
31Oct/21

Act on Promotion of Information and Communications Network Utilization and Data Protection of 2001, established by Act nº 6360, Jan. 16, 2001


ACT ON PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION AND DATA PROTECTION, ETC.

Established by Act nº 6360, Jan. 16, 2001

Amended by Act nº 10138, Mar. 17, 2010

Amended by Act nº 10560, Apr. 5, 2011

Amended by Act nº 11322, Feb. 17, 2012

Amended by Act nº 12681, May 28, 2014

Amended by Act nº 13014, Jan. 20, 2015

Amended by Act nº 13280, Mar. 27, 2015

Amended by Act nº 13344, June 22, 2015

Amended by Act nº 13520, Dec. 1, 2015

CHAPTER I.- GENERAL PROVISIONS

Article 1 (Purpose)

The purpose of this Act is to promote the utilization of information and communications networks, to protect the personal information of users utilizing information and communications services, and to build a safe and sound environment for the information and communications networks in order to improve citizens’ lives and enhance the public welfare.

Article 2 (Definitions)

(1) The terms used in this Act shall be defined as follows:

1. “Information and communications networks” mean the information and communications system under which telecommunications facilities and equipment as prescribed in subparagraph 2 of Article 2 of the Telecommunications Business Act are utilized, or the telecommunications facilities and equipment, computers and the technology of using computers are utilized together to collect, process, store, search, transmit and receive information;

2. “Information and communications services” mean the telecommunications services as prescribed in subparagraph 6 of Article 2 of the Telecommunications Business Act, and the provision of information or the intermediation of information services utilizing the telecommunications services;

3. “Information and communications service provider” means the operator of telecommunications as prescribed in subparagraph 8 of Article 2 of the Telecommunications Business Act and other person who provides information or intermediate information services for profit utilizing the services rendered by the telecommunications service providers;

4. “Users” mean the persons who utilize the information and communications services rendered by the information and communications service provider;

5. “Electronic message” means the standardized data in the form of document in which information is electronically compiled, sent or received, or stored by equipment, including computers, etc., that are capable of doing information processing;

6. “Personal information” means the information pertaining to any living person, which contains the code, letter, voice, sound and image, etc. that make it possible to identify such individual by his/her name and resident registration number, etc. (including the information that does not, on its own, permit direct identification of a specific individual, but that does identify specific individual when it is easily combined with other information.);

7. “Incidents” mean accidents caused by such attack on the information and communications networks or related information systems as hacking, computer viruses, logical bomb, mail bomb, denial of service, high-powered electromagnetic wave, etc.;

8. Deleted (Jun. 22, 2015);

9. “Bulletin boards” mean the computer programs or technological devices, regardless of their names, to which the users may post the code, letter, voice, sound, image, video clips and other information for the purpose of making public by using the information and communications networks;

10. “Communications billing services” mean the information and communications services carrying out the business as defined in the following items:

a. The business which claims and collects the prices of goods or services sold or provided by others together with the charges for the telecommunications services provided by itself; or

b. The business which transmits or receives the transaction data electronically, or conducts the settlement of charges as a proxy or intermediary so that the prices of the goods or services sold or provided by others may be claimed and collected together with the telecommunications service charges stated in Item a.

11. “Communications billing service provider” means the operator who provides the communications billing services subject to the registration pursuant to Article 53;

12. “Communications billing service users” mean the persons who purchase and use the goods or services by means of the communications billing services provided by the communications billing service provider; and

13. “Electronic transmission media” mean the media by which code, letter, voice, sound, image, video clips and other information are transmitted to the receiver in such an electronic form as electronic messages, etc. via the information and communications networks. (Amended May 28, 2014)

(2) The definitions stated herein, except otherwise provided for in paragraph (1), shall be subject to the National Informatization Framework Act.

Article 3 (Duties of Information and Communications Service Provider and Users)

(1) Any information and communications service provider shall protect the personal information of users, and contribute to the protection of the rights and interests of such users and to the enhancement of its information utilization capability by rendering the information and communications services in a safe and sound manner.

(2) Every user shall endeavor to help a sound information society take hold.

(3) The government may assist the organizations of information and communications service providers and the organizations of users in carrying out their activities designed to protect the personal information and the youth in the information and communications networks.

Article 4 (Policy for Promotion of Information and Communications Network Utilization and Data Protection, etc.)

(1) The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall formulate a policy to lay the foundation for building an information society through the promotion of utilization and the secure management and operation of information and communications networks, and the protection of personal information of users (hereinafter referred to as the “promotion of the utilization of information and communications networks and data protection, etc.”).

(2) The policy referred to in paragraph (1) shall contain the matters stated in the following subparagraphs:

1. Development and distribution of technologies related to the information and communications networks;

2. Standardization of the information and communications networks;

3. Activation of utilization of the information and communications networks such as the development of information contents and applied services of the information and communications networks subject to Article 11;

4. Facilitation of joint utilization of information via information and communications networks;

5. Activation of utilization of the Internet;

6. Protection of personal information collected, processed, stored and utilized via information and communications networks, and development and distribution of related technologies;

7. Protection of the youth in the information and communications networks;

8. Enhancement of safety and reliability of the information and communications networks; and

9. Other matters necessary to promote the utilization of the information and communications networks and data protection, etc.

(3) In formulating the policy referred to in paragraph (1), the Minister of Science, ICT and Future Planning or the Korea Communications Commission shall endeavor to coordinate such policy with the basic plan for promoting informatization as prescribed in Article 6 of the National Informatization Framework Act.

Article 5 (Relation with Other Acts)

The promotion of utilization of information and communications networks and data protection, etc. shall be governed by this Act except specially provided for in other acts; provided, however, that, in case this Act and the Electronic Financial Transactions Act compete to apply with respect to the communications billing services stated in Chapter VII, this Act shall prevail.

CHAPTER Ⅱ.- PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION

Articles 6 – 17 Omitted1)

CHAPTER Ⅲ.- Deleted

Articles 18 – 21 Deleted (Jun. 22, 2015)

CHAPTER Ⅳ.- PROTECTION OF PERSONAL INFORMATION

Section 1. Collection of Personal Information

Article 22 (Consent to the Collection and Utilization of Personal Information, etc.)

(1) Any information and communications service provider shall, when it intends to gather user’s personal information, notify the user of the whole matters stated in the following subparagraphs, and obtain his/her consent thereof. The same shall apply to any change of the following subparagraphs:

1. The purpose of collection and utilization of personal information;

2. The items of personal information collected hereunder; and

3. The period of retention and utilization of personal information.

(2) The information and communications service provider may collect and utilize the user’s personal information without consent subject to paragraph (1) in case any of the following subparagraphs applies:

1. Where, as for the personal information, which is necessary to perform the contract for the provision of information and communications services, it is evidently difficult to obtain ordinary consent on account of economical and technological reasons;

2. Where it is necessary to calculate the fees for the provision of information and communications services; or

3. Where special provisions exist in this Act or other acts.

Article 22-2 (Consent to the Authorized Access)

(1) The information and communications service provider shall notify the user of the following subparagraphs so that he/she may understand them explicitly, and obtain his/her consent thereof when the information and communications service provider needs the authorized access to the data stored in the mobile communication device of the user and the functions of such device (hereinafter referred to as the “authorized access”) for its service for the user:

1. In case where the authorized access is inevitable for the relevant service

a. The items of data and functions in need of the authorized access; and

b. The reason why the authorized access is necessary.

2. In case where the authorized access is not inevitable for the relevant service

a. The items of data and functions in need of the authorized access;

b. The reason why the authorized access is necessary; and

c. The fact that the user may abstain from consent to the authorized access.

(2) The information and communications service provider shall not refuse the relevant services on the grounds that the user does not consent to the authorized access which is not necessarily required for the relevant service.

(3) The maker of basic operating systems of mobile communication devices (that means the infrastructure environment to run softwares of such devices) and the manufacturers of such devices and the supplier of softwares of such devices shall take such measures as consent to, and withdrawal from, the authorized access which are necessary for the protection of user’s data when the information and communications service provider intends to access the data stored in the mobile communication devices and the functions of such devices.

(4) The scope of the authorized access subject to paragraph (1), method of consent, necessary measures for the protection of user’s data and other necessary matters shall be prescribed by the Presidential Decree.

(Article Inserted Mar. 22, 2016)

Article 23 (Restrictions on Collecting Personal Information, etc.)

(1) No information and communications service provider shall collect the personal information, including ideology, belief, family and relative relations, academic record, medical record and other social career, etc., which is likely to excessively infringe upon the right, interest and privacy of the relevant user; provided, however, that the same shall not apply to the necessary minimum extent where the consent of the user is obtained pursuant to Article 22(1) or the subject of collecting personal information is specified in other acts.

(Amended May 28, 2014)

(2) Any information and communications service provider shall, when it collects the personal information of users, collect only the minimum personal information to the extent necessary to provide the information and communications services. (Amended May 28, 2014)

(3) The information and communications service provider shall not refuse the relevant services on the grounds that the user does not provide any other personal information than the necessary minimum personal information. In this case, the necessary minimum personal information shall mean the inevitable information necessary to perform the fundamental function of the relevant service. (Inserted May 28, 2014)

Article 23-2 (Restriction of Use of Resident Registration Numbers)

(1) The information and communications service provider shall not collect and use the resident registration numbers of users except otherwise applicable to any of the following subparagraphs:

1. Where it has been designated as an identification agency pursuant to Article 23-3;

2. Where the collection and use of resident registration numbers of users are permitted by statutes; or

3. Where the information and communications service provider regards it as inevitable to collect and use the resident registration numbers of users for the conduct of business, as notified by the Korea Communications Commission.

(2) Although the collection and use of resident registration numbers are permitted pursuant to subparagraphs 2 or 3 of paragraph (1), alternative means to identify the user other than his/her resident registration number (hereinafter referred to as the “alternative means”) shall be provided to the users.

(Article Amended Feb. 17, 2012)

Article 23-3 (Designation, etc. of Identification Agency)

(1) The Korea Communications Commission may, upon assessing the following matters, designate the person, who is determined capable of safe and trustful conduct of developing, providing and managing the alternative means (hereinafter referred to as the “identification operations”) as the identification agency:

1. Physical, technical and managerial measures and planning to ensure the safe and secure identification operations;

2. Technological and financial capability to conduct the identification operations; and

3. Appropriateness of facilities to conduct the identification operations.

(2) When the identification agency wants to have recess of the whole or part of identification operations, it shall notify the recess plan and period to users 30 days prior to the start day and report it to the Korea Communications Commission. In this case, the recess period shall not exceed six months.

(3) When the identification agency wants to repeal its identification operations, it shall notify the repeal plan to users 60 days in advance, and report it to the Korea Communications Commission.

(4) Necessary matters for the detailed assessment criteria pursuant to paragraphs (1) through (3), designation procedure and the recess, repeal, etc. of identification operations shall be prescribed by the Presidential Decree.

(Article Inserted Apr. 5, 2011)

Article 23-4 (Suspension of Identification Operations and Withdrawal of Designation)

(1) When any of the following subparagraphs is applicable to the identification agency, the Korea Communications Commission may order the suspension of the whole or part of identification operations for a period of not more than six months or withdraw the designation of identification agency; provided, however, that the withdrawal of designation shall be mandatory in case of subparagraph 1 or 2:

1. Where it has been designated as an identification agency by fraud or other unjust means;

2. Where it has failed to stop its operations in violation of the order to suspend the identification operations;

3. Where it has failed to start the identification operations within six months from the designation day, or has recess of the identification operations continuously for more than six months; or

4. Where it does not satisfy the criteria pursuant to Article 23-3(4).

(2) The criteria for administrative disposition pursuant to paragraph (1), its procedure and other necessary matters shall be prescribed by the Presidential Decree.

(Article Inserted Apr. 5, 2011)

Article 24 (Restrictions on Utilizing Personal Information)

No information and communications service provider shall utilize the personal information collected pursuant to Article 22 and the proviso of Article 23(1) for other purpose than the purpose consented by the relevant user or referred to in each subparagraph of Article 22(2).

Article 24-2 (Consent to the Provision of Personal Information, etc.)

(1) Any information and communications service provider shall, when it intends to provide user’s personal information to a third party, notify the user of the whole matters stated in the following subparagraphs except the cases falling under subparagraphs 2 and 3 of Article 22(2), and obtain his/her consent thereof. The same shall apply to any change of the following subparagraphs:

1. The receiver of personal information;

2. The purpose of utilizing personal information of such receiver;

3. The items of personal information provided hereunder; and

4. The period of retention and utilization of personal information by the receiver.

(2) The receiver of the personal information of users provided by the information and communications service provider pursuant to paragraph (1) shall not provide such personal information to a third party, nor utilize such personal information for other use than the purpose of being provided except the cases specified in other acts.

(3) The information and communications service provider, etc. as stated in Article 25(1) shall, upon obtaining the consent to the provision pursuant to paragraph (1) and the consent to entrusting handling of personal information pursuant to Article 25(1), separate such consent from the consent to the collection and use of personal information pursuant to Article 22, and shall not refuse to provide its service on ground that the user would not give consent to it. (Amended Mar. 22, 2016)

Article 25 (Entrusting Processing of Personal Information)

(1) The information and communications service provider and the receiver of the personal information of users provided by such provider pursuant to Article 24-2(1) (hereinafter referred to as the “information and communications service provider, etc.”) shall, if they entrust the work (hereinafter collectively referred to as “entrusting processing” of personal information) of collecting, creating, connecting, interlocking, recording, retaining, processing, editing, retrieving, printing out, modifying, restoring, utilizing, providing, disclosing, destroying and similarly doing (hereinafter collectively referred to as “processing”) the personal information of users to a third party, notify the user of the whole matters stated in the following subparagraphs, and obtain his/her consent thereof. The same shall apply to any change of the following subparagraphs: (Amended Mar. 22, 2016)

1. The person entrusted processing of personal information (hereinafter referred to as the “trustee”); and

2. Particulars of entrusted work of processing of personal information.

(2) The information and communications service provider, etc. may skip the notice and consent procedure as prescribed in paragraph (1) in case the whole matters of each subparagraph of paragraph (1) are made public pursuant to Article 27-2(1) or notified to users in such a manner like sending e-mails as stated in the Presidential Decree, which is necessary to perform the contract for the provision of information and communications services and to augment the users’ convenience, etc. The same shall apply to any change of the subparagraphs of paragraph (1). (Amended May 28, 2014; Mar. 22, 2016)

(3) The information and communications service provider, etc. shall, when it intends to entrust processing of personal information, define the purpose in advance for which the trustee shall process the personal information of users.

The trustee shall not process the personal information of users beyond such purpose. (Amended Mar. 22, 2016)

(4) The information and communications service provider, etc. shall manage, supervise and educate the trustee lest it should violate the provisions in this Chapter. (Amended Mar. 22, 2016)

(5) The trustee, who caused damage to the users regarding the work processing entrusted hereunder in violation of the provisions in this Chapter, shall be deemed as an employee of the information and communications service provider, etc. only with respect to compensation for such damage. (Amended Mar. 22, 2016)

(6) Where the information and communications service provider, etc. has entrusted processing of personal information to a trustee, the entrustment shall be in writing. (Inserted Mar. 22, 2016)

(7) The trustee may re-entrust the work entrusted pursuant to paragraph (1) only when he/she has obtained the consent of the information and communications service provider, etc. who has entrusted processing of personal information. (Inserted Mar. 22, 2016)(Amended Mar. 22, 2016)

Article 26 (Transfer of Personal Information following the Business Transfer, etc.)

(1) In the event that the information and communications service provider, etc. transfers the personal information of users to others owing to the transfer of business in whole or in part, or merger, etc., it shall notify the users of the whole matters prescribed in the following subparagraphs in such a manner like sending e-mails, posting at the Website and so forth as stated in the Presidential Decree:

1. The fact that the personal information is to be transferred;

2. The name (referring to the company name in case of a juridical person; hereafter the same shall apply in this Article), address, telephone number and other contact points of a person who has received the personal information (hereinafter referred to as the “business transferee, etc.”);

3. The method and procedure to withdraw the consent in case the user would not want the transfer of personal information.

(2) The business transferee, etc. shall, without delay upon the transfer of personal information, notify the users of such fact and the name, address, telephone number and other contact points in such a manner like posting at the Website, sending e-mails and so forth as stated in the Presidential Decree.

(Amended May 28, 2014)

(3) The business transferee, etc. may utilize or provide the personal information of users within the scope of the initial purpose for which the information and communications service provider, etc. is allowed to utilize or provide such personal information; provided, however, that the same shall not apply where the users have consented specifically.

Article 26-2 (Method to Obtain Consent)

The method of obtaining the consent pursuant to Article 22(1), the proviso of Article 23(1), Article 24-2(1) and (2), Article 25(1), the proviso of Article 26(3) or Article 63(2) (hereinafter collectively referred to as the “consent to the collection, utilization, provision, etc. of personal information”) shall be stated by the Presidential Decree in view of the media for collecting personal information, the nature of business operations, the number of users, and so forth.

Section 2. The Management and Destruction of Personal Information

Article 27 (Designation of Person in Charge of Data Protection)

(1) The information and communications service provider, etc. shall designate the person in charge of data protection to protect the personal information of users and deal with complaints of users related with the personal information; provided, however, that the same may not apply to the information and communications service provider, etc. who satisfies the number of employees and users, and other criteria specified by the Presidential Decree. (Amended Mar. 22, 2016)

(2) In case the information and communications service provider, etc. subject to the proviso of paragraph (1) does not designate the person in charge of data protection, its owner or representative shall become the person in charge of data protection. (Amended Mar. 22, 2016)

(3) Qualification requirements for the person in charge of data protection and other matters necessary to designate the person shall be prescribed by the Presidential Decree. (Amended Mar. 22, 2016)

(4) When the person in charge of data protection finds out any fact in violation of this Act and other relevant laws and regulations, he/she shall immediately take measures to correct such violations, and, if necessary, report such measures to the business owner or representative of the information and communications service provider, etc.; provided, however, that, if the business owner or representative shall become the person in charge of data protection, the provision regarding report of corrective measures shall not apply. (Amended Mar. 22, 2016)

Article 27-2 (Disclosure of Personal Information Policy Statement)

(1) In case of processing the personal information of users, the information and communications service provider, etc. shall establish and disclose the personal information policy statement in such a manner as stated in the Presidential Decree so that users may identify the policy with ease at any time.

(Amended Mar. 22, 2016)

(2) The personal information policy statement subject to paragraph (1) shall contain each and all following subparagraphs: (Amended Feb. 17, 2012; Mar. 22, 2016)

1. The purpose of collection and utilization of the personal information, particulars of personal information collected hereunder and the method of collection thereof;

2. The name (referring to the company name in case of a juridical person) of a person who has received the personal information, the purpose of utilization, and particulars, of the personal information in case the personal information is provided to a third party;

3. The period of retention and utilization of personal information, the procedure and method of destruction of personal information (including the ground of preservation and the particulars of personal information to be preserved in case of preserving such information subject to the proviso except each subparagraph of Article 29)

4. The content of business for which processing of personal information is entrusted and the trustee (including the processing policy statement, if applicable);

5. The rights of users and legal representatives, and how to exercise the rights;

6. The installation and operation of the device collecting automatically the personal information like the Internet logon files, etc. and how to deny such device;

7. The name of a person in charge of data protection, or the department to protect the personal information of users and deal with complaints of users related with the personal information, and the contact points like telephone numbers.

(3) In case of change of the personal information policy statement pursuant to paragraph (1), the information and communications service provider, etc. shall make public without delay the reason and changes thereof in such a manner as stated in the Presidential Decree so that users may identify the change of policy statement with ease at any time. (Amended Mar. 22, 2016)

Article 27-3 (Notification and Report of Personal Information Leakage, etc.)

(1) Upon knowing the loss, theft and leakage of personal information (hereinafter referred to as “leakage, etc.”), the information and communications service provider, etc. shall, without delay, inform each of the following subparagraphs of the relevant users, and report it to the Korea Communications Commission or the Korea Internet and Security Agency, and shall not delay, without justifiable reasons, such notification and report exceeding 24 hours from the time when it got to know the fact; provided, however, that it may take other measures, if there is such a justifiable reason as whereabouts of users are still unknown, as replaceable with the notification as prescribed by the Presidential Decree: (Amended May 28, 2014; Mar. 22, 2016)

1. Personal information items affected by leakage, etc.;

2. Time when leakage, etc. took place;

3. Measures that users may take;

4. Countermeasures that the information and communications service provider, etc. may take; and

5. Department where users may place inquiries, etc. and other contact points.

(2) Upon receiving the report pursuant to paragraph (1), the Korea Internet and Security Agency shall, without delay, inform the fact of the Korea Communications Commission. (Inserted May 28, 2014)

(3) The information and communications service provider, etc. shall explain the justifiable reasons pursuant to the main sentence and proviso of paragraph (1) to the Korea Communications Commission. (Inserted May 28, 2014)

(4) The method, procedure, etc. of notification and report pursuant to paragraph (1) and other necessary matters shall be prescribed by the Presidential Decree. (Amended May 28, 2014)

(5) The information and communications service provider, etc. shall prepare for the leakage, etc. of personal information, and explore ways to establish measures to minimize the damage to victims. (Amended May 28, 2014; Mar. 22, 2016)

Article 28 (Data Protection Measures)

(1) In case of processing the personal information of users, the information and communications service provider, etc. shall take such technological and managerial measures as mentioned in the following subparagraphs to prevent the loss, theft, leakage, forgery, alteration of, or damage to, the personal information and to ensure the safety of personal information by the standard as specified by the Presidential Decree. (Amended Mar. 22, 2016)

1. To establish and implement the in-house management plan to process the personal information more safely;

2. To install and operate the access control system like firewall to block illegal access to the personal information;

3. To take measures to prevent the forgery or falsification of logon files;

4. To take security measures using encryption technologies in order to store and transmit the personal information more safely;

5. To take such preventive measures as download and operation of the vaccination softwares to protect from computer viruses; and

6. To take other protective measures necessary to secure the safety of the personal information.

(2) The information and communications service provider, etc. shall limit the persons to process the personal information of users to the minimum.

(Amended Mar. 22, 2016)

Article 28-2 (Prohibition of Leakage of Personal Information)

(1) Any person who is processing, or once processed, the personal information of users shall not damage, infringe upon or leak out the information acquired in the course of business. (Amended Mar. 22, 2016)

(2) No one shall be provided with the personal information for profit or unjust purposes while knowing such information has been leaked out.

Article 29 (Destruction of Personal Information)

(1) The information and communication service provider, etc. shall, without delay, destroy the relevant personal information lest it should be restored or recovered in case any of the following cases applies; provided, however, that the same shall not apply where other acts require the preservation of such information: (Amended Feb. 17, 2012; May 28, 2014)

1. When the purpose of collecting or utilizing the personal information consented pursuant to Article 22(1), the proviso of Article 23(1) or Articles 24-2(1) and (2), or the relevant purpose as specified by any of the subparagraphs of Article 22(2) has been attained;

2. When the period of retention and utilization of personal information consented pursuant to Article 22(1), the proviso of Article 23(1) or Articles 24-2(1) and (2) has expired;

3. When the period of retention and utilization of personal information subject to Article 27-2(2) iii in case of collecting or utilizing the personal information without the consent of users pursuant to Article 22(2) has expired; or

4. When its business has been closed.

(2) The information and communication service provider, etc. shall take necessary measures, including the destruction of personal information and others as prescribed by the Presidential Decree, to protect the personal information of users who would not use the information and communications services for one year; provided, however, that it does not apply when the said period is otherwise fixed by other laws and regulations, or user’s request. (Inserted Feb. 17, 2012; Dec. 1, 2015)

(3) The information and communication service provider, etc. shall inform the users of the fact that their personal information will be destroyed, the expiry date, the particulars of the said personal information, etc. as prescribed by the Presidential Decree by means of email, etc. as prescribed by the Presidential Decree. (Inserted Dec. 1, 2015)

Section 3.- User’s Right

Article 30 (User’s Right, etc.)

(1) Every user may at any time withdraw his/her consent given to the information and communications service provider, etc. for the collection, utilization or provision of the personal information.

(2) Every user may request the access to, or provision of, any of the following items related with him/her, and if his/her personal information is found to be erroneous, he/she may request the correction thereof:

1. The personal information of users retained by the information and communications service provider, etc.;

2. The content of how the information and communications service provider, etc. has utilized, or provided to a third party, the personal information of users; or

3. The status at which the information and communications service provider, etc. has obtained consent for the collection, utilization or provision of the personal information.

(3) In case that a user withdraws his/her consent pursuant to paragraph (1), the information and communications service provider, etc. shall, without delay, take necessary measures, i.e., destroying his/her personal information collected lest it should be restored or recovered. (Amended May 28, 2014)

(4) The information and communications service provider, etc. shall, upon receiving a request for the access to, or provision of, personal information pursuant to paragraph (2), take necessary measures without delay.

(5) The information and communications service provider, etc. shall, immediately upon receiving a request for the correction of erroneous personal information pursuant to paragraph (2), correct the erroneous information or take necessary measures, i.e., explaining why it failed to correct such information, and shall not utilize or provide the relevant personal information until the correction thereof; provided, however, that the same shall not apply where other acts require the provision of such information.

(6) The information and communications service provider, etc. shall make the method of withdrawing consent pursuant to paragraph (1), or of requesting access to, provision of, or correction of errors in, the personal information much easier than the method of collecting the personal information.

(7) The provisions of paragraphs (1) through (6) shall apply mutatis mutandis to the business transferee, etc. In this case, the information and communications service provider, etc. shall be deemed the business transferee, etc.

Article 30-2 (Notification of Personal Information Use Statement)

(1) The information and communications service provider, etc., which satisfies the criteria as prescribed by the Presidential Decree, shall notify periodically the use statement (including the provision pursuant to Article 24-2 and entrusting processing of personal information pursuant to Article 25) of personal information collected pursuant to Articles 22 and 23(1) proviso; provided, however, that the same shall not apply where such personal information as contact points to be notified was not collected. (Amended Mar. 22, 2016)

(2) The type of information to be notified to the users pursuant to paragraph (1), notification interval and method and other matters necessary to notify the use statement shall be prescribed by the Presidential Decree.

Article 31 (Legal Representative’s Right)

(1) The information and communications service provider, etc. shall, when it intends to obtain consent for the collection, utilization or provision of the personal information from a minor of age below 14, obtain the consent therefor from his/her legal representative. In this case, the information and communications service provider may demand from the child the necessary minimum information, including the name, etc. of the legal representative, so as to obtain the consent.

(2) The legal representative may exercise user’s right as for the personal information of the relevant child pursuant to Articles 30 (1) and (2).

(3) The provisions of Article 30 (3) through (5) shall apply mutatis mutandis to the withdrawal of consent, and the request for the access to, or the correction of, the personal information by the legal representative pursuant to paragraph (2).

Article 32 (Damages)

If a user suffers any damage caused by the violation of the provisions in this Chapter on part of the information and communications service provider, etc., such user may claim for the damages against the information and communications service provider, etc. In this case, the information and communications service provider, etc. may not be released from the damages if it fails to prove non-existence of its intention or negligence.

Article 32-2 (Claim for Statutory Damage)

(1) The user may, when all of the following subparagraphs are satisfied, claim for compensation of considerable amount up to three million won in place of damages pursuant to Article 32 against the information and communications service provider, etc. within the period as prescribed by the Presidential Decree. In this case, the accused information and communications service provider, etc. cannot evade the responsibility unless it proves non-existence of intention or negligence: (Amended Mar. 22, 2016)

1. Where the information and communications service provider, etc. violates provisions in this Chapter intentionally or negligently; and

2. Where the personal information was lost, stolen, leaked, forged, altered or damaged.

(2) The court may, upon the claim pursuant to paragraph (1), acknowledge a reasonable amount of damages within the scope of paragraph (1) based upon the examination of evidence and review of all the arguments during the proceedings.

(3) The user who has filed a lawsuit for damages pursuant to Article 32 may change it to the claim for damages subject to paragraph (1) until the closing of oral proceedings at the trial court. (Inserted Mar. 22, 2016)

Article 32-3 (Deletion and Blocking of Exposed Personal Information)

(1) The information and communications service provider, etc. shall exert itself lest users’ personal information including resident registration numbers, bank account numbers, credit card numbers, etc. should be exposed to public via information and communications network. (Amended Mar. 22, 2016)

(2) Upon the request of the Korea Communications Commission or the Korea Internet and Security Agency, the information and communications service provider, etc. shall take necessary measures including deletion, blocking, etc. of personal information exposed under paragraph (1). (Inserted Mar. 22, 2016)

Section 4.- Deleted

Articles 33 through 40 Deleted 2)

CHAPTER Ⅴ.- PROTECTION OF THE YOUTH IN INFORMATION AND COMMUNICATIONS NETWORKS

Articles 41 through 44-10 Omitted

CHAPTER Ⅵ.- SECURING STABILITY OF INFORMATION AND COMMUNICATIONS NETWORKS, ETC.

Articles 45 through 46-2 Omitted

Article 46-3 Deleted

Article 47 (Certification of Data Protection Management System)

(1) The Minister of Science, ICT and Future Planning may certify for the purpose of securing the stability and reliability of the communications network whether the person who has established and operated a consolidated management system including the managerial, technical and physical safeguards (hereinafter referred to as the “Data Protection Management System” or DPMS) could satisfy the criteria subject to paragraph (4). (Amended Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015)

(2) Any person who falls on any of the following paragraphs as a telecommunications business operator subject to Article 2 viii of the Telecommunications Business Act and an information provider/intermediary taking advantage of the telecommunications services of the said telecommunications business operator shall obtain the certification pursuant to paragraph (1). (Inserted Feb. 17, 2012; Dec. 1, 2015)

1. Any person who has obtained the permission subject to Article 6(1) of the Telecommunications Business Act and provides information and communications service as prescribed by the Presidential Decree;

2. An integrated information and communications facility operator; or

3. Any person with the annual sales, revenue, etc. of more than 150 billion won or the number of users daily average of one million people for the previous three months, who satisfies the criteria as prescribed by the Presidential Decree.

(3) The Minister of Science, ICT and Future Planning may omit parts of certification examination subject to paragraph (1) in case that the person in need of certification has obtained the international standard certification of data protection or taken other measures for data protection as prescribed by the Ordinance of the Ministry of Science, ICT and Future Planning. In this case, the scope of omission in detail of the said certification examination shall be decided and notified by the Minister of Science, ICT and Future Planning. (Inserted Dec. 1, 2015)

(4) The Minister of Science, ICT and Future Planning may prescribe and notify the certification criteria including the managerial, technical and physical safeguards and other necessary matters for the DPMS certification subject to paragraph (1). (Amended Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015)

(5) The duration of the DPMS certification subject to paragraph (1) shall be three years; provided, however, that the person who has obtained the data protection degree pursuant to Article 47-5(1) is deemed to have been certified subject to paragraph (1) for the duration of such data protection degree. (Inserted Feb. 17, 2012; Dec. 1, 2015)

(6) The Minister of Science, ICT and Future Planning may delegate the certification matters subject to paragraphs (1) and (2) of the following subparagraphs to the Korea Information and Security Agency or other institution designated by the Minister of Science, ICT and Future Planning (hereinafter referred to as the “DPMS Certification Agency”): (Inserted Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015)

1. The certification examination to clarify the DPMS of a certification applicant being in conformity with certification criteria subject to paragraph (4) (hereinafter referred to as the “DPMS Certification Examination”);

2. Deliberation of the DPMS Certification Examination results;

3. Issuance and management of the DPMS Certificate;                                                   

4. Ex post facto management of the DPMS Certification;                                               

5. Fostering and qualification management of the DPMS Certification examiners; and 

6. Other matters in relation to the DPMS Certification.                                                 

(7) The Minister of Science, ICT and Future Planning may designate the institution to conduct the said certification examination (hereinafter referred to as the “DPMS Examination Agency”) if necessary to conduct the said certification task efficiently. (Inserted Dec. 1, 2015)                                                                                                    

(8) The Korea Information and Security Agency, the DPMS Certification Agency and the DPMS Examination Agency shall conduct ex post facto management at least once a year to enhance the effectiveness of the DPMS, and notify its result to the Minister of Science, ICT and Future Planning. (Inserted Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015)                                                                                                                               

(9) The person who has obtained the DPMS certification pursuant to paragraphs (1) and (2) may represent or promote the DPMS Certification as prescribed by the Presidential Decree. (Amended Feb. 17, 2012; Dec. 1, 2015)                                                          

(10) The Minister of Science, ICT and Future Planning may withdraw the PIMS certification when finding out any reason which falls on any of the following subparagraphs; provided, however, that the Minister shall cancel the said certification in case of subparagraph 1: (Inserted Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015)

1. Where the DPMS Certification has been obtained by fraud or other unjust means;    

2. Where the certification criteria subject to paragraph (4) fail to be satisfied; or

3. Where the ex post facto management subject to paragraph (8) has been denied or obstructed.

(11) The method, procedure, scope and tariffs of certification subject to paragraphs (1) and (2), the method and procedure of ex post facto management subject to paragraph (8), the method and procedure of withdrawal of certification subject to paragraph (10), other necessary matters shall be prescribed by the Presidential Decree. (Amended Feb. 17, 2012; Dec. 1, 2015)                                                                                                

(12) Necessary matters for the designation criteria, procedure, duration, etc. of the DPMS Certification Agency and the DPMS Examination Agency shall be prescribed by the Presidential Decree. (Amended Feb. 17, 2012; Dec. 1, 2015)

(Article Amended Jun. 13, 2008.)

Article 47-2 (Withdrawal, etc. of Designation of DPMS Certification Agency and DPMS Examination Agency)

(1) The Minister of Science, ICT and Future Planning may withdraw the designation of the DPMS Certification Agency and the DPMS Examination Agency, or suspend a whole or part of the DPMS operations for the period not exceeding one year when the juridical person or association designated as such pursuant to Article 47 falls on any of the following subparagraphs; provided, however, that the Minister shall withdraw the said designation in case of subparagraphs 1 and 2: (Inserted Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015)

1. Where the designation of the DPMS Certification Agency or DPMS Examination Agency has been obtained by fraud or other unjust means;

2. Where the certification or certification examination has been conducted during the period of suspension of the said operation;

3. Where the certification or certification examination has not been conducted with justifiable reasons;

4. Where the certification or certification examination has been conducted in violation of Article 47(11); or

5. Where the designation criteria subject to Article 47(12) fail to be satisfied.

(2) Necessary matters for the designation withdrawal and suspension of operation, etc. subject to paragraph (1) shall be prescribed by the Presidential Decree.

(Article Amended Jun. 13, 2008; Amended Dec. 1, 2015)

Article 47-3 (Certification of Personal Information Management System)

(1) The Korea Communications Commission may certify for the purpose of carrying out systemic and sustainable personal information protection activities in the communications network whether the person who has established and operated a consolidated management system including the managerial, technical and physical safeguards (hereinafter referred to as the “Personal Information Management System” or PIMS) could satisfy the criteria subject to paragraph (2).

(2) The Korea Communications Commission may prescribe and notify the certification criteria including the managerial, technical and physical safeguards and other necessary matters for the PIMS certification subject to paragraph (1).

(3) Articles 47(6) through (12) shall apply mutatis mutandis to the PIMS agencies, ex post facto management, etc. In this case, paragraphs (1) and (2) shall read paragraph (1). (Amended Dec. 1, 2015)

(4) Article 47-2 shall apply mutatis mutandis to the designation withdrawal, etc. of the PIMS Certification Agency.

(Article Inserted Feb. 17, 2012)

(The previous Article 47-3 moved to Article 47-4 Feb. 17, 2012)

Article 47-4 (Data Protection of Users)

(1) The government may establish necessary standards for the data protection of users and advise the users to observe them, and may take necessary measures, i.e., checking the weak points and providing technological assistance, so as to prevent the incidents and block the dissemination thereof.

(2) through (4) Omitted

Article 47-5 (Grant of Data Protection Management Degree)

(1) The person who has obtained the DPMS certification pursuant to Article 47 may be granted the data protection management degree by the Minister of Science, ICT and Future Planning to enhance the consolidated corporate data protection management level and secure the reliability of data protection services from users. (Amended Mar. 23, 2013)

(2) The Minister of Science, ICT and Future Planning may delegate the grant of degree matters subject to paragraph (1) to the Korea Information and Security Agency. (Amended Mar. 23, 2013)

(3) The person who has been granted the data protection management degree pursuant to paragraph (1) may represent or promote the said data protection management degree.

(4) The Minister of Science, ICT and Future Planning may withdraw the degree granted as such when finding out any reason which falls on any of the following subparagraphs; provided, however, that the Minister shall cancel the said degree in case of subparagraph 1: (Amended Mar. 23, 2013; Dec. 1, 2015)

1. Where the data protection management degree has been granted by fraud or other unjust means; or

2. Where the degree criteria subject to paragraph (5) fail to be satisfied.

(5) The criteria for grant of degree, the method, procedure and tariffs of grant of degree subject to paragraph (1), the duration of degree, the method and procedure of withdrawal of degree subject to paragraph (4), and other necessary matters shall be prescribed by the Presidential Decree.

(Article Newly Inserted Feb. 17, 2012)

Articles 48 through 48-4 Omitted

Article 49 (Protection of Secrets, etc.)

No one is allowed to damage the information of other persons or infringe upon, steal or leak the secrets of other persons, which are processed, stored or transmitted via the information and communications networks.

Article 49-2 (Prohibition of Collection of Personal Information by Means of Deceptive Activities)

(1) No one shall collect, or entice another person to provide, the personal information of another person by means of deceptive activities in the information and communications networks.

(2) Any information and communications service provider shall report to the Minister of Science, ICT and Future Planning, the Korea Communications Commission or the Korea Information and Security Agency immediately upon finding out the violation of paragraph (1). (Amended Apr. 22, 2009; Mar. 22, 2016)

(3) The Minister of Science, ICT and Future Planning, the Korea Communications Commission or the Korea Information and Security Agency shall, upon receiving the report pursuant to paragraph (2) or finding out the violation of paragraph (1), take necessary measures prescribed in the following subparagraphs: (Amended Apr. 22, 2009; Mar. 22, 2016)

1. Collecting and disseminating the violation of paragraph (1);

2. Forecasting or warning of similar violations; and

3. Emergency measures to prevent present and further violations including request for blocking the access paths or request for notification of users’ information exposed to the violations under paragraph (1) to the information and communications service provider.

(4) The Minister of Science, ICT and Future Planning or the Korea Communications Commission may order the information and communications service provider, prior to taking measures subject to paragraph (3) iii, to take necessary measures including sharing information in relation to deceptive activities via information and communications networks among service providers. (Inserted Mar. 22, 2016)

Article 50 (Restrictions on Transmitting Advertisement Information Made for Profit)

(1) Anybody, who intends to transmit via electronic transmission media any advertisement information made for profit, shall obtain the prior explicit consent of the relevant addressee; provided, however, that the same shall not apply to any of the following subparagraphs: (Amended Mar. 22, 2016)

1. Where somebody, who collects directly from the addressees the contact points through transactions of goods and services, intends to transmit the advertisement information made for profit within the period as prescribed by the Presidential Decree regarding the same kind of goods, etc. processed by himself and traded with the receiver; and

2. Where a call center operator subject to the Act Regarding Visiting Sales, etc. solicits over the telephone with his/her voice after informing the addressee of the sources of personal information.

(2) Notwithstanding paragraph (1), anybody, who intends to transmit via electronic transmission media any advertisement information made for profit, shall not transmit advertisement information made for profit if the addressee expresses refusal of such information or withdraws prior consent.

(3) Anybody, who intends to transmit any advertisement information made for profit via electronic transmission media to the addressee during the hours from 9:00 p.m. to 8:00 a.m. the next day, shall obtain the separate prior consent of the relevant addressee in spite of paragraph (1); provided, however, that the same shall not apply to the media as prescribed by the Presidential Decree.

(4) Anybody, who transmits advertisement information made for profit via electronic transmission media, shall indicate concretely the matters stated in the following subparagraphs in such a manner as prescribed by the Presidential Decree:

1. The name and contact points of the sender; and

2. Other matters regarding the measure and methods to easily indicate the refusal of, or withdrawal of consent to, such information.

(5) Anybody, who transmits advertisement information made for profit via electronic transmission media, shall not take any measure specified in the following subparagraphs:

1. Measures to avoid and hinder the refusal or withdrawal of consent of the addressee of advertisement information;

2. Measures to automatically generate the contact points of addressee i.e., by combining numbers, codes or letters into new telephone numbers or e-mail addresses;

3. Measures to automatically register telephone numbers or e-mail addresses in order to transmit advertisement information made for profit;

4. Measures to conceal the identity of the sender of advertisement information or the source of advertisement transmission; or

5. Various measures to induce reply by deceiving the addressee for the purpose to transmit advertisement information made for profit.

(6) Anybody, who transmits advertisement information for profit via electronic transmission media, shall take necessary measures in such a manner as prescribed by the Presidential Decree lest the addressee should be charged the monetary cost incurred when telephoning a message to refuse, or withdraw the consent of, such information.

(7) Anybody, who transmits advertisement information for profit via electronic transmission media, shall, when the addressee expresses prior consent pursuant to paragraph (1), or refusal to receive or withdrawal of consent to receive pursuant to paragraph (2), inform the addressee of the result after processing prior consent, refusal to receive or withdrawal of consent as prescribed by the Presidential Decree.

(8) Anybody, who has obtained the consent pursuant to paragraphs (1) or (3), shall confirm periodically whether the addressee really consented to receive such advertisement information as prescribed by the Presidential Decree.

(Article Amended May 28, 2014)

Article 50-2 Deleted (May 28, 2014)

Article 50-3 (Entrusting Transmission of Advertisement Information Made for Profit)

(1) Anybody, who entrusts other person with a task to transmit advertisement information made for profit, shall control and supervise him/her lest the trustee should violate Article 50. (Amended May 28, 2014)

(2) Anybody, who is entrusted by a person with a task to transmit advertisement information made for profit pursuant to paragraph (1), shall be deemed an employee of such person in compensating the damage caused by violating the relevant acts related with such task.

Article 50-4 (Restrictions on Information Transmission Services, etc.)

(1) The information and communications service provider may take measures to refuse to provide the relevant services in any of the following subparagraphs:

1. Where obstacles occur or are expected to occur in providing services owing to transmitting or receiving advertisement information;                                                  

2. Where users would not want to receive advertisement information; or                        

3. Deleted (Amended May 28, 2014)                                                                                         

(2) The information and communications service provider, which intends to take measures to refuse pursuant to paragraph (1) or (4), shall include such provisions as how to refuse the relevant services in an end-user agreement with the user of such services. (Amended May 28, 2014)                                                                                  

(3) The information and communications service provider, which intends to take measures to refuse pursuant to paragraph (1) or

Article 50-5 (Installation of Advertisement Programs for Profit, etc.)

The information and communications service provider, which intends to show up advertisement information made for profit or install the programs to collect personal information in the users’ computer or other data processing devices as prescribed by the Presidential Decree, shall obtain the consent of users. In this case, it shall notify the usage of such programs and how to delete them.

Article 50-6 (Distribution of Software to Block the Transmission of Advertisement Programs Made for Profit)

(1) The Korea Communications Commission may develop and distribute software and computer programs by which the addressee can conveniently block or report the advertisement information made for profit transmitted in violation of Article 50.

(2) The Korea Communications Commission may provide necessary support to the relevant public institutions, corporations, associations, etc. in order to promote the development and distribution of software and computer programs to block and report pursuant to paragraph (1).

(3) The Korea Communications Commission may advise the information and communications service provider to take such necessary measures as development of technologies, education, public relations, etc. for the protection of addressees when the services of the information and communications service provider are used to transmit the advertisement information made for profit in violation of Article 50.

(4) Necessary matters for the development and distribution pursuant to paragraph (1) and the support pursuant to paragraph (2) shall be prescribed by the Presidential Decree.

Article 50-7 (Restrictions on Posting Advertisement Information Made for Profit)

(1) Anybody, who intends to post any advertisement information made for profit on the Internet homepage, shall obtain prior consent of the webmaster or homepage manager; provided, however, that the same does not apply to a bulletin board which anybody has an easy access and may post messages without authorization.

(2) Notwithstanding paragraph (1), anybody, who intends to post any advertisement information made for profit on the Internet homepage, shall not post advertisement information made for profit if the webmaster or homepage manager expresses explicit refusal of posting such information or withdraws prior consent.

(3) A system operator or administrator of the Internet homepage may take such measures as deleting the advertisement information made for profit which is posted in violation of paragraph (1) or (2).

(Article Amended May 28, 2014)

Article 50-8 (Prohibition of Transmission of Advertisement Information for Illegal Act)

Nobody shall transmit advertisement information regarding goods or services prohibited by this Act or other acts via the information and communications networks.

Article 51 (Restrictions on Outflow of Material Information into Foreign Countries)

(1) The government may have each information and communications service provider or the relevant user of information and communications services take measures necessary to prevent material information regarding the domestic industry, economy, science and technology, etc. from flowing out of Korea into foreign countries via the information and communications networks.

(2) The scope of material information referred to in paragraph (1) shall be as follows:

1. Security information related with the national security and major policy information; or

2. Information regarding state-of-the-art technologies or equipment developed domestically.

(3) The government may have each information and communications service provider processing the information referred to in any of the subparagraphs of paragraph (2) take the following measures: (Amended Mar. 22, 2016)

1. Establishing systemic and technological devices to prevent improper utilization of the information and communications networks;

2. Taking systemic and technological measures to block the illegal destruction or manipulation of information; or

3. Taking measures to prevent the leakage of material information acquired in the course of processing information by the information and communications service provider.

Article 52 (Korea Information and Security Agency)

(1) The government shall establish the Korea Information and Security Agency (hereinafter referred to as “KISA”) to implement efficiently such policies as to enhance the information and communications networks (excluding the establishing, improving and managing such networks), as to promote the safe usage, and as to support the international cooperation and going abroad related with broadcasting and communications.

(2) KISA shall be a juridical person.

(3) KISA shall conduct the business referred to in the following subparagraphs: (Amended Mar. 23, 2013; Nov. 19, 2014; Jun. 22, 2015)                                                 

1. To survey and research into legal regimes, policies and systems for the utilization and protection of the information and communications networks, and the international cooperation and going abroad related with broadcasting and communications;              

2. To do research and analysis of statistics related with the utilization and protection of the information and communications networks;                                                              

3. To analyze negative effects of informatization and to research into countermeasures;

4. To conduct public relations, education and training for the utilization and protection of the information and communications networks;                                                           

5. To secure data protection in the information and communications networks, and to achieve technological development and standardization related with the Internet address resources;                                                                                                                          

6. To help establish the policy for the data protection industries, and to conduct related technological development and training of human resources;                                         

7. To implement and support the assessment, certification, etc. of data protection including the DPMS certification and the assessment and certification of data protection system;                                                                                                                                

8. To do research into effective measures for data protection, and to support the development and distribution of data protection technologies;                                        

9. To support the operation of the Dispute Mediation Committee and to operate the Reporting Center for Personal Information Infringement;

10. To do counseling and process claims regarding the transmission of advertisement information and the Internet advertisement;                                                                   

11. To deal with and analyze causes of the incidents infringing upon the information and communications networks, and to operate the incident response system;                

12. To manage the authentication of electronic signature pursuant to Article 25(1) of the Electronic Signature Act;                                                                                                

13. To support the efficient operation of the Internet and the promotion of utilization thereof;                                                                                                                            

14. To help protect the stored information of the Internet users;                                      

15. To support the service policy related with the Internet;                                           

16. To protect users in the Internet, and to help flow and disseminate sound information;

17. To conduct business regarding the Internet addresses under the Act on the Internet Resources;                                                                                                                       

18. To support operation of the Internet Address Dispute Mediation Committee pursuant to Article 16 of the Act on the Internet Resources;                                         

19. To support operation of the Mediation Committee pursuant to Article 25(7) of the Act on the Promotion of Data Protection Industry;                                                           

20. To assist the international cooperation, going abroad and overseas public relations related with broadcasting and communications;                                                            

21. Other activities incidental to the business of subparagraphs 1 through 20; and

22. Other tasks prescribed by this Act, and other acts and regulations to be conducted by KISA, or entrusted by the Minister of Science, ICT and Future Planning and the Minister of Interior, the Korea Communications Commission, or the head of other administrative agencies;                                                                                                  

(4) The government may make contributions to cover expenses necessary for the operation of KISA.

(5) The provisions regulating the incorporated foundation in the Civil Act shall apply mutatis mutandis to the matters not prescribed by this Act with respect to KISA.

(6) Other person than KISA shall not use the name of the Korea Information and Security Agency.

(7) Other matters necessary to operate, and conduct business of, KISA shall be prescribed by the Presidential Decree.

CHAPTER VII.- COMMUNICATIONS BILLING SERVICES

Articles 53 – 61 Omitted

CHAPTER VIII.- INTERNATIONAL COOPERATION

Article 62 (International Cooperation)

In performing the function stated in the following subparagraphs, the government shall cooperate with other states or international organizations:

1. Cross-border transfer of personal information and data protection;

2. Protection of the youth in the information and communications network;

3. Prevention of the incidents threatening the safety of information and communications network; and

4. Other activities to ensure safe and sound utilization of information and communications services.

Article 63 (Protection of Cross-Border Transfer of Personal Information)

(1) The information and communications service provider, etc. shall not enter into any international contract of which contents violate the provisions of this Act with respect to the personal information of users.

(2) The information and communications service provider, etc. shall obtain the consent of users when they intend to provide (including being subject to inquiry), entrust processing, store (hereinafter referred to as “transfer” in this Article) the personal information of such users to abroad; provided, however, that, if it is necessary to perform the contract for providing information and communications services and to enhance users convenience, etc., the provisions regarding the consent of users subject to entrusting processing and storing personal information abroad may not apply in case of disclosing under Article 27-2(1), or notifying to users by means as prescribed by Presidential Decree like email, all items of subparagraphs of paragraph (3). (Amended Mar. 22, 2016)

(3) The information and communications service provider, etc. shall, when they intend to obtain the consent pursuant to paragraph (2), notify the user in advance of the whole matters stated in the following subparagraphs:

1. The items of personal information to be transferred;

2. The state to which personal information will be transferred, the date and time of transfer and the method thereof;

3. The name (referring to the company name and the contact points of the officer in charge of data protection in case of a juridical person) of a person who will be provided with the personal information; and

4. The purpose of utilization, and the period of retention and utilization, of personal information on the part of a person who will be provided with the personal information.

(4) The information and communications service provider, etc. shall take the protective measures as prescribed by the Presidential Decree when they transfer the personal information to abroad with the consent pursuant to paragraph (2).

CHAPTER IX.- SUPPLEMENTARY PROVISIONS

Article 64 (Submission of Materials, etc.)

(1) The Minister of Science, ICT and Future Planning or the Korea Communications Commission may request the information and communications service provider, etc. (in this Article, including any person to whom Article 67 applies mutatis mutandis) to submit relevant goods, documents, etc. in case any of the following subparagraphs shall apply:

1. Where the violation of this Act is detected or knowingly suspected;

2. Where the violation of this Act is reported or any claim thereon is received; or

3. Where such other cases as prescribed by the Presidential Decree are necessary to protect the users.

(2) The Korea Communications Commission may request the information and communications service provider, etc. to have access to, or submit, data with respect to the name, address, resident registration number, period of utilization, etc. of the person who transmitted advertisement information made for profit in violation of this Act in order to take the measures stated in the following subparagraphs against such transmitter:

1. Corrective measures pursuant to paragraph (4);

2. Imposition of fine for negligence pursuant to Article 76; and

3. Other measures amounting to the above-mentioned subparagraphs.

(3) When the information and communications service provider, etc. fails to submit materials pursuant to paragraphs (1) and (2), or it is deemed to have violated this Act, the Minister of Science, ICT and Future Planning or the Korea Communications Commission may have its officials enter the business place of the information and communications service provider, etc. and other concerned persons related with breach of the relevant laws to inspect its current business operations and examine ledger and books, or other documents, etc. (Amended Mar. 29, 2011; Mar. 23, 2013; Mar. 22, 2016)

(4) The Minister of Science, ICT and Future Planning or the Korea Communications Commission may order that the information and communications service provider, etc. in violation of this Act should take necessary corrective measures, and demand such information and communications service provider, etc., who has been ordered to do so, to make such fact public. In this case, such necessary matters as the method how to make it public, the criteria and procedure thereof, etc. shall be prescribed by the Presidential Decree.

(5) The Minister of Science, ICT and Future Planning or the Korea Communications Commission may, when it ordered necessary corrective measures pursuant to paragraph (4), make the fact public. In this case, such necessary matters as the method how to make it public, the criteria and procedure thereof, etc. shall be prescribed by the Presidential Decree.

(6) The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall, when it requests the relevant information and communications service provider, etc. to submit or have access to data, etc. pursuant to paragraphs (2) and (3), notify in writing (including the electronic message) of the reason for request, legal grounds, time limit of submission thereof or the date and time to have access thereto, the content of data to be submitted or accessed in detail.

(7) In case of inspection pursuant to paragraph (3), the inspection plan including the inspection date and time, reasons for inspection, particulars to be inspected shall be notified to the relevant information and communications service provider, etc. at least seven days before the scheduled inspection date; provided, however, that the same does not apply in case of emergency or when it deems such prior notification inappropriate to attain the inspection purpose because of probable destruction of evidences.

(8) The officials, who conduct the inspection pursuant to paragraph (3), shall carry certificates showing their authority, produce them to persons concerned, and deliver them the document containing officials’ names, inspection hours, purposes thereof, etc.

(9) The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall, when it received, had access to, or inspected the data, etc. pursuant to paragraphs (1) and (3), notify in writing the relevant information and communications service provider, etc. of the inspection result (in case of making an order to take corrective measures subsequent to the inspection, including such order).

(10) The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall, for the purpose of request of submission or inspection of data, etc. pursuant to paragraphs (1) and (4), may ask the head of KISA for technical advices and other necessary support.

(11) Any request of submission of, access to, or inspection of, data, etc. pursuant to paragraphs (1) and (4) shall be made within the minimum scope necessary to implement this Act, and shall not be misused for other purposes.

Article 64-2 (Preservation and Destruction of Materials, etc.)

(1) The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall not provide to a third party the documents, materials, etc. submitted or collected pursuant to Article 64 nor make them public, if and when it is requested by the relevant information and communications service provider, etc. to preserve such materials.

(2) In case the Minister of Science, ICT and Future Planning or the Korea Communications Commission received the materials submitted via the information and communications networks, or made them digitalized, it shall take systemic and technological security measures lest the personal information, trade secrets etc. should be leaked out.

(3) The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall destroy immediately the documents, materials, etc. submitted or collected pursuant to Article 64, if there occurs a case applicable to any of the following subparagraphs except otherwise specifically provided in other acts. The same shall apply to the person to whom the Minister of Science, ICT and Future Planning or the Korea Communications Commission delegates or entrusts the whole or part of its authority pursuant to Article 65:

1. Where the purpose for which the request for submission of materials, visit and inspection, order to take corrective measures, etc. take place pursuant to Article 64 has been attained;

2. Where an administrative judgment is filed in disobedience of the order to take corrective measures pursuant to Article 64(4), or, in case of the administrative lawsuit, the relevant administrative dispute settlement proceedings have been closed;

3. Where the fine for negligence is levied pursuant to Article 76(4) and there is no objection thereto until the period of objection is over pursuant to Article 76(5); or

4. Where any objection is raised against the imposition of fine for negligence pursuant to Article 76(4) and the non-litigation proceedings of the competent court with jurisdiction are over.

Article 64-3 (Imposition, etc. of Penalty Surcharge)

(1) In case an action is in violation of any of the following subparagraphs, the Korea Communications Commission may impose the penalty surcharge amounting to not more than three percent (3/100) of total sales related with such violation on the wrong-doing information and communications service provider, etc. The penalty surcharge of not more than 100 million won may be imposed to the violator of subparagraph 6: (Amended Feb. 17, 2012; May 28, 2014; Mar. 22, 2016)

1. To collect personal information without obtaining the consent of a user in violation of Article 22(1) including the case of application mutatis mutandis pursuant to Article 67;

2. To collect personal information which is most likely to infringe upon the right and interest, or the privacy, of an individual without obtaining the consent of the subject in violation of Article 23(1) including the case of application mutatis mutandis pursuant to Article 67;

3. To utilize personal information in violation of Article 24 including the case of application mutatis mutandis pursuant to Article 67;

4. To provide personal information to a third party in violation of Article 24-2 including the case of application mutatis mutandis pursuant to Article 67;

5. To entrust handling of personal information without obtaining the consent of a user in violation of Article 25(1) including the case of application mutatis mutandis pursuant to Article 67;

5-2. To allow negligent management, supervision or education under Article 25(4), including the case of application mutatis mutandis pursuant to Article 67, to cause the trustee in violation of Chapter IV;

6. To leave the personal information of a user lost, stolen, leaked, forged, altered or damaged, and fail to take measures required by Articles 28(1) ii through v including the case of application mutatis mutandis pursuant to Article 67;

7. To collect the personal information of a minor of age below 14 without obtaining the consent of his/her legal representative in violation of Article 31(1) including the case of application mutatis mutandis pursuant to Article 67; or

8. To provide the personal information of users abroad without obtaining their consent thereto in violation of the main sentence of Article 63(2).

(2) In case the penalty surcharge is imposed pursuant to paragraph (1), if such information and communications service provider, etc. denies to submit data for the calculation of sales or submits false data, its sales amount may be estimated on the basis of financial statements and other accounting information of the information and communications service provider, etc. with a similar size, and the business data including the number of subscribers, tariff table of users, etc.; provided, however, that, in such a case of no sales report at all or the difficulty to calculate the amount of sales as prescribed by the Presidential Decree, the penalty surcharge of not more than 400 million won may be imposed to such operator.

(3) When imposing the penalty surcharge pursuant to paragraph (1), the Korea Communications Commission shall take the particulars stated in the following subparagraphs into consideration:

1. The substance and status of violations;

2. The duration and times of violations; and

3. The size of profit acquired out of violations.

(4) The penalty surcharge pursuant to paragraph (1) shall be assessed with the provision of paragraph (3) taken into consideration, but the detailed criteria and procedure for the assessment of penalty surcharge shall be prescribed by the Presidential Decree.

(5) When the person, who is required to pay the penalty surcharge pursuant to paragraph (1), fails to pay the penalty surcharge until the due date, the Korea Communications Commission shall collect the additional charge amounting to six percent per annum (6% p.a.) of such penalty surcharge for the period from the following day of the due date.

(6) When the person, who is required to pay the penalty surcharge pursuant to paragraph (1), fails to pay the penalty surcharge until the due date, the Korea Communications Commission shall press for the payment by designating the extended period. If and when the person fails to pay the penalty surcharge and the additional charge for the extended period pursuant to paragraph (5), the Korea Communications Commission finally shall collect the penalty surcharge and the additional charge likewise by the disposition for recovery of the National Tax arrears.

(7) In case the penalty surcharge imposed pursuant to paragraph (1) is refunded owing to the court judgment, etc., the additional fee in the amount of six percent per annum (6% p.a.) of such penalty surcharge to be refunded shall be paid for the period from the payment date of penalty surcharge to the refund date.

Article 64-4 (Hearings)

The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall hold hearings in case any of the following subparagraphs shall apply:

1. Where it intends to withdraw the designation of the certification agency pursuant to Article 9(2);

2. Where it intends to withdraw the designation of the identification agency pursuant to Article 23-4(1);

3. Where it intends to cancel the DPMS certification pursuant to Article 47(10) including the case of application mutatis mutandis pursuant to Article 47-3(3);

4. Where it intends to withdraw the designation of the DPMS Certification Agency pursuant to Article 47-2(1) including the case of application mutatis mutandis pursuant to Article 47-3(4);

5. Where it intends to cancel the data protection management degree pursuant to Article 47-5(4); or

6. Where it intends to cancel the registration pursuant to Article 55(1).

(Article Inserted Dec. 1, 2015)

Article 65 (Delegation and Entrustment of Authority)

(1) The authority of the Minister of Science, ICT and Future Planning or the Korea Communications Commission under this Act may be delegated or entrusted in part to the head of its administrative agency under the control of the Ministry of Science, ICT and Future Planning or the head of the Regional Post Agency in such a manner as prescribed by the Presidential Decree.

(2) The Minister of Science, ICT and Future Planning may entrust the Project to promote the utilization of the information and communications networks, etc. pursuant to Article 13 to the National Information Society Agency (NIA) established pursuant to Article 14 of the Nation’s Informatization Framework Act in such a manner as prescribed by the Presidential Decree.

(3) The Minister of Science, ICT and Future Planning or the Korea Communications Commission may entrust doing job to request the submission of, and inspect, the materials pursuant to Articles 64(1) and (2) to KISA in such a manner as prescribed by the Presidential Decree.

(4) The provision of Article 64(8) shall apply mutatis mutandis to the employees of KISA who are subject to paragraph (3).

Article 65-2 Deleted

Article 66 (Confidentiality, etc.)

Any person who is or was engaged in the business stated in the following subparagraphs shall not leak secrets acquired while performing his/her duties to any other person, or use such secrets for other purposes than the initial duties; provided, however, that the same shall not apply where other acts specifically prescribe otherwise:

1. Deleted

2. Certification of DPMS under Article 47;

2-2. Certification of PIMS under Article 47-3;

3. Assessment of the data protection system under Article 52(3) iv;

4. Deleted

5. Mediation of any dispute conducted by the defamation dispute mediation panel under Article 44-10.

Article 67 (Application mutatis mutandis to Broadcasting Service provider)

(1) The provisions of Chapter IV shall apply mutatis mutandis to the person who falls under Article 2 iii Items a through e and Article 2 vi, ix, xii and xiv of the Broadcasting Act, and would collect, use and provide to a third party personal information of audience and viewers. In this case, the “information and communications service provider” and the “information and communications service provider, etc.” shall be deemed the “person who falls under Article 2 iii Items Ga through Ma and Article vi, ix, xii and xiv of the Broadcasting Act,” and the “user” shall be deemed the “audience and viewers,” respectively.

(2) The provisions of Articles 22, 23, 23-2 through 23-4, 24, 24-2, 26, 26-2, 27, 27-2, 27-3, 28, 28-2, 29, 30, 30-2 and 31 shall apply mutatis mutandis to the trustee as prescribed in Article 25(1).

(Article Inserted Feb. 17, 2012)

Article 68 Deleted (Mar. 22, 2010)

Article 68-2 Deleted (Jun. 22, 2015)

Article 69 (Legal Fiction of Officials in Applying Penal Provisions)

The officers and employees of NIA and KISA, who are conducting the job entrusted by the Minister of Science, ICT and Future Planning or the Korea Communications Commission pursuant to Articles 65(2) and (3), shall be deemed government officials in the application of Articles 129 through 132 of the Criminal Act.

Article 69-2 (Accusation)

(1) When the Korea Communications Commission deems any of the subparagraphs of Article 64-3(1) to be applicable, the Commission may accuse the breaching information and communications service provider, etc. to the investigation authorities including the prosecution office.

(2) The Korea Communications Commission may recommend the information and communications service provider, etc. in violation of this Act in relation to personal information protection to take a disciplinary measure of the person responsible therefor (including a representative and/or director and officer responsible in charge). In this case, the person who has received such recommendation shall be respectful of it and notify the Korea Communications Commission of the result. (Inserted Mar. 22, 2016)

CHAPTER X.- PENAL PROVISIONS

Article 70 (Penal Provisions)

(1) Any person who has defamed other person by alleging openly facts via the information and communications networks with the purpose of slandering him/her shall be subject to imprisonment with prison labor for not more than 3 years or by a fine not exceeding 30 million won. (Amended May 28, 2014)

(2) Any person who has defamed other person by alleging openly false facts via the information and communications networks with the purpose of slandering him/her shall be subject to imprisonment with prison labor for not more than 7 years or the suspension of qualification for not more than 10 years, or by a fine not exceeding 50 million won.

(3) The offense stated in paragraphs (1) and (2) shall not be indicted against the will expressed by the victim.

Article 70-2 (Penal Provisions)

Any person who has relayed or distributed malicious programs in violation of Article 48(2) shall be subject to imprisonment with prison labor for not more than 7 years or by a fine not exceeding 70 million won.

Article 71 (Penal Provisions)

(1) Any person referred to in the following subparagraphs shall be subject to imprisonment with prison labor for not more than 5 years or by a fine not exceeding 50 million won:

1. A person who has collected the personal information of users without the consent of users in violation of Article 22(1) including the case of application mutatis mutandis under Article 67;

2. A person who has collected the personal information likely to excessively infringe upon the right, interest and privacy of the individual without the consent of users in violation of Article 23(1) including the case of application mutatis mutandis under Article 67;

3. A person who has utilized the personal information of users, provided such personal information to a third party, or received such personal information knowingly for profit or unjust purposes in violation of Articles 24, 24-2(1) and (2) or 26(3) including the case of application mutatis mutandis under Article 67;

4. A person who has entrusted handling of the personal information without the consent of users in violation of Article 25(1) including the case of application mutatis mutandis under Article 67;

5. A person who has damaged, infringed upon or leaked the personal information of users in violation of Article 28-2(1) including the case of application mutatis mutandis under Article 67;

6. A person who has received the personal information for profit or unjust purposes knowing such information leaked out in violation of Article 28-2(2);

7. A person who has provided or utilized the personal information without taking necessary measures in violation of Article 30(5) including the case of application mutatis mutandis under Articles 30(7), 31(3) and 67;

8. A person who has collected the personal information of a minor below 14 without the consent of his/her legal representative in violation of Article 31(1) including the case of application mutatis mutandis under Article 67;

9. A person who has conveyed or distributed malicious programs in violation of Article 48(2);

10. A person who has caused troubles in the information and communications networks in violation of Article 48(3); and

11. A person who has damaged the information of other person, or infringed upon, stolen or leaked the secrets of other person in violation of Article 49.

(2) An attempted crime of paragraph (1) ix shall be punished. (Inserted Mar. 22, 2016)

Article 72 (Penal Provisions)

(1) Any person referred to in the following subparagraphs shall be subject to imprisonment with prison labor for not more than 3 years or by a fine not exceeding 30 million won: (Amended Jan. 20, 2015; Mar. 27, 2015)

1. A person who has infiltrated the information and communications networks in violation of Article 48(1);

2. A person who has collected the personal information of other person in violation of Article 49-2(1);

2-2. A person who has transmitted the advertisement information in violation of Article 50-8 taking advantage of large-scale catastrophic situation subject to 14(1) of the Framework Act on the Management of Disasters and Safety;

3. A person who has done business without registration required by Article 53(1);

4. A person who has lent money, or has arranged, intermediated, solicited and promoted such transaction by conducting action applicable to any of the following Items:

a. To do transactions of communications billing services by pretending to sell or provide the goods or services, or exceeding the real sales, or to let others do so on his/her behalf; or

b. To purchase the goods or services at a discount which were bought or used by the user of communications billing services just after such user was induced to buy or use such goods or services by means of the communications billing services.

5. A person who has leaked the secrets to other person acquired while performing his/her duties, or utilized such secrets for other purpose than the initial duties in violation of Article 66.

(2) Deleted (Mar. 22, 2016)

Article 73 (Penal Provisions)

Any person referred to in the following subparagraphs shall be subject to imprisonment with prison labor for not more than 2 years or by a fine not exceeding 20 million won: (Amended May 28, 2014; Mar. 22, 2016)

1. A person who has lost, stolen, leaked, forged, altered or damaged the personal information of users by failing to take such technological and managerial measures as prescribed in Articles 28(1) ii through v including the case of application mutatis mutandis under Article 67;

1-2. A person who fails to destroy personal information in violation of Article 29(1) including the case of application mutatis mutandis under Article 67;

2. A person who has provided media materials harmful to the youth for profit without indicating the harmful nature in violation of Article 42;

3. A person who has transmitted to the youth, or exhibited publicly without taking any measure off-limits to the youth the information to advertise the media materials harmful to the youth in violation of Article 42-2;

4. A person who has used the information of users for other purposes than filing civil or criminal lawsuits;

5. A person who has not observed the order of the Korea Communications Commission pursuant to Articles 44-7(2) and (3);

6. A person who has not preserved the relevant materials in violation of the order pursuant to Article 48-4(3);

7. A person who has enticed other person to provide with personal information in violation of Article 49-2 (1); or

8. A person who has not observed the order pursuant to Article 61.

Article 74 (Penal Provisions)

(1) Any person referred to in the following subparagraphs shall be subject to imprisonment with prison labor for not more than 1 year or a fine not exceeding 10 million won: (Amended Feb. 17, 2012; May 28, 2014)

1. A person who has put any label on goods, or sold such goods bearing such label or displayed such goods for the purpose of selling them in violation of Article 8 (4);

2. A person who has distributed, sold, rented, or openly displayed lascivious codes, letters, sounds, images or video clips in violation of Article 44-7(1) i;

3. A person who has repeatedly sent codes, letters, sounds, images or video clips inciting fears and uneasiness to another person in violation of Article 44-7(1) iii;

4. A person who has taken measures in violation of Article 50(5);

5. Deleted (May 28, 2014)

6. A person who has transmitted advertisement information in violation of Article 50-8; or

7. A person who has not registered the change of the registry nor reported business transfer, or the merger and succession of business in violation of Article 53(4).

(2) The offense stated in paragraph (1) iii shall not be indicted against the will expressed by the victim.

Article 75 (Joint Penal Provisions)

If a representative of a corporation, or the agent, manager or other employee of a corporation or an individual, violates the provisions of Articles 71 through 73 or 74 (1) with respect to the business of such corporation or individual, not only shall the actor be punished, but the corporation or individual shall also be subject to a fine prescribed in the relevant Article; provided, however, that the same shall not apply where such corporation or individual was not negligent in exercising due care and supervision over the relevant business.

Article 75-2 (Confiscation and Additional Imposition of Fine)

The monies or other profits acquired by a person who committed any of the crimes set forth in Article 71(1) i through viii, Article 72(1) ii and Article 73 i, i-2, vii in relation to the relevant violations may be confiscated, and, if such confiscation is impossible, its equivalent amount may be imposed additionally. In this case, such confiscation or additional imposition may be levied in addition to other punishment. (Inserted Mar. 22, 2016)

Article 76 (Fine for Negligence)

(1) A person who is referred to in the following subparagraphs and abets another person to commit the acts applicable to Items 7 through 11 shall be subject to a fine for negligence not exceeding 30 million won: (Amended Mar. 29, 2011; Feb. 17, 2012; Mar. 23, 2013; May 28, 2014; Jun. 22, 2015; Dec. 1, 2015; Mar. 22, 2016)

1. A person who has denied services in violation of Articles 22-2(2) or 23(3) including the case of application mutatis mutandis under Article 67;

1-2. A person who has failed to take measures necessary for the protection of personal information of users including methods of consent to, and withdrawal from, the authorized access in violation of Article 22-2(3) including the case of application mutatis mutandis under Article 67;

2. A person who collects and uses resident registration numbers in violation of Article 23-2(1) or fails to take necessary measures in violation of Article 23-2(2) including the case of application mutatis mutandis under Article 67;

2-2. A person who has failed to notify or report to users, the Korea Communications Commission and KISA in violation of Article 27-3(1) including the case of application mutatis mutandis under Article 67, or has delayed the notification or report beyond 24 hours with no justifiable reasons;

2-3. A person who has failed to explain or deceptively explained subject to Article 27-3(3);

3. A person who has failed to take technological and managerial measures as prescribed in Articles 28(1) i and vi including the case of application mutatis mutandis under Article 67;

4. A person who has failed to destroy personal information in violation of Article 29(2) including the case of application mutatis mutandis under Article 67;

5. A person who has failed to take necessary measures in violation of Articles 30(3), (4) and (6) including the case of application mutatis mutandis under Articles 30(7), 31(3) and 67;

5-2. A person who has failed to notify the detailed statement on the use of the personal information in violation of the main sentence of Articles 30-2(1) including the case of application mutatis mutandis under Article 67;

6. Deleted (May 28, 2014)

6-2. A person who has failed to report the designation of the chief privacy officer in violation of Articles 45-3 (1);

6-3. A person who has failed to obtain the DPMS certification in violation of Articles 47 (2);

7. A person who has transmitted advertisement information made for profit in violation of Articles 50 (1) through (3);

8. A person who has failed to indicate advertisement information or indicated fraudulently in violation of Articles 50 (4) or (5);

9. A person who has caused the addressee to be charged the cost in violation of Article 50 (6);

9-2. A person who has failed to confirm the consent to receive in violation of Articles 50(8);

10. A person who has installed the programs without obtaining the consent of users in violation of Article 50-5;

11. A person who has posted advertisement information made for profit on the Internet homepage in violation of Article 50-7 (1) or (2); or

12. A person who has not observed the order to take corrective measures delivered by the Minister of Science, ICT and Future Planning or the Korea Communications Commission pursuant to Article 64(4) in violation of this Act.

(2) A person referred to in the following subparagraphs shall be subject to a fine for negligence not exceeding 20 million won: (Amended Mar. 22, 2016)

1. A person who has failed to make public or notify the users of entrusting the handling of personal information in violation of Article 25(2) including the case of application mutatis mutandis under Article 67;

1-2. A person who has re-entrusted to a third person without obtaining the consent of the initial information and communications service provider, etc. in violation of Article 25(7) including the case of application mutatis mutandis under Article 67;

2. A person who has failed to notify the users of transferring the personal information in violation of Articles 26(1) and (2) including the case of application mutatis mutandis under Article 67;

3. A person who has failed to designate the officer in charge of data protection in violation of Article 27(1) including the case of application mutatis mutandis under Article 67;

4. A person who has failed to make public the personal information policy statement in violation of Article 27-2(1) including the case of application mutatis mutandis under Article 67; or

5. A person who has provided the personal information of users abroad without disclosing all the items of subparagraphs of Article 63(3) or informing users of such fact in violation of the proviso of Article 63(2).

(3) A person referred to in the following subparagraphs shall be subject to a fine for negligence not exceeding 10 million won: (Amended Apr. 5, 2011; Feb. 17, 2012; Jun. 22, 2015; Dec. 1, 2015; Mar. 22, 2016)

1. Deleted (Jun. 22, 2015)

2. Deleted (Jun. 22, 2015)

2-2. A person who has conducted the identification operations without appropriate designation of the identification agency in violation of Article 23-3(1);

2-3. A person who has failed to notify users of, or report to the Korea Communications Commission, the recess of the identification operations pursuant to Article 23-3(2) or the repeal of the identification operations pursuant to Article 23-3(3);

2-4. A person who continues to conduct identification operations in spite of the suspension of identification operations or withdrawal of designation of the identification agency pursuant to Article 23-4(1);

2-5. A person who fails to entrust processing personal information to a trustee in writing in violation of Article 25(6) including the case of application mutatis mutandis under Article 67;

3. A person who has failed to designate the officer in charge of youth protection in violation of Article 42-3(1);

4. A person who has failed to keep information in custody in violation of Article 43;

5. A person who has failed to insure the information and communications facilities in violation of Article 46 (2);

6. Deleted (Dec. 1, 2015);

7. A person who has made fraudulent promotion on the result of authentication of the data protection management system in violation of Articles 47(9) and 47-3(3);

8. Deleted

9. Deleted

10. A person who has failed to inform the user of software in violation of Article 47-4(3);

11. A person who has not observed the order of correction pursuant to Article 48-2(4);

12. A person who has obstructed, rejected or dodged the entry and inspection of business pursuant to Article 48-4 (4);

12-2. A person who has failed to observe the order of the Minister of Science, ICT and Future Planning or the Korea Communications Commission in violation of Article 49-2(4).

12-3. A person who has failed to inform the addressee of the result after processing prior consent, refusal to receive or withdrawal of consent in violation of Article 50(7).

12-4. A person who fails to take necessary measure in violation of Article 50-4(4).

13. A person who has used the name of KISA in violation of Article 52(6);

14. A person who has failed to report the recess, closure or dissolution of business in violation of Article 53(4);

15. A person who has failed to report the general terms and conditions of business in violation of Article 56(1);

16. A person who has failed to take managerial and technological measures in violation of Article 57(2);

17 through 21. Omitted 4)

22. A person who has failed to submit related goods and documents, etc. pursuant to Article 64(1) or submitted false goods and documents, etc.;

23. A person who has denied the access to data and request of data production pursuant to Article 64(2); or

24. A person who has rejected, obstructed or dodged the entry and inspection of business pursuant to Article 64(3).

(4) The fine for negligence stated in paragraphs (1) through (3) shall be imposed and collected by the Minister of Science, ICT and Future Planning or the Korea Communications Commission as prescribed by the Presidential Decree.

(5) Any person who is dissatisfied with a fine for negligence imposed pursuant to paragraph (4) may file an objection with the Minister of Science, ICT and Future Planning or the Korea Communications Commission within 30 days from the day of notification of such disposition.

(6) If any person who has been subject to a fine for negligence pursuant to paragraph (4) filed an objection pursuant to paragraph (5), the Minister of Science, ICT and Future Planning or the Korea Communications Commission shall promptly notify the competent court of the fact, and the competent court shall, upon receiving the notification thereof, put the case on trial in accordance with the Non-Contentious Litigation Procedure Act.

(7) If any person fails to file an objection within the period under paragraph (5) and would not pay the fine for negligence, the fine for negligence in question shall be collected likewise by the disposition for recovery of the national taxes in arrears.

ADDENDA

(Act nº 6360, January 1, 2001)

Article 1 (Enforcement Date)

This Act shall enter into force on July 1, 2001.

Articles 2 and 3. Omitted

Article 4 (Transitional Measures Regarding Application of Penal Provisions)

The application of the penal provisions to any act committed prior to the enforcement of this Act shall be governed by the previous provisions.

Article 5. Omitted

Article 6 (Relations to Other Acts and Regulations)

If other acts and regulations cite the former “Act on the Promotion, etc. of Utilization of Information System” or its provisions at the time of enforcement of this Act and if there exist corresponding provisions thereto in this Act, this Act or the corresponding provisions in this Act shall be regarded as being cited.

ADDENDA

Omitted for the period from December 2001 to December 2008.

ADDENDA

(Act nº 9637, July 23, 2009)

Article 1 (Enforcement Date)

This Act shall enter into force on the day when 3 months elapse after its promulgation for the establishment of the Korea Internet and Security Agency.

Articles 2 and 3 Omitted

Article 4 (Amendment to Other Acts) Omitted

Article 5 (Relations to Other Acts and Regulations)

If other acts and regulations cite the former “Act on Promotion of Information and Communications Network Utilization and Data Protection, etc.” or its provisions at the time of enforcement of this Act and if there exist corresponding provisions thereto in this Act, this Act or the corresponding provisions in this Act shall be regarded as being cited.

ADDENDUM

(Act nº 10138, March 17, 2010)

This Act shall enter into force on the day of promulgation.

ADDENDA

(Act nº 10165, September 23, 2010)

Article 1 (Enforcement Date)

This Act shall enter into force on the day when 6 months elapse after its promulgation.

Articles 2 through 5 Omitted

Article 6 (Amendment to Other Acts)

(9) The part of the Act on Promotion of Information and Communications Network Utilization and Data Protection, etc. shall be amended as follows:

Article 68 shall be deleted.

Article 7 Omitted

ADDENDA

(Act nº 10465, September 30, 2011)

Article 1 (Enforcement Date)

This Act shall enter into force on the day when 6 months elapse after its promulgation (in line with the enforcement of the Personal Information Protection Act).

Articles 2 through 5 Omitted

Article 6 (Amendment to Other Acts)

(11) The part of the Act on Promotion of Information and Communications Network Utilization and Data Protection, etc. shall be amended as follows: (. . .) the Minister of Public Administration and Security, the Minister of Knowledge and Economy or the Korea Communications Commission shall read the Minister of Knowledge and Economy or the Korea Communications Commission; and the Minister of Public Administration and Security or the Korea Communications Commission shall read the Korea Communications Commission, respectively.

Article 7 Omitted

ADDENDA

Omitted for the period from April 2011 to September 2011.

ADDENDA

(Act nº 11322, August 18, 2012)

Article 1 (Enforcement Date)

This Act shall enter into force on the day when 6 months elapse after its promulgation; provided, however, that the revised provisions of Articles 45, 45-2, 45-3, 46-3, 47, 47-2, 47-3, 47-5, 52(3) vii, 66 and 76(3) vi through ix shall enter into force one year after its promulgation.

Article 2 (Transitional Measures Regarding the Restriction of Collection and Use of Resident Registration Number)

(1) The information and communications service provider, who has provided membership application method by means of resident registration number at the time of enforcement of this Act, shall destroy its resident registration number data within two years therefrom; provided, however, that the same shall not apply to any of the subparagraphs of Article 23-2(1).

(2) The failure to destroy the resident registration number data within the period prescribed in paragraph (1) shall be deemed in violation of the revised provision of Article 23-2(1).

Article 3 (Transitional Measures Regarding the Repeal of Data Protection Safety Diagnosis)

Omitted

Article 4 (Transitional Measures Regarding the Authentication of Personal Information Protection Management System)

Omitted

Article 5 (Transitional Measures Regarding Fine for Negligence)

The application of the fine for negligence to any act committed prior to the enforcement of this Act shall be governed by the previous provisions.

ADDENDA

(Act nº 11690, March 23, 2013)

Article 1 (Enforcement Date)

(1) This Act shall enter into force on the day of promulgation.5)

(2) Omitted

Articles 2 through 5 Omitted

Article 6 (Amendment to Other Acts)

(687) The part of the Act on Promotion of Information and Communications Network Utilization and Data Protection, etc. shall be amended as follows: (. . .) the Minister of Knowledge and Economy shall read the Minister of Science, ICT and Future Planning.

ADDENDA

(Act nº 12681, May 28, 2014)

Article 1 (Enforcement Date)

(1) This Act shall enter into force on the day when 6 months elapse after its promulgation; provided, however, that the revised provisions of Articles 44(3), 44-5 and 76(1) vi shall enter into force on the day of promulgation.

Article 2 (Transitional Measures Regarding Penalty Surcharge and Penal Provisions)

The application of the penalty surcharge and penal provisions to any act committed prior to the enforcement of this Act shall be governed by the previous provisions.

ADDENDA

(Act nº 13344, July 22, 2015)

Article 1 (Enforcement Date)

This Act shall enter into force on the day when 6 months elapse after its promulgation.

Article 2 (Exemplary Application of Administrative Disposition)

The amendments of Article 55(1) shall apply to the administrative disposition on the violations prior to the enforcement of this Act.

ADDENDA

(Act nº 13520, December 1, 2015)

Article 1 (Enforcement Date)

This Act shall enter into force on the day when 6 months elapse after its promulgation; provided, however, that the amendments of Articles 29(2) and (3) shall enter into force on the day of promulgation.

Article 2 (Exemplary Application of Destruction, etc. of Personal Information)

The amendments of Article 29(2) and (3) shall apply to the personal information collected and transferred prior to the entry into force of the said amendments.

Article 3 (Exemplary Application of Omission of DPMS Certification Examination)

The amendments of Article 47(3) shall apply to the person who applied for the DPMS certification prior to the enforcement of this Act, and has undergone the said procedure.

Article 4 (Transitional Measures Regarding DPMS Certification)

The imposition of the fine for negligence on the violations prior to the enforcement of this Act shall be subject to the previous penal provisions.

ADDENDA

(Act nº 14080, March 22, 2016)

Article 1 (Enforcement Date)

This Act shall enter into force on the day when 6 months elapse after its promulgation; provided, however, that the amendments of Articles 22(2), 76(1) i and 76(1) i-2 shall enter into force when one year elapses after promulgation; the amendments of Articles 32(2) and (3), 32-2(3) on July 25, 2016; the amendment of Article 52(4) on the day of promulgation, respectively.

Article 2 (Exemplary Application of Damages)

The amendments of Articles 32(2), 32(3) and 32-2(3) shall apply to the claim for damages arising out of the loss, theft, leakage, forgery, alteration of, or damage to, personal information after the entry into force of the same amendments.

Article 3 (Transitional Measures Regarding Guide of Data Exposed to Violations)

The information and communications service provider shall establish the facilities to send guide messages to users pursuant to the amendment of Article 49-2(3) within six months after the promulgation of this Act.

Article 4 (Transitional Measures Regarding Penal Provisions)

In case of application of penal provisions against violations prior to the entry into force of this Act, the previous provisions shall apply.

Article 5 (Amendment to Other Act)

The part of the Internet Address Resources Act shall be amended as follows:

Of the first sentence of Article 15(2), “Article 71 i” shall be “Article 71(1) i”, and “Article 76(1) i through v” shall be “Article 76(1) i through v (excluding Article 76(1) i-2)”

——————————————————–

1) Translation of the provisions of Articles unrelated to data protection is omitted.

2) The provisions regarding the Personal Information Dispute Mediation Committee were deleted on March 29, 2011 when the Personal Information Protection Act was promulgated.

3) In this Act, the penalty surcharge means the administrative penalty.

4) These are violators in relation to communications billing services.

5) This amendment was in line with the enforcement of the newly amended Government Organization Act.

29Oct/21

Act nº 14080, Mar. 22, 2016. Internet Address Resources Act

Internet Address Resources Act

CHAPTER I.- GENERAL PROVISIONS

Article 1 (Purpose)

The purpose of this Act is to contribute to improving citizens’ lives and enhancing public welfare by facilitating utilization of information and communications networks, protecting personal information of people using information and communications services, and developing an environment in which people can utilize information and communications networks in a healthier and safer way.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 2 (Definitions)

(1) The definitions of terms used in this Act shall be as follows: (Amended by Act nº 7139, Jan. 29, 2004; Act nº 8289, Jan. 26, 2007; Act nº 8778, Dec. 21, 2007; Act nº 9119, Jun. 13, 2008; Act nº 10166, Mar. 22, 2010; Act nº 12681, May 28, 2014; Act nº 13343, Jun. 22, 2015)

1. The term “information and communications network” means an information and communications system for collecting, processing, storing, searching, transmitting or receiving information by using telecommunications facilities and equipment prescribed in subparagraph 2 of Article 2 of the Telecommunications Business Act or computers and applied computer technology;

2. The term “information and communications services” means the telecommunications services prescribed in subparagraph 6 of Article 2 of the Telecommunications Business Act and services of providing information or intermediating the provision of information by using such telecommunications services;

3. The term “providers of information and communications services” means the telecommunications business operators prescribed in subparagraph 8 of Article 2 of the Telecommunications Business Act and other persons who provide information or intermediate the provision of information commercially by utilizing services provided by a telecommunications business operator;

4. The term “users” means persons who use information and communications services rendered by providers of information and communications services;

5. The term “electronic document” means data prepared and transmitted, received, or stored electronically in a standardized document by a device capable of processing information, such as a computer;

6. The term “personal information” means the information pertaining to a living individual, which contains information identifying a specific person with a name, a national identification number, or similar in the form of a code, letters, voice, sound, motion picture, or any other form (including information that makes it impracticable to identify a specific person by itself, but that enables such person to be identified easily if combined with other information);

7. The term “intrusion” means an event resulting from an attack on an information and communications network or an information system related to such network by means of hacking, computer virus, logic bomb, mail bomb, denial of service, high-power electromagnetic wave, etc.;

8. Deleted; (by Act nº 13343, Jun. 22, 2015)

9. The term “message board” means, regardless of its name, a computer program or a technical device with which users can publish information in the form of a code, letters, voice, sound, image, motion picture, or any other form purposely to disclose the information to the public by using an information and communications network;

10. The term “telecommunications billing services” means information and communications services to perform the following business activities:

(a) Business activities of charging and collecting prices for goods or services sold or provided by a third person (hereinafter referred to as “goods or services”) together with charges for the telecommunications services provided;

(b) Business activities of transmitting and receiving information of transactions electronically so that prices for goods or services sold or provided by a third person can be billed or collected together with charges for the telecommunications services provided by oneself, or settling, on behalf of another person, or intermediating payments for such prices;

11. The term “provider of telecommunications billing services” means a person who provides telecommunications billing services after being registered under Article 53;

12. The term “user of telecommunications billing services” means a person who purchases or uses goods or services by using telecommunications billing services rendered by a provider of telecommunications billing services;

13. The term “electronic transmission medium” means a medium transmitting codes, letters, voices, images or motion pictures to addressees in an electronic form, such as an electronic document, via information and communications networks.

(2) Except as otherwise provided for in paragraph (1), definitions of terms used in this Act shall be governed by the Framework Act on National Informatization. (Amended by Act nº 9119, Jun. 13, 2008; Act nº 11690, Mar. 23, 2013)

Article 3 (Responsibilities of Providers and Users of Information and Communications Services)

(1) Every provider of information and communications services shall contribute to protection of rights and interests of users and enhancement of users’ abilities to use information by protecting personal information of users and providing information and communications services in a sounder and safer way.

(2) Every user shall make efforts to help to establish a healthier information society.

(3) The Government may provide support to organizations composed of providers or users of information and communications services for their activities for protecting personal information and protecting juveniles in information and communications networks.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 4 (Preparation of Policy on Promotion of Utilization of Information and Communications Networks and Protection of Information)

(1) The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall prepare policies to lay a foundation for an information society through the promotion of utilization of information and communications networks, the stable management and operation of such networks, the protection of personal information of users, and other related activities (hereinafter referred to as “promotion of utilization of information and communication networks, the protection of information, or other related matters”). (Amended by Act nº 10465, Mar. 29, 2011; Act nº 11690, Mar. 23, 2013)

(2) The policies under paragraph (1) shall contain descriptions of the following:

1. Development and dissemination of technology related to the information and communications networks;

2. Standardization of information and communications networks;

3. Promotion of the use of information and communications networks, including the development of content of information and applied service for information and communications networks under Article 11;

4. Facilitation of sharing information through information and communications networks;

5. Promotion of use of internet;

6. Protection of personal information collected, processed, stored and used via information and communications networks, and development and dissemination of technology related thereto;

7. Protection of juveniles in information and communications networks;

8. Enhancement of safety and reliability of information and communications networks;

9. Other matters necessary for the promotion of utilization of information and communications networks, the protection of information, or other related matters.

(3) When the Minister of Science, ICT and Future Planning or the Korea Communications Commission prepares the policy under paragraph (1), he or she shall ensure that the policy conforms to the basic plan for national informatization under Article 6 of the Framework Act on National Informatization. (Amended by Act nº 10465, Mar. 29, 2011; Act nº 11690, Mar. 23, 2013)

(Amended by Act nº 9119, Jun. 13, 2008)

Article 5 (Relationship to Other Acts)

Except as otherwise provided for in any other Act, the promotion of use of information and communications networks, the protection of information, or other related matters shall be governed by the provisions of this Act: Provided, That this Act shall take precedence over the Electronic Financial Transaction Act, in cases where this Act and the Electronic Financial Transaction Act are both applicable to the telecommunications billing service under Chapter VII.

(Amended by Act nº 9119, Jun. 13, 2008)

CHAPTER II.- PROMOTION OF UTILIZATION OF INFORMATION AND COMMUNICATIONS NETWORK

Article 6 (Development of Technology)

(1) The Minister of Science, ICT and Future Planning may engage the relevant research institute, as prescribed by Presidential Decree, to implement a project for research and development, technical cooperation, transfer of technology, technical guidance, or similar, in order to promote the development of technology and equipment related to information and communications networks. (Amended by Act nº 11690, Mar. 23, 2013)

(2) The Government may provide financial support to a research institute that implements a project for research and development or similar in accordance with paragraph (1) for all or part of the cost and expenses incurred in such project.

(3) Necessary matters concerning the disbursement and management of cost and expenses under paragraph (2) shall be prescribed by Presidential Decree.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 7 (Management and Dissemination of Technology-Related Information)

(1) The Minister of Science, ICT and Future Planning shall manage, systematically and comprehensively, the information pertaining to technology and equipment related to information and communications networks (hereafter referred to as “technology-related information” in this Article). (Amended by Act nº 11690, Mar. 23, 2013)

(2) The Minister of Science, ICT and Future Planning may, if necessary for managing technology-related information systematically and comprehensively, request data relevant to technology-related information from the relevant administrative agency and a national or public research institute. In such cases, the head of such agency or institute shall, upon such request, comply with the request, unless any particular reason exists. (Amended by Act nº 11690, Mar. 23, 2013)

(3) The Minister of Science, ICT and Future Planning shall perform projects for dissemination of technology-related information, so that technology-related information can be used promptly and easily. (Amended by Act nº 11690, Mar. 23, 2013)

(4) Necessary matters concerning the scope of technology and equipment related to information and communications networks, which shall be disseminated pursuant to paragraph (3), shall be prescribed by Presidential Decree.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 8 (Standardization and Certification of Information and Communications Networks)

(1) The Minister of Science, ICT and Future Planning shall establish and provide public notice of the standards for information and communications networks in order to promote the use of information and communications networks, and may recommend providers of information and communication services or the persons who manufacture or supply products related to information and communications networks to comply with the standards: Provided, That the matters for which the Korean Industrial Standards under Article 12 of the Industrial Standardization Act have already been established shall comply with such standards. (Amended by Act nº 11690, Mar. 23, 2013)

(2) A person who manufactures or supplies a product related to information communications in conformity with the standards publicly notified pursuant to paragraph (1) may put on the product a mark stating that the product conforms to the standards, subject to the prior certification of the certifying institution under Article 9 (1).

(3) In cases where a product falls under the proviso to paragraph (1) and the certification under Article 15 of the Industrial Standardization Act has been already given to the product, the product shall be deemed to have been certified pursuant to paragraph (2).

(4) No person but those who hold the certification under paragraph (2) may put a mark verifying that his or her product conforms to the standards or put any similar mark, nor may sell a product with any similar mark or display such a product for the purpose of sale.

(5) The Minister of Science, ICT and Future Planning may order a person who sells a product in violation of paragraph (4) or displays such a product for the purpose of sale to collect and recall the product or to obtain certification to put such a mark, or may take any other corrective measure as may be necessary. (Amended by Act nº 11690, Mar. 23, 2013)

(6) Necessary matters concerning the subject matters of the standardization, the method and procedure for such standardization, and a mark of certification under paragraphs (1) through (3), and the collection, recall, corrective measures, etc. under paragraph (5) shall be prescribed by Ordinance of the Ministry of Science, ICT and Future Planning. (Amended by Act nº 11690, Mar. 23, 2013)

(Amended by Act nº 9119, Jun. 13, 2008)

Article 9 (Designation of Certifying Institutions)      

(1)       The Minister of Science, ICT and Future Planning may designate an institution to certify products related to information and communications networks (hereinafter referred to as a “certifying institution”), which are manufactured or supplied by a person, and conforming to the standards publicly notified pursuant to the main sentence of Article 8 (1). (Amended by Act nº 11690, Mar. 23, 2013)

(2)       The Minister of Science, ICT and Future Planning may, if a certifying institution falls under any of the following subparagraphs, revoke the designation or give an order of business suspension for a prescribed period of time not exceeding six months: Provided, That the Minister of Science, ICT and Future Planning shall revoke the designation of a certifying institution without an exception, if it falls under subparagraph 1: (Amended by Act nº 11690, Mar. 23, 2013)

1.         If the institution is designated by fraud or other improper means;

2.         If the institution has not continued its certification service for one year or longer without a justifiable reason; and

3.         If the institution fails to meet the standards for designation under paragraph (3).

(3)       Necessary matters concerning the standards and procedures for designation under paragraph (1), the criteria for revocation of designation and for business suspension of a certifying institution under paragraph (2), and other related matters shall be prescribed by Ordinance of the Ministry of Science, ICT and Future Planning. (Amended by Act nº 11690, Mar. 23, 2013) (Amended by Act nº 9119, Jun. 13, 2008)

Article 10 (Support for Development of Content of Information)    

With an aim of securing national competitiveness and enhancing the public interest, the Government may provide financial and technical support, or otherwise, to the persons who develop content of information distributed through information and communications networks.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 11 (Acceleration of Development of Applied Services for Information and Communications Networks)        

(1)       The Government may provide financial and technical support, or otherwise as may be necessary, to any State agency, local government, or public institution that develops and operates applied services for improving efficiency in processing its business affairs or automatizing or upgrading the process of its business affairs by utilizing information and communications networks (hereinafter referred to as “applied services for information and communications networks”).

(2)       The Government may provide financial and technical support, or otherwise as may be necessary, to private sector with an aim of facilitating the development of applied services for information and communications networks by private sector and shall take the following measures for nurturing technical human resources necessary to develop applied services for information and communications networks:

1.         Support for internet education conducted by schools in various levels and other educational institutions;

2.         Extension of internet education for citizens;

3.         Support for projects to cultivate technical human resources specializing in information and communications networks;

4.         Establishment of and support for institutions to cultivate technical human resources specializing in information and communications networks;

5.         Support for development and dissemination of educational programs for utilizing information and communications networks;

6.         Support for establishment of the technical qualification system related to information and communications networks and support for supply of technical human resources specializing in information and communications networks on demand;

7.         Other matters necessary for cultivating technical human resources related to information and communications networks.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 12 (Establishment of System for Sharing Information)        

(1)       The Government may encourage the building of a system for sharing information through linked operation and standardization of information and communications networks or in any other way so that the networks can be used efficiently.

(2)       The Government may provide financial and technical support, or otherwise as may be necessary, to any person who builds up a system for sharing information under paragraph (1).

(3)       Necessary matters concerning the encouragement and support under paragraphs (1) and (2) shall be prescribed by Presidential Decree.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 13 (Projects for Promoting Use of Information and Communications Networks)   

(1)       The Minister of Science, ICT and Future Planning may implement projects designed to promote efficient use and dissemination of technology, equipment, and applied services related to information and communications networks, as prescribed by Presidential Decree, in order to promote the use of information and communications networks in various areas of public service, local communities, industry, life, and social welfare and eliminate gaps in accessibility to information. (Amended by Act nº 11690, Mar. 23, 2013)

(2)       The Government may provide financial and technical support, or otherwise as may be necessary, to the persons who participate in the projects under paragraph (1).

(Amended by Act nº 9119, Jun. 13, 2008)

Article 14 (Proliferation of Internet)  

The Government shall induce public and private sectors to use internet facilities available in public and private sectors so that internet can be proliferated, expand the user base for internet through education and public relations activities on internet, and prepare and enforce a policy to eliminate gaps in accessibility to internet between localities, genders, and ages.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 15 (Improvement of Quality of Internet Service)      

(1)       The Minister of Science, ICT and Future Planning shall prepare and enforce a policy to protect rights and interests of users of internet service and to ensure improvement of quality of internet service and stable availability of internet service. (Amended by Act nº 11690, Mar. 23, 2013)

(2)       The Minister of Science, ICT and Future Planning may, if deemed necessary for enforcing the policy under paragraph (1), prescribe and give a public notice of the standards for measuring and assessing the quality of internet service, hearing opinions of organizations of providers and users of information and communications services and others. (Amended by Act nº 11690, Mar. 23, 2013)

(3)       Every provider of information and communications services may voluntarily assess the current status of quality of his or her own internet service in accordance with the standards under paragraph (2) and notify the results thereof to users.

(Amended by Act nº 9119, Jun. 13, 2008)

Articles 16 and 17 Deleted. (by Act nº 7142, Jan. 29, 2004)             

CHAPTER III.- DELETED

Articles 18 through 21 Deleted. (by Act nº 13343, Jun. 22, 2015)

CHAPTER IV.- PROTECTION OF PERSONAL INFORMATION

SECTION 1.- Collection, Use, and Provision of Personal Information

Article 22 (Consent to Collection and Use of Personal Information)           

(1)       A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters:

1.         Purposes of collection and use of the personal information;

2.         Items of personal information that he or she intends to collect;

3.         Period of time during which he or she intends to possess and use the personal information.

(2)       A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases:

1.         If the personal information is necessary in fulfilling the contract for provision of information and communications services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason;

2.         If it is necessary in paying charges on the information and communication services rendered;

3.         If a specific provision exists in this Act or any other Act otherwise.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 22-2 (Consent to Access Authority)   

(1)       Where a provider of information and communications services needs authority to access (hereinafter referred to as “access authority”) information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users:

1.         In the case of access authority certainly necessary to provide the relevant services:

(a)        Items of the information and functions for which access authority is necessary;

(b)       Ground that access authority is necessary.

2.         In the case of access authority not certainly necessary to provide the relevant services:

(a)        Items of the information and functions for which access authority is necessary;

(b)       Ground that access authority is necessary;

(c)        Fact that users may give no consent to the permission on access authority.

(2)       No provider of information and communications services shall refuse to provide the relevant services to users on the ground that the users give no consent to the establishment of access authority not certainly necessary to provide the relevant services.

(3)       The persons manufacturing and providing a basic operating system (referring to an operating environment in which software installed in mobile devices can be run) of mobile devices, the manufacturers of mobile devices, and the persons manufacturing and providing software for mobile devices shall take measures necessary for protecting users’ information, such as devising methods for users to give or revoke consent to access authority where the provider of information and communications services intends to access the information stored and functions installed in mobile devices.

(4)       The scope of, and methods for consenting to, access authority referred to in paragraph (1), measures necessary for protecting users’ information referred to in paragraph (3), and other necessary matters shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 14080, Mar. 22, 2016)

Article 23 (Restrictions on Collection of Personal Information)      

(1)       No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. (Amended by Act nº 12681, May 28, 2014)

(2)       Where a provider of information and communications services collects personal information of a user, he or she shall only collect personal information within the minimum scope necessary to provide information and communications services. (Amended by Act nº 12681, May 28, 2014)

(3)       No provider of information and communications services shall refuse to provide such services on the ground that a user does not provide personal information other than the minimum personal information required. In such cases, the minimum personal information required means information that is specifically required to perform essential functions of the relevant services. (Inserted by Act nº 12681, May 28, 2014) (Amended by Act nº 9119, Jun. 13, 2008)

Article 23-2 (Restriction on Use of Resident Registration Numbers)           

(1)       Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users’ resident registration numbers: (Amended by Act nº 10560, Apr. 5, 2011)

1.         Where the provider is designated as the identification service agency pursuant to Article 23-3;

2.         Where collection/use of users’ resident registration numbers is authorized by statutes;

3.         Where the Korea Communications Commission makes a public announcement for the provider of information and communications services who inevitably collects/uses users’ resident registration numbers for his or her business purposes.

(2)       Even where the collection/use of users’ resident registration numbers is authorized pursuant to paragraph (1) 2 or 3, an identification method without using the users’ resident registration numbers (hereinafter referred to as “alternative means”) shall be provided.

(Amended by Act nº 11322, Feb. 17, 2012)

Article 23-3 (Designation of Identification Service Agency, etc.)    

(1)       The Korea Communications Commission may, after reviewing each item of the following subparagraphs, designate a person as an identification service agency who is deemed competent to safely and reliably perform the affairs of development, provision and administration of the alternative means (hereinafter referred to as “identification service”):

1.         A plan for physical/technological/administrative measures in order to secure safety of the identification service;

2.         Technological/financial capability necessary for performing the identification service;

3.         Appropriateness of the scale of facilities relevant to the identification service.

(2)       When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months.

(3)       When the identification service agency intends to discontinue the identification affairs, it shall notify the intention to the users no later than 60 days prior to the intended date of discontinuation and shall report the same to the Korea Communications Commission.

(4)       Necessary matters concerning the criteria for each standard subject to the review and the designation procedure of identification service agency under paragraph (1), suspension or discontinuation of the identification affairs under paragraphs (2) and (3) and other matters shall be determined by Presidential Decree.

(Article Inserted by Act nº 10560, Apr. 5, 2011)

Article 23-4 (Suspension of Identification Service and Cancelation of Designation of Identification Service Agency)           

(1)       When the identification service agency falls under any of the following subparagraphs, the Korea Communications Commission may determine the period of suspension within six months and order suspension of all or part of the identification service, or cancel designation of identification service agency: Provided, That in cases falling under subparagraph 1 or 2, the Korea Communications Commission shall cancel designation of identification service agency:

1.         Where an identification service agency is designated by falsity or other fraudulent methods;

2.         Where a person who has received the order for suspension of identification service fails to suspend the affairs in violation of the order;

3.         Where a person fails to start the identification service within six months from the date of being designated, or suspends the service continuously for six months or more;

4.         Where it becomes not suitable for the standard of designation pursuant to Article 23-3 (4).

(2)       Standards and procedures for any dispositions pursuant to paragraph (1) and other necessary matters shall be determined by Presidential Decree.

(Article Inserted by Act nº 10560, Apr. 5, 2011)

Article 24 (Restriction on Use of Personal Information)       

No provider of information and communications services may use personal information collected in accordance with Article 22 and the proviso to Article 23 (1) for any purpose other than the purpose consented by the relevant user or the purpose specified in any subparagraph of Article 22 (2).

(Amended by Act nº 9119, Jun. 13, 2008)

Article 24-2 (Consent to Provision of Personal Information)           

(1)       Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters:

1.         The person to whom the personal information is furnished;

2.         Purposes of use of the personal information of the person to whom the personal information is furnished;

3.         Items of the personal information furnished;

4.         Period of time during which the person to whom the personal information is furnished will possess and use the personal information.

(2)       A person who received any personal information of a user from a provider of information and communications services in accordance with paragraph (1) shall not furnish the personal information to a third party or use it for any purpose other than the purpose originally agreed upon at the time when the information was furnished without consent of the user or a specific provision otherwise specified in any other Act.

(3)       When the provider, etc. of information and communications services under Article 25 (1) is given the consent to furnishing user’s information under paragraph (1) and to the entrustment of management of personal information under Article 25 (1), he or she shall obtain such consent apart from the consent to collection/use of personal information pursuant to Article 22, and shall not refuse to provide its service on the ground of a user’s refusal of aforementioned consent. (Inserted by Act nº 10560, Apr. 5, 2011; Act nº 14080, Mar. 22, 2016)

(Amended by Act nº 9119, Jun. 13, 2008)

Article 25 (Entrustment of Management of Personal Information)  

(1)       A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a “provider of information and communications services or similar”) shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as “entrustment of management of personal information”) so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users’ personal information (hereinafter referred to as “management”), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: (Amended by Act Nº 14080, Mar. 22, 2016)

1.         Any person to whom the management of personal information is entrusted (hereinafter referred to as a “trustee”);

2.         Details of the business affairs subject to the entrustment of management of personal information.

(2)       A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). (Amended by Act nº 12681, May 28, 2014; Act nº 14080, Mar. 22, 2016)

(3)       A provider of information and communications services or similar shall, when he or she entrusts the management of personal information to a third party, define the scope of purposes, in advance, within which the trustee is allowed to manage personal information of users, and the trustee shall not manage the personal information of users beyond the scope of purposes. (Amended by Act nº 14080, Mar. 22, 2016)

(4)       A provider of information and communications services or similar shall control, supervise and educate the trustee to ensure that the trustee does not violate any provision of this Chapter. (Amended by Act nº 14080, Mar. 22, 2016)

(5)       If the trustee violates any provision of this Chapter in connection with the business affairs related to the entrustment of management of personal information and inflicts damages upon a user, the trustee shall be deemed an employee of the provider of information and communications services or similar in determining liability for such damages. (Amended by Act nº 14080, Mar. 22, 2016)

(6)       A provider, etc. of information and communications shall, when entrusting a trustee with management of personal information, do so in writing. (Inserted by Act nº 14080, Mar. 22, 2016)

(7)       A trustee may re-entrust a third party with affairs entrusted pursuant to paragraph (1) only where the trustee obtains consent from the provider, etc. of information and communications services. (Inserted by Act nº 14080, Mar. 22, 2016)

(Amended by Act nº 9119, Jun. 13, 2008)

Article 26 (Transfer of Personal Information Following Transfer of Business)       

(1)       Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree:

1.         The fact that the personal information is to be transferred;

2.         The name (referring to the name of a legal corporation, if the person is a legal corporation; hereafter the same shall apply in this Article), address, and telephone number of a person to whom the personal information is to be transferred (hereinafter referred to as a “transferee of business or similar”), and other contact information of the person;

3.         The methods and procedures available for revocation of consent, where a user does not want his or her personal information transferred to a third party.

(2)       If any personal information is transferred to a transferee of business, etc., he or she shall immediately notify the users of such fact and his or her name, domicile, telephone number and other contact details according to methods prescribed by Presidential Decree, such as the posting of such information on the Internet homepage or email. (Amended by Act nº 12681, May 28, 2014)

(3)       A transferee of business or similar may use or furnish personal information only within the scope of purposes originally defined for which any provider of information and communications services or similar uses or furnishes the personal information of users: Provided, That the same shall not apply where he or she separately obtains consent from users.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 26-2 (Method Applicable in Obtaining Consent)      

The method applicable in obtaining the consent under Article 22 (1), the proviso to Article 23 (1), Article 24-2 (1) or (2), Article 25 (1), the proviso to Article 26 (3), or Article 63 (2) (hereinafter referred to as “consent to collection, use, provision, and similar disposition of personal information”) shall be prescribed by Presidential Decree, considering media for collection of personal information, peculiarities of each type of business, number of users, and other related factors.

(Amended by Act nº 9119, Jun. 13, 2008)

SECTION 2.- MANAGEMENT, DESTRUCTION, ETC. OF PERSONAL INFORMATION

Article 27 (Designation of Person Responsible for Management of Personal Information)            

(1)       Every provider of information and communications services or similar shall designate a person responsible for protection of personal information so that he or she protects the personal information of users and processes complaints from users in connection with the personal information: Provided, That a provider of information and communications services or similar may, if he or she falls under the criteria prescribed by Presidential Decree for the number of employees, number of users, and other related matters, omit such designation. (Amended by Act nº 14080, Mar. 22, 2016)

(2)       If a provider of information and communications services or similar does not designate a person responsible for protection of personal information under the proviso to paragraph (1), the business owner or representative of the provider or similar shall be the person responsible for protection of personal information. (Amended by Act nº 14080, Mar. 22, 2016)

(3)       The qualification requirements for a person responsible for protection of personal information and other matters necessary for designation of such person shall be prescribed by Presidential Decree. (Amended by Act nº 14080, Mar. 22, 2016)

(4)       Where a person responsible for protection of personal information becomes aware of a fact of violation of this Act or other relevant statute, he or she shall take measures for improvement immediately, and if necessary, report the measures for improvement to the business owner or representative of the provider, etc. of information and communications services: Provided, That the provisions concerning reporting of measures for improvement shall not apply where the business owner or representative is the person responsible for protection of personal information pursuant to paragraph (2). (Inserted by Act nº 14080, Mar. 22, 2016) (Amended by Act nº 9119, Jun. 13, 2008)

Article 27-2 (Public Disclosure of Policy on Managing Personal Information)       

(1)       Every provider of information and communications services or similar shall, when he or she manages personal information of users, establish and disclose its policy on managing personal information to the public in a manner specified by Presidential Decree so that users become aware of the policy easily at any time. (Amended by Act nº 14080, Mar. 22, 2016)

(2)       The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: (Amended by Act nº 11322, Feb. 17, 2012; Act nº 14080, Mar. 22, 2016)

1.         Purposes of collection and use of personal information, items of personal information collected, and methods of collection;

2.         The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished;

3.         The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1));

4.         Details of business affairs subject to the entrustment of management of personal information and the trustee (they shall be included in the policy on management, only where this subparagraph is applicable);

5.         Rights of users and their legal representatives and methods for the exercise of such rights;

6.         Matters concerning installation, operation, and denial of a device that collects personal information automatically, such as an information file for access to internet;

7.         The name and address of the person responsible for protection of personal information or the department responsible for business affairs related to the protection of personal information and processing related complaints and other contact information of such person or department.

(3)       Every provider of information and communications services or similar shall, when he or she revises the policy on managing personal information under paragraph (1), give public notice of the reasons for and details of such revision without delay in a manner specified by Presidential Decree, and take measures to make users aware of the details of the revision easily at any time. (Amended by Act nº 14080, Mar. 22, 2016) (Amended by Act nº 9119, Jun. 13, 2008)

Article 27-3 (Notification/Reports on Leakage of Personal Information)    

(1)       When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as “leakages, etc.”), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users’ contact information is unknown or other good cause exists: (Amended by Act nº 12681, May 28, 2014; Act nº 14080, Mar. 22, 2016)

1.         Each item of the personal information leaked;

2.         Point of time the personal information is leaked;

3.         Measures available for users to take;

4.         Countermeasures to be taken by a provider of information and communications services or similar;

5.         Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations.

(2)       The Korea Internet Security Agency in receipt of a report under paragraph (1) shall immediately inform the Korea Communications Commission of such fact. (Inserted by Act nº 12681, May 28, 2014)

(3)       A provider of information and communications services, etc. shall explain just cause under the main sentence of and proviso to paragraph (1) to the Korea Communications Commission. (Inserted by Act nº 12681, May 28, 2014)

(4)       Matters necessary for methods and procedures, etc., for the notification and report pursuant to paragraph (1) shall be prescribed by Presidential Decree.

(5)       A provider of information and communications services, etc. shall prepare countermeasures against the leakages, etc. of personal information, and shall seek measures to minimize any damage thereof. (Amended by Act nº 14080, Mar. 22, 2016) (Article Inserted by Act nº 11322, Feb. 17, 2012)

Article 28 (Protective Measures for Personal Information)   

(1)       Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: (Amended by Act nº 14080, Mar. 22, 2016)

1.         Establishment and implementation of an internal control plan for managing personal information in a safe way;

2.         Installation and operation of an access control device, such as a system for blocking intrusion to cut off illegal access to personal information;

3.         Measures for preventing fabrication and alteration of access records;

4.         Measures for security by using encryption technology and other methods for safe storage and transmission of personal information;

5.         Measures for preventing intrusion of computer viruses, including installation and operation of vaccine software;

6.         Other protective measures necessary for securing safety of personal information.

(2)       Every provider of information and communications services or similar shall restrict the persons who may manage users’ personal information to the minimum extent. (Amended by Act nº 14080, Mar. 22, 2016) (Amended by Act nº 9119, Jun. 13, 2008)

Article 28-2 (Prohibition on Disclosure of Personal Information)    

(1)       A person who manages or has ever managed personal information of users shall not damage, intrude on, or disclose personal information that he or she learned in the course of performing his or her duty. (Amended by Act nº 14080, Mar. 22, 2016)

(2)       No one shall be knowingly provided with any disclosed personal information for profit or any unlawful purpose.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 29 (Destruction of Personal Information)      

(1)       A provider of information and communications services or similar shall, if any of the following occurs, destroy the relevant personal information without delay so that such personal information cannot be recovered or reproduced: Provided, That the same shall not apply where it is required to preserve the personal information in accordance with any other Act: (Amended by Act nº 11322, Feb. 17, 2012; Act nº 12681, May 28, 2014)

1.         When the purpose of collection and use of personal information with consent obtained in accordance with Article 22 (1), the proviso to Article 23 (1), or Article 24-2 (1) or (2) or the purpose under any subparagraph of Article 22 (2) has been achieved;

2.         When a period during which it is allowed to possess and use personal information with consent obtained in accordance with Article 22 (1), the proviso to Article 23 (1), or Article 24-2 (1) or (2) ends;

3.         When a period during which it is allowed to possess and use personal information in accordance with Article 27-2 (2) 3 ends, if the personal information has been collected and used without consent of users under Article 22 (2);

4.         When the business is permanently closed down.

(2)       The provider of information and communications services or similar shall, in an effort to protect personal information of the users who do not use information and communications services for a period of one year, take necessary measures, such as destruction of personal information, as prescribed by Presidential Decree: Provided, That where the period is otherwise provided either in accordance with other statute or at the request of the users, such provisions shall apply. (Inserted by Act nº 11322, Feb. 17, 2012; Act nº 13520, Dec. 1, 2015)

(3)       The provider, etc. of information and communications services shall notify, until 30 days before expiration of the period under paragraph (2), the users of the matters prescribed by Presidential Decree such as the fact that the personal information will be destroyed, the expiration date of the period and items of personal information subject to destruction, in a manner prescribed by Presidential Decree such as by email. (Inserted by Act nº 13520, Dec. 1, 2015)

(Amended by Act nº 9119, Jun. 13, 2008)

SECTION 3.- RIGHTS OF USERS

Article 30 (Rights of Users)    

(1)       Every user may, at any time, revoke his or her consent given to a provider of information and communications services or similar to allow the provider to collect, use, or furnish his or her personal information.

(2)       Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish him or her with, any of the following subparagraphs, and may also require the provider to correct an error, if there is any error:

1.         Personal information of the user, which the provider of information and communications services or similar possesses;

2.         Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party;

3.         Details of which the user has given a consent to the provider of information and communications services or similar to collect, use, or furnish his or her personal information.

(3)       If a user withdraws his or her consent pursuant to paragraph (1), a provider of information and communications services, etc. shall immediately take necessary measures, such as the destruction of collected personal information in an irrecoverable or unreproducible way. (Amended by Act nº 12681, May 28, 2014)

(4)       A provider of information and communications services or similar shall, in receipt of a request to peruse or furnish matters in accordance with paragraph (2), take necessary measures without delay.

(5)       A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act.

(6)       A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information.

(7)       Paragraphs (1) through (6) shall apply mutatis mutandis to a transferee of business or similar. In such cases, “provider of information and communications services or similar” shall be deemed “transferee of business or similar.”

(Amended by Act nº 9119, Jun. 13, 2008)

Article 30-2 (Notification of Details of Use of Personal Information)

(1)       A provider of information and communications services or similar falling under the standards determined by Presidential Decree shall periodically notify the users of the details of using personal information of such users (including details of the provision under Article 24-2 and of the entrustment of management of personal information under Article 25) in accordance with Article 22 and the proviso to Article 23 (1): Provided, That this shall not apply in cases where the provider of information and communications services or similar does not collect any contact information or other personal information that can be notified to users. (Amended by Act nº 14080, Mar. 22, 2016)

(2)       Types of personal information to be notified to users, frequency and method of notifying the information pursuant to paragraph (1) and other matters necessary for notification of details of using such personal information shall be determined by Presidential Decree.

(Article Inserted by Act nº 11322, Feb. 17, 2012)

Article 31 (Rights of Legal Representative)  

(1)       A provider of information and communications services or similar shall, if he or she desires to obtain consent of a child of less than 14 years on collection, use, furnishing, and other disposition of personal information, obtain consent from his or her legal representative. In such cases, the provider of information and communications services may demand the child to furnish minimum information, such as the legal representative’s name, necessary to obtain consent from the legal representative.

(2)       A legal representative may exercise rights of a user under Article 30 (1) and (2) with respect to personal information of the relevant child.

(3)       Article 30 (3) through (5) shall apply to a legal representative’s revocation of consent under paragraph (2) and his or her demand for perusal or correction of an error.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 32 (Compensation)      

(1)       Where a user suffers any damage caused by a violation of any provision of this Chapter by a provider, etc. of information and communications services, he or she may claim compensation for damage against the said provider, etc. of information and communications services. In this case, that provider of information and communications services or similar shall not be exonerated from liability if failing to prove that there is neither intention nor gross negligence on the part of the said provider. (Amended by Act nº 14080, Mar. 22, 2016)

(2)       Where any damage occurs to a user because personal information has been lost, stolen, leaked, forged, altered, or damaged due to intention or gross negligence on the part of the provider, etc. of information and communications services or similar, a court may determine the amount of compensation to the extent not exceeding three times the said damage: Provided, That this shall not apply where the provider, etc. of information and communications services proves that there is neither intention nor gross negligence on the part of the said provider. (Inserted by Act nº 14080, Mar. 22, 2016)

(3)       Where a court determines the amount of compensation referred to in paragraph (2), it shall take the following matters into account: (Inserted by Act nº 14080, Mar. 22, 2016)

1.         Degree of acknowledging the intention or the likeliness of the occurrence of damage;

2.         Scale of damage sustained due to the relevant violation;

3.         Economic benefits acquired by the provider, etc. of information and communications services by committing the relevant violation;

4.         Fines and penalty surcharges due to violations;

5.         Period, number, etc. of violations;

6.         Status of assets of the provider, etc. of information and communications services;

7.         Degree of efforts of the provider, etc. of information and communications services to withdraw the relevant personal information after the user’s personal information has been lost, stolen or leaked;

8.         Degree of efforts of the provider, etc. of information and communications services to remedy damage to the user.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 32-2 (Claim for Statutory Damages)  

(1)       Where a user falls under each of the following subparagraphs, he or she may claim reasonable compensation not exceeding three million won as damages, in lieu of claiming damages under Article 32 from a provider of information and communications services, etc. within a period prescribed by Presidential Decree. In such cases, the relevant provider of information and communications services, etc. cannot be exempt from responsibility unless he or she proves that there is no intention or negligence: (Amended by Act nº 14080, Mar. 22, 2016)

1.         Where the provider of information and communications services, etc. violates any of the provisions of this Chapter by intention or negligence;

2.         Where personal information is lost, stolen, leaked, forged, altered or damaged.

(2)       Where a claim for compensation under paragraph (1) is filed, a court may acknowledge a reasonable amount of loss within the limits prescribed in paragraph (1), taking into account the relevance of all pleadings and the outcomes of examination of evidence.

(3)       A user claiming compensation for damage pursuant to Article 32 may change such claim to the claim referred to in paragraph (1) before the argument of the inquisition is closed. (Inserted by Act nº 14080, Mar. 22, 2016)

(Article Inserted by Act nº 12681, May 28, 2014)

Article 32-3 (Deletion and Blocking of Exposed Personal Information)      

(1)       A provider, etc. of information and communications services shall ensure that users’ personal information such as resident registration numbers, account numbers and credit card information is not exposed to the public through information and communications networks.

(2)       Upon the request of the Korea Communications Commission or the Korea Internet and Security Agency, a provider, etc. of information and communications services shall take necessary measures such as deleting and blocking exposed personal information referred to in paragraph (1).

(Article Inserted by Act nº 14080, Mar. 22, 2016)

SECTION 4 Deleted.

Articles 32-3 through 40 Deleted (by Act nº 10465, Mar. 29, 2011)            

CHAPTER V.- PROTECTION OF USERS IN INFORMATION AND COMMUNICATIONS NETWORKS

Article 41 (Preparation of Policy on Protection of Juvenile)             

(1)       The Korea Communications Commission shall prepare a policy on the following measures to protect juvenile from unwholesome information for juvenile (hereinafter referred to as “unwholesome information for juvenile”), such as information of obscenities and violence, circulated through information and communications networks:

1.         Development and dissemination of content-screening software;

2.         Development and dissemination of technology for protection of juvenile;

3.         Education and public relations activities for protection of juvenile;

4.         Other matters specified by Presidential Decree for protection of juvenile.

(2)       The Korea Communications Commission may, in an effort to implement the policy under paragraph (1), support activities conducted by the Korea Communications Standards Commission under Article 18 of the Establishment and Operation of the Korea Communications Commission Act (hereinafter referred to as the “Communications Standards Commission”), organizations of providers or users of information and communications services, and other relevant specialized institutions for protection of juvenile.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 42 (Labeling of Media Unwholesome for Juvenile)  

A person who provides information to the general public purposely to make it public through telecommunications services rendered by a telecommunications business operator (hereinafter referred to as “information provider”) and who intends to provide any unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the Juvenile Protection Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act shall put a label indicating that the information is an unwholesome medium for juvenile by the labeling method specified by Presidential Decree. (Amended by Act nº 11048, Sep. 15, 2011)

(Amended by Act nº 9119, Jun. 13, 2008)

Article 42-2 (Prohibition on Advertisement of Unwholesome Media for Juvenile)             

No one may transmit, to a juvenile under subparagraph 1 of Article 2 of the Juvenile Protection Act, any information containing an advertisement of an unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the aforesaid Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in the form of code, letter, voice, sound, image, or motion picture through an information and communications network or display such medium to the general public without taking any measure to restrict access by a juvenile. (Amended by Act nº 11048, Sep. 15, 2011)

(Amended by Act nº 9119, Jun. 13, 2008)

Article 42-3 (Designation of Person Responsible for Protection of Juvenile)          

(1)       A provider of information and communications services whose average number of users per day, sales, and other related factors fall under the criteria prescribed by Presidential Decree shall designate a person responsible for protection of juvenile to keep juvenile from unwholesome information for juvenile in the information and communications network.

(2)       The person responsible for protection of juvenile shall be chosen from among executive officers of the relevant business operator or the persons in a position equivalent to the head of a department responsible for business affairs related to protection of juvenile.

(3)       The person responsible for protection of juvenile shall block and control unwholesome information for juvenile in the information and communications network, and shall perform business affairs for protection of juvenile, including establishment of a plan for protection of juvenile from unwholesome information for juvenile.

(4)       Necessary matters concerning the designation of a person responsible for protection of juvenile under paragraph (1) shall be prescribed by Presidential Decree.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 43 (Duty of Provider of Visual or Sound Information to Keep Information)          

(1)       An information provider specified by Presidential Decree among those who engage in a business of providing unwholesome media for juvenile as defined in subparagraph 3 of Article 2 of the Juvenile Protection Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in a way to make it impossible to store or record the unwholesome media in a user’s computer shall keep relevant information. (Amended by Act nº 11048, Sep. 15, 2011)

(2)       The period of time during which an information provider under paragraph (1) is obligated to keep relevant information shall be prescribed by Presidential Decree.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 44 (Protection of Rights in Information and Communications Network)    

(1)       No user may circulate any information violative of other person’s rights, including invasion of privacy and defamation, through an information and communications network.

(2)       Every provider of information and communications services shall make efforts to prevent any information under paragraph (1) from being circulated through the information and communications network operated and managed by it.

(3)       The Korea Communications Commission may prepare a policy on technological development, education, public relations activities, and other activities to prevent violation of other persons’ rights by information circulated through information and communications networks, including invasion of privacy and defamation, and may recommend providers of information and communications services to adopt the policy. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12681, May 28, 2014)

(Amended by Act nº 9119, Jun. 13, 2008)

Article 44-2 (Request for Deletion of Information)   

(1)       Where information provided through an information and communications network purposely to be made public intrudes on other persons’ privacy, defames other persons, or violates other persons’ right otherwise, the victim of such violation may request the provider of information and communications services who managed the information to delete the information or publish a rebuttable statement (hereinafter referred to as “deletion or rebuttal”), presenting explanatory materials supporting the alleged violation. (Amended by Act nº 14080, Mar. 22, 2016)

(2)       A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way.

(3)       A provider of information and communications services shall, if there is any unwholesome medium for juvenile published in violation of the labeling method under Article 42 in the information and communications network operated and managed by him or her or if a content advertising any unwholesome medium for juvenile is displayed in such network without any measures to restrict access by juvenile under Article 42-2, delete such content without delay.

(4)       A provider of information and communications services may, if it is difficult to judge whether information violates any right or it is anticipated that there will probably be a dispute between interested parties, take a measure to block access to the information temporarily (hereinafter referred to as “temporary measures”), irrespective of a request for deletion of the information under paragraph (1). In such cases, the period of time for the temporary measure shall not exceed 30 days.

(5)       Every provider of information and communications services shall clearly state the details, procedure, and other matters concerning necessary measures in its standardized agreement in advance.

(6)       A provider of information and communications services may, if he or she takes necessary measures under paragraph (2) for the information circulated through the information and communications network operated and managed by it, have its liability for damages caused by such information mitigated or discharged.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 44-3 (Discretionary Temporary Measures)    

(1)       A provider of information and communications services may, if it finds that information circulated through the information and communications network operated and managed by him or her intrudes on someone’s privacy, defames someone, or violates someone’s rights, take temporary measures at its discretion.

(2)       The latter part of Article 44-2 (2), the latter part of Article 44-2 (4), and Article 44-2 (5) shall apply mutatis mutandis to the temporary measures under paragraph (1).

(Amended by Act nº 9119, Jun. 13, 2008)

Article 44-4 (Self Regulation)            

An organization of providers of information and communications services may establish and implement a code of conduct applicable to providers of information and communications services with an objective to protect users and render information and communications services in a safer and more reliable way.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 44-5 (Identity Verification of Users of Message Boards)     

(1)       Any of the following persons shall, if he or she intends to install and operate a message board, take necessary measures, as prescribed by Presidential Decree (hereinafter referred to as “measures for identity verification”), including preparation of methods and procedures for verifying identity of users of the message board:

1.         A State agency, local government, public enterprise, quasi-government agency under Article 5 (3) of the Act on the Management of Public Institutions, or a local government-invested public corporation or a local government public corporation under the Local Public Enterprises Act (hereinafter referred to as “public institution”);

2.         Deleted. (by Act nº 12681, May 28, 2014)

(2)       Deleted. (by Act nº 12681, May 28, 2014)

(3)       The Government shall prepare a policy to develop a safer and more reliable system to verify identity of users under paragraph (1).

(4)       A public institution, etc. may have its liability for damages caused by fraudulent use of a user’s identity by a third party mitigated or discharged, if it has taken the measures for identity verification under paragraph (1) with care as a good manager. (Amended by Act nº 12681, May 28, 2014)

(Amended by Act nº 9119, Jun. 13, 2008)

Article 44-6 (Claim to Furnish User’s Information)  

(1)       A person who alleges that information published or circulated by a specific user has intruded on his or her privacy, defamed him or her, or violated his or her rights may file a claim with the defamation dispute conciliation division under Article 44-10 to demand the relevant provider of information and communications services to furnish the information he or she possesses about the alleged offender (referring to the minimum information specified by Presidential Decree, including the name and address, necessary for filing a civil or criminal complaint), along with materials supporting his or her allegation of the violation, in order to file a civil or criminal complaint against the alleged offender.

(2)       The defamation dispute conciliation division shall, upon receiving a claim under paragraph (1), make a decision on whether to furnish information, hearing the opinion of the relevant user, unless it is impossible to contact the relevant user or there is any particular reason otherwise.

(3)       A person who receives information about the relevant user under paragraph (1) may not use the information for any purpose other than the purpose of filing a civil or criminal complaint.

(4)       Other matters necessary for the contents of a claim to furnish information of a user and the procedure therefor shall be prescribed by Presidential Decree.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 44-7 (Prohibition on Circulation of Unlawful Information)  

(1)       No one may circulate information falling under any of the following subparagraphs through an information and communications network: (Amended by Act nº 11048, Sep. 15, 2011; Act nº 14080, Mar. 22, 2016)

1.         Information with an obscene content distributed, sold, rented, or displayed openly in the form of code, words, sound, image, or motion picture;

2.         Information with a content that defames other persons by divulging a fact or a false fact, openly and purposely to disparage the person’s reputation;

3.         Information with a content that arouses fear or apprehension by reaching other persons repeatedly in the form of code, words, sound, image, or motion picture;

4.         Information with a content that mutilates, destroys, alters, or forges an information and communications system, data, a program, or similar or that interferes with the operation of such system, data, program, or similar without a justifiable ground;

5.         Information with a content that falls within an unwholesome medium for juvenile under the Juvenile Protection Act and that is provided for profit without fulfilling the duties and obligations under relevant statutes, including the duty to verify the opposite party’s age and the duty of labeling;

6.         Information with a content that falls within speculative activities prohibited by statutes;

6-2.      Information regarding content of transactions of personal information in violation of this Act or other statutes concerning the protection of personal information;

7.         Information with a content that divulges a secret classified by statutes or any other State secret;

8.         Information with a content that commits an activity prohibited by the National Security Act;

9.         Other information with a content that attempts, aids, or abets to commit a crime.

(2)       The Korea Communications Commission may order a provider of information and communications services or a manager or an operator of a message board to reject, suspend, or restrict management of information under paragraph (1) 1 through 6 and 6-2, subject to deliberation by the Communications Standards Commission: Provided, That if the information falls under paragraph (1) 2 or 3, the Commission shall not issue an order to reject, suspend, or restrict such management against the intention specifically manifested by the victim of the relevant information. (Amended by Act nº 14080, Mar. 22, 2016)

(3)       The Korea Communications Commission shall order a provider of information and communications services or a manager or an operator of a message board to reject, suspend, or restrict management of information under paragraph (1) 7 through 9, if the information falls under all the following subparagraphs: (Amended by Act nº 14080, Mar. 22, 2016)

1.         There was a request from the head of a related central administrative agency;

2.         A demand for correction was made pursuant to subparagraph 4 of Article 21 of the Act on the Establishment and Operation of Korea Communications Commission after deliberation by the Communications Standards Commission within seven days from the date on which the request under subparagraph 1 had been received;

3.         The provider of information and communications services or the manager or operator of the message board has not complied with the demand for correction.

(4)       The Korea Communications Commission shall give an opportunity to the provider of information and communications services or the manager, operator, or relevant user of the message board to whom an order is to be issued pursuant to paragraph (2) or (3) to present his or her opinion in advance: Provided, That the Commission may not give an opportunity to present an opinion, if a case falls under any of the following subparagraphs:

1.         If it is necessary to make an urgent disposition for public safety and welfare;

2.         If there is a ground specified by Presidential Decree to believe that it is obviously impracticable or evidently unnecessary to hear an opinion;

3.         If a person concerned clearly manifests his or her intent to give up the opportunity to present his or her opinion.

(Amended by Act nº 9119, Jun. 13, 2008)

Articles 44-8 and 44-9 Deleted. (by Act Nº 8867, Feb. 29, 2008)     

Article 44-10 (Defamation Dispute Conciliation Division)   

(1)       The Communications Standards Commission shall have the defamation dispute conciliation division comprised of five members or less, including a member or more holding qualification of attorney-at-law, for efficient conciliation of disputes arising in connection with information that intrudes on other persons’ privacy, defames other persons, or violates other persons’ rights.

(2)       The members of the defamation dispute conciliation division shall be commissioned by the chairperson of the Communications Standards Commission with consent of the Communications Standards Commission.

(3)       Articles 33-2 (2) and 35 through 39 shall apply mutatis mutandis to the procedure for conciliation of disputes by the defamation dispute conciliation division. In such cases, “Dispute Mediation Committee” shall be construed as “Communications Standards Commission,” and “disputes over personal information” as “disputes arising in connection with information that intrudes privacy, defames other persons, or violates other persons’ rights among information circulated through information and communications networks.”

(4)       Necessary matters concerning the installation and operation of the defamation dispute conciliation division and the conciliation of disputes, and other related matters shall be prescribed by Presidential Decree.

(Amended by Act nº 9119, Jun. 13, 2008)

CHAPTER VI.- SECURING OF STABILITY OF INFORMATION AND COMMUNICATIONS NETWORK

Article 45 (Securing of Stability of Information and Communications Network)   

(1)       Every provider of information and communications services shall take protective measures to secure the reliability of the information and security of the information and communications networks.

(2)       The Minister of Science, ICT and Future Planning may prescribe and provide a public notice of guidelines for protective measures for information (hereinafter referred to as “information protection guidelines”), specifying details of the protective measures under paragraph (1), and may recommend providers of information and communications services to observe the guidelines. (Amended by Act nº 11322, Feb. 17, 2012; Act nº 11690, Mar. 23, 2013)

(3)       The information protection guidelines shall contain descriptions of the following matters: (Amended by Act nº 14080, Mar. 22, 2016)

1.         Technical and physical protective measures, including installation and operation of an information protection system, to prevent or counteract access to or invasion upon an information and communications network by a person with no due authorization;

2.         Technical protective measures for preventing unlawful leakage, forgery, alteration, or deletion of information;

3.         Technical and physical protective measures for securing the state of enabling continuous use of information and communications networks;

4.         Administrative protective measures for stabilization of information and communications networks and protection of information, including securing human resources, organization, and expenses and establishing related plans.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 45-2 (Preliminary Examination on Information Protection)  

(1)       A provider of information and communications services shall, if he or she intends to newly establish an information and communications network or to provide information and communications services, take the matters regarding information protection into account in planning or designing thereof.

(2)       The Minister of Science, ICT and Future Planning may recommend a person who intends to implement the information and communications services or the telecommunications businesses falling under any of the following subparagraphs to take protective measures in accordance with the preliminary examination standards as determined by Presidential Decree: (Amended by Act nº 11690, Mar. 23, 2013)

1.         The information and communications services or telecommunications businesses as determined by Presidential Decree, for which authorization or permission by the Minister of Science, ICT and Future Planning should be obtained or registration with or report to the Korea Communications Commission should be made pursuant to this Act or other Acts and subordinate statutes;

2.         The information and communications services or the telecommunications businesses as determined by Presidential Decree and financed by the Minister of Science, ICT and Future Planning for all or part of the business expenses thereof.

(3)       Standards, methods, procedures, fees for the preliminary examination on protection of information pursuant to paragraph (2) and other necessary matters shall be determined by Presidential Decree.

(Article Inserted by Act nº 11322, Feb. 17, 2012)

Article 45-3 (Designation, etc. of Chief Information Protection Officers)   

(1)       A provider of information and communications services may designate a chief information protection officer at a level of an executive officer for security of information and communications system, etc. and for safe administration of information: Provided, That in cases of any provider of information and communications services whose number of employees, number of users, etc. meet standards prescribed by Presidential Decree, he or she shall report its designation of the chief information protection officer to the Minister of Science, ICT and Future Planning. (Amended by Act nº 12681, May 28, 2014)

(2)       Methods and procedures for reporting under paragraph (1) shall be prescribed by Presidential Decree. (Inserted by Act nº 12681, May 28, 2014)

(3)       A chief information protection officer shall be responsible for the following matters:

1.         Establishment and administration/operation of an administrative system for information protection;

2.         Analysis/evaluation and improvement of the weakness of information protection;

3.         Prevention of and response to an intrusion;

4.         Preparation of preliminary measures for information protection and designing/realization, etc. of security measures;

5.         Review of a preliminary security for information protection;

6.         Review of the encryption of important information and the suitability of a security server;

7.         Other matters, such as taking necessary measures for protection of information pursuant to this Act or other relevant statutes.

(4)       A provider of information and communications services may establish and operate an association of chief information protection officers comprised of chief information protection officers prescribed in paragraph (1) in order to jointly perform prevention/response in cases of intrusion, sharing necessary information and other joint programs prescribed by Presidential Decree.

(5)       The Government may provide financial support to the association of chief information protection officers under paragraph (4) for expenses, in whole or in part, incurred in conducting its activities. (Amended by Act nº 12681, May 28, 2014; Act nº 13343, Jun. 22, 2015)

(Article Inserted by Act nº 11322, Feb. 17, 2012)

Article 46 (Protection of Clustered Information and Communications Facilities)   

(1)       Every business operator who operates and manages clustered information and communications facilities to render information and communications services on behalf of another person (hereinafter referred to as “business operator of clustered information and communications facilities”) shall take protective measures as prescribed by Presidential Decree to operate the information and communications facilities stably.

(2)       Every business operator of clustered information and communications facilities shall purchase insurance policies as prescribed by Presidential Decree to cover damages that may be caused by destruction or damage of the clustered information and communications facilities or any other trouble in operation.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 46-2 (Emergency Countermeasures of Business Operators of Clustered Information and Communications Facilities)     

(1)       A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: (Amended by Act nº 9637, Apr. 22, 2009; Act nº 11690, Mar. 23, 2013)

1.         If it is anticipated that an abnormality found in the information system of a person who uses clustered information and communications facilities (hereinafter referred to as “user of facilities”) will probably cause serious trouble to the information system of other users of facilities or clustered information and communications facilities;

2.         If it is anticipated that an intrusion from outside will probably cause serious trouble to the clustered information and communications facilities;

3.         If there occurs a serious intrusion and the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency requests to suspend the services.

(2)       A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters.

(3)       A business operator of clustered information and communications facilities shall, once the event that caused suspension of services terminates, resume its services immediately.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 46-3 Deleted. (by Act nº 11322, Feb. 17, 2012)         

Article 47 (Certification of Information Security Management System)      

(1)       With respect to the person who has established and operates a comprehensive management system, including administrative and technical protective measures, for securing stability and reliability of an information and communications network (hereinafter referred to as “information security management system”), the Minister of Science, ICT and Future Planning may certify as to whether he or she meets the standards under paragraph (4). (Amended by Act nº 11322, Feb. 17, 2012; Act nº 11690, Mar. 23, 2013; Act nº 13520, Dec. 1, 2015)

(2)       A telecommunication business operator under subparagraph 8 of Article 2 of the Telecommunications Business Act, or any of the following persons, who provides or intermediates the provision of information by using telecommunications services of any telecommunication business operator, shall receive the certification under paragraph (1): (Inserted by Act nº 11322, Feb. 17, 2012; Act nº 13520, Dec. 1, 2015)

1.         A person who renders information and communications services as prescribed by Presidential Decree as a person who has obtained the permission pursuant to Article 6 (1) of the Telecommunications Business Act;

2.         A business operator of clustered information and communications facilities;

3.         A person falling under the standards determined by Presidential Decree, whose annual sales or tax revenue, etc. is not less than 150 billion won, whose sales of the sector of information and communications services of the previous year is not less than 10 billion won, or whose average number of daily users over the past three months is not less than one million.

(3)       Where a person required to be certified in accordance with paragraph (2) is certified for conformity with international standards for information protection or takes measures for information protection, as prescribed by Ordinance of the Ministry of Science, ICT and Future Planning, the Minister of Science, ICT and Future Planning may omit part of certification examination under paragraph (1). In this case, the detailed scope of omitted certification examination shall be determined and publicly notified by the Minister of Science, ICT and Future Planning. (Inserted by Act nº 13520, Dec. 1, 2015)

(4)       The Minister of Science, ICT and Future Planning may, for the purpose of certification for information security management system under paragraph (1), determine and give a public notice of other necessary matters such as certification criteria, including countermeasures for managerial, technical and physical protection. (Amended by Act nº 11322, Feb. 17, 2012; Act nº 11690, Mar. 23, 2013; Act nº 13520, Dec. 1, 2015)

(5)       The period of validity of the certification for an information security management system under paragraph (1) shall be three years: Provided, That upon the receipt of any rating for information protection and management in accordance with Article 47-5 (1), the certification under paragraph (1) shall be deemed effective during the period of validity of such rating. (Inserted by Act nº 11322, Feb. 17, 2012; Act nº 13520, Dec. 1, 2015)

(6)       The Minister of Science, ICT and Future Planning may have the Korea Internet Security Agency or any institution (hereinafter referred to as a “certification body of information security management systems”) designated by the Minister of Science, ICT and Future Planning perform the following affairs related to the certification under paragraphs (1) and (2): (Inserted by Act nº 11322, Feb. 17, 2012; Act nº 11690, Mar. 23, 2013; Act nº 13520, Dec. 1, 2015)

1.         Examination (hereinafter referred to as an “examination of certification”) to verify whether the information security management system established by an applicant for certification meets the standards for certification under paragraph (4);

2.         Review on the results of examination of certification;

3.         Issuance and management of written certifications;

4.         Ex post facto management of granted certifications;

5.         Fosterage and qualification management of the certification examiners of information security management systems;

6.         Other affairs concerning the certification for information security management systems.

(7)       The Minister of Science, ICT and Future Planning may, if necessary for the efficient conduct of affairs related to certification, designate an institution for performing affairs related to examination of certification (hereinafter referred to as an “examination institution for information security management systems”). (Inserted by Act nº 13520, Dec. 1, 2015)

(8)       The Korea Internet Security Agency, a certification body for information security management systems, and an examination institution for information security management systems shall, in order to enhance the efficiency of information security management systems, perform ex post facto management at least once a year and notify the Minister of Science, ICT and Future Planning of the results thereof. (Inserted by Act nº 11322, Feb. 17, 2012; Act nº 11690, Mar. 23, 2013; Act nº 13520, Dec. 1, 2015)

(9)       A person who has received certification of an information security management system in accordance with paragraphs (1) and (2) may indicate or publicize the content of the certification, as prescribed by Presidential Decree. (Amended by Act nº 11322, Feb. 17, 2012; Act nº 13520, Dec. 1, 2015)

(10)     The Minister of Science, ICT and Future Planning may revoke the certification where any of the following grounds are found: Provided, That for the cases falling under subparagraph 1, the Minister of Science, ICT and Future Planning shall revoke the certification: (Inserted by Act nº 11322, Feb. 17, 2012; Act nº 11690, Mar. 23, 2013; Act nº 13520, Dec. 1, 2015)

1.         Having received the certification of an information security management system in a false or otherwise unjustifiable manner;

2.         Falling short of the standards for certification under paragraph (4);

3.         Refusing or obstructing the ex post facto management under paragraph (8).

(11)     Methods and procedures for, and scope and fees of, certification under paragraphs (1) and (2), methods and procedures for ex post facto management under paragraph (8), methods and procedures for revoking certification under paragraph (10), and other necessary matters shall be prescribed by Presidential Decree. (Amended by Act Nº 11322, Feb. 17, 2012; Act Nº 13520, Dec. 1, 2015)

(12)     Standards and procedures for, and period of validity of, the designation of a certification body for information security management systems and an examination institution for information security management systems shall be prescribed by Presidential Decree. (Amended by Act Nº 11322, Feb. 17, 2012; Act Nº 13520, Dec. 1, 2015)

(Amended by Act nº 9119, Jun. 13, 2008)

 Article 47-2 (Revocation of Designation of Certification Body of and Examination Institution for Information Security Management Systems)         

(1)       If a legal entity or organization designated as a certification body for information security management systems or an examination institution for information security management systems pursuant to Article 47 falls under any of the following subparagraphs, the Minister of Science, ICT and Future Planning may revoke the designation or order it to suspend the relevant business, entirely or partially, for a prescribed period of time not exceeding one year: Provided, That the designation shall be revoked without exception, if the legal entity or organization falls under subparagraph 1 or 2: (Amended by Act Nº 11322, Feb. 17, 2012; Act Nº 11690, Mar. 23, 2013; Act Nº 13520, Dec. 1, 2015)

1.         If it has obtained the designation of a certification body or an examination institution for information security management systems by deceit or by any other fraudulent means;

2.         If it has granted or examined certification during a business suspension period;

3.         If it has not performed certification or examination of certification without justifiable grounds;

4.         If it has performed certification or examination of certification, in violation of Article 47 (11);

5.         If it no longer meets the criteria for designation under Article 47 (12).

(2)       Matters necessary for the revocation of designation and suspension of business under paragraph (1) and other related matters shall be prescribed by Presidential Decree.

(Amended by Act nº 9119, Jun. 13, 2008)

 Article 47-3 (Certification of Personal Information Management System)             

(1)       With respect to a person who established and is operating a comprehensive management system including administrative, technical and physical protective measures in order to systematically and continuously perform the activities for protection of personal information in the information and communications network (hereinafter referred to as “personal information management system”), the Korea Communications Commission may certify as to whether the management system meets the standards pursuant to paragraph (2).

(2)       The Korea Communications Commission may, for the certification of personal information management system pursuant to paragraph (1), determine and give a public notice of standards for the certification including administrative, technical and physical protective measures and other necessary matters.

(3)       Concerning the institutions which implement the personal information management system and the follow-up management, etc., Article 47 (6) through (12) shall apply mutatis mutandis thereto. In this case, the term “paragraphs (1) and (2)” shall be deemed “paragraph (1)”. (Amended by Act Nº 13520, Dec. 1, 2015)

(4)       Concerning the revocation of designation, etc. of a certifying institution of the personal information management system, Article 47-2 shall apply mutatis mutandis thereto.

(Article Inserted by Act nº 11322, Feb. 17, 2012)

Article 47-4 (Protection of User Information)           

(1)       The Government may prescribe guidelines necessary for protection of information of users and recommend that users observe the guidelines, and may take necessary measures for preventing intrusions and precluding spread of intrusions, such as inspection of weaknesses and technical support.

(2)       A major provider of information and communications services may, if it is foreseen that a serious problem is likely to occur in the information system of a user who uses the services, the information and communications network, or similar provided by it because of an occurrence of a serious intrusion on its information and communications network, request the user to take necessary protective measures as stipulated by the standard user agreement, and may place a temporary restriction on access to the relevant information and communications network if the user does not perform as requested.

(3)       A software business operator under Article 2 of the Software Industry Promotion Act shall, when he or she has produced a program that improves weaknesses in security, notify the Korea Internet and Security Agency of its production, and shall notify users of the software of the production at least twice within one month from the date of production. (Amended by Act Nº 9637, Apr. 22, 2009)

(4)       Specific details that shall be stipulated by the standard user agreement with respect to the request for protective measures under paragraph (2) and other related matters shall be prescribed by Presidential Decree.

(Amended by Act nº 9119, Jun. 13, 2008)

 Article 47-5 (Management Rating for Information Protection)       

(1)       A person who has obtained the certification for information security management system pursuant to Article 47 is entitled to receive the management rating for information protection from the Minister of Science, ICT and Future Planning in order to enhance the level of a corporation’s management of its comprehensive information protection and to secure users’ reliability on information protection services. (Amended by Act Nº 11690, Mar. 23, 2013)

(2)       The Minister of Science, ICT and Future Planning may authorize the Korea Internet and Security Agency to perform the affairs of rating under paragraph (1). (Amended by Act Nº 11690, Mar. 23, 2013)

(3)       A person who has obtained the management rating for information protection pursuant to paragraph (1) may indicate the obtained rating or advertise details of such rating as determined by Presidential Decree.

(4)       In cases where the Minister of Science, ICT and Future Planning finds causes falling under any of the following subparagraphs, the Minister may revoke the aforementioned rating: Provided, That for the cases falling under subparagraph 1, the Minister shall revoke the granted rating: (Amended by Act Nº 11690, Mar. 23, 2013; Act Nº 13520, Dec. 1, 2015)

1.         Where a person obtained the management rating for information protection, by fraud or other improper means;

2.         Where falling short of the standards of rating pursuant to paragraph (5).

(5)       Standards of review in assigning the rating pursuant to paragraph (1), the method, procedure and fee of assigning the rating, the effective term of rating, the method/procedure of revocation of rating pursuant to paragraph (4) and other necessary matters shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 11322, Feb. 17, 2012)

Article 48 (Prohibition on Intrusive Acts, etc. on Information and Communications Network)     

(1)       No one shall intrude on an information and communications network without a rightful authority for access or beyond a permitted authority for access.

(2)       No one shall mutilate, destroy, alter, or forge an information and communications system, data, program, or similar without justifiable grounds, nor shall convey or spread a program that is likely to interrupt operation of such system, data, program, or similar (hereinafter referred to as “malicious program”).

(3)       No one shall cause trouble to an information and communications network, for the purpose of interfering with stable operation of the information and communications network, by sending a large amount of signals or data, letting the network process an illegitimate order, or doing similar actions.

(Amended by Act nº 9119, Jun. 13, 2008)

 Article 48-2 (Countermeasures, etc. against Intrusion Cases)          

(1)       The Minister of Science, ICT and Future Planning shall perform the following business affairs to take proper countermeasures against intrusion, and may have the Korea Internet and Security Agency perform all or part of the business affairs, if necessary to do so: (Amended by Act Nº 9637, Apr. 22, 2009; Act Nº 11690, Mar. 23, 2013)

1.         Collection and spread of information about intrusion;

2.         Precaution and warning of intrusion;

3.         Emergency measures against intrusion;

4.         Other countermeasures against intrusion prescribed by Presidential Decree.

(2)       A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: (Amended by Act Nº 9637, Apr. 22, 2009; Act Nº 11690, Mar. 23, 2013)

1.         A major provider of information and communications services;

2.         A business operator of clustered information and communications facilities;

3.         Other persons specified by Presidential Decree among those who operate an information and communications network.

(3)       The Korea Internet and Security Agency shall analyze the information under paragraph (2) and report it to the Minister of Science, ICT and Future Planning. (Amended by Act Nº 9637, Apr. 22, 2009; Act Nº 11690, Mar. 23, 2013)

(4)       If a business operator who is obligated to furnish the information in accordance with paragraph (2) refuses to do so without a justifiable ground or furnishes false information, the Minister of Science, ICT and Future Planning may order the business operator to make a correction within a reasonable period of time prescribed by the Commission. (Amended by Act Nº 11690, Mar. 23, 2013)

(5)       The Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency shall use the information furnished in accordance with paragraph (2) properly within the extent necessary for taking countermeasures against intrusion. (Amended by Act Nº 9637, Apr. 22, 2009; Act Nº 11690, Mar. 23, 2013)

(6)       The Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency may, if necessary to take countermeasures against intrusion, request a person falling under any subparagraph of paragraph (2) to provide human resources for assistance. (Amended by Act Nº 9637, Apr. 22, 2009; Act Nº 11690, Mar. 23, 2013)

(Amended by Act nº 9119, Jun. 13, 2008)

 Article 48-3 (Report, etc. on Intrusion Cases)          

(1)       A person falling under any of the following subparagraphs shall, where he or she discovers an intrusion, immediately report it to the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency. In such cases, a notice given in accordance with Article 13 (1) of the Act on the Protection of Information and Communications Infrastructure shall be deemed a report under the foregoing sentence: (Amended by Act Nº 9637, Apr. 22, 2009; Act Nº 11690, Mar. 23, 2013)

1.         A provider of information and communications services;

2.         A business operator of clustered information and communications facilities.

(2)       The Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency shall, upon receiving a report of intrusion under paragraph (1) or being aware of an intrusion, take necessary measures under subparagraphs of Article 48-2 (1). (Amended by Act Nº 9637, Apr. 22, 2009; Act Nº 11690, Mar. 23, 2013)

(Amended by Act nº 9119, Jun. 13, 2008)

 Article 48-4 (Analysis, etc. of Cause of Intrusion Cases)     

(1)       A person who operates an information and communications network, including a provider of information and communications services, shall analyze causes of intrusion and keep damage from intrusion at bay, whenever an intrusion occurs.

(2)       The Minister of Science, ICT and Future Planning may, when a serious intrusion occurs in an information and communications network operated by a provider of information and communications services, organize a private-public joint investigation team having expertise in protection of information to conduct an analysis on causes of such intrusion in order to preclude spread of damage, take countermeasures against the intrusion, recover from damage and prevent recurrence of such intrusion. (Amended by Act Nº 11690, Mar. 23, 2013)

(3)       The Minister of Science, ICT and Future Planning may, if deemed necessary for analyzing causes of an intrusion pursuant to paragraph (2), order a provider of information and communications services and a business operator of clustered information and communications facilities to preserve relevant data, such as access records of the relevant information and communications network. (Amended by Act Nº 11690, Mar. 23, 2013)

(4)       The Minister of Science, ICT and Future Planning may, if deemed necessary for analyzing causes of an intrusion, demand a provider of information and communications services and a business operator of clustered information and communications facilities to submit data related to the intrusion, and also may order the private-public joint investigation team under paragraph (2) to enter into a place of business of a person involved to conduct investigation into the causes of the intrusion: Provided, That submission of data corresponding to access log data under subparagraph 11 of Article 2 of the Protection of Communications Secrets Act shall be governed by the provisions of the aforesaid Act. (Amended by Act Nº 11690, Mar. 23, 2013)

(5)       The Minister of Science, ICT and Future Planning or the private-public joint investigation team shall not use the information learned through the data submitted and the investigation conducted in accordance with paragraph (4) for any purpose other than analysis of causes of the intrusion and preparation of countermeasures, and shall destroy it immediately after the analysis of causes is completed. (Amended by Act Nº 11690, Mar. 23, 2013)

(6)       Necessary matters concerning the organization of the private-public joint investigation team under paragraph (2) and the protection of data submitted in relation to an intrusion in accordance with paragraph (4), and other related matters shall be prescribed by Presidential Decree.

(Amended by Act nº 9119, Jun. 13, 2008)

 Article 49 (Protection of Secrets, etc.)          

No one shall mutilate another person’s information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person’s secret.

(Amended by Act nº 9119, Jun. 13, 2008)

 Article 49-2 (Prohibition on Collection, etc. of Personal Information by Acts of Deceit)  

(1)       No one shall collect another person’s information through an information and communications network by an act of deceit, nor shall entice another person by an act of deceit to furnish information.

(2)       A provider of information and communications services shall, whenever it discovers a violation of paragraph (1), immediately report it to the Minister of Science, Information and Communications Technology (ICT) and Future Planning, the Korea Communications Commission, or the Korea Internet and Security Agency. (Amended by Act Nº 9637, Apr. 22, 2009; Act Nº 14080, Mar. 22, 2016)

(3)       The Minister of Science, Information and Communications Technology (ICT) and Future Planning, the Korea Communications Commission, or the Korea Internet and Security Agency shall, upon receiving a report under paragraph (2) or becoming aware of a violation of paragraph (1), take the following measures as may be necessary: (Amended by Act Nº 9637, Apr. 22, 2009; Act Nº 14080, Mar. 22, 2016)

1.         Collection and diffusion of the information related to the violation;

2.         Precaution and warning of similar damage;

3.         Emergency measures to prevent damage and spread thereof, including requesting the relevant provider of information and communications services to block access paths or to inform the users of the fact that they are exposed to an act of violating paragraph (1).

(4)       The Minister of Science, Information and Communications Technology (ICT) and Future Planning, or the Korea Communications Commission may, for taking measures referred to in paragraph (3) 3, order providers of information and communications services to take necessary measures, such as sharing among themselves information regarding acts of deceit through information and communications networks. (Inserted by Act nº 14080, Mar. 22, 2016)

(Amended by Act nº 9119, Jun. 13, 2008)

Article 50 (Restrictions on Transmission of Advertising Information for Profit)    

(1)       If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: (Amended by Act Nº 14080, Mar. 22, 2016)

1.         Where a person who has directly collected contact details from the addressee in his or her dealings of goods, etc. intends to transmit advertising information for profit on the same kinds of goods, etc. as those he or she manages and has dealt with the addressee within a period prescribed by Presidential Decree;

2.         Where a telemarketer under the Act on Door-to-Door Sales, Etc. informs prospective customers of the collection source of their personal information by voice, and solicits them to buy products or services by means of telephone call.

(2)       Notwithstanding paragraph (1), where an addressee expresses his or her intention to refuse to receive information or revokes his or her prior consent, no person who intends to transmit advertising information for profit by using an electronic transmission medium shall transmit advertising information for profit.

(3)       Notwithstanding paragraph (1), a person who intends to transmit advertising information for profit by using an electronic transmission medium during the time between 9:00 pm and 8:00 am of the following day shall obtain express prior consent from the addressee of such information: Provided, That in cases of media prescribed by Presidential Decree, the foregoing shall not apply thereto.

(4)       A person who transmits advertising information for profit by using an electronic transmission medium shall specify the following matters in advertising information, as prescribed by Presidential Decree:

1.         The name and contact details of a sender;

2.         Matters concerning measures and methods by which an addressee can easily express his or her intention to refuse to receive information or to revoke his or her consent to receive information.

(5)       No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures:

1.         Measures to avoid or interfere with an addressee’s refusal to receive or revocation of his or her consent to receive advertising information;

2.         Measures to automatically generate an addressee’s contact information, such as telephone numbers and email addresses, by combining figures, codes, or letters;

3.         Measures to automatically register telephone numbers or email addresses for the purpose of transmitting advertising information for profit;

4.         Various measures to hide the identity of the sender of advertising information or the source from which advertising is transmitted;

5.         Various measures to induce an addressee to reply by deceiving him or her for the purpose of transmitting advertising information for profit.

(6)       A person who transmits advertising information for profit by using an electronic transmission medium shall take necessary measures so that an addressee does not incur any cost, such as telephone charges, when the addressee refuses to receive or revokes his or her consent to receive such information, as prescribed by Presidential Decree.

(7)       Where an addressee gives prior consent under paragraph (1) or expresses his or her intention to refuse to receive or revoke his or her consent to receive advertising information under paragraph (2), a person who intends to transmit advertising information for profit by using an electronic transmission medium shall inform the relevant addressee of the outcomes of measures taken in relation to consent to receive, refusal to receive, or revocation of consent to receive advertising information, as prescribed by Presidential Decree.

(8)       A person who obtains consent to receive advertising information pursuant to paragraph (1) or (3) shall regularly verify whether an addressee of advertising information consents to receive such information, as prescribed by Presidential Decree.

(This Article Wholly Amended by Act Nº 12681, May 28, 2014)

 Article 50-2 Deleted. (by Act Nº 12681, May 28, 2014)      

 Article 50-3 (Commissioned Transmission of Advertising Information for Profit)            

(1)       A person who has commissioned a third party to transmit advertising information for profit on his or her behalf shall control and oversee the person to whom the transmission was commissioned to ensure that the person does not violate Article 50. (Amended by Act Nº 12681, May 28, 2014)

(2)       A person to whom transmission of advertising information for profit has been commissioned under paragraph (1) shall be deemed an employee of the person who has commissioned the transmission of information in determining liability for damages caused by a violation of an Act related to such business affair.

(Amended by Act nº 9119, Jun. 13, 2008)

 Article 50-4 (Restrictions on Rendering Information Transmission Services)        

(1)       A provider of information and communications services may take measures to refuse rendering corresponding services in any of the following cases:

1.         If transmission or reception of advertising information hinders or is likely to hinder rendering the services;

2.         If a user does not want to receive advertising information;

3.         Deleted. (by Act Nº 12681, May 28, 2014)

(2)       If a provider of information and communications services intends to take any measure for refusal under paragraph (1) or (4), he or she shall include matters concerning the refusal of the relevant services in the terms and conditions of a contract for use of information and communications services which he or she concludes with the user of such services. (Amended by Act Nº 12681, May 28, 2014)

(3)       A provider of information and communications services shall inform interested persons, such as users to whom such services are provided, of the fact that he or she has taken measures for refusal under paragraph (1) or (4): Provided, That where it is impracticable to inform them of the fact in advance, he or she shall inform them of the fact immediately after it has taken measures for refusal. (Amended by Act Nº 12681, May 28, 2014)

(4)       Where services which a provider of information and communications services provides to users under a contract for use are used for transmitting advertising information for profit, in violation of Article 50 or 50-8, the relevant provider of information and communications services shall formulate necessary measures, such as refusal to provide the relevant services or fixing of problems of information and communications networks or services. (Inserted by Act nº 12681, May 28, 2014)

(Amended by Act nº 9119, Jun. 13, 2008)

Article 50-5 (Installation of Advertising Program for Profit)           

A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user’s computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion.

(Amended by Act nº 9119, Jun. 13, 2008)

 Article 50-6 (Distribution of Software Designed to Block Transmission of Advertising Information for Profit)  

(1)       The Korea Communications Commission may develop and distribute software or computer programs designed for addressees to conveniently block or report any advertising information for profit when it is transmitted in violation of Article 50.

(2)       The Korea Communications Commission may provide necessary support to related public agencies, legal entities, organizations, or similar for facilitating the development and distribution of software or computer programs for cutting off or reporting transmission under paragraph (1).

(3)       If telecommunications services rendered by a provider of information and communications services are used in transmitting advertising information for profit in violation of Article 50, the Korea Communications Commission may recommend the provider of information and communications services to take necessary measures, such as development of technology, education, and public relations activities to protect addressees.

(4)       The method of the development and distribution under paragraph (1) and the matters necessary for the support under paragraph (2) shall be prescribed by Presidential Decree.

(Amended by Act nº 9119, Jun. 13, 2008)

 Article 50-7 (Restrictions on Posting of Advertising Information for Profit)         

(1)       Where any person intends to post advertising information for profit on an Internet website, he or she shall obtain prior consent from the operator or the manager of an Internet website: Provided, That in cases of a message board to which any person can have easy access without special authority and on which any person can post his or her message, he or she need not obtain prior consent.

(2)       Notwithstanding paragraph (1), where the operator or the manager of an Internet website explicitly expresses his or her intention to refuse to post a notice or to revoke his or her prior consent, no person who intends to post advertising information for profit shall post advertising information for profit.

(3)       The operator or the manager of the Internet website may take measures, such as deletion of advertising information for profit posted, in violation of paragraph (1) or (2).

(This Article Wholly Amended by Act Nº 12681, May 28, 2014)

 Article 50-8 (Prohibition on Transmission of Advertising Information for Unlawful Act)            

No one shall transmit any advertising information for goods or services prohibited by this Act or any other Act through an information and communications network.

(Amended by Act nº 9119, Jun. 13, 2008)

 Article 51 (Restriction, etc. on Outflow of Important Information to Abroad)       

(1)       The Government may have providers or users of information and communications services take necessary measures to prevent outflow abroad of any important information about industry, economy, science, technology, etc. of this country through information and communications networks.

(2)       The scope of the important information under paragraph (1) shall be as follows:

1.         Information related to the national security and major policies;

2.         Information about details of cutting-edge science and technology or equipment developed within this country.

(3)       The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: (Amended by Act Nº 14080, Mar. 22, 2016)

1.         Installation of a systematic or technical device for preventing unlawful use of information and communications networks;

2.         Systematic and technical measures for preventing unlawful destruction or manipulation of information;

3.         Measures for preventing leakage of important information that providers of information and communications services have learned while managing the information.

(Amended by Act nº 9119, Jun. 13, 2008)

 Article 52 (Korea Internet and Security Agency)     

(1)       The Government shall establish the Korea Internet and Security Agency (hereinafter referred to as the “Internet and Security Agency”) to upgrade the information and communications network (excluding matters concerning establishment, improvement and management of information and telecommunications network), encourage the safe use thereof, and promote the international cooperation and advancement into the overseas market in relation to broadcasting and communications. (Amended by Act Nº 9637, Apr. 22, 2009)

(2)       The Internet and Security Agency shall be a legal entity. (Amended by Act Nº 9637, Apr. 22, 2009)

(3)       The Internet and Security Agency shall perform the following business affairs: (Amended by Act Nº 9637, Apr. 22, 2009; Act Nº 11322, Feb. 17, 2012; Act Nº 11690, Mar. 23, 2013; Act Nº 12844, Nov. 19, 2014; Act Nº 13343, Jun. 22, 2015)

1.         Survey and research of laws, policies and systems for the use and protection of the information and telecommunications network, promotion of the international cooperation and advancement into the overseas market in relation to broadcasting and communications, etc.;

2.         Survey and research of statistics concerning the use and protection of the information and telecommunications network;

3.         Analysis of negative effects arising from the use of the information and telecommunications network and research on countermeasures;

4.         Public relations activities, education, and training for using and protecting the information and telecommunications network;

5.         Information protection for the information and telecommunications network, development of technologies concerning the Internet address resources and standardization thereof;

6.         Support for policies for the information security industry, development of relevant technology and fostering of human resources;

7.         Certification of the information security management system, implementation of and support for certification, evaluation, etc. of the information protection, such as evaluation or certification of the information security system;

8.         Research of measures to protect personal information and support for development and proliferation of protection technology;

9.         Support for the operation of the Dispute Mediation Committee and operation of the privacy call center;

10.       Transmission of promotional information and consultation on and processing of complaints related to Internet advertisements;

11.       Operation of a system to deal with intrusion cases of information and telecommunications network, analyze the causes thereof, and respond thereto;

12.       Management of certification of digital signatures under Article 25 (1) of the Digital Signature Act;

13.       Support for an efficient operation of the Internet and encouragement of wider use thereof;

14.       Support for the protection of stored information of the Internet users;

15.       Support for service policies pertaining to the Internet;

16.       Protection of users and support for the proliferation of sound information on the Internet;

17.       Affairs related to the management of Internet address resources under the Internet Address Resources Act;

18.       Support for the operation of the Internet Address Dispute Resolution Committee under Article 16 of the Internet Address Resources Act;

19.       Support for operation of the conciliation committee under Article 25 (7) of the Act on the Promotion of Information Security Industry;

20.       Support for international cooperation, overseas expansion and overseas publicity activities concerning broadcasting and communications;

21.       Businesses incidental to those referred to in subparagraphs 1 through 20;

22.       Other businesses determined to fall under the affairs of, or entrusted to, the Internet and Security Agency in accordance with this Act, or any other statute, or other businesses entrusted by the Minister of Science, ICT and Future Planning, the Minister of Interior, the Korea Communications Commission, or the head of any other administrative agency.

(4)       Expenses necessary for the business affairs of the Internet and Security Agency shall be funded by the following financial resources: (Amended by Act Nº 14080, Mar. 22, 2016)

1.         Government’s contributions;

2.         Revenues accrued from businesses referred to in each subparagraph of paragraph (3);

3.         Other revenues accrued from operating the Internet and Security Agency.

(5)       The provisions governing incorporated foundations under the Civil Act shall apply mutatis mutandis to any matter not provided for in this Act with respect to the Internet and Security Agency. (Amended by Act Nº 9637, Apr. 22, 2009)

(6)       Any person, other than the Internet and Security Agency, shall not use the name called “Korea Internet and Security Agency.” (Amended by Act Nº 9637, Apr. 22, 2009)

(7)       Matters necessary for the operation of the Internet and Security Agency and performance of its business affairs shall be prescribed by Presidential Decree. (Amended by Act Nº 9637, Apr. 22, 2009)

(Amended by Act nº 9119, Jun. 13, 2008)

CHAPTER VII.- TELECOMMUNICATIONS BILLING SERVICES

Article 53 (Registration, etc. of Provider of Telecommunications Billing Services)           

(1)       A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: (Amended by Act Nº 8867, Feb. 29, 2008; Act Nº 11690, Mar. 23, 2013)

1.         Financial soundness;

2.         A plan for protection of users of telecommunications billing services;

3.         Human resources and physical facilities required for carrying on the business;

4.         A business plan.

(2)       A person eligible for the registration under paragraph (1) shall be either a company under Article 170 of the Commercial Act or a legal entity under Article 32 of the Civil Act and the total amount of its capital, contributions, or fundamental property shall not be less than the amount specified by Presidential Decree and more than 500 million won.

(3)       Notwithstanding Article 22 of the Telecommunications Business Act, a provider of telecommunications billing services may omit reporting as a value-added telecommunications business operator. (Amended by Act Nº 10166, Mar. 22, 2010)

(4)       Articles 23 through 26 of the Telecommunications Business Act shall apply mutatis mutandis to a revision to registration of a provider of telecommunications billing services, the transfer or acquisition of business, or the merger or inheritance of business, the succession to business, the cessation, discontinuance, dissolution, or similar of business of a provider of telecommunications billing services. In such cases, “special telecommunications business operator” shall be construed as “provider of telecommunications billing services,” and “special telecommunications business” as “telecommunications billing services.” (Amended by Act Nº 10166, Mar. 22, 2010)

(5)       Detailed requirements and procedure for the registration under paragraph (1) and other necessary matters shall be prescribed by Presidential Decree.

(Article Inserted by Act Nº 8778, Dec. 21, 2007)

Article 54 (Disqualification from Registration)         

A person falling under any of the following subparagraphs shall be disqualified for the registration under Article 53: (Amended by Act Nº 8867, Feb. 29, 2008; Act Nº 11690, Mar. 23, 2013)

1.         A legal entity in which case one year has not elapsed since its business was discontinued pursuant to Article 53 (4) or a person who was a major shareholder of such legal entity at the time when its business was discontinued (referring to an investor specified by Presidential Decree; hereinafter the same shall apply), if one year has not elapsed since the date of discontinuance;

2.         A legal entity in which case three years have not elapsed since its registration was revoked pursuant to Article 55 (1) or a person who was a major shareholder of such legal entity at the time when its registration was revoked, if three years have not elapsed since the date of revocation;

3.         A legal entity that is still under rehabilitation proceedings under the Debtor Rehabilitation and Bankruptcy Act or a major shareholder of such legal entity;

4.         A person who did not perform his or her obligations within an agreed time limit in a banking transaction or any other commercial transaction and who is specified by the Minister of Science, ICT and Future Planning;

5.         A legal entity any of whose major shareholders falls under any provision of subparagraphs 1 through 4.

(Article Inserted by Act nº 8778, Dec. 21, 2007)

Article 55 (Order to Revoke Registration)     

(1)       Where a provider of telecommunications billing services makes a registration by fraud or other improper means, the Minister of Science, ICT and Future Planning shall revoke the registration. (Amended by Act nº 13343, Jun. 22, 2015)

(2)       The procedure for the disposition under paragraph (1) and other necessary matters shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 8778, Dec. 21, 2007)

Article 56 (Reporting on Standard Contract Form)   

(1)       Every provider of telecommunications billing services shall prepare a standard contract form on telecommunications billing services and report it to the Minister of Science, ICT and Future Planning (including reporting on a revision thereto). (Amended by Act Nº 8867, Feb. 29, 2008; Act Nº 11690, Mar. 23, 2013)

(2)       The Minister of Science, ICT and Future Planning may, if it is found that a standard contract form under paragraph (1) is likely to undermine the interests of users of telecommunications billing services, recommend the relevant provider of telecommunications billing services to revise the standard contract form. (Amended by Act Nº 8867, Feb. 29, 2008; Act Nº 11690, Mar. 23, 2013)

(Article Inserted by Act nº 8778, Dec. 21, 2007)

Article 57 (Securing Safety in Telecommunications Billing Services)         

(1)       Every provider of telecommunications billing services shall perform his or her duty to pay attention as a good manager so that telecommunications billing services may be provided in a safe manner. (Amended by Act Nº 12681, May 28, 2014)

(2)       Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree.

(Article Inserted by Act nº 8778, Dec. 21, 2007)

Article 58 (Rights of Providers of Telecommunications Billing Services)   

(1)       When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: (Amended by Act nº 10560, Apr. 5, 2011; Act nº 12681, May 28, 2014)

1.         Date and time telecommunications billing services are used;

2.         Trade name and contact information of the other party (referring to a person who sells and/or provides goods/services in a transaction through telecommunications billing services; hereinafter referred to as “other party to a transaction”);

3.         Amount purchased/used through telecommunications billing services and details thereof;

4.         Methods of raising an objection and contact information.

(2)       A provider of telecommunications billing services shall provide users of telecommunications billing services with a method by which users can verify the details of purchase and use, and shall also furnish a user, upon request, with a written statement on the details of purchase and use (including an electronic document; hereinafter the same shall apply) within two weeks from the date requested.

(3)       Where a user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user’s request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. (Amended by Act Nº 12681, May 28, 2014)

(4)       Every provider of telecommunications billing services shall preserve records of telecommunications billing services during the period, within the limit of five years, prescribed by Presidential Decree.

(5)       Where a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) provides telecommunications billing services or increases the upper limits of use, it shall obtain consent from a user of the relevant telecommunications billing services in advance. (Inserted by Act nº 12681, May 28, 2014)

(6)       When a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) amends any of the contractual terms and conditions, he or she shall notify users of the amendment thereof one month prior to the effective date of the amended contractual terms and conditions. In such cases, a user who has an objection to the amended contractual terms and conditions may terminate the contract for telecommunications billing services. (Inserted by Act nº 12681, May 28, 2014)

(7)       The period, types, and scope of the details of purchase and use which a provider of telecommunications billing services should provide pursuant to paragraph (2), types and methods of preservation of the records which a provider of telecommunications billing services should preserve pursuant to paragraph (4), and matters necessary for the termination of the contract, such as methods of notifying amendment to the contractual terms and conditions, the period and procedures for raising an objection, shall be prescribed by Presidential Decree. (Amended by Act Nº 12681, May 28, 2014)

(8)       The Minister of Science, ICT, and Future Planning shall prescribe and provide a public notice of matters necessary for methods for giving consent, etc. under paragraph (5). (Inserted by Act nº 12681, May 28, 2014)

(9)       The Minister of Science, ICT, and Future Planning may prescribe and give a public notice of detailed matters concerning methods for settling accounts, etc. so that telecommunications billing services are not provided against the will of users of telecommunications billing services. (Inserted by Act nº 12681, May 28, 2014)

(Article Inserted by Act nº 8778, Dec. 21, 2007)

Article 59 (Dispute Resolution)          

(1)       Every provider of telecommunications billing services may install and operate an institution or organization that voluntarily resolves disputes to protect rights and interests of users.

(2)       Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. (Amended by Act Nº 12681, May 28, 2014)

(Article Inserted by Act nº 8778, Dec. 21, 2007)

Article 60 (Liability for Damages)     

(1)       A provider of telecommunications billing services shall be liable for damages caused to a user of the telecommunications billing services while rendering the services: Provided, That the same shall not apply in cases where the damages were caused by an intentional act or gross negligence on the part of the user of the telecommunications billing services.

(2)       A provider of telecommunications billing services shall negotiate with the claimant to damages for agreement on compensation for the damages under paragraph (1).

(3)       If parties fail to or are unable to reach an agreement on compensation for damages under paragraph (2), either party may file an application for decision with the Korea Communications Commission. (Amended by Act Nº 8867, Feb. 29, 2008)

(Article Inserted by Act nº 8778, Dec. 21, 2007)

Article 61 (Restriction on Use of Telecommunications Billing Services)    

The Minister of Science, ICT and Future Planning may order a provider of telecommunications billing services to deny, suspend, or place a restriction on the services against a person falling under any of the following subparagraphs: (Amended by Act Nº 8867, Feb. 29, 2008; Act Nº 11048, Sep. 15, 2011; Act Nº 11690, Mar. 23, 2013)

1.         A person who sells, lends, or provides any unwholesome medium for juveniles to juveniles in violation of Article 16 of the Juvenile Protection Act;

2.         A person who undermines interests of users of telecommunications billing services seriously by enticing the users to purchase or use goods or services in any of the following means:

(a)        Transmitting any advertising information for profit in violation of Article 50;

(b)       Deceiving or enticing users of telecommunications billing services wrongfully;

3.         A person who sells or renders goods or services prohibited by this Act or any other Act.

(Article Inserted by Act nº 8778, Dec. 21, 2007)

CHAPTER VIII.- INTERNATIONAL COOPERATION

 Article 62 (International Cooperation)          

The Government shall cooperate reciprocally with other nations or international organizations in carrying out the following affairs:

1.         Affairs related to the transfer of personal information between nations and the protection of personal information;

2.         Affairs for the protection of juveniles in information and communications networks;

3.         Affairs for the prevention of acts that undermine safety of information and communications networks;

4.         Other affairs for the facilitation of sounder and safer use of information and communications services.

(Amended by Act nº 9119, Jun. 13, 2008)

 Article 63 (Protection of Personal Information Transferred Abroad)          

(1)       Any provider of information and communications services or similar shall not conclude an international contract with any term or condition in violation of this Act with respect to personal information of users.

(2)       A provider, etc. of information and communications services shall obtain consent of the users in the case of intending to provide (including being inquired of), entrust management of, or deposit, such users’ personal information overseas (hereafter referred to as “transfer” in this Article): Provided, That the said provider, etc. of information and communications services may not go through a procedure for consent to either entrustment of management, or deposit, of the relevant personal information where such transfer is necessary for implementing a contract on the provision of information and communications services and promoting the users’ convenience, and such provider, etc. discloses all the matters referred to in each subparagraph of paragraph (3) pursuant to Article 27-2 (1) or informs the users of such matters in a manner prescribed by Presidential Decree, including by means of email. (Amended by Act Nº 14080, Mar. 22, 2016)

(3)       A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance:

1.         Items of the personal information transferred;

2.         A nation to which the personal information is to be transferred, the date and time, and methods of transfer;

3.         The name of the person to whom the personal information is to be transferred (referring to the name of a legal entity and the contact information of the person responsible for management of information, if the person is a legal entity);

4.         The purposes of use of the person to whom the personal information is to be transferred, and the period of time for possession and use of the personal information.

(4)       A provider of information and communications services or similar shall, when it transfers personal information abroad with consent under paragraph (2), take protective measures, as prescribed by Presidential Decree.

(Amended by Act nº 9119, Jun. 13, 2008)

CHAPTER IX.- SUPPLEMENTARY PROVISIONS

Article 64 (Submission of Data)

(1)       The Minister of Science, ICT and Future Planning or the Korea Communications Commission may require a provider of information and communications services or similar (including a person to whom this Article shall apply mutatis mutandis pursuant to Article 67; hereafter the same shall apply in this Article) to submit related articles, documents, and others in any of the following cases: (Amended by Act Nº 10465, Mar. 29, 2011; Act Nº 11322, Feb. 17, 2012; Act Nº 11690, Mar. 23, 2013)

1.         If he or she becomes aware of a violation or suspected violation of this Act;

2.         If he or she receives a report or petition on a violation of this Act;

2-2.      If an event, accident, or similar occurrence that noticeably damages the safety and reliability of users’ information occurs or is likely to occur;

3.         If there is any other ground specified by Presidential Decree to believe that it is necessary for the protection of users.

(2)       The Korea Communications Commission may, when it intends to take the following measures against a person who transmitted any advertising information for profit in violation of this Act, request a provider of information and communications services or similar to let it peruse or to submit data of the person who transmitted the advertising information, such as the name, address and national identification number of the person and the period of time of access:

1.         Corrective measures under paragraph (4);

2.         Imposition of administrative fines under Article 76;

3.         Any similar measures.

(3)       The Minister of Science, ICT and Future Planning or the Korea Communications Commission may, if a provider, etc. of information and communications services fails to submit data under paragraph (1) or (2) or if it is found that a provider of information and communications services or similar has violated this Act, assign public officials under his or her control to enter the place of business of the person concerned related to such violation of this Act, including the provider, etc. of information and communications services, to inspect the current status of business, account books, documents, and others. (Amended by Act Nº 10465, Mar. 29, 2011; Act Nº 11690, Mar. 23, 2013; Act Nº 14080, Mar. 22, 2016)

(4)       The Minister of Science, ICT and Future Planning or the Korea Communications Commission may order a provider of information and communications services or similar who violated this Act to take corrective measures as may be necessary to stop or correct the violation, and may also require a provider of information and communications services or similar to whom it was ordered to take corrective measures to announce to the public the fact that it received the order to take such corrective measures. In such cases, the matters necessary for the method, guidelines, and procedure for the public announcement and other related matters shall be prescribed by Presidential Decree. (Amended by Act Nº 10465, Mar. 29, 2011; Act Nº 11690, Mar. 23, 2013)

(5)       The Minister of Science, ICT and Future Planning or the Korea Communications Commission may, when he or she issued an order to take corrective measures as may be necessary pursuant to paragraph (4), disclose to the public the fact that he or she issued the order to take corrective measures. In such cases, the matters necessary for the method, guidelines, and procedure for the public disclosure and other related matters shall be prescribed by Presidential Decree. (Amended by Act Nº 10465, Mar. 29, 2011; Act Nº 11690, Mar. 23, 2013)

(6)       The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall, when he or she demands submission or inspection of data or other materials pursuant to paragraph (1) or (2), give a written notice (including an electronic document), specifically stating the reasons and legal authority for such demand, the time limit for submission or the date and time for inspection, the details of data subject to the submission or inspection, and other related matters. (Amended by Act Nº 10465, Mar. 29, 2011; Act Nº 11690, Mar. 23, 2013)

(7)       When an inspection under paragraph (3) is to be conducted, the plan for the inspection, including the date and time of, and the reasons for and details of the inspection, shall be notified to the relevant provider of information and communications services or similar no later than seven days before the commencement of the inspection: Provided, That the plan for such inspection shall not be notified in an emergency case or if it is deemed impossible to accomplish the purposes of the inspection because of anticipated destruction of evidence or any other factor if a prior notice is given.

(8)       The public officials who inspect pursuant to paragraph (3) shall carry an identification indicating their authority with them to present it to people concerned, and shall deliver to the people concerned a document stating their names, the time and purposes of access, and other related matters, whenever they access a place of business.

(9)       The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall, where he or she receives, peruses, or inspects data or any other material submitted pursuant to any provision of paragraphs (1) through (3), notify the relevant provider of information and communications services or similar of the results thereof (including the details of disposition, in cases where he or she intends to make a disposition, such as an order to take corrective measures, as a result of the inspection) in writing. (Amended by Act Nº 10465, Mar. 29, 2011; Act Nº 11690, Mar. 23, 2013)

(10)     The Minister of Science, ICT and Future Planning or the Korea Communications Commission may ask technical advice or any other support of the head of the Internet and Security Agency as may be necessary in demanding submission of data or conducting an inspection pursuant to paragraphs (1) through (4). (Amended by Act Nº 9637, Apr. 22, 2009; Act Nº 10465, Mar. 29, 2011; Act Nº 11690, Mar. 23, 2013)

(11)     The demand for submission of data or any other materials and the inspections under paragraphs (1) through (3) shall be limited to the least extent necessary for the enforcement of this Act, and shall not be abused for any other purpose.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 64-2 (Protection and Destruction of Data, etc.)

(1)       The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall not, if asked by a provider of information and communications services or similar to protect documents, data, or any other materials submitted or collected pursuant to Article 64, furnish them to a third party or disclose them to the general public. (Amended by Act Nº 10465, Mar. 29, 2011; Act Nº 11690, Mar. 23, 2013)

(2)       The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall, when having received data submitted through an information and communications network or converted collected data or any other materials into an electronic format, take systematic and technical measures for security to protect personal information, trade secrets, or similar from being leaked. (Amended by Act Nº 10465, Mar. 29, 2011; Act Nº 11690, Mar. 23, 2013)

(3)       The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall, if any of the following events occurs, immediately destroy documents, data, or any other materials submitted or collected pursuant to Article 64, except as specifically provided for otherwise by any other Act. The same shall apply to a person to whom the authority of the Minister of Science, ICT and Future Planning or the Korea Communications Commission has been delegated or entrusted in whole or in part under Article 65: (Amended by Act Nº 10465, Mar. 29, 2011; Act Nº 11690, Mar. 23, 2013)

1.         If the objectives of demanding submission of data, conducting a field inspection, or issuing an order to take corrective measures pursuant to Article 64 have been achieved;

2.         If an administrative trial or administrative litigation is filed against an order issued to take corrective measures pursuant to Article 64 (4), when proceedings of such administrative trial are completed;

3.         If a disposition is made to impose an administrative fine under Article 76 (4) and there is no objection to it, when the time period to raise an objection under paragraph (5) ends;

4.         If there is an objection filed against disposition of an administrative fine under Article 76 (4), when the proceedings for the non-contentious case procedure are closed at the competent court.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 64-3 (Imposition, etc. of Penalty Surcharges)

(1)       The Korea Communications Commission may impose, on a provider of information and communications services or similar, an amount equivalent to 3/100 or less of its sales related to a violation as a penalty surcharge, where he or she performs any of the following acts: (Amended by Act Nº 11322, Feb. 17, 2012; Act Nº 12681, May 28, 2014; Act Nº 14080, Mar. 22, 2016)

1.         Where he or she collects personal information without consent of the relevant user in violation of Article 22 (1) (including cases where Article 22 (1) shall apply mutatis mutandis pursuant to Article 67);

2.         Where he or she collects personal information that is likely to seriously undermine rights, interests, or privacy of a person without consent of the relevant user in violation of Article 23 (1) (including cases where Article 23 (1) shall apply mutatis mutandis pursuant to Article 67);

3.         Where he or she uses personal information in violation of Article 24 (including cases where Article 24 shall apply mutatis mutandis pursuant to Article 67);

4.         Where he or she furnishes a third party with personal information in violation of Article 24-2 (including cases where Article 24-2 shall apply mutatis mutandis pursuant to Article 67);

5.         Where he or she entrusts a third party with the management of personal information without consent of the relevant user in violation of Article 25 (1) (including cases where Article 25 (1) shall apply mutatis mutandis pursuant to Article 67);

5-2.      Where a trustee violates the provisions of Chapter IV because it has neglected its control, supervision or education under Article 25 (4) (including cases where Article 25 (4) shall apply mutatis mutandis pursuant to Article 67);

6.         Where he or she has lost, stolen, divulged, forged, altered, or mutilated a user’s personal information, and not taken measures under Article 28 (1) 2 through 5 (including cases where Article 28 (1) 2 through 5 shall apply mutatis mutandis pursuant to Article 67);

7.         Where he or she collects personal information of a child under 14 years old without consent of his or her legal representative in violation of Article 31 (1) (including cases where Article 31 (1) shall apply mutatis mutandis pursuant to Article 67);

8.         Where he or she provides any user’s personal information to overseas without obtaining consent from the user in violation of the main sentence of Article 63 (2).

(2)       Where a provider of information and communications services or similar on whom penalty surcharge under paragraph (1) has been imposed refuses to submit data for computation of its sales or submits any false data, the sales may be estimated on the basis of accounting records such as financial statements, and the current status of business, such as the number of subscribers and the service charges of other providers of information and communications services which are similar in size: Provided, That penalty surcharge not exceeding 400 million won may be imposed where there were no sales or it is impracticable to compute the sales and where there is a ground specified by Presidential Decree. (Amended by Act Nº 11322, Feb. 17, 2012)

(3)       The Korea Communications Commission shall, when it intends to impose penalty surcharge under paragraph (1), take the following factors into consideration:

1.         The substance and degree of the violation;

2.         The duration and frequency of the violation;

3.         The amount of profits acquired by the violation.

(4)       The penalty surcharge under paragraph (1) shall be computed by taking the factors under paragraph (3) into consideration, but the specific guidelines and procedures for the computation shall be prescribed by Presidential Decree.

(5)       The Korea Communications Commission shall, if a person who is obligated to pay penalty surcharges under paragraph (1) fails to pay them by a deadline, collect an additional charge equivalent to 6/100 of the unpaid penalty surcharge per annum beginning on the day immediately following the deadline.

(6)       The Korea Communications Commission shall, if a person who is obligated to pay penalty surcharges under paragraph (1) fails to pay them by a deadline, remind the person to pay them within a period of time prescribed by the Commission, and shall collect them in accordance with the precedents for disposition against default on national taxes, if the person fails to pay the penalty surcharges and the additional charges under paragraph (5) within the prescribed period of time.

(7)       Where penalty surcharges imposed pursuant to paragraph (1) shall be refunded due to a judgment of a court or any other reason, an additional amount equivalent to 6/100 of the penalty surcharge per annum shall be paid from the date the penalty surcharges are paid and until the date they are refunded.

(Article Inserted by Act nº 9119, Jun. 13, 2008)

Article 64-4 (Hearing)             

The Minister of Science, ICT and Future Planning or the Korea Communications Commission shall hold a hearing in cases falling under any of the following subparagraphs:

1.         in the case of intending to revoke the designation of a certification body in accordance with Article 9 (2);

2.         in the case of intending to revoke the designation of an identification service agency in accordance with Article 23-4 (1);

3.         in the case of intending to revoke certification of an information security management system in accordance with Article 47 (10) (including cases where Article 47 (10) applies mutatis mutandis in accordance with Article 47-3 (3));

4.         in the case of intending to revoke the designation of a certification body for information security management system in accordance with Article 47-2 (1) (including cases where Article 47-2 (1) applies mutatis mutandis in accordance with Article 47-3 (4));

5.         in the case of intending to revoke any rate of information security management system in accordance with Article 47-5 (4);

6.         in the case of intending to revoke the registration in accordance with Article 55 (1).

(Article Inserted by Act nº 13520, Dec. 1, 2015)

Article 65 (Delegation and Entrustment of Authority)          

(1)       The Minister of Science, ICT and Future Planning or the Korea Communications Commission may delegate or entrust part of his or her authority under this Act to the heads of agencies under the control of the Ministry of Science, ICT and Future Planning or the presidents of the regional Korea posts, as prescribed by Presidential Decree. (Amended by Act Nº 10465, Mar. 29, 2011; Act Nº 11690, Mar. 23, 2013)

(2)       The Minister of Science, ICT and Future Planning may entrust projects under Article 13 for facilitating the use of information and communications networks to the National Information Society Agency under Article 14 of the Framework Act on National Informatization, as prescribed by Presidential Decree. (Amended by Act Nº 11690, Mar. 23, 2013)

(3)       The Minister of Science, ICT and Future Planning or the Korea Communications Commission may entrust the Internet and Security Agency with business affairs related to demanding submission of data and conducting inspections pursuant to Article 64 (1) and (2), as prescribed by Presidential Decree. (Amended by Act Nº 9637, Apr. 22, 2009; Act Nº 10465, Mar. 29, 2011; Act Nº 11690, Mar. 23, 2013)

(4)       Article 64 (8) shall apply mutatis mutandis to employees of the Internet and Security Agency under paragraph (3). (Amended by Act Nº 9637, Apr. 22, 2009)

(Amended by Act nº 9119, Jun. 13, 2008)

Article 65-2 Deleted. (by Act nº 7812, Dec. 30, 2005)          

Article 66 (Confidentiality, etc.)

A person who engages or engaged in a job related to any of the following business affairs shall not divulge to another person any secret that he or she has learned while performing his or her duties, nor use it for any purpose other than performance of his or her duties: Provided, That the same shall not apply if any other Act specifically provides otherwise: (Amended by Act Nº 11322, Feb. 17, 2012)

1.         Deleted; (by Act nº 10465, Mar. 29, 2011);

2.         Certification of information security management system under Article 47;

2-2.      Affairs of the certification of personal information management system pursuant to Article 47-3;

3.         Assessment of information protection systems under Article 52 (3) 4;

4.         Deleted; (by Act nº 11322, Feb. 17, 2012);

5.         Conciliation of disputes by the defamation dispute conciliation division under Article 44-10.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 67 (Application Mutatis Mutandis to Broadcasting Business Operator)      

(1)       Chapter 4 shall apply mutatis mutandis to the cases where a person falling under subparagraph 3 (a) through (e) of Article 2, subparagraph 6, 9, 12 and 14 of the Broadcasting Act collects/uses or provides personal information of viewers. In this case, the term “provider of information and communications services” or “provider of information and communications services or similar” shall be construed as “person falling under subparagraph 3 (a) through (e) of Article 2, subparagraph 6, 9, 12 and 14 of the Broadcasting Act” and the term “users” shall be construed as “viewers”.

(2)       Articles 22, 23, 23-2 through 23-4, 24, 24-2, 26, 26-2, 27, 27-2, 27-3, 28, 28-2, 29, 30, 30-2 and 31 shall apply mutatis mutandis to the trustees under Article 25 (1).

(Article Inserted by Act nº 11322, Feb. 17, 2012)

Article 68 Deleted. (by Act nº 10165, Mar. 22, 2010)           

Article 68-2 Deleted (by Act nº 13343, Jun. 22, 2015)          

Article 69 (Legal Fiction as Public Official in Application of Penalty Provisions)  

Executives and employees of the National Information Society Agency and the Internet and Security Agency who engage in the business affairs entrusted by the Minister of Science, ICT and Future Planning or the Korea Communications Commission pursuant to Article 65 (2) or (3) shall be deemed public officials in applying Articles 129 through 132 of the Criminal Act. (Amended by Act Nº 9637, Apr. 22, 2009; Act Nº 10465, Mar. 29, 2011; Act Nº 11690, Mar. 23, 2013)

(Amended by Act nº 9119, Jun. 13, 2008)

Article 69-2 (Accusation)

(1)       In cases where an act falling under any subparagraph of Article 64-3 (1) is deemed to exist, the Korea Communications Commission may accuse the responsible provider of information and communications services or similar to the local prosecutor’s office or other investigative agencies.

(2)       The Korea Communications Commission may recommend a provider, etc. of information and communications services violating this Act with respect to the protection of personal information to take disciplinary action against the responsible person (including its representative and responsible executive officers). In this case, the person in receipt of such recommendation shall have regard thereto and notify the Korea Communications Commission of the result thereof. (Inserted by Act nº 14080, Mar. 22, 2016)

(Article Inserted by Act nº 11322, Feb. 17, 2012)

CHAPTER X.- PENALTY PROVISIONS

Article 70 (Penalty Provisions)           

(1)       A person who commits defamation of another person by disclosing a fact to the public through an information and communications network purposely to disparage his or her reputation shall be punished by imprisonment with labor for up to three years, or by fine not exceeding 30 million won. (Amended by Act Nº 12681, May 28, 2014)

(2)       A person who commits defamation of another person by disclosing a false fact to the public through an information and communications network purposely to disparage his or her reputation shall be punished by imprisonment with labor for up to seven years, by suspension of qualification for up to ten years, or by fine not exceeding 50 million won.

(3)       The public prosecution may not prosecute a person who committed a crime under paragraph (1) or (2) against the victim’s will explicitly manifested.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 70-2 (Penalty Provisions)

A person who conveys or spreads a malicious program in violation of Article 48 (2) shall be punished by imprisonment with labor of up to seven years or by fine not exceeding 70 million won.

(Article Inserted by Act nº 14080, Mar. 22, 2016)

Article 71 (Penalty Provisions)           

Any of the following persons shall be punished by imprisonment with labor for up to five years or by fine not exceeding 50 million won: (Amended by Act Nº 14080, Mar. 22, 2016)

1.         A person who collects personal information without consent of the relevant user in violation of Article 22 (1) (including cases to which the aforesaid provision shall apply mutatis mutandis pursuant to Article 67);

2.         A person who collects personal information that is likely to seriously undermine rights, interests, or privacy of an individual without consent of the relevant user in violation of Article 23 (1) (including cases to which the aforesaid provision shall apply mutatis mutandis pursuant to Article 67);

3.         A person who uses or furnishes a third party with personal information, or who knowingly received such personal information for profit or for any other wrongful purpose, in violation of Article 24, 24-2 (1) or (2), or 26 (3) (including cases to which any of the aforesaid provisions shall apply mutatis mutandis pursuant to Article 67);

4.         A person who entrusts someone with management of personal information without consent of the relevant user in violation of Article 25 (1) (including cases to which the aforesaid provision shall apply mutatis mutandis pursuant to Article 67);

5.         A person who mutilates, infringes, or divulges personal information in violation of Article 28-2 (1) (including cases to which the aforesaid provision shall apply mutatis mutandis pursuant to Article 67);

6.         A person who knowingly receives any divulged personal information for profit or for any other wrongful purpose in violation of Article 28-2 (2);

7.         A person who furnishes someone with personal information or uses thereof without taking necessary measures in violation of Article 30 (5) (including cases to which the aforesaid provision shall apply mutatis mutandis pursuant to Articles 30 (7), 31 (3), or 67);

8.         A person who collects personal information of a child under 14 years old without consent of his or her legal representative in violation of Article 31 (1) (including cases to which the aforesaid provision shall apply mutatis mutandis pursuant to Article 67);

9.         A person who intrudes on an information and communications network in violation of Article 48 (1);

10.       A person who causes trouble to an information and communications network in violation of Article 48 (3);

11.       A person who mutilates another person’s information or who infringes, misappropriates, or divulges another person’s secret in violation of Article 49.

(2)       An attempt to commit a crime referred to in paragraph (1) 9 shall be punished. (Inserted by Act nº 14080, Mar. 22, 2016)

(Amended by Act nº 9119, Jun. 13, 2008)

Article 72 (Penalty Provisions)           

(1)       A person falling under any of the following subparagraphs shall be punished by imprisonment with labor for up to three years or by a fine not exceeding 30 million won: (Amended by Act Nº 12014, Jan. 20, 2015; Act Nº 13343, Jun. 22, 2015)

1.         Deleted; (by Act nº 14080, Mar. 22, 2016)

2.         A person who collects another person’s personal information in violation of Article 49-2 (1);

2-2.      A person who transmits any advertising information in violation of Article 50-8 by using the situation of any large-scale disaster under Article 14 (1) of the Framework Act on the Management of Disasters and Safety;

3.         A person who carries on a business without the registration under Article 53 (1);

4.         A person who lends a loan to someone or intermediates such loan by committing any of the following acts:

(a)        Conducting, or engaging someone to conduct vicariously, a transaction through telecommunications billing services by pretending sale or supply of goods or services or billing more than an actual selling price;

(b)       Engaging a user of telecommunications billing services to purchase or use certain goods or services through telecommunications billing services and then purchasing, at a discount, the goods or services purchased or used by the user of telecommunications billing services;

5.         A person who divulges to another person any secret known to him or her while performing his or her duties or uses such secret for any purpose other than his or her duties in violation of Article 66.

(2)       Deleted. (by Act nº 14080, Mar. 22, 2016)

(Amended by Act nº 9119, Jun. 13, 2008)

Article 73 (Penalty Provisions)           

Any of the following persons shall be punished by imprisonment with labor for not more than two years or by a fine not exceeding 20 million won: (Amended by Act Nº 12681, May 28, 2014; Act Nº 14080, Mar. 22, 2016)

1.         A person who has a user’s personal information lost, stolen, leaked, forged, altered, or damaged because he or she has not taken technical and administrative measures under any provision of Article 28 (1) 2 through 5 (including cases where the aforesaid provision is applied mutatis mutandis pursuant to Article 67);

1-2.      A person who fails to destroy personal information, in violation of Article 29 (1) (including cases where the aforesaid provision is applied mutatis mutandis pursuant to Article 67);

2.         A person who provides an unwholesome medium for juveniles for profit without labeling it as an unwholesome medium in violation of Article 42;

3.         A person who transmits to a juvenile any information containing advertisement of an unwholesome medium for juveniles or displays such information openly without taking any measures to restrict access by juveniles in violation of Article 42-2;

4.         A person who uses a user’s information for any purpose other than filing a civil or criminal lawsuit in violation of Article 44-6 (3);

5.         A person who fails to perform an order of the Korea Communications Commission under Article 44-7 (2) or (3);

6.         A person who fails to preserve relevant data in violation of an order issued pursuant to Article 48-4 (3);

7.         A person who entices another person to furnish him or her with personal information in violation of Article 49-2 (1);

8.         A person who fails to perform an order issued pursuant to Article 61.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 74 (Penalty Provisions)

(1)       Any of the following persons shall be punished by imprisonment with labor for up to one year or by a fine not exceeding 10 million won: (Amended by Act Nº 11322, Feb. 17, 2012; Act Nº 12681, May 28, 2014)

1.         A person who puts any similar label on a product or sells a product bearing any similar label, or who displays such product with intent to sell it, in violation of Article 8 (4);

2.         A person who distributes, sells, lends, or openly displays any obscene codes, letters, sound, images, or motion pictures in violation of Article 44-7 (1) 1;

3.         A person who makes any codes, letters, sound, images, or motion pictures arousing fear or apprehension reach another person repeatedly in violation of Article 44-7 (1) 3;

4.         A person who takes measures, in violation of Article 50 (5);

5.         Deleted. (by Act nº 12681, May 28, 2014)

6.         A person who transmits any advertising information, in violation of Article 50-8;

7.         A person who fails to file for any revision to registration, or who fails to file a report on transfer, acquisition, merger, or inheritance of business, in violation of Article 53 (4).

(2)       The public prosecution may not prosecute a person who committed a crime under paragraph (1) 3 against the victim’s will explicitly manifested.

(Amended by Act nº 9119, Jun. 13, 2008)

Article 75 (Joint Penalty Provisions)

If a representative of a corporation, or an agent, an employee, or other servant of the corporation commits a violation under Articles 71 through 73 or 74 (1) in connection with the business of the corporation or the individual, not only shall such violator be punished accordingly, but the corporation or the individual shall be punished by a fine under the relevant Article: Provided, That this shall not apply where the corporation or individual has not been negligent in giving the due attention and supervision concerning the relevant duties to prevent such violation.

(This Article Amended by Act Nº 10138, Mar. 17, 2010)

Article 75-2 (Confiscation and Additional Collection)

Money and goods, or other profits received by a person committing any offence referred to in Article 71 (1) 1 through 8, Article 72 (1) 2, and subparagraphs 1, 1-2 and 7 of Article 73 with respect to the relevant violation may be confiscated, and if impossible to confiscate such money and goods or other profits, the value thereof may be additionally collected. In this case, the penalty of confiscation or additional collection may be imposed in addition to any other penalty.

(Article Inserted by Act nº 14080, Mar. 22, 2016)

Article 76 (Administrative Fines)       

(1)       Any of the following persons and a person who made a third party commit an act falling under subparagraphs 7 through 11, shall be punished by an administrative fine not exceeding 30 million won: (Amended by Act Nº 10465, Mar. 29, 2011; Act Nº 11322, Feb. 17, 2012; Act Nº 11690, Mar. 23, 2013; Act Nº 12681, May 28, 2014; Act Nº 13520, Dec. 1, 2015; Act Nº 14080, Mar. 22, 2016)

1.         A person who refuses to provide services, in violation of Article 22-2 (2), or Article 23 (3) (including where the aforesaid provisions shall apply mutatis mutandis pursuant to Article 67);

1-2.      A person who fails to take measures necessary to protect users’ information such as devising methods for users to give or revoke consent to access authority, in violation of Article 22-2 (3) (including where the aforesaid provision shall apply mutatis mutandis pursuant to Article 67);

2.         A person who collects or uses resident registration numbers in violation of Article 23-2 (1) or fails to take necessary measures in violation of Article 23-2 (2) (including cases where the aforesaid provision applies mutatis mutandis pursuant to Article 67);

2-2.      A person who either fails, in obtaining consent to provision of personal information or entrustment of management thereof, to obtain it separately from consent to collection and use of personal information, or refuses to provide services on the ground that there exists no consent to such provision or entrustment, in violation of Article 24-2 (3) (including cases where Article 24-2 (3) shall apply mutatis mutandis in accordance with Article 67);

2-3.      A person who fails to give notice or report to users, the Korea Communications Commission, and the Korea Internet Security Agency, in violation of Article 27-3 (1) (including where the aforesaid provision shall apply mutatis mutandis pursuant to Article 67), or gives notice or reports thereto after 24 hours have elapsed without just cause;

2-4.      A person who fails to provide an explanation under Article 27-3 (3) or makes a false explanation;

3.         A person who fails to take technical and administrative measures under Article 28 (1) (including cases to which the aforesaid provisions shall apply mutatis mutandis pursuant to Article 67);

4.         A person who fails to take measures, such as the destruction of personal information, in violation of Article 29 (2) (including cases where the aforesaid provision applies mutatis mutandis pursuant to Article 67);

5.         A person who fails to take necessary measures, in violation of Article 30 (3), (4), or (6) (including cases to which the aforesaid provisions shall apply mutatis mutandis pursuant to Article 30 (7), 31 (3), or 67);

5-2.      A person who fails to notify details of personal information used, in violation of the main sentence of Article 30-2 (1) (including cases to which the aforesaid provisions shall apply mutatis mutandis pursuant to Article 67);

6.         Deleted. (by Act Nº 12681, May 28, 2014)

6-2.      A person who fails to report the designation of the chief information protection officer, in violation of Article 45-3 (1);

6-3.      A person who fails to receive certification of an information security management system in violation of Article 47 (2);

7.         A person who transmits any advertising information for profit, in violation of Article 50 (1) through (3);

8.         A person who fails to state the matters required to be stated, or who states false information on such matters, when he or she transmitted any advertising information, in violation of Article 50 (4);

9.         A person who makes an addressee bear the burden of any expense, in violation of Article 50 (6);

9-2.      A person who fails to verify whether an addressee gives consent to receive advertising information, in violation of Article 50 (8);

10.       A person who installs a program without consent of the relevant user, in violation of Article 50-5;

11.       A person who posts any advertising information for profit on an Internet webpage, in violation of Article 50-7 (1) or (2);

12.       A person who fails to observe an order issued by the Minister of Science, ICT and Future Planning or the Korea Communications Commission pursuant to Article 64 (4) in violation of this Act.

(2)       Any of the following persons shall be punished by an administrative fine not exceeding 20 million won: (Amended by Act Nº 14080, Mar. 22, 2016)

1.         A person who fails to disclose or notify the matters concerning the entrustment of management of personal information to users, in violation of Article 25 (2) (including cases to which the aforesaid provision shall apply mutatis mutandis pursuant to Article 67);

1-2.      A person who re-entrusts a third party with the management of personal information without obtaining a consent from a provider, etc. of information and communications, in violation of Article 25 (7) (including cases to which the aforesaid provision shall apply mutatis mutandis pursuant to Article 67);

2.         A person who fails to notify a user of transfer of personal information in violation of Article 26 (1) or (2) (including cases to which the aforesaid provision shall apply mutatis mutandis pursuant to Article 67);

3.         A person who fails to designate a person responsible for protection of personal information, in violation of Article 27 (1) (including cases to which the aforesaid provision shall apply mutatis mutandis pursuant to Article 67);

4.         A person who fails to disclose the policy on managing personal information, in violation of Article 27-2 (1) (including cases to which the aforesaid provision shall apply mutatis mutandis pursuant to Article 67);

5.         A person who discloses all the matters referred to in each subparagraph of Article 63 (3) in violation of the proviso to Article 63 (2) or entrusts the management of, or deposits, user’s personal information, to overseas without informing the user.

(3)       Any of the following persons shall be punished by an administrative fine not exceeding 10 million won: (Amended by Act Nº 9637, Apr. 22, 2009; Act Nº 10560, Apr. 5, 2011; Act Nº 11322, Feb. 17, 2012; Act Nº 12681, May 28, 2014; Act Nº 13520, Dec. 1, 2015; Act Nº 14080, Mar. 22, 2016)

1.         and 2. Deleted; (by Act Nº 13343, Jun. 22, 2015)

2-2.      A person who engages in the identification service without being designated as the identification service agency, in violation of Article 23-3 (1);

2-3.      A person who fails to notify the suspension of identification service under Article 23-3 (2) or the discontinuation of identification service under Article 23-3 (3) to users or report the same to the Korea Communications Commission;

2-4.      A person who continuously engages in identification service notwithstanding disposition for suspension of identification service and cancelation of the identification service agency under Article 23-4 (1);

2-5.      A person who fails to entrust in writing the management of personal information in violation of Article 25 (6) (including cases to which the aforesaid provision shall apply mutatis mutandis pursuant to Article 67);

3.         A person who fails to designate a person responsible for protection of juveniles in violation of Article 42-3 (1);

4.         A person who fails to preserve information, in violation of Article 43;

5.         A person who fails to subscribe to insurance, in violation of Article 46 (2);

6.         Deleted; (by Act Nº 13520, Dec. 1, 2015);

7.         A person who falsely advertises details of the certification he or she has obtained, in violation of Article 47 (9);

8.         and 9. Deleted; (by Act Nº 11322, Feb. 17, 2012)

10.       A person who fails to give notice to users of software, in violation of Article 47-4 (3);

11.       A person who fails to comply with an order issued pursuant to Article 48-2 (4) to take corrective measures;

11-2.    A person who fails to report any intrusion, in violation of Article 48-3 (1);

12.       A person who interferes with, refuses, or evades access to the place of business to conduct an inspection under Article 48-4 (4);

12-2.    A person who fails to comply with an order issued by the Minister of Science, Information and Communications Technology (ICT) and Future Planning, or the Korea Communications Commission, in violation of Article 49-2 (4);

12-3.    A person who fails to inform the results of handling the consent to receive, refusal to receive, or revocation of consent to receive, advertising information, in violation of Article 50 (7);

12-4.    A person who fails to take necessary measures, in violation of Article 50-4 (4);

13.       A person who uses the name of the Korea Internet and Security Agency, in violation of Article 52 (6);

14.       A person who fails to file a report on cessation, discontinuance, or dissolution of business, in violation of Article 53 (4);

15.       A person who fails to report a standard contract form, in violation of Article 56 (1);

16.       A person who fails to take administrative or technical measures, in violation of Article 57 (2);

17.       A person who fails to notify a user of telecommunications billing services of the date and time, etc. when the aforementioned services are used, in violation of Article 58 (1);

18.       A person who fails to provide a user of telecommunications billing services with the method by which the user can verify the details of purchase or use, or who fails to comply with a request by a user of telecommunications billing services to provide such method, in violation of Article 58 (2);

19.       A person who fails to withhold the payment of the price though a request for making a correction on a telecommunications bill which he or she has received from a user of telecommunications billing services is reasonable or to notify the user of telecommunications billing services of the results of the measures taken in response to a request of the user, in violation of Article 58 (3);

20.       A person who fails to preserve records of telecommunications billing services, in violation of Article 58 (4);

20-2.    A person who provides telecommunications billing services or increases the amount of the upper limits of use without obtaining consent from a user of telecommunications billing services, in violation of Article 58 (5);

20-3.    A person who fails to give notice concerning amendment to the contractual terms and conditions of telecommunications billing services, in violation of Article 58 (6);

21.       A person who fails to prepare the procedure for raising an objection by users of telecommunications billing services and redressing their infringed rights, or to stipulate such procedure when he or she enters into a contract for telecommunications billing services, in violation of Article 59 (2);

22.       A person who fails to submit, or who falsely submitted, goods, documents, or any other material under Article 64 (1);

23.       A person who fails to comply with a request for inspection or submission of data under Article 64 (2);

24.       A person who refuses, interferes with, or evades the access and inspection under Article 64 (3).

(4)       The administrative fines prescribed in paragraphs (1) through (3) shall be imposed and collected by the Minister of Science, ICT and Future Planning or the Korea Communications Commission, as prescribed by Presidential Decree. (Amended by Act Nº 10465, Mar. 29, 2011; Act Nº 11690, Mar. 23, 2013)

(5)       A person who is dissatisfied with disposition to impose a fine for negligence under paragraph (4) may file an objection with the Minister of Science, ICT and Future Planning or the Korea Communications Commission within 30 days from the date on which he or she is notified of such disposition. (Amended by Act Nº 10465, Mar. 29, 2011; Act Nº 11690, Mar. 23, 2013)

(6)       The Minister of Science, ICT, and Future Planning, or the Korea Communications Commission shall, upon receiving an objection filed in accordance with paragraph (5) by a person dissatisfied with the disposition for an administrative fine under paragraph (4), notify the competent court of the objection without delay, and the competent court shall, upon receiving such notice, put the case to trial on fines for negligence pursuant to the Non-Contentious Case Procedure Act. (Amended by Act Nº 10465, Mar. 29, 2011; Act Nº 11690, Mar. 23, 2013)

(7)       Where neither objection is raised nor an administrative fine paid within a period prescribed in paragraph (5), the administrative fine shall be collected in the same manner as delinquent national taxes are collected.

(Amended by Act nº 9119, Jun. 13, 2008)

ADDENDA

Article 1 (Enforcement Date)

This Act shall enter into force on July 1, 2001.

Article 2 (Transitional Measures following Change of Basis for Establishing Korea Information Security Center and of Its Name)

(1)       The Korea Information Security Center established pursuant to Article 14-2 of the Framework Act on National Informatization at the time that this Act enters into force shall be deemed the Korea Information Security Agency established pursuant to Article 52 of this Act.

(2)       Any act performed by and any legal relations maintained by the Korea Information Security Center at the time when this Act enters into force shall be deemed performed and maintained by the Korea Information Security Agency.

(3)       The name of the Korea Information Security Center on the register book and other public registers at the time when this Act enters into force shall be deemed the name of the Korea Information Security Agency.

Article 3 (Transitional Measures Following Change of Name of Korea Information and Communications Promotion Association)

(1)       The Korea Information and Communications Promotion Association as at the time when this Act enters into force shall be deemed the Korea Association of Information and Telecommunication.

(2)       Any act performed and any legal relations maintained by the Korea Information and Communications Promotion Association at the time when this Act enters into force shall be deemed performed and maintained by the Association.

(3)       The name of the Korea Information and Communications Promotion Association on the register book and other public registers at the time that this Act enters into force shall be deemed the name of the Korea Association of Information and Telecommunication.

Article 4 (Transitional Measures concerning Application of Penalty Provisions)

The application of the penal provisions to any act committed prior to the enforcement of this Act shall be governed by the previous provisions.

Article 5 Omitted.

Article 6 (Relations to Other Statutes)

If other Acts and subordinate statutes cite the former Act on Promotion, etc. of Utilization of Information System or the provisions thereof at the time this Act enters into force and if there exist corresponding provisions thereto in this Act, this Act or the corresponding provisions in this Act shall be regarded as being cited.

ADDENDA (Act Nº 6585, Dec. 31, 2001)

Article 1 (Enforcement Date)

This Act shall enter into force on April 1, 2002.

Articles 2 through 4 Omitted.

ADDENDA (Act Nº 6797, Dec. 18, 2002)

(1)       (Enforcement Date) This Act shall enter into force after the lapse of one month from the date of its promulgation: Provided, That the amended provisions of Articles 50 (2) and (5), 56 (3) and (4), 60 and 67 (1) (limited to the provisions of subparagraphs 15-2 and 15-4) shall enter into force after the lapse of six months from the date of its promulgation.

(2)       (Transitional Measures concerning Application of Administrative Fine) The application of the administrative fine to the act of violation committed prior to the enforcement of this Act shall be governed by the previous provisions.

ADDENDA (Act Nº 7139, Jan. 29, 2004)

(1)       (Enforcement Date) This Act shall enter into force on the date of its promulgation: Provided, That the amended provisions of Articles 28, 45 (4), 46-3, 47-2 (4) and 48-4 (6) shall enter into force on the date on which six months lapse from the date of promulgation of this Act.

(2)       (Transitional Measures concerning Application of Administrative Fines) The application of the administrative fine to the act of violation committed prior to the enforcement of this Act shall be governed by the previous provisions.

ADDENDA (Act Nº 7142, Jan. 29, 2004)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation.

Articles 2 through 4 Omitted.

ADDENDUM (Act Nº 7262, Dec. 30, 2004)

This Act shall enter into force three months after the date of its promulgation.

ADDENDA (Act Nº 7796, Dec. 29, 2005)

Article 1 (Enforcement Date)

This Act shall enter into force on July 1, 2006.

Articles 2 through 6 Omitted.

ADDENDUM (Act Nº 7812, Dec. 30, 2005)

This Act shall enter into force three months after the date of its promulgation.

ADDENDA (Act Nº 7917, Mar. 24, 2006)

(1)       (Enforcement Date) This Act shall enter into force three months after the date of its promulgation.

(2)       (Transitional Measures concerning Safety Check of Information Protection) Where a company specializing in information protection consulting under Article 17 of the Act on the Protection of Information and Communications Infrastructure has commenced the works of safety check of information protection before the enforcement of this Act, it may continue to perform the works of safety check of information protection pursuant to the previous provisions, notwithstanding the amended provisions of Article 46-3 (1).

ADDENDUM (Act Nº 8030, Oct. 4, 2006)

This Act shall enter into force three months after the date of its promulgation.

ADDENDA (Act Nº 8031, Oct. 4, 2006)

Article 1 (Enforcement Date)

This Act shall enter into force on the date of its promulgation. (Proviso Omitted.)

Articles 2 through 6 Omitted.

ADDENDA (Act Nº 8289, Jan. 26, 2007)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation.

Article 2 (Transitional Measures for Prohibition on Illegal Communications)

The orders issued by the Minister of Information and Communication to reject, suspend or restrict handling of telecommunications services pursuant to Article 53 of the Telecommunications Business Act before this Act enters into force shall be deemed to have been issued pursuant to the amended provisions of Article 44-7 of this Act.

Article 3 (Transitional Measures for Change in Authority for Establishment of Information and Communications Ethics Committee)

(1)       The Information and Communications Ethics Committee established pursuant to Article 53-2 of the former Telecommunications Business Act as of the enforcement date of this Act shall be deemed the Information and Communications Ethics Committee established pursuant to the amended provisions of Article 44-8 of this Act.

(2)       The acts done by or against the Information and Communications Ethics Committee and other legal relationships with the Information and Communications Ethics Committee under the former provisions before this Act enters into force shall be deemed the acts done by or against the Information and Communications Ethics Committee and other legal relationships with the Information and Communications Ethics Committee under the amended provisions of Article 44-8 of this Act.

Article 4 (Transitional Measures for Collection, Use, and Provision of Personal Information)

(1)       Consent obtained from a user in relation to collection, use, provision, or similar of personal information in accordance with the former provisions of Article 22, 23, 24, or 54 as of the enforcement date of this Act shall be deemed consent obtained lawfully in accordance with the amended provisions of Article 22, 23, 24, 24-2, or 54.

(2)       Handling of personal information, which has been entrusted lawfully in accordance with the former provisions of Article 25 as of the enforcement date of this Act shall be deemed to have been entrusted with consent obtained lawfully in accordance with the amended provision of Article 25 (1).

(3)       An act performed by a person who succeeded rights and obligations of a provider of information and communications services or similar in accordance with the former provisions of Article 26 as of the enforcement of this Act to use or provide personal information shall be deemed to have been performed with consent obtained lawfully in accordance with the amended provision of Article 26 (3).

Article 5 (Transitional Measures for Application of Penalty Provisions)

Acts committed before this Act enters into force shall be governed by the former penal provisions.

Article 6 Omitted.

ADDENDA (Act Nº 8486, May 25, 2007)

Article 1 (Enforcement Date)

This Act shall enter into force one year after the date of its promulgation.

Articles 2 through 10 Omitted.

ADDENDA (Act Nº 8778, Dec. 21, 2007)

Article 1 (Enforcement Date)

This Act shall enter into force three months after the date of its promulgation.

Article 2 (Transitional Measures for Registration of Providers of Telecommunications Billing Services)

(1)       A person who renders telecommunications billing services at the time when this Act enters into force shall complete the registration with the Minister of Information and Communication in accordance with the amended provision of Article 53 (1) within three months from the date this Act enters into force.

(2)       A provider of telecommunications billing services who is registered in accordance with Article 28 (2) of the Electronic Financial Transaction Act at the time when this Act enters into force shall submit a written statement certifying the registration with the Minister of Information and Communication within three months from the date this Act enters into force.

(3)       A person who submits a written statement in accordance with paragraph (2) shall be deemed to have been registered in accordance with the amended provision of Article 53 (1).

ADDENDA (Act Nº 8852, Feb. 29, 2008)

Article 1 (Enforcement Date)

This Act shall enter into force on the date of its promulgation. (Proviso Omitted.)

Articles 2 through 7 Omitted.

ADDENDA (Act Nº 8867, Feb. 29, 2008)

Article 1 (Enforcement Date)

This Act shall enter into force on the date of its promulgation. (Proviso Omitted.)

Articles 2 through 12 Omitted.

ADDENDA (Act Nº 9119, Jun. 13, 2008)

(1)       (Enforcement Date) This Act shall enter into force six months after the date of its promulgation.

(2)       (Transitional Measures for Application of Penalty Provisions and Administrative Fines) An act committed before this Act enters into force shall be governed by the former penal provisions and the former provisions concerning administrative fines.

ADDENDA (Act Nº 9637, Apr. 22, 2009)

Article 1 (Enforcement Date)

This Act shall enter into force three months after the date of its promulgation.

Article 2 (Preparation for Establishment of Korea Internet and Security Agency)

(1)       The Korea Communications Commission may perform preparatory activities to establish the Korea Internet and Security Agency by commissioning not less than five incorporators before this Act enters into force.

(2)       The incorporators shall prepare the articles of incorporation of the Korea Internet and Security Agency and obtain approval from the Korea Communications Commission.

(3)       The incorporators, upon obtaining approval under paragraph (2), shall register the incorporation of the Korea Internet and Security Agency by joint signature and turn over the administrative responsibility to the President of Korea Internet and Security Agency.

(4)       The incorporators shall be deemed decommissioned at the time the take-over of the administrative responsibility is complete pursuant to paragraph (3).

Article 3 (Transitional Measures concerning Succession of Korea Information Security Agency, Korea Internet and Security Agency and Korea IT International Cooperation Agency)

(1)       The administrative responsibilities of the Korea Information Security Agency under Article 52 of the Act on Promotion of Information and Communications Infrastructure (hereinafter referred to as the “Korea Information Security Agency”), the Korea Internet and Security Agency under Article 9 of the Internet Address Resources Act (hereinafter referred to as the “Korea Internet and Security Agency”), and the Korea IT International Cooperation Agency under Article 24-2 of the Framework Act on Informatization Promotion (hereinafter referred to as the “Korea IT International Cooperation Agency”), which are governed by the previous provisions at the time this Act enters into force, shall be comprehensively succeeded to the Korea Internet and Security Agency under this Act.

(2)       The previous rights, obligations, properties of the Korea Information Security Agency, the Korea Internet and Security Agency and the Korea IT International Cooperation Agency as at the time this Act enters into force shall be comprehensively succeeded to the Korea Internet and Security Agency under this Act.

(3)       The previous employment relationship covering the employees of the Korea Information Security Agency, the Korea Internet and Security Agency and the Korea IT International Cooperation Agency as at the time this Act enters into force shall be comprehensively succeeded to the Korea Internet and Security Agency under this Act.

(4)       The previous activities performed by or in relation to the Korea Information Security Agency, the Korea Internet and Security Agency and the Korea IT International Cooperation Agency as at the time this Act enters into force shall be deemed to have been performed by or in relation to the Korea Internet and Security Agency under this Act.

(5)       The titles of the Korea Information Security Agency, the Korea Internet and Security Agency and the Korea IT International Cooperation Agency indicated on the register as at the time this Act enters into force or other public books shall be deemed to be those of the Korea Internet and Security Agency under this Act.

Article 4 Omitted.

Article 5 (Relations with Other Statutes)

Where the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. or the provisions thereof are cited in other statutes as at the time this Act enters into force, and any provision corresponding thereto exists in this Act, this Act or the corresponding provision of this Act shall be deemed to have been cited in lieu of the previous provision.

ADDENDUM (Act Nº 10138, Mar. 17, 2010)

This Act shall enter into force three months after the date of its promulgation.

ADDENDA (Act Nº 10165, Mar. 22, 2010)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation. (Proviso Omitted.)

Articles 2 through 7 Omitted.

ADDENDA (Act Nº 10166, Mar. 22, 2010)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation.

Articles 2 through 9 Omitted.

ADDENDA (Act Nº 10465, Mar. 29, 2011)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation. (Proviso Omitted.)

Articles 2 through 7 Omitted.

ADDENDA (Act Nº 10560, Apr. 5, 2011)

Article 1 (Enforcement Date)

This Act shall enter into force three months after the date of its promulgation.

Article 2 (General Transitional Measures)

Previous acts of the identification service agency which developed and provided the previous identification affairs as at the time of enforcement of this Act shall be deemed to have been legitimately developed and provided if the agency obtains the designation of identification service agency pursuant to this Act.

Article 3 (Transitional Measures concerning Designation of Identification Service Agency)

A person who was conducting the identification service as at the time of enforcement of this Act shall be designated, within three months after enforcement date of this Act, as an identification service agency by the Korea Communications Commission pursuant to the amended provision of Article 23-3 (1).

ADDENDA (Act Nº 11048, Sep. 15, 2012)

Article 1 (Enforcement Date)

This Act shall enter into force one year after the date of its promulgation. (Proviso Omitted.)

Articles 2 through 5 Omitted.

ADDENDA (Act nº 11322, Feb. 17, 2012)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation: Provided, That the amended provisions of Articles 45, 45-2, 45-3, 46-3, 47, 47-2, 47-3, 47-5, 52 (3) 7, 66 and 76 (3) 6 through 9 shall enter into force after the lapse of one year from the date of its promulgation.

Article 2 (Transitional Measures concerning Restriction on Collection/Use of Resident Registration Number)

(1)       A provider of information and communications services who provides methods of subscription for membership by using the subscriber’s resident registration number as at the time of enforcement of this Act shall destroy all the resident registration numbers possessed by the provider within two years after enforcement date of this Act: Provided, That this shall not apply in cases falling under any of the subparagraphs under Article 23-2 (1).

(2)       In cases where a provider of information and communications services fails to destroy the resident registration numbers possessed by him or her within the period under paragraph (1), the amended provisions of Article 23-2 (1) shall be deemed violated.

Article 3 (Transitional Measures concerning Abolition of the Safety Inspection on Protection of Information)

A business operator who received a safety inspection on the protection of information pursuant to previous provisions as at the time of enforcement of this Act shall be deemed, during the concerning year in which he or she received the safety inspection on the protection of information, as the business operator who received the certification of an information security management system pursuant to the amended provisions of Article 47 (2).

Article 4 (Transitional Measures concerning Certification of Personal Information Management System)

A person who received the certification of a personal information management system from the Korea Internet and Security Agency as at the time of enforcement of this Act shall be deemed to have received the certification of personal information management system pursuant to the amended provisions of Article 47-3.

Article 5 (Transitional Measures concerning Administrative Fine)

Upon imposing administrative fine with respect to any violative acts committed before enforcement of this Act, the previous provisions shall apply thereto.

ADDENDA (Act Nº 11690, Mar. 23, 2013)

Article 1 (Enforcement Date)

This Act shall enter into force on the date of its promulgation.

Articles 2 through 7 Omitted.

ADDENDA (Act Nº 12681, May 28, 2014)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation: Provided, That the amended provisions of Articles 44 (3), 44-5 and 76 (1) 6 shall enter into force on the date of their promulgation.

Article 2 (Transitional Measures concerning Penalty Surcharges and Penalty Provisions)

When penalty surcharges and penalty provisions apply to offenses committed before this Act enters into force, the former provisions shall apply thereto.

ADDENDA (Act Nº 12844, Nov. 19, 2014)

Article 1 (Enforcement Date)

This Act shall enter into force on the date of its promulgation: Provided, That among the Acts amended pursuant to Article 6 of Addenda, the amended parts of the Acts that were promulgated before this Act enters into force but their enforcement dates have yet to arrive shall enter into force on their respective dates of enforcement.

Articles 2 through 7 Omitted.

ADDENDUM (Act Nº 13014, Jan. 20, 2015)

This Act shall enter into force three months after the date of its promulgation.

ADDENDUM (Act Nº 13280, Mar. 27, 2015)

This Act shall enter into force on the date of its promulgation.

ADDENDA (Act Nº 13343, Jun. 22, 2015)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation.

Articles 2 through 3 Omitted.

ADDENDA (Act Nº 13344, Jun. 22, 2015)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation.

Article 2 (Applicability concerning Administrative Dispositions)

The amended provisions of Article 55 (1) shall apply even to administrative dispositions against violations committed before this Act enters into force.

ADDENDA (Act nº 13520, Dec. 1, 2015)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation: Provided, That the amended provisions of Articles 29 (2) and (3) shall enter into force on the date of its promulgation.

Article 2 (Applicability concerning Destruction, etc. of Personal Information)

The amended provisions of Article 29 (2) and (3) shall apply even to the personal information collected or provided before such amended provisions enter into force.

Article 3 (Applicability concerning Omission of Examination of Certification for Information Security Management System)

The amended provisions of Article 47 (3) shall apply even to persons who have made an application for the certification for an information security management system, procedures for which are underway.

Article 4 (Transitional Measures concerning Certification of Information Security Management System)

A person who has not received the certification for an information security management system shall receive the certification within six months after this Act enters into force, in accordance with the amended provisions of Article 47 (2).

Article 5 (Transitional Measures concerning Administrative Fines)

When applying administrative fines to the violations committed before this Act enters into force, the previous provisions of this Act shall apply.

ADDENDA (Act Nº 14080, Mar. 22, 2016)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation: Provided, That the amended provisions of Articles 22-2 and 76 (1) 1 and 1-2 shall enter into force one year after the date of its promulgation, the amended provisions of Article 32 (2) and (3) and 32-2 (3) shall enter into force on July 25, 2016, and the amended provision of Article 52 (4) shall enter into force on the date of its promulgation.

Article 2 (Applicability concerning Compensation for Damage)

The amended provisions of Articles 32 (2) and (3), and 32-2 (3) shall apply beginning from the first claim for compensation for damage against any information lost, stolen, leaked, forged, altered or damaged after the said amended provisions enter into force.

Article 3 (Transitional Measures concerning Informing Fact of Exposure to Act of Violation)

A provider of information and communications services shall, no later than six months after this Act enters into force, establish equipment, by means of which informing messages can be sent to users pursuant to the amended provisions of Article 49-2 (3).

Article 4 (Transitional Measures concerning Penalty Provision)

The former provisions shall govern when applying penalty provisions to the act committed before this Act enters into force.

Article 5 Omitted.

01May/20

Personal Information Protection Act (PIPA), established by Act nº 10465, Mar. 29, 2011

Personal Information Protection Act (PIPA), established by Act nº 10465, Mar. 29, 2011, amended by Act nº 11690, Mar. 23, 2013, amended by Act nº 11990, Aug. 6, 2013, amended by Act nº 12504, Mar. 24, 2014, amended by Act nº 12844, Nov. 19, 2014, amended by Act nº 13423, Jul. 24, 2015, amended by Act nº 14107, Mar. 29, 2016, amended by Act nº 14765, Apr. 18, 2017, amended by Act nº 14839, Jul. 26, 2017

CHAPTER I.- GENERAL PROVISIONS

Article 1 (Purpose)

The purpose of this Act is to provide for the processing and protection of personal information for the purposes of protecting the freedom and rights of individuals, and further realizing the dignity and value of the individuals. (Amended by Act nº 12504, Mar. 24, 2014)

Article 2 (Definitions)

The terms used in this Act shall be defined as follows: (Amended by Act nº 12504, Mar. 24, 2014)

1. The term “personal information” means information relating to a living individual that makes it possible to identify the individual by his/her full name, resident registration number, image, etc. (including information which, if not by itself, makes it possible to identify any specific individual if combined with other information);

2. The term “processing” means the collection, generation, connecting, interlocking, recording, storage, retention, value-added processing, editing, retrieval, output, correction, recovery, use, provision, and disclosure, destruction of personal information and other similar activities;

3. The term “data subject” means an individual who is identifiable by the information processed hereby to become the subject of that information;

4. The term “personal information file” means a set or sets of personal information arranged or organized in a systematic manner based on a certain rule for easy access to the personal information;

5. The term “personal information controller” means a public institution, legal person, organization, individual, etc. that processes personal information directly or indirectly to operate the personal information files for official or business purposes;

6. The term “public institution” means any of the following institutions:

(a) The administrative bodies of the National Assembly, the Courts, the Constitutional Court, and the National Election Commission; the central administrative agencies (including agencies under the Presidential Office and the Prime Minister’s Office) and their affiliated entities; and local governments;

(b) Other national agencies and public entities prescribed by Presidential Decree;

7. The term “visual data processing devices” means the devices prescribed by Presidential Decree, which are continuously installed at a certain place to take pictures of persons or images of things, or transmit such pictures or images via wired or wireless networks.

Article 3 (Principles for Protecting Personal Information)

(1) The personal information controller shall explicitly specify the purposes for which personal information is processed; and shall collect personal information lawfully and fairly to the minimum extent necessary for such purposes.

(2) The personal information controller shall process personal information in a manner compatible with the purposes for which the personal information is processed, and shall not use it beyond such purposes.

(3) The personal information controller shall ensure personal information is accurate, complete, and up to date to the extent necessary in relation to the purposes for which the personal information is processed.

(4) The personal information controller shall manage personal information safely according to the processing methods, types, etc. of personal information, taking into account the possibility of infringement on the data subject rights and the severity of the relevant risks.

(5) The personal information controller shall make public its privacy policy and other matters related to personal information processing; and shall guarantee the data subject rights, such as the right to access their personal information.

(6) The personal information controller shall process personal information in a manner to minimize the possibility to infringe on the privacy of a data subject.

(7) The personal information controller shall endeavor to process personal information in anonymity, if possible.

(8) The personal information controller shall endeavor to obtain trust of data subjects by observing and performing such duties and responsibilities as provided for in this Act and other related statutes.

Article 4 (Rights of Data Subjects)

A data subject has the following rights in relation to the processing of his/her own personal information:

1. The right to be informed of the processing of such personal information;

2. The right to consent or not, and to elect the scope of consent, to the processing of such personal information;

3. The right to confirm the processing of such personal information, and to request access (including the provision of copies; hereinafter the same applies) to such personal information;

4. The right to suspend the processing of, and to request a correction, erasure, and destruction of such personal information;

5. The right to appropriate redress for any damage arising out of the processing of such personal information in a prompt and fair procedure.

Article 5 (Obligations of State, etc.)

(1) The State and a local government shall formulate policies to prevent harmful consequences of beyond-purpose collection, abuse and misuse of personal information, indiscreet surveillance and pursuit, etc. and to enhance the dignity of human beings and individual privacy.

(2) The State and a local government shall establish policy measures, such as improving statutes, necessary to protect the data subject rights as provided for in Article 4.

(3) The State and a local government shall respect, promote, and support self-regulating data protection activities of personal information controllers to improve irrational social practices relating to the processing of personal information.

(4) The State and a local government shall enact or amend any statutes or municipal ordinances in conformity with the purpose of this Act.

Article 6 (Relationship to other Acts)

The protection of personal information shall be governed by this Act, except as otherwise specifically provided for in other Acts.  (Amended by Act nº 12504, Mar. 24, 2014)

CHAPTER II.- ESTABLISHMENT OF PERSONAL INFORMATION PROTECTION POLICIES, ETC.

Article 7 (Personal Information Protection Commission)

(1) The Personal Information Protection Commission (hereinafter referred to as the “Protection Commission”) shall be established under the Presidential Office to deliberate and resolve on matters relating to the protection of personal information. The Protection Commission shall independently conduct functions belonging to its authority.

(2) The Protection Commission shall be comprised of not more than 15 Commissioners, including one Chairperson and one Standing Commissioner, who shall be a public official in political service.

(3) The Chairperson shall be commissioned by the President from among non-public official Commissioners.

(4) The Commissioners shall be appointed or commissioned by the President from among the following persons. In this case, five Commissioners shall be appointed or commissioned from among the candidates elected by the National Assembly, and other five Commissioners from among the candidates designated by the Chief Justice of the Supreme Court:

1. Persons recommended by the civil society organizations or consumer groups related to the protection of personal information;

2. Persons recommended by the trade associations comprised of personal information controllers;

3. Other persons who have abundant academic knowledge and experience related to personal information.

(5) The term of office for the Chairperson and Commissioners shall be three years, renewable for only one further term.

(6) Meetings of the Protection Commission shall be convened by the Chairperson when the Chairperson deems it necessary or not less than 1/4 of the Commissioners demand it.

(7) The resolution of a meeting of the Protection Commission shall be made by the affirmative votes of a majority of present Commissioners if not less than 1/2 of the Commissioners are present at the meeting.

(8) A secretariat shall be established within the Protection Commission to support the administration of the Protection Commission.

(9) Except as otherwise expressly provided for in paragraphs (1) through (8), matters necessary for the organizational structure and operation of the Protection Commission shall be prescribed by Presidential Decree.

Article 8 (Functions, etc. of Protection Commission)

(1) The Protection Commission shall deliberate and resolve on the following matters:  (Amended by Act nº 13423, Jul. 24, 2015)

1. Matters concerning the assessment of data breach incident factors under Article 8-2;

1-2. Matters concerning the establishment of the Master Plan referred to in Article 9 and the Implementation Plans referred to in Article 10;

2. Matters concerning the improvement of policies, systems, and statutes;

3. Matters concerning the coordination of positions taken by public institutions with respect to the processing of personal information;

4. Matters concerning the interpretation and operation of statutes related to the protection of personal information;

5. Matters concerning the use and provision of personal information under Article 18 (2) 5;

6. Matters concerning the results of the privacy impact assessment under Article 33 (3);

7. Matters concerning the presentation of opinions under Article 61 (1);

8. Matters concerning recommendation on measures under Article 64 (4);

9. Matters concerning the publication of processing results under Article 66;

10. Matters concerning the preparation and submission of annual reports under Article 67 (1);

11. Matters referred to a meeting by the President, the Chairperson of the Commission, or at least two Commissioners of the Protection Commission with respect to the protection of personal information;

12. Other matters on which the Protection Commission deliberates or resolves pursuant to this Act or other statutes.

(2) The Protection Commission may take the following measures if necessary to deliberate and resolve on the matters provided for in paragraph (1): (Amended by Act nº 13423, Jul. 24, 2015)

1. Listening to the opinions of relevant public officials, specialists in data protection, civic organizations and related business operators;

2. Request of relevant materials from the relevant agencies or inquiry of facts.

(3) The relevant agencies in receipt of a request made under paragraph (2) 2, shall comply with the request, except in extenuating circumstances.  (Inserted by Act nº 13423, Jul. 24, 2015)

(4) Upon deliberating and resolving on the matters provided for in paragraph (1) 2, the Protection Commission may advise the improvement of such matters to the relevant agency.  (Inserted by Act nº 13423, Jul. 24, 2015)

(5) The Protection Commission may inspect whether its advice given under paragraph (4) has been implemented or not.  (Inserted by Act nº 13423, Jul. 24, 2015)

Article 8-2 (Assessment of Data Breach Incident Factors)

(1) The head of a central administrative agency shall request the Protection Commission to assess data breach incident factors where the policy or system in need of personal information processing is adopted or changed by the enactment or amendment of any statute under his/her jurisdiction.

(2) Upon receipt of a request made pursuant to paragraph (1), the Protection Commission may advise the head of the relevant agency of the matters necessary to improve the relevant statute by analyzing and reviewing the data breach incident factors of such statute.

(3) Necessary matters concerning the procedure and method to assess the data breach incident factors under paragraph (1) shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 13423, Jul. 24, 2015)

Article 9 (Master Plan)

(1) The Protection Commission shall establish a Master Plan to protect personal information (hereinafter referred to as a “Master Plan”) every three years in consultation with the heads of relevant central administrative agencies to ensure the protection of personal information and the rights and interests of data subjects.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015)

(2) The Master Plan shall include the following:

1. Basic goals and intended directions of the protection of personal information;

2. Improvement of systems and statutes related to the protection of personal information;

3. Measures to prevent personal information breaches;

4. How to vitalize self-regulation to protect personal information;

5. How to promote education and public relations to protect personal information;

6. Training of specialists in the protection of personal information;

7. Other matters necessary to protect personal information.

(3) The National Assembly, the Court, the Constitutional Court, and the National Election Commission may establish and implement its own Master Plan to protect personal information of relevant institutions, including affiliated entities.

Article 10 (Implementation Plan)

(1) The head of a central administrative agency shall establish an implementation plan to protect personal information each year in accordance with the Master Plan and submit it to the Protection Commission, and shall execute the implementation plan subject to the deliberation and resolution of the Protection Commission.

(2) Matters necessary for the establishment and execution of the implementation plan shall be prescribed by Presidential Decree.

Article 11 (Request for Materials, etc.)

(1) To efficiently establish the Master Plan, the Protection Commission may request materials or opinions regarding the status of regulatory compliance, personal information management, etc. by personal information controllers from personal information controllers, the heads of related central administrative agencies, the heads of local governments and related organizations or associations, etc. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015)

(2) The Minister of the Interior and Safety may survey the level and status of personal information protection toward personal information controllers, the heads of related central administrative agencies, the heads of local governments and related organizations or associations, etc., if necessary to promote personal information protection policies, to assess outcomes of such policies, etc. (Inserted by Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

(3) To efficiently establish and promote implementation plans, the head of a central administrative agency may request the materials referred to in paragraph (1) in the fields under his/her jurisdiction from personal information controllers. (Amended by Act nº 13423, Jul. 24, 2015)

(4) Any person in receipt of a request to furnish the materials under paragraphs (1) through (3) shall comply with the request except in extenuating circumstances.  (Amended by Act nº 13423, Jul. 24, 2015)

(5) The scope and method to furnish the materials under paragraphs (1) through (3) and other necessary matters shall be prescribed by Presidential Decree.  (Amended by Act nº 13423, Jul. 24, 2015)

Article 12 (Personal Information Protection Guidelines)

(1) The Minister of the Interior and Safety may establish the Standard Personal Information Protection Guidelines (hereinafter referred to as the “Standard Guidelines”) regarding the personal information processing standard; types of personal information breaches; preventive measures, etc.; and may encourage personal information controllers to comply with the Standard Guidelines.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The head of a central administrative agency may establish the personal information protection guidelines regarding the personal information processing in the fields under his/her jurisdiction in accordance with the Standard Guidelines; and may encourage personal information controllers to comply with such guidelines.

(3) The National Assembly, the Court, the Constitutional Court, and the National Election Commission may establish and implement its own or its affiliated entities’ personal information protection guidelines.

Article 13 (Promotion and Support of Self-Regulation)

The Minister of the Interior and Safety shall establish policies necessary for the following matters to promote and support self-regulating data protection activities of personal information controllers: (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. Education and public relations concerning protecting personal information;

2. Promoting and supporting agencies and organizations related to the protection of personal information;

3. Introducing and facilitating ePRIVACY Mark system;

4. Assisting personal information controllers in establishing and implementing self-regulatory rules;

5. Other matters necessary to support the self-regulating data protection activities of personal information controllers.

Article 14 (International Cooperation)

(1) The Government shall establish policy measures necessary to enhance the personal information protection standard in the international environment.

(2) The Government shall establish relevant policy measures so that the rights of data subjects may not be infringed on owing to the cross-border transfer of personal information.

CHAPTER III.- PROCESSING OF PERSONAL INFORMATION

SECTION 1.- Collection, Use, Provision, etc. of Personal Information

Article 15 (Collection and Use of Personal Information)

(1) A personal information controller may collect personal information in any of the following circumstances, and use it within the scope of the purpose of collection:

1. Where the consent is obtained from a data subject;

2. Where special provisions exist in laws or it is inevitable to observe legal obligations;

3. Where it is inevitable so that a public institution may perform the duties under its jurisdiction as prescribed by statutes, etc.;

4. Where it is inevitably necessary to execute and perform a contract with a data subject;

5. Where it is deemed necessary explicitly for the protection, from impending danger, of life, body or economic profits of a data subject or a third party in case that the data subject or his/her legal representative is not in a position to express intention, or prior consent cannot be obtained owing to unknown addresses;

6. Where it is necessary to attain the justifiable interest of a personal information controller, which is explicitly superior to that of a data subject. In this case, it is allowed only when substantial relation exists with the justifiable interest of the personal information controller and it does not go beyond the reasonable scope.

(2) A personal information controller shall inform a data subject of the following matters when it obtains the consent under paragraph (1) 1. The same shall apply when any of the following is modified.

1. The purpose of the collection and use of personal information;

2. Particulars of personal information to be collected;

3. The period for retaining and using personal information;

4. The fact that the data subject is entitled to deny consent, and disadvantage affected resultantly from the denial of consent.

Article 16 (Limitation to Collection of Personal Information)

(1) A personal information controller shall collect the minimum personal information necessary to attain the purpose in the case applicable to Article 15 (1). In this case, the burden of proof that the minimum personal information is collected shall be borne by the personal information controller.

(2) A personal information controller shall collect personal information by informing a data subject of the fact concretely that he/she may deny the consent to the collection of other personal information than the minimum information necessary in case of collecting the personal information by the consent of the data subject.  (Inserted by Act nº 11990, Aug. 6, 2013)

(3) A personal information controller shall not deny the provision of goods or services to a data subject on ground that the data subject would not consent to the collection of personal information exceeding minimum requirement.  (Amended by Act nº 11990, Aug. 6, 2013)

Article 17 (Provision of Personal Information)

(1) A personal information controller may provide (or share; hereinafter the same shall apply) the personal information of a data subject to a third party in any of the following circumstances:

1. Where the consent is obtained from the data subject;

2. Where the personal information is provided within the scope of purposes for which it is collected pursuant to Article 15 (1) 2, 3, and 5.

(2) A personal information controller shall inform a data subject of the following matters when it obtains the consent under paragraph (1) 1. The same shall apply when any of the following is modified:

1. The recipient of personal information;

2. The purpose for which the recipient of personal information uses such information;

3. Particulars of personal information to be provided;

4. The period for which the recipient retains and uses personal information;

5. The fact that the data subject is entitled to deny consent, and disadvantage affected resultantly from the denial of consent.

(3) A personal information controller shall inform a data subject of the matters provided for in paragraph (2), and obtain the consent from the data subject in order to provide personal information to a third party overseas; and shall not enter into a contract for the cross-border transfer of personal information in violation of this Act.

Article 18 (Limitation to Out-of-Purpose Use and Provision of Personal Information)

(1) A personal information controller shall not use personal information beyond the scope provided for in Article 15 (1), or provide it to any third party beyond the scope provided for in Article 17 (1) and (3).

(2) Notwithstanding paragraph (1), where any of the following subparagraphs applies, a personal information controller may use personal information or provide it to a third party for other purpose than the intended one, unless it is likely to unfairly infringe on the interest of a data subject or third party: Provided, That subparagraphs 5 through 9 are applicable only to public institutions:

1. Where additional consent is obtained from the data subject;

2. Where special provisions exist in other laws;

3. Where it is deemed necessary explicitly for protecting, from impending danger, life, body or economic profits of the data subject or third party where the data subject or his/her legal representative is not in a position to express his/her intention, or prior consent cannot be obtained owing to unknown addresses;

4. Where personal information is provided in a manner keeping a specific individual unidentifiable necessarily for such purposes as compiling statistics or academic research;

5. Where it is impossible to perform the duties under its jurisdiction as provided for in any Act, unless the personal information controller uses personal information for other purpose than the intended one, or provides it to a third party, and it is subject to the deliberation and resolution by the Commission;

6. Where it is necessary for providing personal information to a foreign government or international organization to perform a treaty or other international convention;

7. Where it is necessary for the investigation of a crime, indictment and prosecution;

8. Where it is necessary for the court to proceed with the case;

9. Where it is necessary for punishment, probation and custody.

(3) A personal information controller shall inform the data subject of the following matters when it obtains the consent under paragraph (2) 1. The same shall apply when any of the following is modified.

1. The recipient of personal information;

2. The purpose of use of personal information (where personal information is provided, it means the purpose of use by the recipient);

3. Particulars of personal information to be used or provided;

4. The period for retaining and using personal information (where personal information is provided, it means the period for retention and use by the recipient);

5. The fact that the data subject is entitled to deny consent, and disadvantage affected resultantly from the denial of consent.

(4) Where a public institution uses personal information, or provides it to a third party under paragraph (2) 2 through 6, 8, and 9 for other purpose than the intended one, the public institution shall post the legal grounds for such use or provision, purpose and scope, and other necessary matters on the Official Gazette or its website, as prescribed by Ordinance of the Ministry of the Interior and Safety.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(5) Where a personal information controller provides personal information to a third party for other purpose than the intended one in any case provided for in paragraph (2), the personal information controller shall request the recipient of the personal information to limit the purpose and method of use and other necessary matters, or to prepare necessary safeguards to ensure the safety of the personal information. In such cases, the person in receipt of such request shall take necessary measures to ensure the safety of the personal information.

Article 19 (Limitation to Use and Provision of Personal Information on Part of Its Recipients)

A person who receives personal information from a personal information controller shall not use the personal information, or provide it to a third party, for any purpose other than the intended one, except in the following circumstances:

1. Where additional consent is obtained from the data subject;

2. Where special provisions exist in other laws.

Article 20 (Notification on Sources, etc. of Personal Information Collected from Third Parties)

(1) When a personal information controller processes personal information collected from third parties, the personal information controller shall immediately notify the data subject of the following matters at the request of such data subject:

1. The source of collected personal information;

2. The purpose of processing personal information;

3. The fact that the data subject is entitled to demand suspension of processing personal information.

(2) Notwithstanding paragraph (1), when a personal information controller satisfying the criteria prescribed by Presidential Decree taking into account the types and amount of processed personal information, number of employees, amount of sales, etc., collects personal information from third parties and processes upon obtaining consent as provided for in Article 17 (1) 1, the personal information controller shall notify the data subject of the matters referred to in paragraph (1): Provided, That this shall not apply where the information collected by the personal information controller does not contain any personal information, such as contact information, through which the notification can be given to the data subject.  (Inserted by Act nº 14107, Mar. 29, 2016)

(3) Necessary matters in relation to the timing, method, and procedure of giving notification to the data subject pursuant to the main sentence of paragraph (2), shall be prescribed by Presidential Decree.  (Inserted by Act nº 14107, Mar. 29, 2016)

(4) Paragraph (1) and the main sentence of paragraph (2) shall not apply to any of the following circumstances: Provided, That it is explicitly superior to the rights of data subjects under this Act: (Amended by Act nº 14107, Mar. 29, 2016)

1. Where personal information, which is subject to a notification request, is included in the personal information files referred to in Article 32 (2);

2. Where such notification is likely to cause harm to the life or body of any other person, or unfairly damages the property and other profits of any other person.

Article 21 (Destruction of Personal Information)

(1) A personal information controller shall destroy personal information without delay when the personal information becomes unnecessary owing to the expiry of the retention period, attainment of the purpose of processing the personal information, etc.: Provided, That this shall not apply where the retention of such personal information is mandatory by other statutes.

(2) When a personal information controller destroys personal information pursuant to paragraph (1), necessary measures to block recovery and revival shall be taken.

(3) Where a personal information controller is obliged to retain, rather than destroy, personal information pursuant to the proviso to paragraph (1), the relevant personal information or personal information files shall be stored and managed separately from other personal information.

(4) Other necessary matters, such as the methods to destroy personal information and its destruction process, shall be prescribed by Presidential Decree.

Article 22 (Methods of Obtaining Consent)

(1) To obtain the consent of a data subject (including his/her legal representative as stated in paragraph (6): hereafter in this Article the same applies) to the processing of his/her personal information pursuant to this Act, a personal information controller shall present the request for consent to the data subject in an explicitly recognizable manner which distinguishes matters requiring consent from the other matters, and obtain his/her consent thereto, respectively.  (Amended by Act nº 14765, Apr. 18, 2017)

(2) To obtain the consent referred to in paragraph (1) in writing (including an electronic document defined in subparagraph 1 of Article 2 of the Framework Act on Electronic Documents and Transactions), a personal information controller shall state the significant matters prescribed by Presidential Decree, such as the purpose of collecting and using personal information and particulars of the personal information that he/she intends to collect and use, as prescribed by Ordinance of the Ministry of the Interior and Safety in an explicit and easily recognizable manner.  (Inserted by Act nº 14765, Apr. 18, 2017; Act nº 14839, Jul. 26, 2017)

(3) To obtain the consent of a data subject to the processing of his/her personal information pursuant to Articles 15 (1) 1, 17 (1) 1, 23 (1) 1, and 24 (1) 1, a personal information controller shall distinguish personal information that requires the data subject’s consent to processing, from the personal information that requires no consent in executing a contract with the data subject. In such cases, the burden of proof that no consent is required in processing the personal information shall be borne by the personal information controller.  (Amended by Act nº 14107, Mar. 29, 2016; Act nº 14765, Apr. 18, 2017)

(4) To obtain the consent of a data subject to the processing of his/her personal information in order to promote goods or services or solicit purchase thereof, a personal information controller shall notify the data subject of the fact in an explicitly recognizable manner, and obtain his/her consent thereto.  (Amended by Act nº 14765, Apr. 18, 2017)

(5) A personal information controller shall not deny the provision of goods or services to a data subject on the ground that the data subject would not consent to the matter eligible for selective consent pursuant to paragraph (3), or would not consent pursuant to paragraph (4) and Article 18 (2) 1.  (Amended by Act nº 14765, Apr. 18, 2017)

(6) When it is required to obtain consent pursuant to this Act to process personal information of a child under 14 years of age, a personal information controller shall obtain the consent of his/her legal representative. In such cases, minimum personal information necessary to obtain the consent of the legal representative may be collected directly from such child without the consent of his/her legal representative.  (Amended by Act nº 14765, Apr. 18, 2017)

(7) Except as otherwise expressly provided for in paragraphs (1) through (6), other matters necessary in relation to detailed methods to obtain the consent of data subjects and the minimum information referred to in paragraph (6) shall be prescribed by Presidential Decree, in consideration of the collection media of personal information.  (Amended by Act nº 14765, Apr. 18, 2017)

SECTION 2 Limitation to Processing of Personal Information

Article 23 (Limitation to Processing of Sensitive Information)

(1) A personal information controller shall not process any information prescribed by Presidential Decree (hereinafter referred to as “sensitive information”), including ideology, belief, admission to or withdrawal from a trade union or political party, political opinions, health, sexual life, and other personal information that is likely to threaten the privacy of any data subject noticeably: Provided, That this shall not apply in any of the following circumstances:  (Amended by Act nº 14107, Mar. 29, 2016)

1. Where the personal information controller informs the data subject of the matters provided for in Article 15 (2) or 17 (2), and obtains the consent of the data subject apart from the consent to the processing of other personal information;

2. Where other statutes require or permit the processing of sensitive information.

(2) Where a personal information controller processes sensitive information pursuant to paragraph (1), the personal information controller shall take measures necessary to ensure safety pursuant to Article 29 so that the sensitive information may not be lost, stolen, divulged, forged, altered, or damaged.  (Inserted by Act nº 14107, Mar. 29, 2016)

Article 24 (Limitation to Processing of Personally Identifiable Information)

(1) A personal information controller shall not process any information prescribed by Presidential Decree that can be used to identify an individual in accordance with statutes (hereinafter referred to as “personally identifiable information”), except in any of the following cases:

1. Where the personal information controller informs a data subject of the matters provided for in Article 15 (2) or 17 (2), and obtains the consent of the data subject apart from the consent to the processing of other personal information;

2. Where other statutes require or permit the processing of personally identifiable information in a concrete manner.

(2) Deleted.  (Act nº 11990, Aug. 6, 2013)

(3) Where a personal information controller processes personally identifiable information pursuant to paragraph (1), the personal information controller shall take measures necessary to ensure safety, including encryption, as prescribed by Presidential Decree, so that the personally identifiable information may not be lost, stolen, divulged, forged, altered, or damaged.  (Amended by Act nº 13423, Jul. 24, 2015)

(4) The Minister of the Interior and Safety shall regularly inspect whether a personal information controller meeting the criteria prescribed by Presidential Decree based on the types and amount of processed personal information, number of employees, amount of sales, etc., has taken the measures necessary to ensure safety pursuant to paragraph (3), as prescribed by Presidential Decree.  (Inserted by Act nº 14107, Mar. 29, 2016; Act nº 14839, Jul. 26, 2017)

(5) The Minister of the Interior and Safety may authorize specialized institutions prescribed by Presidential Decree to conduct the inspection referred to in paragraph (4).  (Inserted by Act nº 14107, Mar. 29, 2016; Act nº 14839, Jul. 26, 2017)

Article 24-2 (Limitation to Processing of Resident Registration Numbers)

(1) Notwithstanding Article 24 (1), a personal information controller shall not process any resident registration number, except in any of the following cases: (Amended by Act nº 14107, Mar. 29, 2016; Act nº 14839, Jul. 26, 2017)

1. Where any Act, Presidential Decree, National Assembly Regulations, Supreme Court Regulations, Constitutional Court Regulations, National Election Commission Regulations, or Board of Audit and Inspection Regulations require or permit the processing of resident registration numbers in a concrete manner;

2. Where it is deemed explicitly necessary for protecting, from impending danger, life, body and property of a data subject or a third party;

3. Where it is inevitable to process resident registration numbers in line with subparagraphs 1 and 2 in circumstances prescribed by Ordinance of the Ministry of the Interior and Safety.

(2) Notwithstanding Article 24 (3), a personal information controller shall retain resident registration numbers in safety by means of encryption so that the resident registration numbers may not be lost, stolen, divulged, forged, altered, or damaged. In such cases, any necessary matters in relation to the scope of encryption objects, encryption timing by object, etc. shall be prescribed by Presidential Decree, based on the amount of personal information processed, data breach impact, etc.  (Inserted by Act nº 12504, Mar. 24, 2014; Act nº 13423, Jul. 24, 2015)

(3) A personal information controller shall provide data subjects with an alternative sign-up tool without using their resident registration numbers in the stage of being admitted to membership via the website while processing the resident registration numbers pursuant to paragraph (1).

(4) The Minister of the Interior and Safety may prepare and support measures, such as legislative arrangements, policy-making, necessary facilities, and system build-up to assist a personal information controller in providing the methods referred to in paragraph (3).  (Amended by Act nº 12504, Mar. 24, 2014; Act nº 14839, Jul. 26, 2017)

(Article Inserted by Act nº 11990, Aug. 6, 2013)

Article 25 (Limitation to Installation and Operation of Visual Data Processing Devices)

(1) No one shall install and operate any visual data processing device at open places, except in any of the following circumstances:

1. Where statutes allow it in a concrete manner;

2. Where it is necessary for the prevention and investigation of crimes;

3. Where it is necessary for the safety of facilities and prevention of fire;

4. Where it is necessary for regulatory control of traffic;

5. Where it is necessary for the collection, analysis, and provision of traffic information.

(2) No one shall install and operate any visual data processing device so as to look into the places which are likely to threaten individual privacy noticeably, such as a bathroom, restroom, sauna, and dressing room used by many unspecified persons: Provided, That the same shall not apply to the facilities prescribed by Presidential Decree, which detain or protect persons in accordance with statutes, such as correctional facilities and mental health care centers.

(3) The head of a public institution who intends to install and operate visual data processing devices pursuant to paragraph (1) and a person who intends to install and operate visual data processing devices pursuant to the proviso to paragraph (2) shall gather opinions of relevant specialists and interested persons through the formalities prescribed by Presidential Decree such as public hearings and information sessions.

(4) A person who intends to install and operate visual data processing devices pursuant to paragraph (1) (hereinafter referred to as “VDPD operator”) shall take necessary measures including posting on a signboard the following matters, so that data subjects may recognize such devices with ease: Provided, That this shall not apply to military installations defined in subparagraph 2 of Article 2 of the Protection of Military Bases and Installations Act, important national facilities defined in subparagraph 13 of Article 2 of the United Defense Act, and other facilities prescribed by Presidential Decree:  (Amended by Act nº 14107, Mar. 29, 2016)

1. The purpose and place of installation;

2. The scope and hours of photographing;

3. The name and contact information of the person in charge of its management;

4. Other matters prescribed by Presidential Decree.

(5) A VDPD operator shall not handle arbitrarily the visual data processing devices for other purposes than the initial one; direct the said devices toward different spots; nor use sound recording functions.

(6) Every VDPD operator shall take measures necessary to ensure safety pursuant to Article 29 so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged.  (Amended by Act nº 13423, Jul. 24, 2015)

(7) Every VDPD operator shall establish the appropriate policy to operate and manage the visual data processing devices, as prescribed by Presidential Decree. In this case, he/she may be discharged to make the Privacy Policy pursuant to Article 30.

(8) A VDPD operator may outsource the installation and operation of visual data processing devices to a third party: Provided, That the public institutions shall comply with the procedures and requirements prescribed by Presidential Decree when outsourcing the installation and operation of visual data processing devices to a third party.

Article 26 (Limitation to Personal Information Processing Subsequent to Outsourcing of Work)

(1) A personal information controller shall undergo paper-based formalities stating the following when outsourcing personal information processing to a third party:

1. Prevention of personal information processing for other purposes than the outsourced purpose;

2. Technical and managerial safeguards of personal information;

3. Other matters prescribed by Presidential Decree to manage personal information safely.

(2) A personal information controller that outsources personal information processing pursuant to paragraph (1) (hereinafter referred to as “outsourcer”) shall disclose the details of the outsourced work and the entity that processes personal information (hereinafter referred to as “outsourcee”) under an outsourcing contract in the manner prescribed by Presidential Decree so that data subjects may recognize it with ease at any time.

(3) The outsourcer shall, in case of outsourcing the promotion of goods or services, or soliciting of sales thereof, notify data subjects of the outsourced work and the outsourcee in the manners prescribed by Presidential Decree. The same shall apply where the outsourced work or the outsourcee has been changed.

(4) The outsourcer shall educate the outsourcee so that personal information of data subjects may not be lost, stolen, leaked, forged, altered, or damaged owing to the outsourcing of work, and supervise how the outsourcee processes such personal information safely by inspecting the status of processing, etc., as prescribed by Presidential Decree.  (Amended by Act nº 13423, Jul. 24, 2015)

(5) An outsourcee shall not use any personal information beyond the scope of the work outsourced by the personal information controller, nor provide personal information to a third party.

(6) With respect to the compensation of damage arising out of the processing of personal information outsourced to an outsourcee in violation of this Act, the outsourcee shall be deemed an employee of the personal information controller.

(7) Articles 15 through 25, 27 through 31, 33 through 38, and 59 shall apply mutatis mutandis to outsourcees.

Article 27 (Limitation to Transfer of Personal Information following Business Transfer, etc.)

(1) A personal information controller shall notify in advance the data subjects of the following matters in the manner prescribed by Presidential Decree in the case of transfer of personal information to a third party owing to the transfer of some or all of his/her business, a merger, etc.:

1. The fact that the personal information will be transferred;

2. The name (referring to the company name in case of a legal person), address, telephone number and other contact information of the recipient of the personal information (hereinafter referred to as “business transferee”);

3. The method and procedure to withdraw the consent if the data subject would not want the transfer of his/her personal information.

(2) Upon receiving personal information, the business transferee shall, without delay, notify data subjects of the fact in the manner prescribed by Presidential Decree: Provided, That this shall not apply where the personal information controller has already notified the data subjects of the fact of such transfer pursuant to paragraph (1).

(3) Upon receiving personal information owing to business transfer, a merger, etc., the business transferee may use, or provide a third party with, the personal information only for the initial purpose prior to transfer. In this case, the business transferee shall be deemed the personal information controller.

Article 28 (Supervision of Personal Information Handlers)

(1) While processing personal information, a personal information controller shall conduct appropriate control and supervision against the persons who process the personal information under his/her command and supervision, such as an officer or employee, temporary agency worker and part-time worker (hereinafter referred to as “personal information handler”) to ensure the safe management of the personal information.

(2) A personal information controller shall provide personal information handlers with necessary educational programs on a regular basis in order to ensure the appropriate handling of personal information.

CHAPTER IV.- SAFEGUARD OF PERSONAL INFORMATION

Article 29 (Duty of Safeguards)

Every personal information controller shall take such technical, managerial, and physical measures as establishing an internal management plan and preserving log-on records, etc. that are necessary to ensure safety as prescribed by Presidential Decree so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged.  (Amended by Act nº 13423, Jul. 24, 2015)

Article 30 (Establishment and Disclosure of Privacy Policy)

(1) Every personal information controller shall establish the personal information processing policy including the following matters (hereinafter referred to as “Privacy Policy”). In such cases, public institutions shall establish the Privacy Policy for the personal information files to be registered pursuant to Article 32: (Amended by Act nº 14107, Mar. 29, 2016)

1. The purposes for which personal information is processed;

2. The period for processing and retaining personal information;

3. Providing personal information to a third party (if applicable);

4. Outsourcing personal information processing (if applicable);

5. The rights and obligations of data subjects and legal representatives, and how to exercise the rights;

6. Contact information, such as the name of the privacy officer designated under Article 31 or the name, telephone number, etc. of the department which performs the duties related to personal information protection and handles related grievances;

7. Installing and operating an automatic collection tool of personal information, including Internet access data files, and the denial thereof (if applicable);

8. Other matters prescribed by Presidential Decree regarding the processing of personal information.

(2) Upon establishing or modifying the Privacy Policy, every personal information controller shall disclose the Privacy Policy in the way prescribed by Presidential Decree so that data subjects may recognize it with ease.

(3) Where there exist discrepancies between the Privacy Policy and the agreement executed by and between the personal information controller and data subjects, what is beneficial to the data subjects prevails.

(4) The Minister of the Interior and Safety may formulate the Privacy Policy Guidelines and encourage personal information controllers to comply with such Guidelines.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 31 (Designation of Privacy Officers)

(1) A personal information controller shall designate a privacy officer who comprehensively takes charge of personal information processing.

(2) Every privacy officer shall perform the following functions:

1. To establish and implement a personal information protection plan;

2. To conduct a regular survey of the status and practices of personal information processing, and to improve shortcomings;

3. To treat grievances and remedial compensation in relation to personal information processing;

4. To build the internal control system to prevent the divulgence, abuse, and misuse of personal information;

5. To prepare and implement an education program about personal information protection;

6. To protect, control, and manage the personal information files;

7. Other functions prescribed by Presidential Decree for the appropriate processing of personal information.

(3) In performing the functions provided for in paragraph (2), every privacy officer may inspect the status of personal information processing and systems frequently, if necessary, and may request a report thereon from the relevant parties.

(4) Where a privacy officer becomes aware of any violation of this Act or other relevant statutes in relation to the protection of personal information, the privacy officer shall take corrective measures immediately, and shall report such corrective measures to the head of the institution or organization to which he/she belongs, if necessary.

(5) A personal information controller shall not have the privacy officer give or take disadvantage without any justifiable ground while performing the functions provided for in paragraph (2).

(6) The requirements for designation as privacy officers, functions, qualifications, and other necessary matters, shall be prescribed by Presidential Decree.

Article 32 (Registration and Disclosure of Personal Information Files)

(1) When operating personal information files, the head of a public institution shall register the following matters with the Minister of the Interior and Safety. The same shall also apply where the registered matters are modified.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. The titles of the personal information files;

2. The grounds and purposes for operating the personal information files;

3. Particulars of personal information recorded in the personal information files;

4. The method of processing personal information;

5. The period for retaining personal information;

6. The recipient of personal information, if it is provided routinely or repetitively;

7. Other matters prescribed by Presidential Decree.

(2) Paragraph (1) shall not apply to any of the following personal information files:

1. Personal information files that record the national security, diplomatic secrets, and other matters relating to grave national interests;

2. Personal information files that record the investigation of crimes, indictment and prosecution, punishment, and probation and custody, corrective orders, protective orders, security observation orders, and immigration;

3. Personal information files that record the investigations of violations of the Punishment of Tax Offenses Act and the Customs Act;

4. Personal information files exclusively used for internal job performance of public institutions;

5. Classified personal information files pursuant to other statutes.

(3) If necessary, the Minister of the Interior and Safety may review the registration and content of the personal information files referred to in paragraph (1), and advise the head of the relevant public institution to make improvements.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) The Minister of the Interior and Safety shall make public the status of personal information files registered under paragraph (1) so that anyone may access them with ease.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(5) Necessary matters regarding the registration referred to in paragraph (1), the method, scope, and procedure of public disclosure referred to in paragraph (4), shall be prescribed by Presidential Decree.

(6) The registration and public disclosure of the personal information files retained by the National Assembly, the Court, the Constitutional Court and the National Election Commission (including their affiliated entities) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, and the National Election Commission Regulations.

Article 32-2 (Certification of Personal Information Protection)

(1) The Minister of the Interior and Safety may certify whether the data processing and other data protection-related activities of a personal information controller abide by this Act, etc.  (Amended by Act nº 14839, Jul. 26, 2017)

(2) The certification provided for in paragraph (1) shall be effective for three years.

(3) In any of the following cases, the Minister of the Interior and Safety may revoke the certification granted under paragraph (1), as prescribed by Presidential Decree: Provided, That it shall be revoked in cases falling under subparagraph 1: (Amended by Act nº 14839, Jul. 26, 2017)

1. Where personal information protection has been certified by fraud or other unjust means;

2. Where follow-up management provided for in paragraph (4) has been denied or obstructed;

3. Where the certification criteria provided for in paragraph (8) have not been satisfied;

4. Where personal information protection-related statutes are breached seriously.

(4) The Minister of the Interior and Safety shall conduct follow-up management at least once annually to maintain the effectiveness of the certification of personal information protection.  (Amended by Act nº 14839, Jul. 26, 2017)

(5) The Minister of the Interior and Safety may authorize the specialized institutions prescribed by Presidential Decree to perform the duties related to certification under paragraph (1), revocation of certification under paragraph (3), follow-up management under paragraph (4), and management of certification examiners under paragraph (7).  (Amended by Act nº 14839, Jul. 26, 2017)

(6) Any person who has obtained certification pursuant to paragraph (1) may indicate or publicize the certification, as prescribed by Presidential Decree.

(7) Qualifications of certification examiners who conduct the certification examination pursuant to paragraph (1), grounds for disqualification, and other relevant matters, shall be prescribed by Presidential Decree based on specialty, career, and other necessary matters.

(8) Other matters necessary for the certification criteria, method, procedure, etc. subject to paragraph (1), including whether the personal information management system, guarantee of data subjects’ rights, and safeguards are consistent with this Act, shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 13423, Jul. 24, 2015)

Article 33 (Privacy Impact Assessment)

(1) In the case of a probable breach of personal information of data subjects arising out of the operation of personal information files meeting the criteria prescribed by Presidential Decree, the head of a public institution shall conduct an assessment to analyze and improve risk factors (hereinafter referred to as “privacy impact assessment”), and submit the result thereof to the Minister of the Interior and Safety. In such cases, the head of the public institution shall request the privacy impact assessment from any of the institutions designated by the Minister of the Interior and Safety (hereinafter referred to as “PIA institution”).  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The privacy impact assessment shall cover the following matters:

1. The number of personal information being processed;

2. Whether the personal information is provided to a third party;

3. The probability to violate the rights of the data subjects and the degree of risks;

4. Other matters prescribed by Presidential Decree.

(3) The Minister of the Interior and Safety may provide his/her opinion subject to the deliberation and resolution by the Protection Commission upon receiving the results of the privacy impact assessment conducted under paragraph (1).  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) The head of the public institution shall register the personal information files in accordance with Article 32 (1), for which the privacy impact assessment has been conducted pursuant to paragraph (1), with the results of the privacy impact assessment attached thereto.

(5) The Minister of the Interior and Safety shall take necessary measures, such as fostering relevant specialists, and developing and disseminating criteria for the privacy impact assessment, to promote the privacy impact assessment.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(6) Necessary matters in relation to the privacy impact assessment, such as the criteria for designation as PIA institutions, revocation of designation, assessment criteria, method and procedure, etc. pursuant to paragraph (1), shall be prescribed by Presidential Decree.

(7) Matters regarding the privacy impact assessment conducted by the National Assembly, the Court, the Constitutional Court and the National Election Commission (including their affiliated entities) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, and the National Election Commission Regulations.

(8) A personal information controller other than public institutions shall proactively endeavor to conduct a privacy impact assessment, if a breach of personal information of data subjects is highly probable in operating the personal information files.

Article 34 (Data Breach Notification, etc.)

(1) A personal information controller shall notify the aggrieved data subjects of the following matters without delay when he/she becomes aware that their personal information has been divulged:

1. Particulars of the personal information divulged;

2. When and how personal information has been divulged;

3. Any information about what the data subjects can do to minimize the risk of damage from divulgence;

4. Countermeasures of the personal information controller and remedial procedure;

5. Help desk and contact points for the data subjects to report damage.

(2) A personal information controller shall prepare countermeasures to minimize the risk of damage where personal information is divulged.

(3) Where a breach of personal information above the scale prescribed by Presidential Decree arises, the personal information controller shall, without delay, report the results of notification given under paragraph (1) and the results of measures taken under paragraph (2) to the Minister of the Interior and Safety and the specialized institution designated by Presidential Decree. In such cases, the Minister of the Interior and Safety and the specialized institution designated by Presidential Decree may provide technical assistance for preventing or recovering further damage, etc.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) Necessary matters in relation to the timing, method and procedure for data breach notification pursuant to paragraph (1), shall be prescribed by Presidential Decree.

Article 34-2 (Imposition, etc. of Penalty Surcharges)

(1) The Minister of the Interior and Safety may impose and collect a penalty surcharge not exceeding 500 million won where a personal information controller has failed to prevent any loss, theft, divulgence, forgery, alteration, or damage of resident registration numbers: Provided, That this shall not apply where the personal information controller has fully taken measures necessary to ensure safety under Article 24 (3) to prevent any loss, theft, divulgence, forgery, alteration, or damage of resident registration numbers.  (Amended by Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

(2) The Minister of the Interior and Safety shall consider the following when imposing the penalty surcharge pursuant to paragraph (1): (Amended by Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

1. Efforts being taken to perform the measures necessary to ensure safety under Article 24 (3);

2. Status of the resident registration numbers which have been lost, stolen, divulged, forged, altered or damaged;

3. Fulfillment of subsequent measures to prevent further damage.

(3) The Minister of the Interior and Safety shall collect a late-payment penalty prescribed by Presidential Decree in an amount not exceeding 6/100 per annum of the unpaid penalty surcharge for the period beginning on the day following the payment deadline and ending on the day immediately preceding the day the penalty surcharge is paid where a person liable to pay the penalty surcharge under paragraph (1) fails to pay it by the payment deadline. In such cases, the late-payment penalty shall be collected for a maximum period of 60 months.  (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) Where a person liable to pay the penalty surcharge under paragraph (1) fails to pay it by the payment deadline, the Minister of the Interior and Safety shall give notice with the period of payment specified in it; and where the penalty surcharge and late-payment penalty are not paid within the specified period, the Minister of the Interior and Safety shall collect such penalty surcharge and late-payment penalty in the same manner as delinquent national taxes are collected.  (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(5) Other matters necessary for imposing and collecting penalty surcharges shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 11990, Aug. 6, 2013)

CHAPTER V.- GUARANTEE OF RIGHTS OF DATA SUBJECTS

Article 35 (Access to Personal Information)

(1) A data subject may request access to his/her own personal information, which is processed by a personal information controller, from the personal information controller.

(2) Notwithstanding paragraph (1), where a data subject intends to request access to his/her own personal information from a public institution, the data subject may request such access directly from the said public institution, or indirectly via the Minister of the Interior and Safety, as prescribed by Presidential Decree.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) Upon receipt of a request for access filed under paragraphs (1) and (2), a personal information controller shall permit the data subject to access his/her own personal information for the period prescribed by Presidential Decree. In such cases, if a personal information controller finds any good cause for not permitting access for such period, the personal information controller may postpone access after notifying the relevant data subject of the said cause. If the said cause ceases to exist, the postponement shall be lifted without delay.

(4) In any of the following cases, a personal information controller may limit or deny access after it notifies a data subject of the cause:

1. Where access is prohibited or limited by Acts;

2. Where access may probably cause damage to the life or body of a third party, or improper violation of property and other benefits of a third party;

3. Where a public institution has grave difficulties in performing any of the following duties:

(a) Imposition, collection or refund of taxes;

(b) Evaluation of academic achievements or admission affairs at the schools of each level established under the Elementary and Secondary Education Act and the Higher Education Act, lifelong educational facilities established under the Lifelong Education Act, and other higher educational institutions established under other Acts;

(c) Testing and qualification examination regarding academic competence, technical capability and employment;

(d) Ongoing evaluation or decision-making in relation to compensation or grant assessment;

(e) Ongoing audit and examination under other Acts.

(5) Necessary matters in relation to the methods and procedures for filing requests for access; for limiting access; for giving notification, etc. pursuant to paragraphs (1) through (4) shall be prescribed by Presidential Decree.

Article 36 (Correction or Erasure of Personal Information)

(1) A data subject who has accessed his/her personal information pursuant to Article 35 may request a correction or erasure of such personal information from the relevant personal information controller: Provided, That the erasure is not permitted where the said personal information shall be collected by other statutes.

(2) Upon receipt of a request by a data subject pursuant to paragraph (1), the personal information controller shall investigate the personal information in question without delay; shall take necessary measures to correct or erase as requested by the data subject unless otherwise specifically provided by other statutes in relation to correction or erasure; and shall notify such data subject of the result.

(3) The personal information controller shall take measures not to recover or revive the personal information in case of erasure pursuant to paragraph (2).

(4) Where the request of a data subject falls under the proviso to paragraph (1), a personal information controller shall notify the data subject of the details thereof without delay.

(5) While investigating the personal information in question pursuant to paragraph (2), the personal information controller may, if necessary, request from the relevant data subject the evidence necessary to confirm a correction or erasure of the personal information.

(6) Necessary matters in relation to the request of correction and erasure, notification method and procedure, etc. pursuant to paragraphs (1), (2) and (4) shall be prescribed by Presidential Decree.

Article 37 (Suspension, etc. of Processing of Personal Information)

(1) A data subject may request the relevant personal information controller to suspend the processing of his/her personal information. In this case, if the personal information controller is a public institution, the data subject may request the suspension of processing of only the personal information contained in the personal information files to be registered pursuant to Article 32.

(2) Upon receipt of the request under paragraph (1), the personal information controller shall, without delay, suspend processing of some or all of the personal information as requested by the data subject: Provided, That, where any of the following is applicable, the personal information controller may deny the request of such data subject:

1. Where special provisions exist in law or it is inevitable to observe legal obligations;

2. Where it may probably cause damage to the life or body of a third party, or improper violation of property and other benefits of a third party;

3. Where the public institution cannot perform its work as prescribed by any Act without processing the personal information in question;

4. Where the data subject fails to express explicitly termination of the contract even though it is impracticable to perform the contract such as provision of service as agreed upon with the said data subject without processing the personal information in question.

(3) When denying the request pursuant to the proviso to paragraph (2), the personal information controller shall notify the data subject of the reason without delay.

(4) The personal information controller shall, without delay, take necessary measures including destruction of the relevant personal information when suspending the processing of personal information as requested by data subjects.

(5) Necessary matters in relation to the methods and procedures to request the suspension of processing, to deny such request, and to give notification, etc. pursuant to paragraphs (1) through (3) shall be prescribed by Presidential Decree.

Article 38 (Methods and Procedures for Exercise of Rights)

(1) A data subject may authorize his/her representative to file requests for access pursuant to Article 35, correction or erasure pursuant to Article 36, and suspension of processing pursuant to Article 37 (hereinafter referred to as “request for access, etc.”) in writing or by the methods and procedure prescribed by Presidential Decree.

(2) The legal representative of a child under 14 years of age may file a request for access, etc. to the personal information of the child with a personal information controller.

(3) A personal information controller may demand a fee and postage (only in case of a request to mail the copies), as prescribed by Presidential Decree, from a person who files a request for access, etc.

(4) A personal information controller shall prepare the detailed method and procedure to enable data subjects to file requests for access, etc., and publicly announce such method and procedure so that the data subjects may become aware of them.

(5) A personal information controller shall prepare, and guide towards, necessary procedure for data subjects to raise objections against its denial to a request for access, etc. from such data subjects.

Article 39 (Responsibility for Compensation)

(1) A data subject who suffers damage by reason of a violation of this Act by a personal information controller is entitled to claim compensation from the personal information controller for that damage. In this case, the said personal information controller may not be released from the responsibility for compensation if it fails to prove non-existence of his/her wrongful intent or negligence.

(2) Deleted.  (by Act nº 13423, Jul. 24, 2015)

(3) Where a data subject suffers damage out of loss, theft, divulgence, forgery, alteration, or damage of his/her own personal information, caused by wrongful intent or negligence of a personal information controller, the Court may determine the damages not exceeding three times such damage: Provided, That the same shall not apply to the personal information controller who has proved non-existence of his/her wrongful intent or negligence.  (Inserted by Act nº 13423, Jul. 24, 2015)

(4) The Court shall take into account the following when determining the damages pursuant to paragraph (3): (Inserted by Act nº 13423, Jul. 24, 2015)

1. The degree of wrongful intent or expectation of damage;

2. The amount of loss caused by the violation;

3. Economic benefits the personal information controller has gained in relation to the violation;

4. A fine and a penalty surcharge to be levied subject to the violation;

5. The duration, frequency, etc. of violations;

6. The property of the personal information controller;

7. The personal information controller’s efforts to retrieve the affected personal information exerted after the loss, theft, or divulgence of personal information;

8. The personal information controller’s efforts to remedy damage suffered by the data subject.

Article 39-2 (Claims for Statutory Compensation)

(1) Notwithstanding Article 39 (1), a data subject, who suffers damage out of loss, theft, divulgence, forgery, alteration, or damage of his/her own personal information, caused by wrongful intent or negligence of a personal information controller, may claim a reasonable amount of damages not exceeding three million won. In this case, the said personal information controller may not be released from the responsibility for compensation if it fails to prove non-existence of his/her wrongful intent or negligence.

(2) In the case of a claim made under paragraph (1), the Court may determine a reasonable amount of damages not exceeding the amount provided for in paragraph (1) taking into account all arguments in the proceedings and the results of examining evidence.

(3) A data subject who has claimed compensation pursuant to Article 39 may change such claim to the claim provided for in paragraph (1) until the closing of fact-finding proceedings.

(Article Inserted by Act nº 13423, Jul. 24, 2015)

CHAPTER VI.- PERSONAL INFORMATION DISPUTE MEDIATION COMMITTEE

Article 40 (Establishment and Composition)

(1) There shall be established a Personal Information Dispute Mediation Committee (hereinafter referred to as the “Dispute Mediation Committee”) to mediate disputes over personal information.

(2) The Dispute Mediation Committee shall be comprised of not more than 20 members, including one chairperson, and the members shall be ex officio and commissioned members.  (Amended by Act nº 13423, Jul. 24, 2015)

(3) The commissioned members shall be commissioned by the Chairperson of the Protection Commission from among the following persons, and public officials of the national agencies prescribed by Presidential Decree shall be ex officio members:  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015)

1. Persons who once served as members of the Senior Executive Service of the central administrative agencies in charge of data protection, or persons who presently work or have worked at equivalent positions in the public sector and related organizations, and have job experience in data protection;

2. Persons who presently serve or have served as associate professors or higher positions in universities or in publicly recognized research institutes;

3. Persons who presently serve or have served as judges, public prosecutors, or attorneys-at-law;

4. Persons recommended by data protection-related civic organizations or consumer groups;

5. Persons who presently work or have worked as senior officers for the trade associations comprised of personal information controllers.

(4) The chairperson shall be commissioned by the Chairperson of the Protection Commission from among Committee members except public officials.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015)

(5) The term of office for the chairperson and commissioned members shall be two years, and their term may be renewable for only one further term. (Amended by Act nº 13423, Jul. 24, 2015)

(6) In order to conduct dispute settlement efficiently, the Dispute Mediation Committee may, if necessary, establish a mediation panel that is comprised of not more than five Committee members in each sector of mediation cases, as prescribed by Presidential Decree. In this case, the resolution of the mediation panel delegated by the Dispute Mediation Committee shall be construed as that of the Dispute Mediation Committee.

(7) The Dispute Mediation Committee or a mediation panel shall be open with a majority of its members present, and its resolution shall be made by the affirmative votes of a majority of the members present.

(8) The Protection Commission may deal with the administrative affairs necessary for dispute mediation, such as receiving dispute mediation cases and fact-finding.  (Amended by Act nº 13423, Jul. 24, 2015)

(9) Except as otherwise expressly provided for in this Act, matters necessary to operate the Dispute Mediation Committee shall be prescribed by Presidential Decree.

Article 41 (Guarantee of Members’ Status)

None of the Committee members shall be dismissed or de-commissioned against his/her will except when he/she is sentenced to the suspension of qualification or a heavier punishment, or unable to perform his/her duties due to mental or physical incompetence.

Article 42 (Exclusion, Challenge, and Refrainment of Members)

(1) A member of the Dispute Mediation Committee shall be excluded from participating in the deliberation and resolution of a case requested for dispute mediation pursuant to Article 43 (1) (hereafter in this Article referred to as “case”) if:

1. The member or his/her current or former spouse is a party to the case or is a joint right holder or a joint obligator with respect to the case;

2. The member is or was a relative of a party to the case;

3. The member has given any testimony, expert opinion, or legal advice with respect to the case;

4. The member is or was involved in the case as an agent or representative of a party to the case.

(2) When any party finds it impracticable to expect a fair deliberation and resolution from a Committee member, he/she may file a challenge application with the chairperson. In this case, the chairperson shall determine the challenge application without any resolution of the Dispute Mediation Committee.

(3) When any committee member falls under the case of paragraph (1) or (2), he/she may refrain from the deliberation and resolution of the case.

Article 43 (Application for Mediation, etc.)

(1) Any person, who wants a dispute over personal information mediated, may apply for mediation of the dispute to the Dispute Mediation Committee.

(2) Upon receipt of an application for dispute mediation from a party to the case, the Dispute Mediation Committee shall notify the counterparty of the application for mediation.

(3) When a public institution is notified of dispute mediation under paragraph (2), the public institution shall respond to it except in extenuating circumstances.

Article 44 (Time Limitation of Mediation Proceedings)

(1) The Dispute Mediation Committee shall examine the case and prepare draft mediation within 60 days from the date of receiving an application pursuant to Article 43 (1): Provided, That the Dispute Mediation Committee may pass a resolution to extend such period by reason of inevitable circumstances.

(2) When the period is extended pursuant to the proviso to paragraph (1), the Dispute Mediation Committee shall inform the applicant of the reasons for extending the period and other matters concerning the extension of such period.

Article 45 (Request for Materials, etc.)

(1) Upon receipt of an application for dispute mediation pursuant to Article 43 (1), the Dispute Mediation Committee may request disputing parties to provide materials necessary to mediate the dispute. In this case, such parties shall comply with the request unless any justifiable ground exists.

(2) The Dispute Mediation Committee may require disputing parties or relevant witnesses to appear before the Committee to hear their opinions, if deemed necessary.

Article 46 (Settlement Advice before Mediation)

Upon receipt of an application for dispute mediation pursuant to Article 43 (1), the Dispute Mediation Committee may present a draft settlement to disputing parties and recommend a settlement before mediation.

Article 47 (Dispute Mediation)

(1) The Dispute Mediation Committee may prepare a draft mediation including the following matters:

1. Suspension of the violation to be investigated;

2. Restitution, compensation and other necessary remedies;

3. Any measure necessary to prevent recurrence of the identical or similar violations.

(2) Upon preparing a draft mediation pursuant to paragraph (1), the Dispute Mediation Committee shall present the draft mediation to each party without delay.

(3) Each party presented with the draft mediation prepared under paragraph (1) shall notify the Dispute Mediation Committee of his/her acceptance or denial of the draft mediation within 15 days from the date of receipt of such draft mediation, without which such mediation shall be deemed denied.

(4) If the parties accept the draft mediation, the Dispute Mediation Committee shall prepare a written mediation, and the chairperson of the Dispute Mediation Committee and the parties shall have their names and seals affixed thereon.

(5) The mediation agreed upon pursuant to paragraph (4) shall have the same effect as a settlement before the court.

Article 48 (Rejection and Suspension of Mediation)

(1) Where the Dispute Mediation Committee deems that it is inappropriate to mediate any dispute in view of its nature, or that an application for mediation of any dispute is filed for an unfair purpose, it may reject the mediation. In this case, the reasons why it rejects the mediation shall be notified to the applicant.

(2) If one of the parties files a lawsuit while mediation proceedings are pending, the Dispute Mediation Committee shall suspend the dispute mediation and notify the parties thereof.

Article 49 (Collective Dispute Mediation)

(1) The State, a local government, a data protection organization or institution, a data subject, and a personal information controller may request or apply for a collective dispute mediation (hereinafter referred to as “collective dispute mediation”) to the Dispute Mediation Committee where sufferings or infringement on rights take place to a multitude of data subjects in an identical or similar manner, and such incident is prescribed by Presidential Decree.

(2) Upon receipt of a request or an application for collective dispute mediation under paragraph (1), the Dispute Mediation Committee may commence, by its resolution, collective dispute mediation proceedings pursuant to paragraphs (3) through (7). In this case, the Dispute Mediation Committee shall publicly announce the commencement of such proceedings for a period prescribed by Presidential Decree.

(3) The Dispute Mediation Committee may accept an application from any data subject or personal information controller other than the parties to the collective dispute mediation to participate in the collective dispute mediation additionally as a party.

(4) The Dispute Mediation Committee may, by its resolution, select at least one person as a representative party, who most appropriately represents the common interest among the parties to the collective dispute mediation pursuant to paragraphs (1) and (3).

(5) When the personal information controller accepts a collective dispute mediation award presented by the Dispute Mediation Committee, the Dispute Mediation Committee may advise the personal information controller to prepare and submit a compensation plan for the benefit of the non-party data subjects who suffered from the same incident.

(6) Notwithstanding Article 48 (2), if a group of data subjects among a multitude of data subject parties to the collective dispute mediation files a lawsuit before the court, the Dispute Mediation Committee shall not suspend the proceedings but exclude the relevant data subjects, who have filed the lawsuit, from the proceedings.

(7) The period for collective dispute mediation shall not exceed 60 days from the following day when public announcement referred to in paragraph (2) ends: Provided, That the period can be extended by the resolution of the Dispute Mediation Committee in extenuating circumstances.

(8) Other necessary matters, such as collective dispute mediation proceedings, shall be prescribed by Presidential Decree.

Article 50 (Mediation Proceedings, etc.)

(1) Except as otherwise expressly provided for in Articles 43 through 49, the method and proceedings to mediate disputes and matters necessary to deal with such dispute mediation shall be prescribed by Presidential Decree.

(2) Except as otherwise expressly provided for in this Act, the Judicial Conciliation of Civil Disputes Act shall apply mutatis mutandis to the operation of the Dispute Mediation Committee and dispute mediation proceedings.

CHAPTER VII.- CLASS-ACTION LAWSUIT OVER DATA BREACH

Article 51 (Parties to Class-Action Lawsuits, etc.)

Any of the following organizations may file a lawsuit (hereinafter referred to as “class-action lawsuit”) with the court to prevent or suspend data breach if a personal information controller rejects or would not accept the collective dispute mediation under Article 49:

1. A consumer group registered with the Fair Trade Commission pursuant to Article 29 of the Framework Act on Consumers that meets all of the following criteria:

(a) Its by-laws shall state the purpose to augment the rights and interests of data subjects constantly;

(b) The number of full members shall exceed 1000;

(c) Three years shall have passed since the registration under Article 29 of the Framework Act on Consumers;

2. A non-profit, non-governmental organization referred to in Article 2 of the Assistance for Non-Profit, Non-Governmental Organizations Act that meets all of the following criteria:

(a) At least 100 data subjects, who experienced the same sufferings as a matter of law or fact, shall submit a request to file a class-action lawsuit;

(b) Its by-laws shall state the purpose of data protection and it has conducted such activities for the most recent 3 years;

(c) The number of regular members shall be at least 5000;

(d) It shall be registered with any central administrative agency.

Article 52 (Exclusive Jurisdictions)

(1) A class-action lawsuit shall be subject to the exclusive jurisdiction of the competent district court (panel of judges) at the place of business or main office, or at the address of the business manager in the case of no business establishment, of the defendant.

(2) Where paragraph (1) applies to a foreign business entity, the same shall be determined by the place of business or main office, or the address of the business manager located in the Republic of Korea.

Article 53 (Retention of Litigation Attorney)

The plaintiff of a class-action lawsuit shall retain an attorney-at-law as a litigation attorney.

Article 54 (Application for Certification of Lawsuit)

(1) An organization that intends to file a class-action lawsuit shall submit to the court an application for certification of lawsuit describing the following as well as the petition:

1. Plaintiff and his/her litigation attorney;

2. Defendant;

3. Detailed violation of the rights of data subjects.

(2) An application for certification of lawsuit filed under paragraph (1) shall be accompanied by the following materials:

1. Materials that prove that the organization which has filed a lawsuit meets all criteria provided for in Article 51;

2. Documentary evidence that proves that the personal information controller has rejected the dispute mediation or would not accept the mediation award.

Article 55 (Requirements for Certification of Lawsuit, etc.)

(1) The court shall certify in a decision a class-action lawsuit only when all of the following requirements are satisfied:

1. That the personal information controller has rejected the dispute mediation or would not accept the mediation award;

2. That none of the descriptions in the application for certification of lawsuit filed under Article 54 is incomplete.

(2) The court decision that certifies, or refuses to certify, a class-action lawsuit may be objected to by an immediate appeal.

Article 56 (Effect of Conclusive Judgment)

When a judgment dismissing a plaintiff’s complaint becomes conclusive, any other organizations provided for in Article 51 cannot file a class-action lawsuit regarding the identical case: Provided, That this shall not apply in any of the following circumstances:

1. Where, after the judgment became conclusive, new evidence has been found by the State, a local government, or a State or local government-invested institution regarding the said case;

2. Where the judgment dismissing the lawsuit proves to be caused intentionally by the plaintiff.

Article 57 (Application of the Civil Procedure Act, etc.)

(1) Except as otherwise expressly provided for in this Act, the Civil Procedure Act shall apply to class-action lawsuits.

(2) When a decision to certify a class-action lawsuit is made under Article 55, a preservation order provided for in PART IV of the Civil Execution Act may be issued.

(3) Matters necessary for class-action lawsuit proceedings shall be provided by the Supreme Court Regulations.

CHAPTER VIII.- SUPPLEMENTARY PROVISIONS

Article 58 (Partial Exclusion of Application)

(1) Chapters III through VII shall not apply to any of the following personal information:

1. Personal information collected pursuant to the Statistics Act for processing by public institutions;

2. Personal information collected or requested to be provided for the analysis of information related to national security;

3. Personal information processed temporarily where it is urgently necessary for the public safety and security, public health, etc.;

4. Personal information collected or used for its own purposes of reporting by the press, missionary activities by religious organizations, and nomination of candidates by political parties, respectively.

(2) Articles 15, 22, 27 (1) and (2), 34, and 37 shall not apply to any personal information that is processed by means of the visual data processing devices installed and operated at open places pursuant to Article 25 (1).

(3) Articles 15, 30 and 31 shall not apply to any personal information that is processed by a personal information controller to operate a group or association for friendship, such as an alumni association and a hobby club.

(4) In the case of processing personal information pursuant to paragraph (1), a personal information controller shall process the personal information to the minimum extent necessary to attain the intended purpose for a minimum period; and shall also make necessary arrangements, such as technical, managerial and physical safeguards, individual grievance treatment and other necessary measures for the safe management and appropriate processing of such personal information.

Article 59 (Prohibited Activities)

No person who processes or has ever processed personal information shall do any of the following activities:

1. To acquire personal information or to obtain consent to personal information processing by fraudulent, improper, or unjust means;

2. To divulge personal information acquired in the course of business, or to provide it for any third party’s use without authority;

3. To damage, destroy, alter, forge, or divulge other’s personal information without legal authority or beyond proper authority.

Article 60 (Confidentiality, etc.)

Any person who performs or has performed the following affairs shall not divulge any confidential information acquired in the course of performing his/her duties to any third party, nor use such information for any purpose other than for his/her duties: Provided, That, the same shall not apply where specific provisions exist in other Acts:

1. Affairs of the Protection Commission provided for in Article 8;

2. Impact assessments provided for in Article 33;

3. Dispute mediation of the Dispute Mediation Committee established under Article 40.

Article 61 (Suggestions and Advices for Improvements)

(1) The Minister of the Interior and Safety may suggest his/her opinion to any relevant agency subject to the deliberation and resolution by the Protection Commission, where he/she deems necessary with respect to the statutes or municipal ordinances containing provisions likely to affect the protection of personal information.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The Minister of the Interior and Safety may advise a personal information controller to improve the status of personal information processing, where deemed necessary to protect personal information. In such cases, upon receiving the advice, the personal information controller shall endeavor to conscientiously comply with the advice; and shall inform the Minister of the Interior and Safety of its result.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) The head of a related central administrative agency may advise a personal information controller to improve the status of personal information processing pursuant to the Acts under his/her jurisdiction, where deemed necessary to protect personal information. In such cases, upon receiving the advice, the personal information controller shall endeavor to conscientiously comply with the advice; and shall inform the head of the related central administrative agency of its result.

(4) Central administrative agencies, local governments, the National Assembly, the Court, the Constitutional Court, and the National Election Commission may suggest their opinions, or provide guidance or inspection with respect to the protection of personal information to their affiliated entities and public institutions under their jurisdiction.

Article 62 (Reporting on Infringements, etc.)

(1) Anyone who suffers infringement on the rights or interests involving his/her personal information in the course of personal information processing by a personal information controller may report such infringement to the Minister of the Interior and Safety.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The Minister of the Interior and Safety may designate a specialized institution to efficiently receive and handle the claim reports pursuant to paragraph (1), as prescribed by Presidential Decree. In such cases, such specialized institution shall establish and operate a personal information infringement call center (hereinafter referred to as “Privacy Call Center”). (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) The Privacy Call Center shall perform the following duties:

1. To receive the claim reports and provide counseling in relation to personal information processing;

2. To investigate and confirm the incidents and hear opinions of interested parties;

3. Duties incidental to subparagraphs 1 and 2.

(4) The Minister of the Interior and Safety may, if necessary, dispatch its public official to the specialized institution designated under paragraph (2) pursuant to Article 32-4 of the State Public Officials Act to efficiently investigate and confirm the incidents pursuant to paragraph (3) 2. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 63 (Requests for Materials and Inspections)

(1) The Minister of the Interior and Safety may request the relevant materials, such as goods and documents, from a personal information controller in any of the following cases: (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. Where any violation of this Act is found or suspected;

2. Where any violation of this Act is reported or a civil complaint thereon is received;

3. In cases prescribed by Presidential Decree where it is necessary to protect personal information of data subjects.

(2) Where a personal information controller fails to furnish the materials pursuant to paragraph (1) or is deemed to have violated this Act, the Minister of the Interior and Safety may require its public official to enter the offices or places of business of the personal information controller and other persons involved in such violation to inspect the status of business operations, ledgers, documents, etc. In such cases, the public official who conducts the inspection shall carry a certificate indicating his/her authority and produce it to the interested persons.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

(3) The head of a related central administrative agency may request the materials from a personal information controller pursuant to paragraph (1); or may inspect the personal information controller and other persons involved in the violation of the relevant Act pursuant to paragraph (2) in accordance with the Acts under his/her jurisdiction.  (Amended by Act nº 13423, Jul. 24, 2015)

(4) When finding or suspecting any violation of this Act, the Protection Commission may demand the Minister of the Interior and Safety or the head of a related central administrative agency to take measures provided for in paragraph (1) or (3). In such cases, upon receiving such demand, the Minister of the Interior and Safety or the head of the related central administrative agency shall comply therewith except in extenuating circumstances.  (Inserted by Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

(5) The Minister of the Interior and Safety and the head of a related central administrative agency shall not provide any third party with the documents, materials, etc. furnished or collected pursuant to paragraphs (1) and (2), nor make them public, except as otherwise required by this Act.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

(6) Where the Minister of the Interior and Safety and the head of a related central administrative agency receive the materials submitted via the information and communications networks, or make them digitalized, they shall take systematic and technical measures to prevent the divulgence of personal information, trade secrets, etc. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(7) The Minister of the Interior and Safety may inspect the status of personal information protection jointly with the head of a related central administrative agency for the prevention of personal information breach incidents and efficient response.  (Inserted by Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

Article 64 (Corrective Measures, etc.)

(1) Where the Minister of the Interior and Safety deems that any personal information breach is substantially grounded and negligence over such breach is likely to cause irreparable damage, he/she may order the violator of this Act (excluding the central administrative agencies, local governments, the National Assembly, the Court, the Constitutional Court, and the National Election Commission) to take any of the following measures:  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. To suspend personal information breach;

2. To temporarily suspend personal information processing;

3. Other measures necessary to protect personal information and to prevent personal information breach.

(2) Where the head of a related central administrative agency deems that any personal information breach is substantially grounded and negligence over such breach is likely to cause irreparable damage, he/she may order a personal information controller to take any of the measures provided for in paragraph (1) pursuant to the Acts under his/her jurisdiction.

(3) A local government, the National Assembly, the Court, the Constitutional Court, or the National Election Commission may order their affiliated entities and public institutions, which are found to violate this Act, to take any of the measures provided for in paragraph (1).

(4) When a central administrative agency, a local government, the National Assembly, the Court, the Constitutional Court, or the National Election Commission violates this Act, the Protection Commission may advise the head of the relevant agency to take any of the measures provided for in paragraph (1). In such cases, upon receiving the advice, the agency shall comply therewith except in extenuating circumstances.

Article 65 (Accusation and Advices for Disciplinary Action)

(1) Where reasonable grounds exist to suspect that a personal information controller has violated this Act or other data protection-related statutes, the Minister of the Interior and Safety may accuse the fact to the competent investigative agency.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) Where reasonable grounds exist to suspect that this Act or other data protection-related statutes are violated, the Minister of the Interior and Safety may advise the relevant personal information controller to take disciplinary action against the person responsible for it (including the representative and the executive officer in charge). In such cases, upon receiving the advice, the relevant personal information controller shall comply therewith; and shall notify the Minister of the Interior and Safety of the result.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 11990, Aug. 6, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) The head of a related central administrative agency may accuse a personal information controller pursuant to paragraph (1), or advise the head of the relevant affiliated agency, organization, etc. to take disciplinary action pursuant to paragraph (2), in accordance with the Acts under his/her jurisdiction. In such cases, upon receiving the advice under paragraph (2), the head of the relevant affiliated agency, organization, etc. shall comply therewith; and shall notify the head of the related central administrative agency of the result.

Article 66 (Disclosure of Results)

(1) The Minister of the Interior and Safety may disclose the advice for improvement pursuant to Article 61; the corrective measures pursuant to Article 64; the accusation or advice for disciplinary action pursuant to Article 65; and the imposition of administrative fines pursuant to Article 75 and its result, subject to deliberation and resolution by the Protection Commission.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The head of a related central administrative agency may disclose the matters provided for in paragraph (1) in accordance with the Acts under his/her jurisdiction.

(3) The method, criteria, and procedure for disclosure pursuant to paragraphs (1) and (2), and other related matters, shall be prescribed by Presidential Decree.

Article 67 (Annual Reports)

(1) The Protection Commission shall prepare a report each year, based on necessary materials furnished by related agencies, etc., in relation to the establishment and implementation of personal information protection policy measures, and submit (including transmission via the information and communications networks) it to the National Assembly before the opening of the plenary session.

(2) The annual report referred to in paragraph (1) shall contain the following matters:  (Amended by Act nº 14107, Mar. 29, 2016)

1. Infringement on the rights of data subjects and the status of remedies thereof;

2. Findings of the survey in relation to the status of personal information processing;

3. Status of implementation of the personal information protection policy measures and achievements thereof;

4. Overseas legislation and policy developments related with personal information;

5. Status of the enactment and amendment of the Acts, Presidential Decrees, the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, and the Board of Audit and Inspection Regulations, in relation to processing of resident registration numbers;

6. Other matters to be disclosed or reported in relation to the personal information protection policy measures.

Article 68 (Delegation and Entrustment of Authority)

(1) Authority of the Minister of the Interior and Safety or the head of a related central administrative agency under this Act may be partially delegated or entrusted, as prescribed by Presidential Decree, to the Special Metropolitan City Mayor, Metropolitan City Mayors, Do Governors, Special Self-Governing Province Governors, or the specialized institutions prescribed by Presidential Decree.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The agencies to which authority of the Minister of the Interior and Safety or the head of a related central administrative agency has been partially delegated or entrusted pursuant to paragraph (1) shall notify the Minister of the Interior and Safety or the head of the related central administrative agency of the results of performing the affairs delegated or entrusted.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) Where delegating or entrusting a part of authority to a specialized institution pursuant to paragraph (1), the Minister of the Interior and Safety may grant a contribution to the specialized institution to cover expenses incurred in performing the affairs delegated or entrusted.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 69 (Persons Deemed to be Public Officials for Purposes of Penalty Provisions)

Any executive or employee of a relevant agency that performs the affairs entrusted by the Minister of the Interior and Safety or the head of a related central administrative agency shall be deemed a public official for the purposes of Articles 129 through 132 of the Criminal Act.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

CHAPTER IX.- PENALTY PROVISIONS

Article 70 (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than 10 years, or by a fine not exceeding 100 million won: (Amended by Act nº 13423, Jul. 24, 2015)

1. A person who causes the suspension, paralysis or other severe hardship of work of a public institution by altering or erasing the personal information processed by the public institution for the purpose of disturbing the personal information processing of such public institution;

2. A person who obtains any personal information processed by third parties by fraud or other unjust means or methods and provides it to a third party for a profit-making or unjust purpose, and a person who abets or arranges such conduct.

Article 71 (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than 5 years, or by a fine not exceeding 50 million won: (Amended by Act nº 14107, Mar. 29, 2016)

1. A person who provides personal information to a third party without the consent of a data subject in violation of Article 17 (1) 1 even though Article 17 (1) 2 is not applicable, and a person who knowingly receives such personal information;

2. A person who uses personal information or provides personal information to a third party in violation of Articles 18 (1) and (2), 19, 26 (5), or 27 (3), and a person who knowingly receives such personal information for a profit-making or unfair purpose;

3. A person who processes sensitive information in violation of Article 23 (1);

4. A person who processes personally identifiable information in violation of Article 24 (1);

5. A person who divulges, or provides a third party without authority with, the personal information acquired in the course of performing business in violation of subparagraph 2 of Article 59, and a person who knowingly receives such personal information for a profit-making or unfair purpose;

6. A person who damages, destroys, alters, forges, or divulges any third party’s personal information in violation of subparagraph 3 of Article 59.

Article 72 (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than 3 years, or by a fine not exceeding 30 million won:

1. A person who arbitrarily handles visual data processing devices for any purpose other than the initial one, directs such devices toward different spots, or uses a sound recording function in violation of Article 25 (5);

2. A person who acquires personal information or obtains consent to personal information processing by fraud or other unjust means in violation of subparagraph 1 of Article 59, and a person who knowingly receives such personal information for a profit-making or unfair purpose;

3. A person who divulges confidential information acquired while performing his/her duties, or uses such information for other purposes than the initial one in violation of Article 60.

Article 73 (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than 2 years, or by a fine not exceeding 20 million won: (Amended by Act nº 13423, Jul. 24, 2015; Act nº 14107, Mar. 29, 2016)

1. A person who fails to take necessary measures to ensure safety in violation of Article 23 (2), 24 (3), 25 (6), or 29 and causes personal information to be lost, stolen, divulged, forged, altered, or damaged;

2. A person who fails to take necessary measures to correct or erase personal information in violation of Article 36 (2), and continuously uses, or provides a third party with, the personal information;

3. A person who fails to suspend processing of personal information in violation of Article 37 (2), and continuously uses, or provides a third party with, the personal information.

Article 74 (Joint Penalty Provisions)

(1) If the representative of a corporation, or an agent or employee of, or any other person employed by, a corporation or an individual commits any of the offenses provided for in Article 70 in connection with the business affairs of the corporation or individual, not only shall such offender be punished, but also the corporation or individual shall be punished by a fine not exceeding 70 million won: Provided, That the same shall not apply where such corporation or individual has not been negligent in taking due care and supervisory duty concerning the relevant business affairs to prevent such offense.

(2) If the representative of a corporation, or an agent or employee of, or any other person employed by, a corporation or an individual commits any of the offenses provided for in Articles 71 through 73 in connection with the business affairs of the corporation or individual, not only shall such offender be punished, but also the corporation or individual shall be punished by a fine prescribed in the relevant Article: Provided, That the same shall not apply where such corporation or individual has not been negligent in taking due care and supervisory duty concerning the relevant business affairs to prevent such offense.

Article 74-2 (Confiscation, Additional Collection, etc.)

Any money or goods or other profits acquired by a person who has violated Articles 70 through 73 in relation to such violation shall be confiscated, or, if confiscation is impossible, the value thereof may be collected. In this case, such confiscation or additional collection may be levied in addition to other penalty provisions.

(Article Inserted by Act nº 13423, Jul. 24, 2015)

Article 75 (Administrative Fines)

(1) Any of the following persons shall be subject to an administrative fine not exceeding fifty million won: (Amended by Act nº 14765, Apr. 18, 2017)

1. A person who collects personal information, in violation of Article 15 (1);

2. A person who fails to obtain the consent of a legal representative, in violation of Article 22 (6);

3. A person who installs and operates a visual data processing device, in violation of Article 25 (2).

(2) Any of the following persons shall be subject to an administrative fine not exceeding thirty million won: (Amended by Act nº 11990, Aug. 6, 2013; Act nº 12504, Mar. 24, 2014; Act nº 13423, Jul. 24, 2015; Act nº 14107, Mar. 29, 2016; Act nº 14765, Apr. 18, 2017)

1. A person who fails to notify a data subject of necessary information, in violation of Article 15 (2), 17 (2), 18 (3), or 26 (3);

2. A person who denies the provision of goods or services to a data subject, in violation of Article 16 (3) or 22 (5);

3. A person who fails to notify a data subject of the matters provided for in Article 20 (1) or (2), in violation of Article 20 (1) or (2);

4. A person who fails to destroy personal information, in violation of Article 21 (1);

4-2. A person who processes resident registration numbers, in violation of Article 24-2 (1);

4-3. A person who fails to adopt encryption, in violation of Article 24-2 (2);

5. A person who fails to provide a data subject with an alternative method without using his/her resident registration number, in violation of Article 24-2 (3);

6. A person who fails to take measures necessary to ensure safety, in violation of Article 23 (2), 24 (3), 25 (6), or 29;

7. A person who installs and operates a visual data processing device, in violation of Article 25 (1);

7-2. A person who indicates and promotes the certification by fraud despite a failure to obtain such certification, in violation of Article 32-2 (6);

8. A person who fails to notify a data subject of the facts provided for in Article 34 (1), in violation of the same paragraph;

9. A person who fails to report the results of measures taken, in violation of Article 34 (3);

10. A person who limits or denies access to personal information, in violation of Article 35 (3);

11. A person who fails to take necessary measures to correct or erase personal information, in violation of Article 36 (2);

12. A person who fails to take necessary measures, such as destruction of the personal information whose processing has been suspended, in violation of Article 37 (4);

13. A person who fails to comply with corrective measures taken under Article 64 (1).

(3) Any of the following persons shall be subject to an administrative fine not exceeding ten million won: (Amended by Act nº 14765, Apr. 18, 2017)

1. A person who fails to store and manage personal information separately, in violation of Article 21 (3);

2. A person who obtains consent, in violation of Article 22 (1) through (4);

3. A person who fails to take necessary measures including posting on a signboard, in violation of Article 25 (4);

4. A person who fails to undergo paper-based formalities stating the matter provided for in Article 26 (1) when outsourcing the work, in violation of the same paragraph;

5. A person who fails to disclose the outsourced work and the outsourcee, in violation of Article 26 (2);

6. A person who fails to notify a data subject of the transfer of his/her personal information, in violation of Article 27 (1) or (2);

7. A person who fails to establish, or disclose, the Privacy Policy, in violation of Article 30 (1) or (2);

8. A person who fails to designate a privacy officer, in violation of Article 31 (1);

9. A person who fails to notify a data subject of necessary information, in violation of Article 35 (3) and (4), 36 (2) and (4), or 37 (3);

10. A person who fails to furnish materials, such as goods and documents pursuant to Article 63 (1), or who submits false materials;

11. A person who refuses, interferes with, or evades access or an inspection pursuant to Article 63 (2).

(4) Administrative fines provided for in paragraphs (1) through (3) shall be imposed and collected by the Minister of the Interior and Safety and the head of a related central administrative agency, as prescribed by Presidential Decree. In such cases, the head of a related central administrative agency shall impose and collect administrative fines from the personal information controllers in the field under his/her jurisdiction.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 76 (Special Exemption to Application of Provisions on Administrative Fines)

For the purposes of the provisions on administrative fines provided for in Article 75, no additional administrative fine shall be imposed on any act subject to penalty surcharges pursuant to Article 34-2.

(Article Inserted by Act nº 11990, Aug. 6, 2013)

ADDENDA (Act nº 11690, Mar. 23, 2013)

ADDENDA (Act nº 11990, Aug. 6, 2013)

ADDENDUM (Act nº 12504, Mar. 24, 2014)

ADDENDA (Act nº 12844, Nov. 19, 2014)

ADDENDA (Act nº 13423, Jul. 24, 2015)

ADDENDA (Act nº 14107, Mar. 29, 2016)

ADDENDUM (Act nº 14765, Apr. 18, 2017)

ADDENDA (Act nº 14839, Jul. 26, 2017)

Article 1 (Enforcement Date)

This Act shall enter into force on the date of its promulgation: Provided, That any amendment to the Acts made pursuant to Article 5 of this Addenda, promulgated before this Act enters into force, which have not yet entered into force, shall enter into force on the date the corresponding Act takes effect.

Articles 2 through 6 Omitted.