons who process the personal information under his/her command and supervision, such as an officer or employee, temporary agency worker and part-time worker (hereinafter referred to as “personal information handler”), to ensure the safe management of the personal information.

(2) A personal information controller shall provide personal information handlers with necessary educational programs on a regular basis in order to ensure the appropriate handling of personal information.

CHAPTER IV SAFEGUARD OF PERSONAL INFORMATION

Article 29 (Duty of Safeguards)

Every personal information controller shall take such technical, managerial, and physical measures as establishing an internal management plan and preserving log-on records, etc. that are necessary to ensure safety as prescribed by Presidential Decree so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged.  (Amended by Act nº 13423, Jul. 24, 2015)

Article 30 (Establishment and Disclosure of Privacy Policy)

(1) Every personal information controller shall establish the personal information processing policy including the following matters (hereinafter referred to as “Privacy Policy”). In such cases, public institutions shall establish the Privacy Policy for the personal information files to be registered pursuant to Article 32: (Amended by Act nº 14107, Mar. 29, 2016)

1. The purposes for which personal information is processed;

2. The period for processing and retaining personal information;

3. Providing personal information to a third party (if applicable);

4. Outsourcing personal information processing (if applicable);

5. The rights and obligations of data subjects and legal representatives, and how to exercise the rights;

6. Contact information, such as the name of the privacy officer designated under Article 31 or the name, telephone number, etc. of the department which performs the duties related to personal information protection and handles related grievances;

7. Installation and operation of a tool that automatically collects personal information, including Internet access data files, and how to refuse it (if applicable);

8. Other matters prescribed by Presidential Decree regarding the processing of personal information.

(2) Upon establishing or modifying the Privacy Policy, every personal information controller shall disclose the Privacy Policy in the way prescribed by Presidential Decree so that data subjects may recognize it with ease.

(3) Where there exist discrepancies between the Privacy Policy and the agreement executed by and between the personal information controller and data subjects, what is beneficial to the data subjects prevails.

(4) The Minister of the Interior and Safety may formulate the Privacy Policy Guidelines and encourage personal information controllers to comply with such Guidelines.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 31 (Designation of Privacy Officers)

(1) A personal information controller shall designate a privacy officer who comprehensively takes charge of personal information processing.

(2) Every privacy officer shall perform the following functions:

1. To establish and implement a personal information protection plan;

2. To conduct a regular survey of the status and practices of personal information processing, and to improve shortcomings;

3. To handle grievances and provide remedies for damage in relation to personal information processing;

4. To build the internal control system to prevent the divulgence, abuse, and misuse of personal information;

5. To prepare and implement an education program about personal information protection;

6. To protect, control, and manage the personal information files;

7. Other functions prescribed by Presidential Decree for the appropriate processing of personal information.

(3) In performing the functions provided for in paragraph (2), every privacy officer may inspect the status of personal information processing and systems frequently, if necessary, and may request a report thereon from the relevant parties.

(4) Where a privacy officer becomes aware of any violation of this Act or other relevant statutes in relation to the protection of personal information, the privacy officer shall take corrective measures immediately, and shall report such corrective measures to the head of the institution or organization to which he/she belongs, if necessary.

(5) A personal information controller shall not cause the privacy officer to suffer any disadvantage, without justifiable grounds, for performing the functions provided for in paragraph (2).

(6) The requirements for designation as privacy officers, functions, qualifications, and other necessary matters, shall be prescribed by Presidential Decree.

Article 32 (Registration and Disclosure of Personal Information Files)

(1) When operating personal information files, the head of a public institution shall register the following matters with the Minister of the Interior and Safety. The same shall also apply where the registered matters are modified.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. The titles of the personal information files;

2. The grounds and purposes for operating the personal information files;

3. Particulars of personal information recorded in the personal information files;

4. The method of processing personal information;

5. The period for retaining personal information;

6. The recipient of personal information, if it is provided routinely or repetitively;

7. Other matters prescribed by Presidential Decree.

(2) Paragraph (1) shall not apply to any of the following personal information files:

1. Personal information files that record matters relating to national security, diplomatic secrets, and other grave national interests;

2. Personal information files that record the investigation of crimes, indictment and prosecution, punishment, and probation and custody, corrective orders, protective orders, security observation orders, and immigration;

3. Personal information files that record the investigations of violations of the Punishment of Tax Offenses Act and the Customs Act;

4. Personal information files exclusively used for internal job performance of public institutions;

5. Classified personal information files pursuant to other statutes.

(3) If necessary, the Minister of the Interior and Safety may review the registration and content of the personal information files referred to in paragraph (1), and advise the head of the relevant public institution to make improvements.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) The Minister of the Interior and Safety shall make public the status of personal information files registered under paragraph (1) so that anyone may access them with ease.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(5) Necessary matters regarding the registration referred to in paragraph (1), the method, scope, and procedure of public disclosure referred to in paragraph (4), shall be prescribed by Presidential Decree.

(6) The registration and public disclosure of the personal information files retained by the National Assembly, the Court, the Constitutional Court and the National Election Commission (including their affiliated entities) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, and the National Election Commission Regulations.

Article 32-2 (Certification of Personal Information Protection)

(1) The Minister of the Interior and Safety may certify whether the data processing and other data protection-related activities of a personal information controller abide by this Act, etc.  (Amended by Act nº 14839, Jul. 26, 2017)

(2) The certification provided for in paragraph (1) shall be effective for three years.

(3) In any of the following cases, the Minister of the Interior and Safety may revoke the certification granted under paragraph (1), as prescribed by Presidential Decree: Provided, That it shall be revoked in cases falling under subparagraph 1: (Amended by Act nº 14839, Jul. 26, 2017)

1. Where personal information protection has been certified by fraud or other unjust means;

2. Where follow-up management provided for in paragraph (4) has been denied or obstructed;

3. Where the certification criteria provided for in paragraph (8) have not been satisfied;

4. Where personal information protection-related statutes are breached seriously.

(4) The Minister of the Interior and Safety shall conduct follow-up management at least once annually to maintain the effectiveness of the certification of personal information protection.  (Amended by Act nº 14839, Jul. 26, 2017)

(5) The Minister of the Interior and Safety may authorize the specialized institutions prescribed by Presidential Decree to perform the duties related to certification under paragraph (1), revocation of certification under paragraph (3), follow-up management under paragraph (4), and management of certification examiners under paragraph (7).  (Amended by Act nº 14839, Jul. 26, 2017)

(6) Any person who has obtained certification pursuant to paragraph (1) may indicate or publicize the certification, as prescribed by Presidential Decree.

(7) Qualifications of certification examiners who conduct the certification examination pursuant to paragraph (1), grounds for disqualification, and other relevant matters, shall be prescribed by Presidential Decree based on specialty, career, and other necessary matters.

(8) Other matters necessary for the certification criteria, method, procedure, etc. subject to paragraph (1), including whether the personal information management system, guarantee of data subjects’ rights, and safeguards are consistent with this Act, shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 13423, Jul. 24, 2015)

Article 33 (Privacy Impact Assessment)

(1) In the case of a probable breach of personal information of data subjects arising out of the operation of personal information files meeting the criteria prescribed by Presidential Decree, the head of a public institution shall conduct an assessment to analyze and improve risk factors (hereinafter referred to as “privacy impact assessment”), and submit the result thereof to the Minister of the Interior and Safety. In such cases, the head of the public institution shall request the privacy impact assessment from any of the institutions designated by the Minister of the Interior and Safety (hereinafter referred to as “PIA institution”).  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The privacy impact assessment shall cover the following matters:

1. The volume of personal information being processed;

2. Whether the personal information is provided to a third party;

3. The probability of violating the rights of the data subjects and the degree of risk;

4. Other matters prescribed by Presidential Decree.

(3) The Minister of the Interior and Safety may provide his/her opinion subject to the deliberation and resolution by the Protection Commission upon receiving the results of the privacy impact assessment conducted under paragraph (1).  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) The head of the public institution shall register the personal information files in accordance with Article 32 (1), for which the privacy impact assessment has been conducted pursuant to paragraph (1), with the results of the privacy impact assessment attached thereto.

(5) The Minister of the Interior and Safety shall take necessary measures, such as fostering relevant specialists, and developing and disseminating criteria for the privacy impact assessment, to promote the privacy impact assessment.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(6) Necessary matters in relation to the privacy impact assessment, such as the criteria for designation as PIA institutions, revocation of designation, assessment criteria, method and procedure, etc. pursuant to paragraph (1), shall be prescribed by Presidential Decree.

(7) Matters regarding the privacy impact assessment conducted by the National Assembly, the Court, the Constitutional Court and the National Election Commission (including their affiliated entities) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, and the National Election Commission Regulations.

(8) A personal information controller other than public institutions shall proactively endeavor to conduct a privacy impact assessment, if a breach of personal information of data subjects is highly probable in operating the personal information files.

Article 34 (Data Breach Notification, etc.)

(1) A personal information controller shall notify the aggrieved data subjects of the following matters without delay when he/she becomes aware that their personal information has been divulged:

1. Particulars of the personal information divulged;

2. When and how personal information has been divulged;

3. Any information about what the data subjects can do to minimize the risk of damage from the divulgence;

4. Countermeasures of the personal information controller and remedial procedure;

5. Help desk and contact points for the data subjects to report damage.

(2) A personal information controller shall prepare countermeasures to minimize the risk of damage where personal information is divulged.

(3) Where a breach of personal information above the scale prescribed by Presidential Decree arises, the personal information controller shall, without delay, report the results of notification given under paragraph (1) and the results of measures taken under paragraph (2) to the Minister of the Interior and Safety and the specialized institution designated by Presidential Decree. In such cases, the Minister of the Interior and Safety and the specialized institution designated by Presidential Decree may provide technical assistance for preventing or recovering further damage, etc.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) Necessary matters in relation to the timing, method and procedure for data breach notification pursuant to paragraph (1), shall be prescribed by Presidential Decree.

Article 34-2 (Imposition, etc. of Penalty Surcharges)

(1) The Minister of the Interior and Safety may impose and collect a penalty surcharge not exceeding 500 million won where a personal information controller has failed to prevent any loss, theft, divulgence, forgery, alteration, or damage of resident registration numbers: Provided, That this shall not apply where the personal information controller has fully taken measures necessary to ensure safety under Article 24 (3) to prevent any loss, theft, divulgence, forgery, alteration, or damage of resident registration numbers.  (Amended by Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

(2) The Minister of the Interior and Safety shall consider the following when imposing the penalty surcharge pursuant to paragraph (1): (Amended by Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

1. Efforts being taken to perform the measures necessary to ensure safety under Article 24 (3);

2. Status of the resident registration numbers which have been lost, stolen, divulged, forged, altered or damaged;

3. Fulfillment of subsequent measures to prevent further damage.

(3) The Minister of the Interior and Safety shall collect a late-payment penalty prescribed by Presidential Decree in an amount not exceeding 6/100 per annum of the unpaid penalty surcharge for the period beginning on the day following the payment deadline and ending on the day immediately preceding the day the penalty surcharge is paid where a person liable to pay the penalty surcharge under paragraph (1) fails to pay it by the payment deadline. In such cases, the late-payment penalty shall be collected for a maximum period of 60 months.  (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) Where a person liable to pay the penalty surcharge under paragraph (1) fails to pay it by the payment deadline, the Minister of the Interior and Safety shall give notice with the period of payment specified in it; and where the penalty surcharge and late-payment penalty are not paid within the specified period, the Minister of the Interior and Safety shall collect such penalty surcharge and late-payment penalty in the same manner as delinquent national taxes are collected.  (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(5) Other matters necessary for imposing and collecting penalty surcharges shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 11990, Aug. 6, 2013)

CHAPTER V.- GUARANTEE OF RIGHTS OF DATA SUBJECTS

Article 35 (Access to Personal Information)

(1) A data subject may request access to his/her own personal information, which is processed by a personal information controller, from the personal information controller.

(2) Notwithstanding paragraph (1), where a data subject intends to request access to his/her own personal information from a public institution, the data subject may request such access directly from the said public institution, or indirectly via the Minister of the Interior and Safety, as prescribed by Presidential Decree.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) Upon receipt of a request for access filed under paragraph (1) or (2), a personal information controller shall permit the data subject to access his/her own personal information within the period prescribed by Presidential Decree. In such cases, if the personal information controller finds good cause for not permitting access within such period, it may postpone access after notifying the relevant data subject of the said cause. If the said cause ceases to exist, the postponement shall be lifted without delay.

(4) In any of the following cases, a personal information controller may limit or deny access after it notifies a data subject of the cause:

1. Where access is prohibited or limited by Acts;

2. Where access may probably cause damage to the life or body of a third party, or improper violation of property and other benefits of a third party;

3. Where a public institution has grave difficulties in performing any of the following duties:

(a) Imposition, collection or refund of taxes;

(b) Evaluation of academic achievements or admission affairs at the schools of each level established under the Elementary and Secondary Education Act and the Higher Education Act, lifelong educational facilities established under the Lifelong Education Act, and other higher educational institutions established under other Acts;

(c) Testing and qualification examination regarding academic competence, technical capability and employment;

(d) Ongoing evaluation or decision-making in relation to compensation or grant assessment;

(e) Ongoing audit and examination under other Acts.

(5) Necessary matters in relation to the methods and procedures for filing requests for access; for limiting access; for giving notification, etc. pursuant to paragraphs (1) through (4) shall be prescribed by Presidential Decree.

Article 36 (Correction or Erasure of Personal Information)

(1) A data subject who has accessed his/her personal information pursuant to Article 35 may request a correction or erasure of such personal information from the relevant personal information controller: Provided, That erasure is not permitted where the collection of the said personal information is required by other statutes.

(2) Upon receipt of a request by a data subject pursuant to paragraph (1), the personal information controller shall investigate the personal information in question without delay; shall take necessary measures to correct or erase as requested by the data subject unless otherwise specifically provided by other statutes in relation to correction or erasure; and shall notify such data subject of the result.

(3) In case of erasure pursuant to paragraph (2), the personal information controller shall take measures to ensure that the personal information cannot be recovered or restored.

(4) Where the request of a data subject falls under the proviso to paragraph (1), a personal information controller shall notify the data subject of the details thereof without delay.

(5) While investigating the personal information in question pursuant to paragraph (2), the personal information controller may, if necessary, request from the relevant data subject the evidence necessary to confirm a correction or erasure of the personal information.

(6) Necessary matters in relation to the request of correction and erasure, notification method and procedure, etc. pursuant to paragraphs (1), (2) and (4) shall be prescribed by Presidential Decree.

Article 37 (Suspension, etc. of Processing of Personal Information)

(1) A data subject may request the relevant personal information controller to suspend the processing of his/her personal information. In this case, if the personal information controller is a public institution, the data subject may request the suspension of processing of only the personal information contained in the personal information files to be registered pursuant to Article 32.

(2) Upon receipt of the request under paragraph (1), the personal information controller shall, without delay, suspend processing of some or all of the personal information as requested by the data subject: Provided, That, where any of the following is applicable, the personal information controller may deny the request of such data subject:

1. Where special provisions exist in an Act, or where it is unavoidable in order to comply with legal obligations;

2. Where it may probably cause damage to the life or body of a third party, or improper violation of property and other benefits of a third party;

3. Where the public institution cannot perform its work as prescribed by any Act without processing the personal information in question;

4. Where it is impracticable to perform a contract with the data subject, such as the provision of a service as agreed upon, without processing the personal information in question, and the data subject has not explicitly expressed an intention to terminate the contract.

(3) When denying the request pursuant to the proviso to paragraph (2), the personal information controller shall notify the data subject of the reason without delay.

(4) The personal information controller shall, without delay, take necessary measures including destruction of the relevant personal information when suspending the processing of personal information as requested by data subjects.

(5) Necessary matters in relation to the methods and procedures to request the suspension of processing, to deny such request, and to give notification, etc. pursuant to paragraphs (1) through (3) shall be prescribed by Presidential Decree.

Article 38 (Methods and Procedures for Exercise of Rights)

(1) A data subject may authorize his/her representative to file requests for access pursuant to Article 35, correction or erasure pursuant to Article 36, and suspension of processing pursuant to Article 37 (hereinafter referred to as “request for access, etc.”) in writing or by the methods and procedure prescribed by Presidential Decree.

(2) The legal representative of a child under 14 years of age may file a request for access, etc. to the personal information of the child with a personal information controller.

(3) A personal information controller may demand a fee and postage (only in case of a request to mail the copies), as prescribed by Presidential Decree, from a person who files a request for access, etc.

(4) A personal information controller shall prepare the detailed method and procedure to enable data subjects to file requests for access, etc., and publicly announce such method and procedure so that the data subjects may become aware of them.

(5) A personal information controller shall prepare, and inform data subjects of, the necessary procedure for raising objections to its denial of a request for access, etc. from such data subjects.

Article 39 (Responsibility for Compensation)

(1) A data subject who suffers damage by reason of a violation of this Act by a personal information controller is entitled to claim compensation from the personal information controller for that damage. In this case, the said personal information controller may not be released from the responsibility for compensation if it fails to prove non-existence of his/her wrongful intent or negligence.

(2) Deleted.  (by Act nº 13423, Jul. 24, 2015)

(3) Where a data subject suffers damage out of loss, theft, divulgence, forgery, alteration, or damage of his/her own personal information, caused by wrongful intent or negligence of a personal information controller, the Court may determine the damages not exceeding three times such damage: Provided, That the same shall not apply to the personal information controller who has proved non-existence of his/her wrongful intent or negligence.  (Inserted by Act nº 13423, Jul. 24, 2015)

(4) The Court shall take into account the following when determining the damages pursuant to paragraph (3): (Inserted by Act nº 13423, Jul. 24, 2015)

1. The degree of wrongful intent or expectation of damage;

2. The amount of loss caused by the violation;

3. Economic benefits the personal information controller has gained in relation to the violation;

4. A fine and a penalty surcharge to be levied subject to the violation;

5. The duration, frequency, etc. of violations;

6. The property of the personal information controller;

7. The personal information controller’s efforts to retrieve the affected personal information exerted after the loss, theft, or divulgence of personal information;

8. The personal information controller’s efforts to remedy damage suffered by the data subject.

Article 39-2 (Claims for Statutory Compensation)

(1) Notwithstanding Article 39 (1), a data subject, who suffers damage out of loss, theft, divulgence, forgery, alteration, or damage of his/her own personal information, caused by wrongful intent or negligence of a personal information controller, may claim a reasonable amount of damages not exceeding three million won. In this case, the said personal information controller may not be released from the responsibility for compensation if it fails to prove non-existence of his/her wrongful intent or negligence.

(2) In the case of a claim made under paragraph (1), the Court may determine a reasonable amount of damages not exceeding the amount provided for in paragraph (1) taking into account all arguments in the proceedings and the results of examining evidence.

(3) A data subject who has claimed compensation pursuant to Article 39 may change such claim to the claim provided for in paragraph (1) until the closing of fact-finding proceedings.

(Article Inserted by Act nº 13423, Jul. 24, 2015)

CHAPTER VI.- PERSONAL INFORMATION DISPUTE MEDIATION COMMITTEE

Article 40 (Establishment and Composition)

(1) There shall be established a Personal Information Dispute Mediation Committee (hereinafter referred to as the “Dispute Mediation Committee”) to mediate disputes over personal information.

(2) The Dispute Mediation Committee shall be comprised of not more than 20 members, including one chairperson, and the members shall be ex officio and commissioned members.  (Amended by Act nº 13423, Jul. 24, 2015)

(3) The commissioned members shall be commissioned by the Chairperson of the Protection Commission from among the following persons, and public officials of the national agencies prescribed by Presidential Decree shall be ex officio members:  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015)

1. Persons who once served as members of the Senior Executive Service of the central administrative agencies in charge of data protection, or persons who presently work or have worked at equivalent positions in the public sector and related organizations, and have job experience in data protection;

2. Persons who presently serve or have served as associate professors or higher positions in universities or in publicly recognized research institutes;

3. Persons who presently serve or have served as judges, public prosecutors, or attorneys-at-law;

4. Persons recommended by data protection-related civic organizations or consumer groups;

5. Persons who presently work or have worked as senior officers for the trade associations comprised of personal information controllers.

(4) The chairperson shall be commissioned by the Chairperson of the Protection Commission from among Committee members except public officials.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015)

(5) The term of office for the chairperson and commissioned members shall be two years, and their term may be renewable for only one further term. (Amended by Act nº 13423, Jul. 24, 2015)

(6) In order to conduct dispute settlement efficiently, the Dispute Mediation Committee may, if necessary, establish a mediation panel that is comprised of not more than five Committee members in each sector of mediation cases, as prescribed by Presidential Decree. In this case, the resolution of the mediation panel delegated by the Dispute Mediation Committee shall be construed as that of the Dispute Mediation Committee.

(7) The Dispute Mediation Committee or a mediation panel shall be convened with a majority of its members present, and its resolutions shall be adopted by the affirmative votes of a majority of the members present.

(8) The Protection Commission may deal with the administrative affairs necessary for dispute mediation, such as receiving dispute mediation cases and fact-finding.  (Amended by Act nº 13423, Jul. 24, 2015)

(9) Except as otherwise expressly provided for in this Act, matters necessary to operate the Dispute Mediation Committee shall be prescribed by Presidential Decree.

Article 41 (Guarantee of Members’ Status)

None of the Committee members shall be dismissed or de-commissioned against his/her will except when he/she is sentenced to the suspension of qualification or a heavier punishment, or unable to perform his/her duties due to mental or physical incompetence.

Article 42 (Exclusion, Challenge, and Refrainment of Members)

(1) A member of the Dispute Mediation Committee shall be excluded from participating in the deliberation and resolution of a case requested for dispute mediation pursuant to Article 43 (1) (hereafter in this Article referred to as “case”) if:

1. The member or his/her current or former spouse is a party to the case or is a joint right holder or a joint obligator with respect to the case;

2. The member is or was a relative of a party to the case;

3. The member has given any testimony, expert opinion, or legal advice with respect to the case;

4. The member is or was involved in the case as an agent or representative of a party to the case.

(2) When any party finds it impracticable to expect a fair deliberation and resolution from a Committee member, he/she may file a challenge application with the chairperson. In this case, the chairperson shall determine the challenge application without any resolution of the Dispute Mediation Committee.

(3) When any committee member falls under the case of paragraph (1) or (2), he/she may refrain from the deliberation and resolution of the case.

Article 43 (Application for Mediation, etc.)

(1) Any person, who wants a dispute over personal information mediated, may apply for mediation of the dispute to the Dispute Mediation Committee.

(2) Upon receipt of an application for dispute mediation from a party to the case, the Dispute Mediation Committee shall notify the counterparty of the application for mediation.

(3) When a public institution is notified of dispute mediation under paragraph (2), the public institution shall respond to it except in extenuating circumstances.

Article 44 (Time Limitation of Mediation Proceedings)

(1) The Dispute Mediation Committee shall examine the case and prepare draft mediation within 60 days from the date of receiving an application pursuant to Article 43 (1): Provided, That the Dispute Mediation Committee may pass a resolution to extend such period by reason of inevitable circumstances.

(2) When the period is extended pursuant to the proviso to paragraph (1), the Dispute Mediation Committee shall inform the applicant of the reasons for extending the period and other matters concerning the extension of such period.

Article 45 (Request for Materials, etc.)

(1) Upon receipt of an application for dispute mediation pursuant to Article 43 (1), the Dispute Mediation Committee may request disputing parties to provide materials necessary to mediate the dispute. In this case, such parties shall comply with the request unless any justifiable ground exists.

(2) The Dispute Mediation Committee may require disputing parties or relevant witnesses to appear before the Committee to hear their opinions, if deemed necessary.

Article 46 (Settlement Advice before Mediation)

Upon receipt of an application for dispute mediation pursuant to Article 43 (1), the Dispute Mediation Committee may present a draft settlement to disputing parties and recommend a settlement before mediation.

Article 47 (Dispute Mediation)

(1) The Dispute Mediation Committee may prepare a draft mediation including the following matters:

1. Suspension of the violation to be investigated;

2. Restitution, compensation and other necessary remedies;

3. Any measure necessary to prevent recurrence of the identical or similar violations.

(2) Upon preparing a draft mediation pursuant to paragraph (1), the Dispute Mediation Committee shall present the draft mediation to each party without delay.

(3) Each party presented with the draft mediation prepared under paragraph (1) shall notify the Dispute Mediation Committee of his/her acceptance or denial of the draft mediation within 15 days from the date of receipt of such draft mediation, without which such mediation shall be deemed denied.

(4) If the parties accept the draft mediation, the Dispute Mediation Committee shall prepare a written mediation, and the chairperson of the Dispute Mediation Committee and the parties shall have their names and seals affixed thereon.

(5) The mediation agreed upon pursuant to paragraph (4) shall have the same effect as a settlement before the court.

Article 48 (Rejection and Suspension of Mediation)

(1) Where the Dispute Mediation Committee deems that it is inappropriate to mediate any dispute in view of its nature, or that an application for mediation of any dispute is filed for an unfair purpose, it may reject the mediation. In this case, the reasons why it rejects the mediation shall be notified to the applicant.

(2) If one of the parties files a lawsuit while mediation proceedings are pending, the Dispute Mediation Committee shall suspend the dispute mediation and notify the parties thereof.

Article 49 (Collective Dispute Mediation)

(1) The State, a local government, a data protection organization or institution, a data subject, and a personal information controller may request or apply for a collective dispute mediation (hereinafter referred to as “collective dispute mediation”) to the Dispute Mediation Committee where a multitude of data subjects suffer damage or infringement of rights in an identical or similar manner, and such incident is prescribed by Presidential Decree.

(2) Upon receipt of a request or an application for collective dispute mediation under paragraph (1), the Dispute Mediation Committee may commence, by its resolution, collective dispute mediation proceedings pursuant to paragraphs (3) through (7). In this case, the Dispute Mediation Committee shall publicly announce the commencement of such proceedings for a period prescribed by Presidential Decree.

(3) The Dispute Mediation Committee may accept an application from any data subject or personal information controller other than the parties to the collective dispute mediation to participate in the collective dispute mediation additionally as a party.

(4) The Dispute Mediation Committee may, by its resolution, select at least one person as a representative party, who most appropriately represents the common interest among the parties to the collective dispute mediation pursuant to paragraphs (1) and (3).

(5) When the personal information controller accepts a collective dispute mediation award presented by the Dispute Mediation Committee, the Dispute Mediation Committee may advise the personal information controller to prepare and submit a compensation plan for the benefit of the non-party data subjects who suffered from the same incident.

(6) Notwithstanding Article 48 (2), if a group of data subjects among a multitude of data subject parties to the collective dispute mediation files a lawsuit before the court, the Dispute Mediation Committee shall not suspend the proceedings but exclude the relevant data subjects, who have filed the lawsuit, from the proceedings.

(7) The period for collective dispute mediation shall not exceed 60 days from the day following the end of the public announcement referred to in paragraph (2): Provided, That the period may be extended by resolution of the Dispute Mediation Committee in extenuating circumstances.

(8) Other necessary matters, such as collective dispute mediation proceedings, shall be prescribed by Presidential Decree.

Article 50 (Mediation Proceedings, etc.)

(1) Except as otherwise expressly provided for in Articles 43 through 49, the method and proceedings to mediate disputes and matters necessary to deal with such dispute mediation shall be prescribed by Presidential Decree.

(2) Except as otherwise expressly provided for in this Act, the Judicial Conciliation of Civil Disputes Act shall apply mutatis mutandis to the operation of the Dispute Mediation Committee and dispute mediation proceedings.

CHAPTER VII.- CLASS-ACTION LAWSUIT OVER DATA BREACH

Article 51 (Parties to Class-Action Lawsuits, etc.)

Any of the following organizations may file a lawsuit (hereinafter referred to as “class-action lawsuit”) with the court to prevent or suspend data breach if a personal information controller rejects or would not accept the collective dispute mediation under Article 49:

1. A consumer group registered with the Fair Trade Commission pursuant to Article 29 of the Framework Act on Consumers that meets all of the following criteria:

(a) Its by-laws shall state the purpose to augment the rights and interests of data subjects constantly;

(b) The number of full members shall exceed 1000;

(c) Three years shall have passed since the registration under Article 29 of the Framework Act on Consumers;

2. A non-profit, non-governmental organization referred to in Article 2 of the Assistance for Non-Profit, Non-Governmental Organizations Act that meets all of the following criteria:

(a) At least 100 data subjects, who experienced the same sufferings as a matter of law or fact, shall submit a request to file a class-action lawsuit;

(b) Its by-laws shall state the purpose of data protection and it has conducted such activities for the most recent 3 years;

(c) The number of regular members shall be at least 5000;

(d) It shall be registered with any central administrative agency.

Article 52 (Exclusive Jurisdictions)

(1) A class-action lawsuit shall be subject to the exclusive jurisdiction of the competent district court (panel of judges) at the place of business or main office, or at the address of the business manager in the case of no business establishment, of the defendant.

(2) Where paragraph (1) applies to a foreign business entity, the same shall be determined by the place of business or main office, or the address of the business manager located in the Republic of Korea.

Article 53 (Retention of Litigation Attorney)

The plaintiff of a class-action lawsuit shall retain an attorney-at-law as a litigation attorney.

Article 54 (Application for Certification of Lawsuit)

(1) An organization that intends to file a class-action lawsuit shall submit to the court an application for certification of lawsuit describing the following as well as the petition:

1. Plaintiff and his/her litigation attorney;

2. Defendant;

3. Detailed violation of the rights of data subjects.

(2) An application for certification of lawsuit filed under paragraph (1) shall be accompanied by the following materials:

1. Materials that prove that the organization which has filed a lawsuit meets all criteria provided for in Article 51;

2. Documentary evidence that proves that the personal information controller has rejected the dispute mediation or would not accept the mediation award.

Article 55 (Requirements for Certification of Lawsuit, etc.)

(1) The court shall certify in a decision a class-action lawsuit only when all of the following requirements are satisfied:

1. That the personal information controller has rejected the dispute mediation or would not accept the mediation award;

2. That none of the descriptions in the application for certification of lawsuit filed under Article 54 is incomplete.

(2) The court decision that certifies, or refuses to certify, a class-action lawsuit may be contested by an immediate appeal.

Article 56 (Effect of Conclusive Judgment)

When a judgment dismissing a plaintiff’s complaint becomes conclusive, any other organizations provided for in Article 51 cannot file a class-action lawsuit regarding the identical case: Provided, That this shall not apply in any of the following circumstances:

1. Where, after the judgment became conclusive, new evidence has been found by the State, a local government, or a State or local government-invested institution regarding the said case;

2. Where the judgment dismissing the lawsuit proves to be caused intentionally by the plaintiff.

Article 57 (Application of the Civil Procedure Act, etc.)

(1) Except as otherwise expressly provided for in this Act, the Civil Procedure Act shall apply to class-action lawsuits.

(2) When a decision to certify a class-action lawsuit is made under Article 55, a preservation order provided for in PART IV of the Civil Execution Act may be issued.

(3) Matters necessary for class-action lawsuit proceedings shall be provided by the Supreme Court Regulations.

CHAPTER VIII.- SUPPLEMENTARY PROVISIONS

Article 58 (Partial Exclusion of Application)

(1) Chapters III through VII shall not apply to any of the following personal information:

1. Personal information collected pursuant to the Statistics Act for processing by public institutions;

2. Personal information collected or requested to be provided for the analysis of information related to national security;

3. Personal information processed temporarily where it is urgently necessary for the public safety and security, public health, etc.;

4. Personal information collected or used for its own purposes of reporting by the press, missionary activities by religious organizations, and nomination of candidates by political parties, respectively.

(2) Articles 15, 22, 27 (1) and (2), 34, and 37 shall not apply to any personal information that is processed by means of the visual data processing devices installed and operated at open places pursuant to Article 25 (1).

(3) Articles 15, 30 and 31 shall not apply to any personal information that is processed by a personal information controller to operate a group or association for friendship, such as an alumni association and a hobby club.

(4) In the case of processing personal information pursuant to paragraph (1), a personal information controller shall process the personal information to the minimum extent necessary to attain the intended purpose for a minimum period; and shall also make necessary arrangements, such as technical, managerial and physical safeguards, individual grievance treatment and other necessary measures for the safe management and appropriate processing of such personal information.

Article 59 (Prohibited Activities)

No person who processes or has ever processed personal information shall do any of the following activities:

1. To acquire personal information or to obtain consent to personal information processing by fraud, improper, or unjust means;

2. To divulge personal information acquired in the course of business, or to provide it for any third party’s use without authority;

3. To damage, destroy, alter, forge, or divulge other’s personal information without legal authority or beyond proper authority.

Article 60 (Confidentiality, etc.)

Any person who performs or has performed the following affairs shall not divulge any confidential information acquired in the course of performing his/her duties to any third party, nor use such information for any purpose other than for his/her duties: Provided, That the same shall not apply where specific provisions exist in other Acts:

1. Affairs of the Protection Commission provided for in Article 8;

2. Impact assessments provided for in Article 33;

3. Dispute mediation of the Dispute Mediation Committee established under Article 40.

Article 61 (Suggestions and Advices for Improvements)

(1) The Minister of the Interior and Safety may suggest his/her opinion to any relevant agency subject to the deliberation and resolution by the Protection Commission, where he/she deems necessary with respect to the statutes or municipal ordinances containing provisions likely to affect the protection of personal information.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The Minister of the Interior and Safety may advise a personal information controller to improve the status of personal information processing, where deemed necessary to protect personal information. In such cases, upon receiving the advice, the personal information controller shall endeavor to conscientiously comply with the advice; and shall inform the Minister of the Interior and Safety of its result.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) The head of a related central administrative agency may advise a personal information controller to improve the status of personal information processing pursuant to the Acts under his/her jurisdiction, where deemed necessary to protect personal information. In such cases, upon receiving the advice, the personal information controller shall endeavor to conscientiously comply with the advice; and shall inform the head of the related central administrative agency of its result.

(4) Central administrative agencies, local governments, the National Assembly, the Court, the Constitutional Court, and the National Election Commission may suggest their opinions, or provide guidance or inspection with respect to the protection of personal information to their affiliated entities and public institutions under their jurisdiction.

Article 62 (Reporting on Infringements, etc.)

(1) Anyone who suffers infringement on the rights or interests involving his/her personal information in the course of personal information processing by a personal information controller may report such infringement to the Minister of the Interior and Safety.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The Minister of the Interior and Safety may designate a specialized institution to efficiently receive and handle the claim reports pursuant to paragraph (1), as prescribed by Presidential Decree. In such cases, such specialized institution shall establish and operate a personal information infringement call center (hereinafter referred to as “Privacy Call Center”). (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) The Privacy Call Center shall perform the following duties:

1. To receive the claim reports and provide counseling in relation to personal information processing;

2. To investigate and confirm the incidents and hear opinions of interested parties;

3. Duties incidental to subparagraphs 1 and 2.

(4) The Minister of the Interior and Safety may, if necessary, dispatch its public official to the specialized institution designated under paragraph (2) pursuant to Article 32-4 of the State Public Officials Act to efficiently investigate and confirm the incidents pursuant to paragraph (3) 2. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 63 (Requests for Materials and Inspections)

(1) The Minister of the Interior and Safety may request the relevant materials, such as goods and documents, from a personal information controller in any of the following cases: (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. Where any violation of this Act is found or suspected;

2. Where any violation of this Act is reported or a civil complaint thereon is received;

3. In cases prescribed by Presidential Decree where it is necessary to protect personal information of data subjects.

(2) Where a personal information controller fails to furnish the materials pursuant to paragraph (1) or is deemed to have violated this Act, the Minister of the Interior and Safety may require its public official to enter the offices or places of business of the personal information controller and other persons involved in such violation to inspect the status of business operations, ledgers, documents, etc. In such cases, the public official who conducts the inspection shall carry a certificate indicating his/her authority and produce it to the interested persons.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

(3) The head of a related central administrative agency may request the materials from a personal information controller pursuant to paragraph (1); or may inspect the personal information controller and other persons involved in the violation of the relevant Act pursuant to paragraph (2) in accordance with the Acts under his/her jurisdiction.  (Amended by Act nº 13423, Jul. 24, 2015)

(4) When finding or suspecting any violation of this Act, the Protection Commission may demand the Minister of the Interior and Safety or the head of a related central administrative agency to take measures provided for in paragraph (1) or (3). In such cases, upon receiving such demand, the Minister of the Interior and Safety or the head of the related central administrative agency shall comply therewith except in extenuating circumstances.  (Inserted by Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

(5) The Minister of the Interior and Safety and the head of a related central administrative agency shall not provide any third party with the documents, materials, etc. furnished or collected pursuant to paragraphs (1) and (2), nor make them public, except as otherwise required by this Act.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

(6) Where the Minister of the Interior and Safety and the head of a related central administrative agency receives the materials submitted via the information and communications networks, or make them digitalized, they shall take systematic and technical measures to prevent the divulgence of personal information, trade secrets, etc.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(7) The Minister of the Interior and Safety may inspect the status of personal information protection jointly with the head of a related central administrative agency for the prevention of personal information breach incidents and efficient response.  (Inserted by Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

Article 64 (Corrective Measures, etc.)

(1) Where the Minister of the Interior and Safety deems that any personal information breach is substantially grounded and negligence over such breach is likely to cause irreparable damage, he/she may order the violator of this Act (excluding the central administrative agencies, local governments, the National Assembly, the Court, the Constitutional Court, and the National Election Commission) to take any of the following measures:  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. To suspend personal information breach;

2. To temporarily suspend personal information processing;

3. Other measures necessary to protect personal information and to prevent personal information breach.

(2) Where the head of a related central administrative agency deems that any personal information breach is substantially grounded and negligence over such breach is likely to cause irreparable damage, he/she may order a personal information controller to take any of the measures provided for in paragraph (1) pursuant to the Acts under his/her jurisdiction.

(3) A local government, the National Assembly, the Court, the Constitutional Court, or the National Election Commission may order their affiliated entities and public institutions, which are found to violate this Act, to take any of the measures provided for in paragraph (1).

(4) When a central administrative agency, a local government, the National Assembly, the Court, the Constitutional Court, or the National Election Commission violates this Act, the Protection Commission may advise the head of the relevant agency to take any of the measures provided for in paragraph (1). In such cases, upon receiving the advice, the agency shall comply therewith except in extenuating circumstances.

Article 65 (Accusation and Advices for Disciplinary Action)

(1) Where reasonable grounds exist to suspect that a personal information controller has violated this Act or other data protection-related statutes, the Minister of the Interior and Safety may accuse the fact to the competent investigative agency.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) Where reasonable grounds exist to suspect that this Act or other data protection-related statutes are violated, the Minister of the Interior and Safety may advise the relevant personal information controller to take disciplinary action against the person responsible for it (including the representative and the executive officer in charge). In such cases, upon receiving the advice, the relevant personal information controller shall comply therewith; and shall notify the Minister of the Interior and Safety of the result.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 11990, Aug. 6, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) The head of a related central administrative agency may accuse a personal information controller pursuant to paragraph (1), or advise the head of the relevant affiliated agency, organization, etc. to take disciplinary action pursuant to paragraph (2), in accordance with the Acts under his/her jurisdiction. In such cases, upon receiving the advice under paragraph (2), the head of the relevant affiliated agency, organization, etc. shall comply therewith; and shall notify the head of the related central administrative agency of the result.

Article 66 (Disclosure of Results)

(1) The Minister of the Interior and Safety may disclose the advice for improvement pursuant to Article 61; the corrective measures pursuant to Article 64; the accusation or advice for disciplinary action pursuant to Article 65; and the imposition of administrative fines pursuant to Article 75 and its result, subject to deliberation and resolution by the Protection Commission.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The head of a related central administrative agency may disclose the matters provided for in paragraph (1) in accordance with the Acts under his/her jurisdiction.

(3) The method, criteria, and procedure for disclosure pursuant to paragraphs (1) and (2), and other related matters, shall be prescribed by Presidential Decree.

Article 67 (Annual Reports)

(1) The Protection Commission shall prepare a report each year, based on necessary materials furnished by related agencies, etc., in relation to the establishment and implementation of personal information protection policy measures, and submit it (including transmission via the information and communications networks) to the National Assembly before the opening of the plenary session.

(2) The annual report referred to in paragraph (1) shall contain the following matters:  (Amended by Act nº 14107, Mar. 29, 2016)

1. Infringement on the rights of data subjects and the status of remedies thereof;

2. Findings of the survey in relation to the status of personal information processing;

3. Status of implementation of the personal information protection policy measures and achievements thereof;

4. Overseas legislation and policy developments related with personal information;

5. Status of the enactment and amendment of the Acts, Presidential Decrees, the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, and the Board of Audit and Inspection Regulations, in relation to processing of resident registration numbers;

6. Other matters to be disclosed or reported in relation to the personal information protection policy measures.

Article 68 (Delegation and Entrustment of Authority)

(1) Authority of the Minister of the Interior and Safety or the head of a related central administrative agency under this Act may be partially delegated or entrusted, as prescribed by Presidential Decree, to the Special Metropolitan City Mayor, Metropolitan City Mayors, Do Governors, Special Self-Governing Province Governors, or the specialized institutions prescribed by Presidential Decree.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The agencies to which authority of the Minister of the Interior and Safety or the head of a related central administrative agency has been partially delegated or entrusted pursuant to paragraph (1) shall notify the Minister of the Interior and Safety or the head of the related central administrative agency of the results of performing the affairs delegated or entrusted.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) Where delegating or entrusting a part of authority to a specialized institution pursuant to paragraph (1), the Minister of the Interior and Safety may grant a contribution to the specialized institution to cover expenses incurred in performing the affairs delegated or entrusted.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 69 (Persons Deemed to be Public Officials for Purposes of Penalty Provisions)

Any executive or employee of a relevant agency that performs the affairs entrusted by the Minister of the Interior and Safety or the head of a related central administrative agency shall be deemed a public official for the purposes of Articles 129 through 132 of the Criminal Act.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

CHAPTER IX.- PENALTY PROVISIONS

Article 70 (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than 10 years, or by a fine not exceeding 100 million won: (Amended by Act nº 13423, Jul. 24, 2015)

1. A person who causes the suspension, paralysis or other severe hardship of work of a public institution by altering or erasing the personal information processed by the public institution for the purpose of disturbing the personal information processing of such public institution;

2. A person who obtains any personal information processed by third parties by fraud or other unjust means or methods and provides it to a third party for a profit-making or unjust purpose, and a person who abets or arranges such conduct.

Article 71 (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than 5 years, or by a fine not exceeding 50 million won: (Amended by Act nº 14107, Mar. 29, 2016)

1. A person who provides personal information to a third party without the consent of a data subject in violation of Article 17 (1) 1 even though Article 17 (1) 2 is not applicable, and a person who knowingly receives such personal information;

2. A person who uses personal information or provides personal information to a third party in violation of Articles 18 (1) and (2), 19, 26 (5), or 27 (3), and a person who knowingly receives such personal information for a profit-making or unfair purpose;

3. A person who processes sensitive information in violation of Article 23 (1);

4. A person who processes personally identifiable information in violation of Article 24 (1);

5. A person who divulges, or provides a third party without authority with, the personal information acquired in the course of performing business in violation of subparagraph 2 of Article 59, and a person who knowingly receives such personal information for a profit-making or unfair purpose;

6. A person who damages, destroys, alters, forges, or divulges any third party’s personal information in violation of subparagraph 3 of Article 59.

Article 72 (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than 3 years, or by a fine not exceeding 30 million won:

1. A person who arbitrarily handles visual data processing devices for any purpose other than the initial one, directs such devices toward different spots, or uses a sound recording function in violation of Article 25 (5);

2. A person who acquires personal information or obtains consent to personal information processing by fraud or other unjust means in violation of subparagraph 1 of Article 59, and a person who knowingly receives such personal information for a profit-making or unfair purpose;

3. A person who divulges confidential information acquired while performing his/her duties, or uses such information for other purposes than the initial one in violation of Article 60.

Article 73 (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than 2 years, or by a fine not exceeding 20 million won: (Amended by Act nº 13423, Jul. 24, 2015; Act nº 14107, Mar. 29, 2016)

1. A person who fails to take necessary measures to ensure safety in violation of Article 23 (2), 24 (3), 25 (6), or 29 and causes personal information to be lost, stolen, divulged, forged, altered, or damaged;

2. A person who fails to take necessary measures to correct or erase personal information in violation of Article 36 (2), and continuously uses, or provides a third party with, the personal information;

3. A person who fails to suspend processing of personal information in violation of Article 37 (2), and continuously uses, or provides a third party with, the personal information.

Article 74 (Joint Penalty Provisions)

(1) If the representative of a corporation, or an agent or employee of, or any other person employed by, a corporation or an individual commits any of the offenses provided for in Article 70 in connection with the business affairs of the corporation or individual, not only shall such offender be punished, but also the corporation or individual shall be punished by a fine not exceeding 70 million won: Provided, That the same shall not apply where such corporation or individual has not been negligent in taking due care and supervisory duty concerning the relevant business affairs to prevent such offense.

(2) If the representative of a corporation, or an agent or employee of, or any other person employed by, a corporation or an individual commits any of the offenses provided for in Articles 71 through 73 in connection with the business affairs of the corporation or individual, not only shall such offender be punished, but also the corporation or individual shall be punished by a fine prescribed in the relevant Article: Provided, That the same shall not apply where such corporation or individual has not been negligent in taking due care and supervisory duty concerning the relevant business affairs to prevent such offense.

Article 74-2 (Confiscation, Additional Collection, etc.)

Any money or goods or other profits acquired by a person who has violated Articles 70 through 73 in relation to such violation shall be confiscated, or, if confiscation is impossible, the value thereof may be collected. In this case, such confiscation or additional collection may be levied in addition to other penalty provisions.

(Article Inserted by Act nº 13423, Jul. 24, 2015)

Article 75 (Administrative Fines)

(1) Any of the following persons shall be subject to an administrative fine not exceeding fifty million won: (Amended by Act nº 14765, Apr. 18, 2017)

1. A person who collects personal information, in violation of Article 15 (1);

2. A person who fails to obtain the consent of a legal representative, in violation of Article 22 (6);

3. A person who installs and operates a visual data processing device, in violation of Article 25 (2).

(2) Any of the following persons shall be subject to an administrative fine not exceeding thirty million won: (Amended by Act nº 11990, Aug. 6, 2013; Act nº 12504, Mar. 24, 2014; Act nº 13423, Jul. 24, 2015; Act nº 14107, Mar. 29, 2016; Act nº 14765, Apr. 18, 2017)

1. A person who fails to notify a data subject of necessary information, in violation of Article 15 (2), 17 (2), 18 (3), or 26 (3);

2. A person who denies the provision of goods or services to a data subject, in violation of Article 16 (3) or 22 (5);

3. A person who fails to notify a data subject of the matters provided for in Article 20 (1) or (2), in violation of Article 20 (1) or (2);

4. A person who fails to destroy personal information, in violation of Article 21 (1);

4-2. A person who processes resident registration numbers, in violation of Article 24-2 (1);

4-3. A person who fails to adopt encryption, in violation of Article 24-2 (2);

5. A person who fails to provide a data subject with an alternative method without using his/her resident registration number, in violation of Article 24-2 (3);

6. A person who fails to take measures necessary to ensure safety, in violation of Article 23 (2), 24 (3), 25 (6), or 29;

7. A person who installs and operates a visual data processing device, in violation of Article 25 (1);

7-2. A person who indicates and promotes the certification by fraud despite a failure to obtain such certification, in violation of Article 32-2 (6);

8. A person who fails to notify a data subject of the facts provided for in Article 34 (1), in violation of the same paragraph;

9. A person who fails to report the results of measures taken, in violation of Article 34 (3);

10. A person who limits or denies access to personal information, in violation of Article 35 (3);

11. A person who fails to take necessary measures to correct or erase personal information, in violation of Article 36 (2);

12. A person who fails to take necessary measures, such as destruction of the personal information whose processing has been suspended, in violation of Article 37 (4);

13. A person who fails to comply with corrective measures taken under Article 64 (1).

(3) Any of the following persons shall be subject to an administrative fine not exceeding ten million won: (Amended by Act nº 14765, Apr. 18, 2017)

1. A person who fails to store and manage personal information separately, in violation of Article 21 (3);

2. A person who obtains consent, in violation of Article 22 (1) through (4);

3. A person who fails to take necessary measures including posting on a signboard, in violation of Article 25 (4);

4. A person who fails to undergo paper-based formalities stating the matter provided for in Article 26 (1) when outsourcing the work, in violation of the same paragraph;

5. A person who fails to disclose the outsourced work and the outsourcee, in violation of Article 26 (2);

6. A person who fails to notify a data subject of the transfer of his/her personal information, in violation of Article 27 (1) or (2);

7. A person who fails to establish, or disclose, the Privacy Policy, in violation of Article 30 (1) or (2);

8. A person who fails to designate a privacy officer, in violation of Article 31 (1);

9. A person who fails to notify a data subject of necessary information, in violation of Article 35 (3) and (4), 36 (2) and (4), or 37 (3);

10. A person who fails to furnish materials, such as goods and documents pursuant to Article 63 (1), or who submits false materials;

11. A person who refuses, interferes with, or evades access or an inspection pursuant to Article 63 (2).

(4) Administrative fines provided for in paragraphs (1) through (3) shall be imposed and collected by the Minister of the Interior and Safety and the head of a related central administrative agency, as prescribed by Presidential Decree. In such cases, the head of a related central administrative agency shall impose and collect administrative fines from the personal information controllers in the field under his/her jurisdiction. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 76 (Special Exemption to Application of Provisions on Administrative Fines)

For the purposes of the provisions on administrative fines provided for in Article 75, no additional administrative fine shall be imposed on any act subject to penalty surcharges pursuant to Article 34-2.

(Article Inserted by Act nº 11990, Aug. 6, 2013)

ADDENDA (Act nº 11690, Mar. 23, 2013)

ADDENDA (Act nº 11990, Aug. 6, 2013)

ADDENDUM (Act nº 12504, Mar. 24, 2014)

ADDENDA (Act nº 12844, Nov. 19, 2014)

ADDENDA (Act nº 13423, Jul. 24, 2015)

ADDENDA (Act nº 14107, Mar. 29, 2016)

ADDENDUM (Act nº 14765, Apr. 18, 2017)

ADDENDA (Act nº 14839, Jul. 26, 2017)

Article 1 (Enforcement Date)

This Act shall enter into force on the date of its promulgation: Provided, That any amendment to the Acts made pursuant to Article 5 of this Addenda, promulgated before this Act enters into force, which have not yet entered into force, shall enter into force on the date the corresponding Act takes effect.

Articles 2 through 6 Omitted.