Tag Archives: Incidents

31Oct/21

Act on Promotion of Information and Communications Network Utilization and Data Protection of 2001, established by Act nº 6360, Jan. 16, 2001

Act on Promotion of Information and Communications Network Utilization and Data Protection of 2001, established by Act nº 6360, Jan. 16, 2001, amended by Act nº 10138, Mar. 17, 2010, amended by Act nº 10560, Apr. 5, 2011, amended by Act nº 11322, Feb. 17, 2012, amended by Act nº 12681, May 28, 2014, amended by Act nº 13014, Jan. 20, 2015, amended by Act nº 13280, Mar. 27, 2015, amended by Act nº 13344, June 22, 2015, amended by Act nº 13520, Dec. 1, 2015.

ACT ON PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION AND DATA PROTECTION, ETC.

Established by Act nº 6360, Jan. 16, 2001

Amended by Act nº 10138, Mar. 17, 2010

Amended by Act nº 10560, Apr. 5, 2011

Amended by Act nº 11322, Feb. 17, 2012

Amended by Act nº 12681, May 28, 2014

Amended by Act nº 13014, Jan. 20, 2015

Amended by Act nº 13280, Mar. 27, 2015

Amended by Act nº 13344, June 22, 2015

Amended by Act nº 13520, Dec. 1, 2015

CHAPTER I.- GENERAL PROVISIONS

Article 1 (Purpose)

The purpose of this Act is to promote the utilization of information and communications networks, to protect the personal information of users utilizing information and communications services, and to build a safe and sound environment for the information and communications networks in order to improve citizens’ lives and enhance the public welfare.

Article 2 (Definitions)

(1) The terms used in this Act shall be defined as follows:

1. «Information and communications networks» mean the information and communications system under which telecommunications facilities and equipment as prescribed in subparagraph 2 of Article 2 of the Telecommunications Business Act are utilized, or the telecommunications facilities and equipment, computers and the technology of using computers are utilized together to collect, process, store, search, transmit and receive information;

2. «Information and communications services» mean the telecommunications services as prescribed in subparagraph 6 of Article 2 of the Telecommunications Business Act, and the provision of information or the intermediation of information services utilizing the telecommunications services;

3. «Information and communications service provider» means the operator of telecommunications as prescribed in subparagraph 8 of Article 2 of the Telecommunications Business Act and other person who provides information or intermediate information services for profit utilizing the services rendered by the telecommunications service providers;

4. «Users» mean the persons who utilize the information and communications services rendered by the information and communications service provider;

5. «Electronic message» means the standardized data in the form of document in which information is electronically compiled, sent or received, or stored by equipment, including computers, etc., that are capable of doing information processing;

6. «Personal information» means the information pertaining to any living person, which contains the code, letter, voice, sound and image, etc. that make it possible to identify such individual by his/her name and resident registration number, etc. (including the information that does not, on its own, permit direct identification of a specific individual, but that does identify specific individual when it is easily combined with other information.);

7. «Incidents» mean accidents caused by such attack on the information and communications networks or related information systems as hacking, computer viruses, logical bomb, mail bomb, denial of service, high-powered electromagnetic wave, etc.;

8. Deleted (Jun. 22, 2015);

9. «Bulletin boards» mean the computer programs or technological devices, regardless of their names, to which the users may post the code, letter, voice, sound, image, video clips and other information for the purpose of making public by using the information and communications networks;

10. «Communications billing services» mean the information and communications services carrying out the business as defined in the following items:

a. The business which claims and collects the prices of goods or services sold or provided by others together with the charges for the telecommunications services provided by itself; or

b. The business which transmits or receives the transaction data electronically, or conducts the settlement of charges as a proxy or intermediary so that the prices of the goods or services sold or provided by others may be claimed and collected together with the telecommunications service charges stated in Item a.

11. «Communications billing service provider» means the operator who provides the communications billing services subject to the registration pursuant to Article 53;

12. «Communications billing service users» mean the persons who purchase and use the goods or services by means of the communications billing services provided by the communications billing service provider; and

13. «Electronic transmission media» mean the media by which code, letter, voice, sound, image, video clips and other information are transmitted to the receiver in such an electronic form as electronic messages, etc. via the information and communications networks. (Amended May 28, 2014)

(2) The definitions stated herein, except otherwise provided for in paragraph (1), shall be subject to the National Informatization Framework Act.

Article 3 (Duties of Information and Communications Service Provider and Users)

(1) Any information and communications service provider shall protect the personal information of users, and contribute to the protection of the rights and interests of such users and to the enhancement of its information utilization capability by rendering the information and communications services in a safe and sound manner.

(2) Every user shall endeavor to help a sound information society take hold.

(3) The government may assist the organizations of information and communications service providers and the organizations of users in carrying out their activities designed to protect the personal information and the youth in the information and communications networks.

Article 4 (Policy for Promotion of Information and Communications Network Utilization and Data Protection, etc.)

(1) The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall formulate a policy to lay the foundation for building an information society through the promotion of utilization and the secure management and operation of information and communications networks, and the protection of personal information of users (hereinafter referred to as the «promotion of the utilization of information and communications networks and data protection, etc.»).

(2) The policy referred to in paragraph (1) shall contain the matters stated in the following subparagraphs:

1. Development and distribution of technologies related to the information and communications networks;

2. Standardization of the information and communications networks;

3. Activation of utilization of the information and communications networks such as the development of information contents and applied services of the information and communications networks subject to Article 11;

4. Facilitation of joint utilization of information via information and communications networks;

5. Activation of utilization of the Internet;

6. Protection of personal information collected, processed, stored and utilized via information and communications networks, and development and distribution of related technologies;

7. Protection of the youth in the information and communications networks;

8. Enhancement of safety and reliability of the information and communications networks; and

9. Other matters necessary to promote the utilization of the information and communications networks and data protection, etc.

(3) In formulating the policy referred to in paragraph (1), the Minister of Science, ICT and Future Planning or the Korea Communications Commission shall endeavor to coordinate such policy with the basic plan for promoting informatization as prescribed in Article 6 of the National Informatization Framework Act.

Article 5 (Relation with Other Acts)

The promotion of utilization of information and communications networks and data protection, etc. shall be governed by this Act except specially provided for in other acts; provided, however, that, in case this Act and the Electronic Financial Transactions Act compete to apply with respect to the communications billing services stated in Chapter VII, this Act shall prevail.

CHAPTER Ⅱ.- PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION

Articles 6 – 17 Omitted1)

CHAPTER Ⅲ Deleted

Articles 18 – 21 Deleted (Jun. 22, 2015)

CHAPTER Ⅳ PROTECTION OF PERSONAL INFORMATION

Section 1. Collection of Personal Information

Article 22 (Consent to the Collection and Utilization of Personal Information, etc.)

(1) Any information and communications service provider shall, when it intends to gather user’s personal information, notify the user of the whole matters stated in the following subparagraphs, and obtain his/her consent thereof. The same shall apply to any change of the following subparagraphs:

1. The purpose of collection and utilization of personal information;

2. The items of personal information collected hereunder; and

3. The period of retention and utilization of personal information.

(2) The information and communications service provider may collect and utilize the user’s personal information without consent subject to paragraph (1) in case any of the following subparagraphs applies:

1. Where, as for the personal information, which is necessary to perform the contract for the provision of information and communications services, it is evidently difficult to obtain ordinary consent on account of economical and technological reasons;

2. Where it is necessary to calculate the fees for the provision of information and communications services; or

3. Where special provisions exist in this Act or other acts.

Article 22-2 (Consent to the Authorized Access)

(1) The information and communications service provider shall notify the user of the following subparagraphs so that he/she may understand them explicitly, and obtain his/her consent thereof when the information and communications service provider needs the authorized access to the data stored in the mobile communication device of the user and the functions of such device (hereinafter referred to as the “authorized access”) for its service for the user:

1. In case where the authorized access is inevitable for the relevant service

a. The items of data and functions in need of the authorized access; and

b. The reason why the authorized access is necessary.

2. In case where the authorized access is not inevitable for the relevant service

a. The items of data and functions in need of the authorized access;

b. The reason why the authorized access is necessary; and

c. The fact that the user may abstain from consent to the authorized access.

(2) The information and communications service provider shall not refuse the relevant services on the grounds that the user does not consent to the authorized access which is not necessarily required for the relevant service.

(3) The maker of basic operating systems of mobile communication devices (that means the infrastructure environment to run software of such devices) and the manufacturers of such devices and the supplier of software of such devices shall take such measures as consent to, and withdrawal from, the authorized access which are necessary for the protection of user’s data when the information and communications service provider intends to access the data stored in the mobile communication devices and the functions of such devices.

(4) The scope of the authorized access subject to paragraph (1), method of consent, necessary measures for the protection of user’s data and other necessary matters shall be prescribed by the Presidential Decree.

(Article Inserted Mar. 22, 2016)

Article 23 (Restrictions on Collecting Personal Information, etc.)

(1) No information and communications service provider shall collect the personal information, including ideology, belief, family and relative relations, academic record, medical record and other social career, etc., which is likely to excessively infringe upon the right, interest and privacy of the relevant user; provided, however, that the same shall not apply to the necessary minimum extent where the consent of the user is obtained pursuant to Article 22(1) or the subject of collecting personal information is specified in other acts.

(Amended May 28, 2014)

(2) Any information and communications service provider shall, when it collects the personal information of users, collect only the minimum personal information to the extent necessary to provide the information and communications services. (Amended May 28, 2014)

(3) The information and communications service provider shall not refuse the relevant services on the grounds that the user does not provide any other personal information than the necessary minimum personal information. In this case, the necessary minimum personal information shall mean the inevitable information necessary to perform the fundamental function of the relevant service. (Inserted May 28, 2014)

Article 23-2 (Restriction of Use of Resident Registration Numbers)

(1) The information and communications service provider shall not collect and use the resident registration numbers of users except otherwise applicable to any of the following subparagraphs:

1. Where it has been designated as an identification agency pursuant to Article 23-3;

2. Where the collection and use of resident registration numbers of users are permitted by statutes; or

3. Where the information and communications service provider regards it as inevitable to collect and use the resident registration numbers of users for the conduct of business, as notified by the Korea Communications Commission.

(2) Although the collection and use of resident registration numbers are permitted pursuant to subparagraphs 2 or 3 of paragraph (1), alternative means to identify the user other than his/her resident registration number (hereinafter referred to as the «alternative means») shall be provided to the users.

(Article Amended Feb. 17, 2012)

Article 23-3 (Designation, etc. of Identification Agency)

(1) The Korea Communications Commission may, upon assessing the following matters, designate the person, who is determined capable of safe and trustful conduct of developing, providing and managing the alternative means (hereinafter referred to as the «identification operations») as the identification agency:

1. Physical, technical and managerial measures and planning to ensure the safe and secure identification operations;

2. Technological and financial capability to conduct the identification operations; and

3. Appropriateness of facilities to conduct the identification operations.

(2) When the identification agency wants to have recess of the whole or part of identification operations, it shall notify the recess plan and period to users 30 days prior to the start day and report it to the Korea Communications Commission. In this case, the recess period shall not exceed six months.

(3) When the identification agency wants to repeal its identification operations, it shall notify the repeal plan to users 60 days in advance, and report it to the Korea Communications Commission.

(4) Necessary matters for the detailed assessment criteria pursuant to paragraphs (1) through (3), designation procedure and the recess, repeal, etc. of identification operations shall be prescribed by the Presidential Decree.

(Article Inserted Apr. 5, 2011)

Article 23-4 (Suspension of Identification Operations and Withdrawal of Designation)

(1) When any of the following subparagraphs is applicable to the identification agency, the Korea Communications Commission may order the suspension of the whole or part of identification operations for a period of not more than six months or withdraw the designation of identification agency; provided, however, that the withdrawal of designation shall be mandatory in case of subparagraph 1 or 2:

1. Where it has been designated as an identification agency by fraud or other unjust means;

2. Where it has failed to stop its operations in violation of the order to suspend the identification operations;

3. Where it has failed to start the identification operations within six months from the designation day, or has recess of the identification operations continuously for more than six months; or

4. Where it does not satisfy the criteria pursuant to Article 23-3(4).

(2) The criteria for administrative disposition pursuant to paragraph (1), its procedure and other necessary matters shall be prescribed by the Presidential Decree.

(Article Inserted Apr. 5, 2011)

Article 24 (Restrictions on Utilizing Personal Information)

No information and communications service provider shall utilize the personal information collected pursuant to Article 22 and the proviso of Article 23(1) for other purpose than the purpose consented by the relevant user or referred to in each subparagraph of Article 22(2).

Article 24-2 (Consent to the Provision of Personal Information, etc.)

(1) Any information and communications service provider shall, when it intends to provide user’s personal information to a third party, notify the user of the whole matters stated in the following subparagraphs except the cases falling under subparagraphs 2 and 3 of Article 22(2), and obtain his/her consent thereof. The same shall apply to any change of the following subparagraphs:

1. The receiver of personal information;

2. The purpose of utilizing personal information of such receiver;

3. The items of personal information provided hereunder; and

4. The period of retention and utilization of personal information by the receiver.

(2) The receiver of the personal information of users provided by the information and communications service provider pursuant to paragraph (1) shall not provide such personal information to a third party, nor utilize such personal information for other use than the purpose of being provided except the cases specified in other acts.

(3) The information and communications service provider, etc. as stated in Article 25(1) shall, upon obtaining the consent to the provision pursuant to paragraph (1) and the consent to entrusting handling of personal information pursuant to Article 25(1), separate such consent from the consent to the collection and use of personal information pursuant to Article 22, and shall not refuse to provide its service on ground that the user would not give consent to it. (Amended Mar. 22, 2016)

Article 25 (Entrusting Processing of Personal Information)

(1) The information and communications service provider and the receiver of the personal information of users provided by such provider pursuant to Article 24-2(1) (hereinafter referred to as the «information and communications service provider, etc.») shall, if they entrust the work (hereinafter collectively referred to as «entrusting processing» of personal information) of collecting, creating, connecting, interlocking, recording, retaining, processing, editing, retrieving, printing out, modifying, restoring, utilizing, providing, disclosing, destroying and similarly doing (hereinafter collectively referred to as «processing») the personal information of users to a third party, notify the user of the whole matters stated in the following subparagraphs, and obtain his/her consent thereof. The same shall apply to any change of the following subparagraphs: (Amended Mar. 22, 2016)

1. The person entrusted processing of personal information (hereinafter referred to as the «trustee»); and

2. Particulars of entrusted work of processing of personal information.

(2) The information and communications service provider, etc. may skip the notice and consent procedure as prescribed in paragraph (1) in case the whole matters of each subparagraph of paragraph (1) are made public pursuant to Article 27-2(1) or notified to users in such a manner like sending e-mails as stated in the Presidential Decree, which is necessary to perform the contract for the provision of information and communications services and to augment the users’ convenience, etc. The same shall apply to any change of the subparagraphs of paragraph (1). (Amended May 28, 2014; Mar. 22, 2016)

(3) The information and communications service provider, etc. shall, when it intends to entrust processing of personal information, define the purpose in advance for which the trustee shall process the personal information of users. The trustee shall not process the personal information of users beyond such purpose. (Amended Mar. 22, 2016)

(4) The information and communications service provider, etc. shall manage, supervise and educate the trustee lest it should violate the provisions in this Chapter. (Amended Mar. 22, 2016)

(5) The trustee, who caused damage to the users regarding the work processing entrusted hereunder in violation of the provisions in this Chapter, shall be deemed as an employee of the information and communications service provider, etc. only with respect to compensation for such damage. (Amended Mar. 22, 2016)

(6) What the information and communications service provider, etc. has entrusted processing of personal information to a trustee shall be in writing. (Inserted Mar. 22, 2016)

(7) The trustee may re-entrust the work entrusted pursuant to paragraph (1) only when he/she has obtained the consent of the information and communications service provider, etc. who has entrusted processing of personal information. (Inserted Mar. 22, 2016)(Amended Mar. 22, 2016)

Article 26 (Transfer of Personal Information following the Business Transfer, etc.)

(1) In the event that the information and communications service provider, etc. transfers the personal information of users to others owing to the transfer of business in whole or in part, or merger, etc., it shall notify the users of the whole matters prescribed in the following subparagraphs in such a manner like sending e-mails, posting at the Website and so forth as stated in the Presidential Decree:

1. The fact that the personal information is to be transferred;

2. The name (referring to the company name in case of a juridical person; hereafter the same shall apply in this Article), address, telephone number and other contact points of a person who has received the personal information (hereinafter referred to as the «business transferee, etc.»);

3. The method and procedure to withdraw the consent in case the user would not want the transfer of personal information.

(2) The business transferee, etc. shall, without delay upon the transfer of personal information, notify the users of such fact and the name, address, telephone number and other contact points in such a manner like posting at the Website, sending e-mails and so forth as stated in the Presidential Decree.

(Amended May 28, 2014)

(3) The business transferee, etc. may utilize or provide the personal information of users within the scope of the initial purpose for which the information and communications service provider, etc. is allowed to utilize or provide such personal information; provided, however, that the same shall not apply where the users have consented specifically.

Article 26-2 (Method to Obtain Consent)

The method how to obtain the consent pursuant to Article 22(1), the proviso of Article 23(1), Article 24-2(1) and (2), Article 25(1), the proviso of Article 26(3) or Article 63(2) (hereinafter collectively referred to as the «consent to the collection, utilization, provision, etc. of personal information») shall be stated by the Presidential Decree in view of the media for collecting personal information, the nature of business operations, the number of users, and so forth.

Section 2. The Management and Destruction of Personal Information

Article 27 (Designation of Person in Charge of Data Protection)

(1) The information and communications service provider, etc. shall designate the person in charge of data protection to protect the personal information of users and deal with complaints of users related with the personal information; provided, however, that the same may not apply to the information and communications service provider, etc. who satisfies the number of employees and users, and other criteria specified by the Presidential Decree. (Amended Mar. 22, 2016)

(2) In case the information and communications service provider, etc. subject to the proviso of paragraph (1) does not designate the person in charge of data protection, its owner or representative shall become the person in charge of data protection. (Amended Mar. 22, 2016)

(3) Qualification requirements for the person in charge of data protection and other matters necessary to designate the person shall be prescribed by the Presidential Decree. (Amended Mar. 22, 2016)

(4) When the person in charge of data protection finds out any fact in violation of this Act and other relevant laws and regulations, he/she shall immediately take measures to correct such violations, and, if necessary, report such measures to the business owner or representative of the information and communications service provider, etc.; provided, however, that, if the business owner or representative shall become the person in charge of data protection, the provision regarding report of corrective measures shall not apply. (Amended Mar. 22, 2016)

Article 27-2 (Disclosure of Personal Information Policy Statement)

(1) In case of processing the personal information of users, the information and communications service provider, etc. shall establish and disclose the personal information policy statement in such a manner as stated in the Presidential Decree so that users may identify the policy with ease at any time.

(Amended Mar. 22, 2016)

(2) The personal information policy statement subject to paragraph (1) shall contain each and all following subparagraphs: (Amended Feb. 17, 2012; Mar. 22, 2016)

1. The purpose of collection and utilization of the personal information, particulars of personal information collected hereunder and the method of collection thereof;

2. The name (referring to the company name in case of a juridical person) of a person who has received the personal information, the purpose of utilization, and particulars, of the personal information in case the personal information is provided to a third party;

3. The period of retention and utilization of personal information, the procedure and method of destruction of personal information (including the ground of preservation and the particulars of personal information to be preserved in case of preserving such information subject to the proviso except each subparagraph of Article 29);

4. The content of business for which processing of personal information is entrusted and the trustee (including the processing policy statement, if applicable);

5. The rights of users and legal representatives, and how to exercise the rights;

6. The installation and operation of the device collecting automatically the personal information like the Internet logon files, etc. and how to deny such device;

7. The name of a person in charge of data protection, or the department to protect the personal information of users and deal with complaints of users related with the personal information, and the contact points like telephone numbers.

(3) In case of change of the personal information policy statement pursuant to paragraph (1), the information and communications service provider, etc. shall make public without delay the reason and changes thereof in such a manner as stated in the Presidential Decree so that users may identify the change of policy statement with ease at any time. (Amended Mar. 22, 2016)

Article 27-3 (Notification and Report of Personal Information Leakage, etc.)

(1) Upon knowing the loss, theft and leakage of personal information (hereinafter referred to as «leakage, etc.»), the information and communications service provider, etc. shall, without delay, inform each of the following subparagraphs of the relevant users, and report it to the Korea Communications Commission or the Korea Internet and Security Agency, and shall not delay, without justifiable reasons, such notification and report exceeding 24 hours from the time when it got to know the fact; provided, however, that it may take other measures, if there is such a justifiable reason as whereabouts of users are still unknown, as replaceable with the notification as prescribed by the Presidential Decree: (Amended May 28, 2014; Mar. 22, 2016)

1. Personal information items affected by leakage, etc.;

2. Time when leakage, etc. took place;

3. Measures that users may take;

4. Countermeasures that the information and communications service provider, etc. may take; and

5. Department where users may place inquiries, etc. and other contact points.

(2) Upon receiving the report pursuant to paragraph (1), the Korea Internet and Security Agency shall, without delay, inform the fact of the Korea Communications Commission. (Inserted May 28, 2014)

(3) The information and communications service provider, etc. shall explain the justifiable reasons pursuant to the main sentence and proviso of paragraph (1) to the Korea Communications Commission. (Inserted May 28, 2014)

(4) The method, procedure, etc. of notification and report pursuant to paragraph (1) and other necessary matters shall be prescribed by the Presidential Decree. (Amended May 28, 2014)

(5) The information and communications service provider, etc. shall prepare for the leakage, etc. of personal information, and explore ways to establish measures to minimize the damage to victims. (Amended May 28, 2014; Mar. 22, 2016)

Article 28 (Data Protection Measures)

(1) In case of processing the personal information of users, the information and communications service provider, etc. shall take such technological and managerial measures as mentioned in the following subparagraphs to prevent the loss, theft, leakage, forgery, alteration of, or damage to, the personal information and to ensure the safety of personal information by the standard as specified by the Presidential Decree. (Amended Mar. 22, 2016)

1. To establish and implement the in-house management plan to process the personal information more safely;

2. To install and operate the access control system like firewall to block illegal access to the personal information;

3. To take measures to prevent the forgery or falsification of logon files;

4. To take security measures using encryption technologies in order to store and transmit the personal information more safely;

5. To take such preventive measures as download and operation of the vaccination software to protect from computer viruses; and

6. To take other protective measures necessary to secure the safety of the personal information.

(2) The information and communications service provider, etc. shall limit the persons to process the personal information of users to the minimum.

(Amended Mar. 22, 2016)

Article 28-2 (Prohibition of Leakage of Personal Information)

(1) Any person who is processing, or once processed, the personal information of users shall not damage, infringe upon or leak out the information acquired in the course of business. (Amended Mar. 22, 2016)

(2) No one shall be provided with the personal information for profit or unjust purposes while knowing such information has been leaked out.

Article 29 (Destruction of Personal Information)

(1) The information and communication service provider, etc. shall, without delay, destroy the relevant personal information lest it should be restored or recovered in case any of the following cases applies; provided, however, that the same shall not apply where other acts require the preservation of such information: (Amended Feb. 17, 2012; May 28, 2014)

1. When the purpose of collecting or utilizing the personal information consented pursuant to Article 22(1), the proviso of Article 23(1) or Articles 24-2(1) and (2), or the relevant purpose as specified by any of the subparagraphs of Article 22(2) has been attained;

2. When the period of retention and utilization of personal information consented pursuant to Article 22(1), the proviso of Article 23(1) or Articles 24-2(1) and (2) has expired;

3. When the period of retention and utilization of personal information subject to Article 27-2(2) iii in case of collecting or utilizing the personal information without the consent of users pursuant to Article 22(2) has expired; or

4. When its business has been closed.

(2) The information and communication service provider, etc. shall take necessary measures, including the destruction of personal information and others as prescribed by the Presidential Decree, to protect the personal information of users who would not use the information and communications services for one year; provided, however, that it does not apply when the said period is otherwise fixed by other laws and regulations, or user’s request. (Inserted Feb. 17, 2012; Dec. 1, 2015)

(3) The information and communication service provider, etc. shall inform the users of the fact that their personal information will be destroyed, the expiry date, the particulars of the said personal information, etc. as prescribed by the Presidential Decree by means of email, etc. as prescribed by the Presidential Decree. (Inserted Dec. 1, 2015)

Section 3.- User’s Right

Article 30 (User’s Right, etc.)

(1) Every user may at any time withdraw his/her consent given to the information and communications service provider, etc. for the collection, utilization or provision of the personal information.

(2) Every user may request the access to, or provision of, any of the following items related with him/her, and if his/her personal information is found to be erroneous, he/she may request the correction thereof:

1. The personal information of users retained by the information and communications service provider, etc.;

2. The content of how the information and communications service provider, etc. has utilized, or provided to a third party, the personal information of users; or

3. The status at which the information and communications service provider, etc. has obtained consent for the collection, utilization or provision of the personal information.

(3) In case that a user withdraws his/her consent pursuant to paragraph (1), the information and communications service provider, etc. shall, without delay, take necessary measures, i.e., destroying his/her personal information collected lest it should be restored or recovered. (Amended May 28, 2014)

(4) The information and communications service provider, etc. shall, upon receiving a request for the access to, or provision of, personal information pursuant to paragraph (2), take necessary measures without delay.

(5) The information and communications service provider, etc. shall, immediately upon receiving a request for the correction of erroneous personal information pursuant to paragraph (2), correct the erroneous information or take necessary measures, i.e., explaining why it failed to correct such information, and shall not utilize or provide the relevant personal information until the correction thereof; provided, however, that the same shall not apply where other acts require the provision of such information.

(6) The information and communications service provider, etc. shall make the withdrawal of consent pursuant to paragraph (1), or how to request access to, provision of, or correction of errors in, the personal information much easier than the method how to collect the personal information.

(7) The provisions of paragraphs (1) through (6) shall apply mutatis mutandis to the business transferee, etc. In this case, the information and communications service provider, etc. shall be deemed the business transferee, etc.

Article 30-2 (Notification of Personal Information Use Statement)

(1) The information and communications service provider, etc., which satisfies the criteria as prescribed by the Presidential Decree, shall notify periodically the use statement (including the provision pursuant to Article 24-2 and entrusting processing of personal information pursuant to Article 25) of personal information collected pursuant to Articles 22 and 23(1) proviso; provided, however, that the same shall not apply where such personal information as contact points to be notified was not collected. (Amended Mar. 22, 2016)

(2) The type of information to be notified to the users pursuant to paragraph (1), notification interval and method and other matters necessary to notify the use statement shall be prescribed by the Presidential Decree.

Article 31 (Legal Representative’s Right)

(1) The information and communications service provider, etc. shall, when it intends to obtain consent for the collection, utilization or provision of the personal information from a minor of age below 14, obtain the consent therefor from his/her legal representative. In this case, the information and communications service provider may demand from the child the necessary minimum information, including the name, etc. of the legal representative, so as to obtain the consent.

(2) The legal representative may exercise user’s right as for the personal information of the relevant child pursuant to Articles 30 (1) and (2).

(3) The provisions of Article 30 (3) through (5) shall apply mutatis mutandis to the withdrawal of consent, and the request for the access to, or the correction of, the personal information by the legal representative pursuant to paragraph (2).

Article 32 (Damages)

If a user suffers any damage caused by the violation of the provisions in this Chapter on part of the information and communications service provider, etc., such user may claim for the damages against the information and communications service provider, etc. In this case, the information and communications service provider, etc. may not be released from the damages if it fails to prove non-existence of its intention or negligence.

Article 32-2 (Claim for Statutory Damage)

(1) The user may, when all of the following subparagraphs are satisfied, claim for compensation of considerable amount up to three million won in place of damages pursuant to Article 32 against the information and communications service provider, etc. within the period as prescribed by the Presidential Decree.

In this case, the accused information and communications service provider, etc. cannot evade the responsibility unless it proves non-existence of intention or negligence: (Amended Mar. 22, 2016)

1. Where the information and communications service provider, etc. violates provisions in this Chapter intentionally or negligently; and

2. Where the personal information was lost, stolen, leaked, forged, altered or damaged.

(2) The court may, upon the claim pursuant to paragraph (1), acknowledge a reasonable amount of damages within the scope of paragraph (1) based upon the examination of evidence and review of all the arguments during the proceedings.

(3) The user who has filed a lawsuit for damages pursuant to Article 32 may change it to the claim for damages subject to paragraph (1) until the closing of oral proceedings at the trial court. (Inserted Mar. 22, 2016)

Article 32-3 (Deletion and Blocking of Exposed Personal Information)                       

(1) The information and communications service provider, etc. shall exert itself lest users’ personal information including resident registration numbers, bank account numbers, credit card numbers, etc. should be exposed to public via information and communications network. (Amended Mar. 22, 2016)                                                      

(2) Upon the request of the Korea Communications Commission or the Korea Internet and Security Agency, the information and communications service provider, etc. shall take necessary measures including deletion, blocking, etc. of personal information exposed under paragraph (1). (Inserted Mar. 22, 2016)

Section 4.- Deleted

Articles 33 through 40 Deleted 2)

CHAPTER Ⅴ.- PROTECTION OF THE YOUTH IN INFORMATION AND COMMUNICATIONS NETWORKS

Articles 41 through 44-10 Omitted

CHAPTER Ⅵ.- SECURING STABILITY OF INFORMATION AND COMMUNICATIONS NETWORKS, ETC.

Articles 45 through 46-2 Omitted

Article 46-3 Deleted

Article 47 (Certification of Data Protection Management System)

(1) The Minister of Science, ICT and Future Planning may certify for the purpose of securing the stability and reliability of the communications network whether the person who has established and operated a consolidated management system including the managerial, technical and physical safeguards (hereinafter referred to as the “Data Protection Management System” or DPMS) could satisfy the criteria subject to paragraph (4). (Amended Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015)

(2) Any person who falls on any of the following paragraphs as a telecommunications business operator subject to Article 2 viii of the Telecommunications Business Act and an information provider/intermediary taking advantage of the telecommunications services of the said telecommunications business operator shall obtain the certification pursuant to paragraph (1). (Inserted Feb. 17, 2012; Dec. 1, 2015)

1. Any person who has obtained the permission subject to Article 6(1) of the Telecommunications Business Act and provides information and communications service as prescribed by the Presidential Decree;

2. An integrated information and communications facility operator; or

3. Any person with the annual sales, revenue, etc. of more than 150 billion won or the number of users daily average of one million people for the previous three months, who satisfies the criteria as prescribed by the Presidential Decree.

(3) The Minister of Science, ICT and Future Planning may omit parts of certification examination subject to paragraph (1) in case that the person in need of certification has obtained the international standard certification of data protection or taken other measures for data protection as prescribed by the Ordinance of the Ministry of Science, ICT and Future Planning. In this case, the scope of omission in detail of the said certification examination shall be decided and notified by the Minister of Science, ICT and Future Planning. (Inserted Dec. 1, 2015)

(4) The Minister of Science, ICT and Future Planning may prescribe and notify the certification criteria including the managerial, technical and physical safeguards and other necessary matters for the DPMS certification subject to paragraph (1). (Amended Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015)

(5) The duration of the DPMS certification subject to paragraph (1) shall be three years; provided, however, that the person who has obtained the data protection degree pursuant to Article 47-5(1) is deemed to have been certified subject to paragraph (1) for the duration of such data protection degree.

(Inserted Feb. 17, 2012; Dec. 1, 2015)

(6) The Minister of Science, ICT and Future Planning may delegate the certification matters subject to paragraphs (1) and (2) of the following subparagraphs to the Korea Information and Security Agency or other institution designated by the Minister of Science, ICT and Future Planning (hereinafter referred to as the “DPMS Certification Agency”): (Inserted Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015)

1. The certification examination to clarify the DPMS of a certification applicant being in conformity with certification criteria subject to paragraph (4) (hereinafter referred to as the “DPMS Certification Examination”);

2. Deliberation of the DPMS Certification Examination results;

3. Issuance and management of the DPMS Certificate;                                                   

4. Ex post facto management of the DPMS Certification;                                               

5. Fostering and qualification management of the DPMS Certification examiners; and 

6. Other matters in relation to the DPMS Certification.                                                 

(7) The Minister of Science, ICT and Future Planning may designate the institution to conduct the said certification examination (hereinafter referred to as the “DPMS Examination Agency”) if necessary to conduct the said certification task efficiently. (Inserted Dec. 1, 2015)                                                                                                    

(8) The Korea Information and Security Agency, the DPMS Certification Agency and the DPMS Examination Agency shall conduct ex post facto management at least once a year to enhance the effectiveness of the DPMS, and notify its result to the Minister of Science, ICT and Future Planning. (Inserted Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015)                                                                                                                               

(9) The person who has obtained the DPMS certification pursuant to paragraphs (1) and (2) may represent or promote the DPMS Certification as prescribed by the Presidential Decree. (Amended Feb. 17, 2012; Dec. 1, 2015)                                                          

(10) The Minister of Science, ICT and Future Planning may withdraw the PIMS certification when finding out any reason which falls on any of the following subparagraphs; provided, however, that the Minister shall cancel the said certification in case of subparagraph 1: (Inserted Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015)

1. Where the DPMS Certification has been obtained by fraud or other unjust means;    

2. Where the certification criteria subject to paragraph (4) fail to be satisfied; or

3. Where the ex post facto management subject to paragraph (8) has been denied or obstructed.

(11) The method, procedure, scope and tariffs of certification subject to paragraphs (1) and (2), the method and procedure of ex post facto management subject to paragraph (8), the method and procedure of withdrawal of certification subject to paragraph (10), other necessary matters shall be prescribed by the Presidential Decree. (Amended Feb. 17, 2012; Dec. 1, 2015)                                                                                                

(12) Necessary matters for the designation criteria, procedure, duration, etc. of the DPMS Certification Agency and the DPMS Examination Agency shall be prescribed by the Presidential Decree. (Amended Feb. 17, 2012; Dec. 1, 2015)

(Article Amended Jun. 13, 2008.)

Article 47-2 (Withdrawal, etc. of Designation of DPMS Certification Agency and DPMS Examination Agency)

(1) The Minister of Science, ICT and Future Planning may withdraw the designation of the DPMS Certification Agency and the DPMS Examination Agency, or suspend a whole or part of the DPMS operations for the period not exceeding one year when the juridical person or association designated as such pursuant to Article 47 falls on any of the following subparagraphs; provided, however, that the Minister shall withdraw the said designation in case of subparagraphs 1 and 2: (Inserted Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015)

1. Where the designation of the DPMS Certification Agency or DPMS Examination Agency has been obtained by fraud or other unjust means;

2. Where the certification or certification examination has been conducted during the period of suspension of the said operation;

3. Where the certification or certification examination has not been conducted with justifiable reasons;

4. Where the certification or certification examination has been conducted in violation of Article 47(11); or

5. Where the designation criteria subject to Article 47(12) fail to be satisfied.

(2) Necessary matters for the designation withdrawal and suspension of operation, etc. subject to paragraph (1) shall be prescribed by the Presidential Decree.

(Article Amended Jun. 13, 2008; Amended Dec. 1, 2015)

Article 47-3 (Certification of Personal Information Management System)

(1) The Korea Communications Commission may certify for the purpose of carrying out systemic and sustainable personal information protection activities in the communications network whether the person who has established and operated a consolidated management system including the managerial, technical and physical safeguards (hereinafter referred to as the “Personal Information Management System” or PIMS) could satisfy the criteria subject to paragraph (2).

(2) The Korea Communications Commission may prescribe and notify the certification criteria including the managerial, technical and physical safeguards and other necessary matters for the PIMS certification subject to paragraph (1).

(3) Articles 47(6) through (12) shall apply mutatis mutandis to the PIMS agencies, ex post facto management, etc. In this case, paragraphs (1) and (2) shall read paragraph (1). (Amended Dec. 1, 2015)

(4) Article 47-2 shall apply mutatis mutandis to the designation withdrawal, etc. of the PIMS Certification Agency.

(Article Inserted Feb. 17, 2012)

(The previous Article 47-3 moved to Article 47-4 Feb. 17, 2012)

Article 47-4 (Data Protection of Users)

(1) The government may advise to the users to observe by establishing necessary standards for the data protection of users, and take necessary measures, i.e., checking the weak points and providing technological assistance, so as to prevent the incidents and block the dissemination thereof.

(2) through (4) Omitted

Article 47-5 (Grant of Data Protection Management Degree)

(1) The person who has obtained the DPMS certification pursuant to Article 47 may be granted the data protection management degree by the Minister of Science, ICT and Future Planning to enhance the consolidated corporate data protection management level and secure the reliability of data protection services from users. (Amended Mar. 23, 2013)

(2) The Minister of Science, ICT and Future Planning may delegate the grant of degree matters subject to paragraph (1) to the Korea Information and Security Agency. (Amended Mar. 23, 2013)

(3) The person who has been granted the data protection management degree pursuant to paragraph (1) may represent or promote the said data protection management degree.

(4) The Minister of Science, ICT and Future Planning may withdraw the degree granted as such when finding out any reason which falls on any of the following subparagraphs; provided, however, that the Minister shall cancel the said degree in case of subparagraph 1: (Amended Mar. 23, 2013; Dec. 1, 2015)

1. Where the data protection management degree has been granted by fraud or other unjust means; or

2. Where the degree criteria subject to paragraph (5) fail to be satisfied.

(5) The criteria for grant of degree, the method, procedure and tariffs of grant of degree subject to paragraph (1), the duration of degree, the method and procedure of withdrawal of degree subject to paragraph (4), and other necessary matters shall be prescribed by the Presidential Decree.

(Article Newly Inserted Feb. 17, 2012)

Articles 48 through 48-4 Omitted

Article 49 (Protection of Secrets, etc.)

No one is allowed to damage the information of other persons or infringe upon, steal or leak the secrets of other persons, which are processed, stored or transmitted via the information and communications networks.

Article 49-2 (Prohibition of Collection of Personal Information by Means of Deceptive Activities)

(1) No one shall collect, or entice other person to provide with, the personal information of other person by means of deceptive activities in the information and communications networks.

(2) Any information and communications service provider shall report to the Minister of Science, ICT and Future Planning, the Korea Communications Commission or the Korea Information and Security Agency immediately upon finding out the violation of paragraph (1). (Amended Apr. 22, 2009; Mar. 22, 2016)

(3) The Minister of Science, ICT and Future Planning, the Korea Communications Commission or the Korea Information and Security Agency shall, upon receiving the report pursuant to paragraph (2) or finding out the violation of paragraph (1), take necessary measures prescribed in the following subparagraphs: (Amended Apr. 22, 2009; Mar. 22, 2016)

1. Collecting and disseminating the violation of paragraph (1);

2. Forecasting or warning of similar violations; and

3. Emergency measures to prevent present and further violations including request for blocking the access paths or request for notification of users’ information exposed to the violations under paragraph (1) to the information and communications service provider.

(4) The Minister of Science, ICT and Future Planning or the Korea Communications Commission may order the information and communications service provider, prior to taking measures subject to paragraph (3) iii, to take necessary measures including sharing information in relation to deceptive activities via information and communications networks among service providers.

(Inserted Mar. 22, 2016)

Article 50 (Restrictions on Transmitting Advertisement Information Made for Profit)

(1) Anybody, who intends to transmit via electronic transmission media any advertisement information made for profit, shall obtain the prior explicit consent of the relevant addressee; provided, however, that the same shall not apply to any of the following subparagraphs: (Amended Mar. 22, 2016)

1. Where somebody, who collects directly from the addressees the contact points through transactions of goods and services, intends to transmit the advertisement information made for profit within the period as prescribed by the Presidential Decree regarding the same kind of goods, etc. processed by himself and traded with the receiver; and

2. Where a call center operator subject to the Act Regarding Visiting Sales, etc. solicits over the telephone with his/her voice after informing the addressee of the sources of personal information.

(2) Notwithstanding paragraph (1), anybody, who intends to transmit via electronic transmission media any advertisement information made for profit, shall not transmit advertisement information made for profit if the addressee expresses refusal of such information or withdraws prior consent.

(3) Anybody, who intends to transmit any advertisement information made for profit via electronic transmission media to the addressee during the hours from 9:00 p.m. to 8:00 a.m. the next day, shall obtain the separate prior consent of the relevant addressee in spite of paragraph (1); provided, however, that the same shall not apply to the media as prescribed by the Presidential Decree.

(4) Anybody, who transmits advertisement information made for profit via electronic transmission media, shall indicate concretely the matters stated in the following subparagraphs in such a manner as prescribed by the Presidential Decree:

1. The name and contact points of the sender; and

2. Other matters regarding the measure and methods to easily indicate the refusal of, or withdrawal of consent to, such information.

(5) Anybody, who transmits advertisement information made for profit via electronic transmission media, shall not take any measure specified in the following subparagraphs:

1. Measures to avoid and hinder the refusal or withdrawal of consent of the addressee of advertisement information;

2. Measures to automatically generate the contact points of addressee i.e., by combining numbers, codes or letters into new telephone numbers or e-mail addresses;

3. Measures to automatically register telephone numbers or e-mail addresses in order to transmit advertisement information made for profit;

4. Measures to conceal the identity of the sender of advertisement information or the source of advertisement transmission; or

5. Various measures to induce reply by deceiving the addressee for the purpose to transmit advertisement information made for profit.

(6) Anybody, who transmits advertisement information for profit via electronic transmission media, shall take necessary measures in such a manner as prescribed by the Presidential Decree lest the addressee should be charged the monetary cost incurred when telephoning a message to refuse, or withdraw the consent of, such information.

(7) Anybody, who transmits advertisement information for profit via electronic transmission media, shall, when the addressee expresses prior consent pursuant to paragraph (1), or refusal to receive or withdrawal of consent to receive pursuant to paragraph (2), inform to the addressee the result after processing prior consent, refusal to receive or withdrawal of consent as prescribed by the Presidential Decree.

(8) Anybody, who has obtained the consent pursuant to paragraphs (1) or (3), shall confirm periodically whether the addressee really consented to receive such advertisement information as prescribed by the Presidential Decree.

(Article Amended May 28, 2014)

Article 50-2 Deleted (May 28, 2014)

Article 50-3 (Entrusting Transmission of Advertisement Information Made for Profit)

(1) Anybody, who entrusts other person with a task to transmit advertisement information made for profit, shall control and supervise him/her lest the trustee should violate Article 50. (Amended May 28, 2014)

(2) Anybody, who is entrusted by a person with a task to transmit advertisement information made for profit pursuant to paragraph (1), shall be deemed an employee of such person in compensating the damage caused by violating the relevant acts related with such task.

Article 50-4 (Restrictions on Information Transmission Services, etc.)

(1) The information and communications service provider may take measures to refuse to provide the relevant services in any of the following subparagraphs:

1. Where obstacles occur or are expected to occur in providing services owing to transmitting or receiving advertisement information;                                                  

2. Where users would not want to receive advertisement information; or                        

3. Deleted (Amended May 28, 2014)                                                                                         

(2) The information and communications service provider, which intends to take measures to refuse pursuant to paragraph (1) or (4), shall include such provisions as how to refuse the relevant services in an end-user agreement with the user of such services. (Amended May 28, 2014)                                                                                  

(3) The information and communications service provider, which intends to take measures to refuse pursuant to paragraph (1) or

Article 50-5 (Installation of Advertisement Programs for Profit, etc.)

The information and communications service provider, which intends to show up advertisement information made for profit or install the programs to collect personal information in the users’ computer or other data processing devices as prescribed by the Presidential Decree, shall obtain the consent of users. In this case, it shall notify the usage of such programs and the method how to delete.

Article 50-6 (Distribution of Softwares to Block the Transmission of Advertisement Programs Made for Profit)

(1) The Korea Communications Commission may develop and distribute softwares and computer programs by which the addressee can conveniently block or report the advertisement information made for profit transmitted in violation of Article 50.

(2) The Korea Communications Commission may provide necessary support to the relevant public institutions, corporations, associations, etc. in order to promote the development and distribution of softwares and computer programs to block and report pursuant to paragraph (1).

(3) The Korea Communications Commission may advise the information and communications service provider to take such necessary measures as development of technologies, education, public relations, etc. for the protection of addressees when the services of the information and communications service provider are used to transmit the advertisement information made for profit in violation of Article 50.

(4) Necessary matters for the development and distribution pursuant to paragraph (1) and the support pursuant to paragraph (2) shall be prescribed by the Presidential Decree.

Article 50-7 (Restrictions on Posting Advertisement Information Made for Profit)

(1) Anybody, who intends to post any advertisement information made for profit on the Internet homepage, shall obtain prior consent of the webmaster or homepage manager; provided, however, that the same does not apply to a bulletin board which anybody has an easy access and may post messages without authorization.

(2) Notwithstanding paragraph (1), anybody, who intends to post any advertisement information made for profit on the Internet homepage, shall not post advertisement information made for profit if the webmaster or homepage manager expresses explicit refusal of posting such information or withdraws prior consent.

(3) A system operator or administrator of the Internet homepage may take such measures as deleting the advertisement information made for profit which is posted in violation of paragraph (1) or (2).

(Article Amended May 28, 2014)

Article 50-8 (Prohibition of Transmission of Advertisement Information for Illegal Act)

Nobody shall transmit advertisement information regarding goods or services prohibited by this Act or other acts via the information and communications networks.

Article 51 (Restrictions on Outflow of Material Information into Foreign Countries)

(1) The government may have each information and communications service provider or the relevant user of information and communications services take measures necessary to prevent material information regarding the domestic industry, economy, science and technology, etc. from being flowed out of Korea into foreign countries via the information and communications networks.

(2) The scope of material information referred to in paragraph (1) shall be as follows:

1. Security information related with the national security and major policy information; or

2. Information regarding state-of-the-art technologies or equipment developed domestically.

(3) The government may have each information and communications service provider processing the information referred to any of the subparagraphs of paragraph (2) take the following measures: (Amended Mar. 22, 2016)

1. Establishing systemic and technological devices to prevent improper utilization of the information and communications networks;

2. Taking systemic and technological measures to block the illegal destruction or manipulation of information; or

3. Taking measures to prevent the leakage of material information acquired in the course of processing information by the information and communications service provider.

Article 52 (Korea Information and Security Agency)

(1) The government shall establish the Korea Information and Security Agency (hereinafter referred to as «KISA») to implement efficiently such policies as to enhance the information and communications networks (excluding the establishing, improving and managing such networks), as to promote the safe usage, and as to support the international cooperation and going abroad related with broadcasting and communications.

(2) KISA shall be a juridical person.

(3) KISA shall conduct the business referred to in the following subparagraphs: (Amended Mar. 23, 2013; Nov. 19, 2014; Jun. 22, 2015)                                                 

1. To survey and research into legal regimes, policies and systems for the utilization and protection of the information and communications networks, and the international cooperation and going abroad related with broadcasting and communications;              

2. To do research and analysis of statistics related with the utilization and protection of the information and communications networks;                                                              

3. To analyze negative effects of informatization and to research into countermeasures;

4. To conduct public relations, education and training for the utilization and protection of the information and communications networks;                                                           

5. To secure data protection in the information and communications networks, and to achieve technological development and standardization related with the Internet address resources;                                                                                                                          

6. To help establish the policy for the data protection industries, and to conduct related technological development and training of human resources;                                         

7. To implement and support the assessment, certification, etc. of data protection including the DPMS certification and the assessment and certification of data protection system;                                                                                                                                

8. To do research into effective measures for data protection, and to support the development and distribution of data protection technologies;                                        

9. To support the operation of the Dispute Mediation Committee and to operate the Reporting Center for Personal Information Infringement;

10. To do counseling and process claims regarding the transmission of advertisement information and the Internet advertisement;                                                                   

11. To deal with and analyze causes of the incidents infringing upon the information and communications networks, and to operate the incident response system;                

12. To manage the authentication of electronic signature pursuant to Article 25(1) of the Electronic Signature Act;                                                                                                

13. To support the efficient operation of the Internet and the promotion of utilization thereof;                                                                                                                            

14. To help protect the stored information of the Internet users;                                      

15. To support the service policy related with the Internet;                                           

16. To protect users in the Internet, and to help flow and disseminate sound information;

17. To conduct business regarding the Internet addresses under the Act on the Internet Resources;                                                                                                                       

18. To support operation of the Internet Address Dispute Mediation Committee pursuant to Article 16 of the Act on the Internet Resources;                                         

19. To support operation of the Mediation Committee pursuant to Article 25(7) of the Act on the Promotion of Data Protection Industry;                                                           

20. To assist the international cooperation, going abroad and overseas public relations related with broadcasting and communications;                                                            

21. Other activities incidental to the business of subparagraphs 1 through 20; and

22. Other tasks prescribed by this Act, and other acts and regulations to be conducted by KISA, or entrusted by the Minister of Science, ICT and Future Planning and the Minister of Interior, the Korea Communications Commission, or the head of other administrative agencies;                                                                                                  

(4) The government may make contributions to cover expenses necessary for the operation of KISA.

(5) The provisions regulating the incorporated foundation in the Civil Act shall apply mutatis mutandis to the matters not prescribed by this Act with respect to KISA.

(6) Other person than KISA shall not use the name of the Korea Information and Security Agency.

(7) Other matters necessary to operate, and conduct business of, KISA shall be prescribed by the Presidential Decree.

CHAPTER VII.- COMMUNICATIONS BILLING SERVICES

Articles 53 – 61 Omitted

CHAPTER VIII.- INTERNATIONAL COOPERATION

Article 62 (International Cooperation)

In performing the function stated in the following subparagraphs, the government shall cooperate with other states or international organizations:

1. Cross-border transfer of personal information and data protection;

2. Protection of the youth in the information and communications network;

3. Prevention of the incidents threatening the safety of information and communications network; and

4. Other activities to ensure safe and sound utilization of information and communications services.

Article 63 (Protection of Cross-Border Transfer of Personal Information)

(1) The information and communications service provider, etc. shall not enter into any international contract of which contents violate the provisions of this Act with respect to the personal information of users.

(2) The information and communications service provider, etc. shall obtain the consent of users when they intend to provide (including being subject to inquiry), entrust processing, store (hereinafter referred to as “transfer” in this Article) the personal information of such users to abroad; provided, however, that, if it is necessary to perform the contract for providing information and communications services and to enhance users convenience, etc., the provisions regarding the consent of users subject to entrusting processing and storing personal information abroad may not apply in case of disclosing under Article 27-2(1), or notifying to users by means as prescribed by Presidential Decree like email, all items of subparagraphs of paragraph (3). (Amended Mar. 22, 2016)

(3) The information and communications service provider, etc. shall, when they intend to obtain the consent pursuant to paragraph (2), notify the user in advance of the whole matters stated in the following subparagraphs:

1. The items of personal information to be transferred;

2. The state to which personal information will be transferred, the date and time of transfer and the method thereof;

3. The name (referring to the company name and the contact points of the officer in charge of data protection in case of a juridical person) of a person who will be provided with the personal information; and

4. The purpose of utilization, and the period of retention and utilization, of personal information on the part of a person who will be provided with the personal information.

(4) The information and communications service provider, etc. shall take the protective measures as prescribed by the Presidential Decree when they transfer the personal information to abroad with the consent pursuant to paragraph (2).

CHAPTER IX.- SUPPLEMENTARY PROVISIONS

Article 64 (Submission of Materials, etc.)

(1) The Minister of Science, ICT and Future Planning or the Korea Communications Commission may request the information and communications service provider, etc. (in this Article, including any person to whom Article 67 applies mutatis mutandis) to submit relevant goods, documents, etc. in case any of the following subparagraphs shall apply:

1. Where the violation of this Act is detected or knowingly suspected;

2. Where the violation of this Act is reported or any claim thereon is received; or

3. Where such other cases as prescribed by the Presidential Decree are necessary to protect the users.

(2) The Korea Communications Commission may request the information and communications service provider, etc. to have access to, or submit, data with respect to the name, address, resident registration number, period of utilization, etc. of the person who transmitted advertisement information made for profit in violation of this Act in order to take the measures stated in the following subparagraphs against such transmitter:

1. Corrective measures pursuant to paragraph (4);

2. Imposition of fine for negligence pursuant to Article 76; and

3. Other measures amounting to the above-mentioned subparagraphs.

(3) When the information and communications service provider, etc. fails to submit materials pursuant to paragraphs (1) and (2), or it is deemed to have violated this Act, the Minister of Science, ICT and Future Planning or the Korea Communications Commission may have its officials enter the business place of the information and communications service provider, etc. and other concerned persons related with breach of the relevant laws to inspect its current business operations and examine ledger and books, or other documents, etc. (Amended Mar. 29, 2011; Mar. 23, 2013; Mar. 22, 2016)

(4) The Minister of Science, ICT and Future Planning or the Korea Communications Commission may order that the information and communications service provider, etc. in violation of this Act should take necessary corrective measures, and demand such information and communications service provider, etc., who has been ordered to do so, to make such fact public. In this case, such necessary matters as the method how to make it public, the criteria and procedure thereof, etc. shall be prescribed by the Presidential Decree.

(5) The Minister of Science, ICT and Future Planning or the Korea Communications Commission may, when it ordered necessary corrective measures pursuant to paragraph (4), make the fact public. In this case, such necessary matters as the method how to make it public, the criteria and procedure thereof, etc. shall be prescribed by the Presidential Decree.

(6) The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall, when it requests the relevant information and communications service provider, etc. to submit or have access to data, etc. pursuant to paragraphs (2) and (3), notify in writing (including the electronic message) of the reason for request, legal grounds, time limit of submission thereof or the date and time to have access thereto, the content of data to be submitted or accessed in detail.

(7) In case of inspection pursuant to paragraph (3), the inspection plan including the inspection date and time, reasons for inspection, particulars to be inspected shall be notified to the relevant information and communications service provider, etc. at least seven days before the scheduled inspection date; provided, however, that the same does not apply in case of emergency or when it deems such prior notification inappropriate to attain the inspection purpose because of probable destruction of evidences.

(8) The officials, who conduct the inspection pursuant to paragraph (3), shall carry certificates showing their authority, produce them to persons concerned, and deliver them the document containing officials’ names, inspection hours, purposes thereof, etc.

(9) The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall, when it received, had access to, or inspected the data, etc. pursuant to paragraphs (1) and (3), notify in writing the relevant information and communications service provider, etc. of the inspection result (in case of making an order to take corrective measures subsequent to the inspection, including such order).

(10) The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall, for the purpose of request of submission or inspection of data, etc. pursuant to paragraphs (1) and (4), may ask the head of KISA for technical advices and other necessary support.

(11) Any request of submission of, access to, or inspection of, data, etc. pursuant to paragraphs (1) and (4) shall be made within the minimum scope necessary to implement this Act, and shall not be misused for other purposes.

Article 64-2 (Preservation and Destruction of Materials, etc.)

(1) The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall not provide to a third party the documents, materials, etc. submitted or collected pursuant to Article 64 nor make them public, if and when it is requested by the relevant information and communications service provider, etc. to preserve such materials.

(2) In case the Minister of Science, ICT and Future Planning or the Korea Communications Commission received the materials submitted via the information and communications networks, or made them digitalized, it shall take systemic and technological security measures lest the personal information, trade secrets etc. should be leaked out.

(3) The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall destroy immediately the documents, materials, etc. submitted or collected pursuant to Article 64, if there occurs a case applicable to any of the following subparagraphs except otherwise specifically provided in other acts. The same shall apply to the person to whom the Minister of Science, ICT and Future Planning or the Korea Communications Commission delegates or entrusts the whole or part of its authority pursuant to Article 65:

1. Where the purpose for which the request for submission of materials, visit and inspection, order to take corrective measures, etc. take place pursuant to Article 64 has been attained;

2. Where an administrative judgment is filed in disobedience of the order to take corrective measures pursuant to Article 64(4), or, in case of the administrative lawsuit, the relevant administrative dispute settlement proceedings have been closed;

3. Where the fine for negligence is levied pursuant to Article 76(4) and there is no objection thereto until the period of objection is over pursuant to Article 76(5); or

4. Where any objection is raised against the imposition of fine for negligence pursuant to Article 76(4) and the non-litigation proceedings of the competent court with jurisdiction are over.

Article 64-3 (Imposition, etc. of Penalty Surcharge)

(1) In case an action is in violation of any of the following subparagraphs, the Korea Communications Commission may impose the penalty surcharge amounting to not more than three percent (3/100) of total sales related with such violation on the wrong-doing information and communications service provider, etc. The penalty surcharge of not more than 100 million won may be imposed to the violator of subparagraph 6: (Amended Feb. 17, 2012; May 28, 2014; Mar. 22, 2016)

1. To collect personal information without obtaining the consent of a user in violation of Article 22(1) including the case of application mutatis mutandis pursuant to Article 67;

2. To collect personal information which is most likely to infringe upon the right and interest, or the privacy, of an individual without obtaining the consent of the subject in violation of Article 23(1) including the case of application mutatis mutandis pursuant to Article 67;

3. To utilize personal information in violation of Article 24 including the case of application mutatis mutandis pursuant to Article 67;

4. To provide personal information to a third party in violation of Article 24-2 including the case of application mutatis mutandis pursuant to Article 67;

5. To entrust handling of personal information without obtaining the consent of a user in violation of Article 25(1) including the case of application mutatis mutandis pursuant to Article 67;

5-2. To allow negligent management, supervision or education under Article 25(4), including the case of application mutatis mutandis pursuant to Article 67, to cause the trustee in violation of Chapter IV;

6. To leave the personal information of a user lost, stolen, leaked, forged, altered or damaged, and fail to take measures required by Articles 28(1) ii through v including the case of application mutatis mutandis pursuant to Article 67;

7. To collect the personal information of a minor of age below 14 without obtaining the consent of his/her legal representative in violation of Article 31(1) including the case of application mutatis mutandis pursuant to Article 67; or

8. To provide the personal information of users abroad without obtaining their consent thereto in violation of the main sentence of Article 63(2).

(2) In case the penalty surcharge is imposed pursuant to paragraph (1), if such information and communications service provider, etc. denies to submit data for the calculation of sales or submits false data, its sales amount may be estimated on the basis of financial statements and other accounting information of the information and communications service provider, etc. with a similar size, and the business data including the number of subscribers, tariff table of users, etc.; provided, however, that, in such a case of no sales report at all or the difficulty to calculate the amount of sales as prescribed by the Presidential Decree, the penalty surcharge of not more than 400 million won may be imposed to such operator.

(3) When imposing the penalty surcharge pursuant to paragraph (1), the Korea Communications Commission shall take the particulars stated in the following subparagraphs into consideration:

1. The substance and status of violations;

2. The duration and times of violations; and

3. The size of profit acquired out of violations.

(4) The penalty surcharge pursuant to paragraph (1) shall be assessed with the provision of paragraph (3) taken into consideration, but the detailed criteria and procedure for the assessment of penalty surcharge shall be prescribed by the Presidential Decree.

(5) When the person, who is required to pay the penalty surcharge pursuant to paragraph (1), fails to pay the penalty surcharge until the due date, the Korea Communications Commission shall collect the additional charge amounting to six percent per annum (6% p.a.) of such penalty surcharge for the period from the following day of the due date.

(6) When the person, who is required to pay the penalty surcharge pursuant to paragraph (1), fails to pay the penalty surcharge until the due date, the Korea Communications Commission shall press for the payment by designating the extended period. If and when the person fails to pay the penalty surcharge and the additional charge for the extended period pursuant to paragraph (5), the Korea Communications Commission finally shall collect the penalty surcharge and the additional charge likewise by the disposition for recovery of the National Tax arrears.

(7) In case the penalty surcharge imposed pursuant to paragraph (1) is refunded owing to the court judgment, etc., the additional fee in the amount of six percent per annum (6% p.a.) of such penalty surcharge to be refunded shall be paid for the period from the payment date of penalty surcharge to the refund date.

Article 64-4 (Hearings)

The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall hold hearings in case any of the following subparagraphs shall apply:

1. Where it intends to withdraw the designation of the certification agency pursuant to Article 9(2);

2. Where it intends to withdraw the designation of the identification agency pursuant to Article 23-4(1);

3. Where it intends to cancel the DPMS certification pursuant to Article 47(10) including the case of application mutatis mutandis pursuant to Article 47-3(3);

4. Where it intends to withdraw the designation of the DPMS Certification Agency pursuant to Article 47-2(1) including the case of application mutatis mutandis pursuant to Article 47-3(4);

5. Where it intends to cancel the data protection management degree pursuant to Article 47-5(4); or

6. Where it intends to cancel the registration pursuant to Article 55(1).

(Article Inserted Dec. 1, 2015)

Article 65 (Delegation and Entrustment of Authority)

(1) The authority of the Minister of Science, ICT and Future Planning or the Korea Communications Commission under this Act may be delegated or entrusted in part to the head of its administrative agency under the control of the Ministry of Science, ICT and Future Planning or the head of the Regional Post Agency in such a manner as prescribed by the Presidential Decree.

(2) The Minister of Science, ICT and Future Planning may entrust the Project to promote the utilization of the information and communications networks, etc. pursuant to Article 13 to the National Information Society Agency (NIA) established pursuant to Article 14 of the Nation’s Informatization Framework Act in such a manner as prescribed by the Presidential Decree.

(3) The Minister of Science, ICT and Future Planning or the Korea Communications Commission may entrust doing job to request the submission of, and inspect, the materials pursuant to Articles 64(1) and (2) to KISA in such a manner as prescribed by the Presidential Decree.

(4) The provision of Article 64(8) shall apply mutatis mutandis to the employees of KISA who are subject to paragraph (3).

Article 65-2 Deleted

Article 66 (Confidentiality, etc.)

Any person who is or was engaged in the business stated in the following subparagraphs shall not leak secrets acquired while performing his/her duties to any other person, or use such secrets for other purposes than the initial duties; provided, however, that the same shall not apply where other acts specifically prescribe otherwise:

1. Deleted

2. Certification of DPMS under Article 47;

2-2. Certification of PIMS under Article 47-3;

3. Assessment of the data protection system under Article 52(3) iv;

4. Deleted

5. Mediation of any dispute conducted by the defamation dispute mediation panel under Article 44-10.

Article 67 (Application mutatis mutandis to Broadcasting Service provider)

(1) The provisions of Chapter IV shall apply mutatis mutandis to the person who falls under Article 2 iii Items a through e and Article 2 vi, ix, xii and xiv of the Broadcasting Act, and would collect, use and provide to a third party personal information of audience and viewers. In this case, the «information and communications service provider» and the «information and communications service provider, etc.» shall be deemed the «person who falls under Article 2 iii Items Ga through Ma and Article vi, ix, xii and xiv of the Broadcasting Act,» and the «user» shall be deemed the «audience and viewers,» respectively.

(2) The provisions of Articles 22, 23, 23-2 through 23-4, 24, 24-2, 26, 26-2, 27, 27-2, 27-3, 28, 28-2, 29, 30, 30-2 and 31 shall apply mutatis mutandis to the trustee as prescribed in Article 25(1).

(Article Inserted Feb. 17, 2012)

Article 68 Deleted (Mar. 22, 2010)

Article 68-2 Deleted (Jun. 22, 2015)

Article 69 (Legal Fiction of Officials in Applying Penal Provisions)

The officers and employees of NIA and KISA, who are conducting the job entrusted by the Minister of Science, ICT and Future Planning or the Korea Communications Commission pursuant to Articles 65(2) and (3), shall be deemed government officials in the application of Articles 129 through 132 of the Criminal Act.

Article 69-2 (Accusation)

(1) When the Korea Communications Commission deems any of the subparagraphs of Article 64-3(1) to be applicable, the Commission may accuse the breaching information and communications service provider, etc. to the investigation authorities including the prosecution office.

(2) The Korea Communications Commission may recommend the information and communications service provider, etc. in violation of this Act in relation to personal information protection to take a disciplinary measure of the person responsible therefor (including a representative and/or director and officer responsible in charge). In this case, the person who has received such recommendation shall be respectful of it and notify the Korea Communications Commission of the result. (Inserted Mar. 22, 2016)

CHAPTER X.- PENAL PROVISIONS

Article 70 (Penal Provisions)

(1) Any person who has defamed other person by alleging openly facts via the information and communications networks with the purpose of slandering him/her shall be subject to imprisonment with prison labor for not more than 3 years or by a fine not exceeding 30 million won. (Amended May 28, 2014)

(2) Any person who has defamed other person by alleging openly false facts via the information and communications networks with the purpose of slandering him/her shall be subject to imprisonment with prison labor for not more than 7 years or the suspension of qualification for not more than 10 years, or by a fine not exceeding 50 million won.

(3) The offense stated in paragraphs (1) and (2) shall not be indicted against the will expressed by the victim.

Article 70-2 (Penal Provisions)

Any person who has relayed or distributed malicious programs in violation of Article 48(2) shall be subject to imprisonment with prison labor for not more than 7 years or by a fine not exceeding 70 million won.

Article 71 (Penal Provisions)

(1) Any person referred to in the following subparagraphs shall be subject to imprisonment with prison labor for not more than 5 years or by a fine not exceeding 50 million won:

1. A person who has collected the personal information of users without the consent of users in violation of Article 22(1) including the case of application mutatis mutandis under Article 67;

2. A person who has collected the personal information likely to excessively infringe upon the right, interest and privacy of the individual without the consent of users in violation of Article 23(1) including the case of application mutatis mutandis under Article 67;

3. A person who has utilized the personal information of users, provided such personal information to a third party, or received such personal information knowingly for profit or unjust purposes in violation of Articles 24, 24-2(1) and (2) or 26(3) including the case of application mutatis mutandis under Article 67;

4. A person who has entrusted handling of the personal information without the consent of users in violation of Article 25(1) including the case of application mutatis mutandis under Article 67;

5. A person who has damaged, infringed upon or leaked the personal information of users in violation of Article 28-2(1) including the case of application mutatis mutandis under Article 67;

6. A person who has received the personal information for profit or unjust purposes knowing such information leaked out in violation of Article 28-2(2);

7. A person who has provided or utilized the personal information without taking necessary measures in violation of Article 30(5) including the case of application mutatis mutandis under Articles 30(7), 31(3) and 67;

8. A person who has collected the personal information of a minor below 14 without the consent of his/her legal representative in violation of Article 31(1) including the case of application mutatis mutandis under Article 67;

9. A person who has conveyed or distributed malicious programs in violation of Article 48(2);

10. A person who has caused troubles in the information and communications networks in violation of Article 48(3); and

11. A person who has damaged the information of other person, or infringed upon, stolen or leaked the secrets of other person in violation of Article 49.

(2) An attempted crime of paragraph (1) ix shall be punished. (Inserted Mar. 22, 2016)

Article 72 (Penal Provisions)

(1) Any person referred to in the following subparagraphs shall be subject to imprisonment with prison labor for not more than 3 years or by a fine not exceeding 30 million won: (Amended Jan. 20, 2015; Mar. 27, 2015)

1. A person who has infiltrated the information and communications networks in violation of Article 48(1);

2. A person who has collected the personal information of other person in violation of Article 49-2(1);

2-2. A person who has transmitted the advertisement information in violation of Article 50-8 taking advantage of large-scale catastrophic situation subject to 14(1) of the Framework Act on the Management of Disasters and Safety;

3. A person who has done business without registration required by Article 53(1);

4. A person who has lent money, or has arranged, intermediated, solicited and promoted such transaction by conducting action applicable to any of the following Items:

a. To do transactions of communications billing services by pretending to sell or provide the goods or services, or exceeding the real sales, or to let others do so on his/her behalf; or

b. To purchase the goods or services at a discount which were bought or used by the user of communications billing services just after such user was induced to buy or use such goods or services by means of the communications billing services.

5. A person who has leaked the secrets to other person acquired while performing his/her duties, or utilized such secrets for other purpose than the initial duties in violation of Article 66.

(2) Deleted (Mar. 22, 2016)

Article 73 (Penal Provisions)

Any person referred to in the following subparagraphs shall be subject to imprisonment with prison labor for not more than 2 years or by a fine not exceeding 20 million won: (Amended May 28, 2014; Mar. 22, 2016)

1. A person who has lost, stolen, leaked, forged, altered or damaged the personal information of users by failing to take such technological and managerial measures as prescribed in Articles 28(1) ii through v including the case of application mutatis mutandis under Article 67;

1-2. A person who fails to destroy personal information in violation of Article 29(1) including the case of application mutatis mutandis under Article 67;

2. A person who has provided media materials harmful to the youth for profit without indicating the harmful nature in violation of Article 42;

3. A person who has transmitted to the youth, or exhibited publicly without taking any measure off-limits to the youth the information to advertise the media materials harmful to the youth in violation of Article 42-2;

4. A person who has used the information of users for other purposes than filing civil or criminal lawsuits;

5. A person who has not observed the order of the Korea Communications Commission pursuant to Articles 44-7(2) and (3);

6. A person who has not preserved the relevant materials in violation of the order pursuant to Article 48-4(3);

7. A person who has enticed other person to provide with personal information in violation of Article 49-2 (1); or

8. A person who has not observed the order pursuant to Article 61.

Article 74 (Penal Provisions)

(1) Any person referred to in the following subparagraphs shall be subject to imprisonment with prison labor for not more than 1 year or by a fine not exceeding 10 million won: (Amended Feb. 17, 2012; May 28, 2014)

1. A person who has put any label on goods, or sold such goods bearing such label or displayed such goods for the purpose of selling them in violation of Article 8 (4);

2. A person who has distributed, sold, rented, or openly displayed lascivious codes, letters, sounds, images or video clips in violation of Article 44-7(1) i;

3. A person who has repeatedly sent codes, letters, sounds, images or video clips inciting fears and uneasiness to other person in violation of Article 44-7(1) iii;

4. A person who has taken measures in violation of Article 50(5);

5. Deleted (May 28, 2014)

6. A person who has transmitted advertisement information in violation of Article 50-8; or

7. A person who has not registered the change of the registry nor reported business transfer, or the merger and succession of business in violation of Article 53(4).

(2) The offense stated in paragraph (1) iii shall not be indicted against the will expressed by the victim.

Article 75 (Joint Penal Provisions)

If a representative of a corporation, or the agent, manager or other employee of a corporation or an individual violated the provisions of Articles 71 through 73 or 74 (1) with respect to the business of such corporation or individual, the actor shall be punished, but also the corporation or individual shall be subject to a fine prescribed in the relevant Article; provided, however, that the same shall not apply where such corporation or individual was not negligent in taking due care and supervisory duty to do the relevant business.

Article 75-2 (Confiscation and Additional Imposition of Fine)

The monies or other profits acquired by a person who committed any of the crimes set forth in Article 71(1) i through viii, Article 72(1) ii and Article 73 i, i-2, vii in relation to the relevant violations may be confiscated, and, if such confiscation is impossible, its equivalent amount may be imposed additionally. In this case, such confiscation or additional imposition may be levied in addition to other punishment. (Inserted Mar. 22, 2016)

Article 76 (Fine for Negligence)

(1) A person who is referred to in the following subparagraphs and abets other person to do the action applicable to Items 7 through 11 shall be subject to a fine for negligence not exceeding 30 million won: (Amended Mar. 29, 2011; Feb. 17, 2012; Mar. 23, 2013; May 28, 2014; Jun. 22, 2015; Dec. 1, 2015; Mar. 22, 2016)

1. A person who has denied services in violation of Articles 22-2(2) or 23(3) including the case of application mutatis mutandis under Article 67;

1-2. A person who has failed to take measures necessary for the protection of personal information of users including methods of consent to, and withdrawal from, the authorized access in violation of Article 22-2(3) including the case of application mutatis mutandis under Article 67;

2. A person who collects and uses resident registration numbers in violation of Article 23-2(1) or fails to take necessary measures in violation of Article 23-2(2) including the case of application mutatis mutandis under Article 67;

2-2. A person who has failed to notify or report to users, the Korea Communications Commission and KISA in violation of Article 27-3(1) including the case of application mutatis mutandis under Article 67, or delays exceeding 24 hours to notify or report with no justifiable reasons;

2-3. A person who has failed to explain or deceptively explained subject to Article 27-3(3);

3. A person who has failed to take technological and managerial measures as prescribed in Articles 28(1) i and vi including the case of application mutatis mutandis under Article 67;

4. A person who has failed to destroy personal information in violation of Article 29(2) including the case of application mutatis mutandis under Article 67;

5. A person who has failed to take necessary measures in violation of Articles 30(3), (4) and (6) including the case of application mutatis mutandis under Articles 30(7), 31(3) and 67;

5-2. A person who has failed to notify the detailed statement on the use of the personal information in violation of the main sentence of Articles 30-2(1) including the case of application mutatis mutandis under Article 67;

6. Deleted (May 28, 2014)

6-2. A person who has failed to report the designation of the chief privacy officer in violation of Articles 45-3 (1);

6-3. A person who has failed to obtain the DPMS certification in violation of Articles 47 (2);

7. A person who has transmitted advertisement information made for profit in violation of Articles 50 (1) through (3);

8. A person who has failed to indicate advertisement information or indicated fraudulently in violation of Articles 50 (4) or (5);

9. A person who has got the addressee charged the cost in violation of Article 50 (6);

9-2. A person who has failed to confirm the consent to receive in violation of Articles 50(8);

10. A person who has installed the programs without obtaining the consent of users in violation of Article 50-5;

11. A person who has posted advertisement information made for profit on the Internet homepage in violation of Article 50-7 (1) or (2); or

12. A person who has not observed the order to take corrective measures delivered by the Minister of Science, ICT and Future Planning or the Korea Communications Commission pursuant to Article 64(4) in violation of this Act.

(2) A person referred to in the following subparagraphs shall be subject to a fine for negligence not exceeding 20 million won: (Amended Mar. 22, 2016)

1. A person who has failed to make public or notify the users of entrusting the handling of personal information in violation of Article 25(2) including the case of application mutatis mutandis under Article 67;

1-2. A person who has re-entrusted to a third person without obtaining the consent of the initial information and communications service provider, etc. in violation of Article 25(7) including the case of application mutatis mutandis under Article 67;

2. A person who has failed to notify the users of transferring the personal information in violation of Articles 26(1) and (2) including the case of application mutatis mutandis under Article 67;

3. A person who has failed to designate the officer in charge of data protection in violation of Article 27(1) including the case of application mutatis mutandis under Article 67;

4. A person who has failed to make public the personal information policy statement in violation of Article 27-2(1) including the case of application mutatis mutandis under Article 67; or

5. A person who has provided the personal information of users abroad without disclosing all the items of subparagraphs of Article 63(3) or informing users of such fact in violation of the proviso of Article 63(2).

(3) A person referred to in the following subparagraphs shall be subject to a fine for negligence not exceeding 10 million won: (Amended Apr. 5, 2011; Feb. 17, 2012; Jun. 22, 2015; Dec. 1, 2015; Mar. 22, 2016)

1. Deleted (Jun. 22, 2015)

2. Deleted (Jun. 22, 2015)

2-2. A person who has conducted the identification operations without appropriate designation of the identification agency in violation of Article 23-3(1);

2-3. A person who has failed to notify to users, or report to the Korea Communications Commission, the recess of the identification operations pursuant to Article 23-3(2) or the repeal of the identification operations pursuant to Article 23-3(3);

2-4. A person who continues to conduct identification operations in spite of the suspension of identification operations or withdrawal of designation of the identification agency pursuant to Article 23-4(1);

2-5. A person who fails to entrust processing personal information to a trustee in writing in violation of Article 25(6) including the case of application mutatis mutandis under Article 67;

3. A person who has failed to designate the officer in charge of youth protection in violation of Article 42-3(1);

4. A person who has failed to keep information in custody in violation of Article 43;

5. A person who has failed to insure the information and communications facilities in violation of Article 46 (2);

6. Deleted (Dec. 1, 2015);

7. A person who has made fraudulent promotion on the result of authentication of the data protection management system in violation of Articles 47(9) and 47-3(3);

8. Deleted

9. Deleted

10. A person who has failed to inform the user of software in violation of Article 47-4(3);

11. A person who has not observed the order of correction pursuant to Article 48-2(4);

12. A person who has obstructed, rejected or dodged the entry and inspection of business pursuant to Article 48-4 (4);

12-2. A person who has failed to observe the order of the Minister of Science, ICT and Future Planning or the Korea Communications Commission in violation of Article 49-2(4).

12-3. A person who has failed to inform to the addressee the result after processing prior consent, refusal to receive or withdrawal of consent in violation of Article 50(7).

12-4. A person who fails to take necessary measure in violation of Article 50-4(4).

13. A person who has used the name of KISA in violation of Article 52(6);

14. A person who has failed to report the recess, closure or dissolution of business in violation of Article 53(4);

15. A person who has failed to report the general terms and conditions of business in violation of Article 56(1);

16. A person who has failed to take managerial and technological measures in violation of Article 57(2);

17 through 21. Omitted 4)

22. A person who has failed to submit related goods and documents, etc. pursuant to Article 64(1) or submitted false goods and documents, etc.;

23. A person who has denied the access to data and request of data production pursuant to Article 64(2); or

24. A person who has rejected, obstructed or dodged the entry and inspection of business pursuant to Article 64(3).

(4) The fine for negligence stated in paragraphs (1) through (3) shall be imposed and collected by the Minister of Science, ICT and Future Planning or the Korea Communications Commission as prescribed by the Presidential Decree.

(5) Any person who is dissatisfied with a fine for negligence imposed pursuant to paragraph (4) may file an objection with the Minister of Science, ICT and Future Planning or the Korea Communications Commission within 30 days from the day of notification of such disposition.

(6) If any person who has been subject to a fine for negligence pursuant to paragraph (4) filed an objection pursuant to paragraph (5), the Minister of Science, ICT and Future Planning or the Korea Communications Commission shall promptly notify the competent court of the fact, and the competent court shall, upon receiving the notification thereof, put the case on trial in accordance with the Non-Contentious Litigation Procedure Act.

(7) If any person fails to file an objection within the period under paragraph (5) and would not pay the fine for negligence, the fine for negligence in question shall be collected likewise by the disposition for recovery of the national taxes in arrears.

ADDENDA

(Act nº 6360, January 1, 2001)

Article 1 (Enforcement Date)

This Act shall enter into force on July 1, 2001.

Articles 2 and 3. Omitted

Article 4 (Transitional Measures Regarding Application of Penal Provisions)

The application of the penal provisions to any act committed prior to the enforcement of this Act shall be governed by the previous provisions.

Article 5. Omitted

Article 6 (Relations to Other Acts and Regulations)

If other acts and regulations cite the former «Act on the Promotion, etc. of Utilization of Information System» or its provisions at the time of enforcement of this Act and if there exist corresponding provisions thereto in this Act, this Act or the corresponding provisions in this Act shall be regarded as being cited.

ADDENDA

Omitted for the period from December 2001 to December 2008.

ADDENDA

(Act nº 9637, July 23, 2009)

Article 1 (Enforcement Date)

This Act shall enter into force on the day when 3 months elapse after its promulgation for the establishment of the Korea Internet and Security Agency.

Articles 2 and 3 Omitted

Article 4 (Amendment to Other Acts) Omitted

Article 5 (Relations to Other Acts and Regulations)

If other acts and regulations cite the former «Act on Promotion of Information and Communications Network Utilization and Data Protection, etc.» or its provisions at the time of enforcement of this Act and if there exist corresponding provisions thereto in this Act, this Act or the corresponding provisions in this Act shall be regarded as being cited.

ADDENDUM

(Act nº 10138, March 17, 2010)

This Act shall enter into force on the day of promulgation.

ADDENDA

(Act nº 10165, September 23, 2010)

Article 1 (Enforcement Date)

This Act shall enter into force on the day when 6 months elapse after its promulgation.

Articles 2 through 5 Omitted

Article 6 (Amendment to Other Acts)

(9) The part of the Act on Promotion of Information and Communications Network Utilization and Data Protection, etc. shall be amended as follows:

Article 68 shall be deleted.

Article 7 Omitted

ADDENDA

(Act nº 10465, September 30, 2011)

Article 1 (Enforcement Date)

This Act shall enter into force on the day when 6 months elapse after its promulgation (in line with the enforcement of the Personal Information Protection Act).

Articles 2 through 5 Omitted

Article 6 (Amendment to Other Acts)

(11) The part of the Act on Promotion of Information and Communications Network Utilization and Data Protection, etc. shall be amended as follows: (. . .) the Minister of Public Administration and Security, the Minister of Knowledge and Economy or the Korea Communications Commission shall read the Minister of Knowledge and Economy or the Korea Communications Commission; and the Minister of Public Administration and Security or the Korea Communications Commission shall read the Korea Communications Commission, respectively.

Article 7 Omitted

ADDENDA

Omitted for the period from April 2011 to September 2011.

ADDENDA

(Act nº 11322, August 18, 2012)

Article 1 (Enforcement Date)

This Act shall enter into force on the day when 6 months elapse after its promulgation; provided, however, that the revised provisions of Articles 45, 45-2, 45-3, 46-3, 47, 47-2, 47-3, 47-5, 52(3) vii, 66 and 76(3) vi through ix shall enter into force one year after its promulgation.

Article 2 (Transitional Measures Regarding the Restriction of Collection and Use of Resident Registration Number)

(1) The information and communications service provider, who has provided membership application method by means of resident registration number at the time of enforcement of this Act, shall destroy its resident registration number data within two years therefrom; provided, however, that the same shall not apply to any of the subparagraphs of Article 23-2(1).

(2) The failure to destroy the resident registration number data within the period prescribed in paragraph (1) shall be deemed in violation of the revised provision of Article 23-2(1).

Article 3 (Transitional Measures Regarding the Repeal of Data Protection Safety Diagnosis)

Omitted

Article 4 (Transitional Measures Regarding the Authentication of Personal Information Protection Management System)

Omitted

Article 5 (Transitional Measures Regarding Fine for Negligence)

The application of the fine for negligence to any act committed prior to the enforcement of this Act shall be governed by the previous provisions.

ADDENDA

(Act nº 11690, March 23, 2013)

Article 1 (Enforcement Date)

(1) This Act shall enter into force on the day of promulgation.5)

(2) Omitted

Articles 2 through 5 Omitted

Article 6 (Amendment to Other Acts)

(687) The part of the Act on Promotion of Information and Communications Network Utilization and Data Protection, etc. shall be amended as follows: (. . .) the Minister of Knowledge and Economy shall read the Minister of Science, ICT and Future Planning.

ADDENDA

(Act nº 12681, May 28, 2014)

Article 1 (Enforcement Date)

(1) This Act shall enter into force on the day when 6 months elapse after its promulgation; provided, however, that the revised provisions of Articles 44(3), 44-5 and 76(1) vi shall enter into force on the day of promulgation.

Article 2 (Transitional Measures Regarding Penalty Surcharge and Penal Provisions)

The application of the penalty surcharge and penal provisions to any act committed prior to the enforcement of this Act shall be governed by the previous provisions.

ADDENDA

(Act nº 13344, July 22, 2015)

Article 1 (Enforcement Date)

This Act shall enter into force on the day when 6 months elapse after its promulgation.

Article 2 (Exemplary Application of Administrative Disposition)

The amendments of Article 55(1) shall apply to the administrative disposition on the violations prior to the enforcement of this Act.

ADDENDA

(Act nº 13520, December 1, 2015)

Article 1 (Enforcement Date)

This Act shall enter into force on the day when 6 months elapse after its promulgation; provided, however, that the amendments of Articles 29(2) and (3) shall enter into force on the day of promulgation.

Article 2 (Exemplary Application of Destruction, etc. of Personal Information)

The amendments of Article 29(2) and (3) shall apply to the personal information collected and transferred prior to the entry into force of the said amendments.

Article 3 (Exemplary Application of Omission of DPMS Certification Examination)

The amendments of Article 47(3) shall apply to the person who applied for the DPMS certification prior to the enforcement of this Act, and has undergone the said procedure.

Article 4 (Transitional Measures Regarding DPMS Certification)

The imposition of the fine for negligence on the violations prior to the enforcement of this Act shall be subject to the previous penal provisions.

ADDENDA

(Act nº 14080, March 22, 2016)

Article 1 (Enforcement Date)

This Act shall enter into force on the day when 6 months elapse after its promulgation; provided, however, that the amendments of Articles 22(2), 76(1) i and 76(1) i-2 shall enter into force when one year elapses after promulgation; the amendments of Articles 32(2) and (3), 32-2(3) on July 25, 2016; the amendment of Article 52(4) on the day of promulgation, respectively.

Article 2 (Exemplary Application of Damages)

The amendments of Articles 32(2), 32(3) and 32-2(3) shall apply to the claim for damages arising out of the loss, theft, leakage, forgery, alteration of, or damage to, personal information after the entry into force of the same amendments.

Article 3 (Transitional Measures Regarding Guide of Data Exposed to Violations)

The information and communications service provider shall establish the facilities to send guide message to users pursuant to the amendment of Article 49-2(3) within six months after the promulgation of this Act.

Article 4 (Transitional Measures Regarding Penal Provisions)

In case of application of penal provisions against violations prior to the entry into force of this Act, the previous provisions shall apply.

Article 5 (Amendment to Other Act)

The part of the Internet Address Resources Act shall be amended as follows:

Of the first sentence of Article 15(2), “Article 71 i” shall be “Article 71(1) i”, and “Article 76(1) i through v” shall be “Article 76(1) i through v (excluding Article 76(1) i-2)”

——————————————————–

1) Translation of the provisions of Articles unrelated to data protection is omitted.

2) The provisions regarding the Personal Information Dispute Mediation Committee were deleted on March 29, 2011 when the Personal Information Protection Act was promulgated.

3) In this Act, the penalty surcharge means the administrative penalty.

4) These are violators in relation to communications billing services.

5) This amendment was in line with the enforcement of the newly amended Government Organization Act.