Archivos de la etiqueta: public institution

10Nov/21

Act nº 9705, May 22, 2009, Electronic Government

Act nº 9705, May 22, 2009, Electronic Government (Amended by: Act nº 10012, Feb. 4, 2010, Act nº 10303, May 17, 2010, Act nº 10465, Mar. 29, 2011, Act nº 10580, Apr. 12, 2011, Act nº 11461, jun. 1, 2012, Act nº 11688, Mar. 23, 2013, Act nº 11690, Mar. 23, 2013, Act nº 11735, Apr. 5, 2013, Act nº 12346, Jan. 28, 2014, Act nº 12592, May 20, 2014, Act nº 12738, jun. 3, 2014, Act nº 13459, Aug. 11, 2015, Act nº 14474, Dec. 27, 2016, Act nº 14914, Oct. 24, 2017).

ELECTRONIC GOVERNMENT ACT

CHAPTER I.- GENERAL PROVISIONS

Article 1 (Purpose)

The purpose of this Act is to facilitate the efficient realization of electronic government, enhance productivity, transparency and democracy in the public administration, and improve the quality of life of citizens by providing for fundamental principles, procedures, methods of promotion, and other relevant matters for the electronic processing of administrative affairs.

Article 2 (Definitions)

The terms used in this Act shall be defined as follows: (Amended by Act n º 11690, Mar. 23, 2013; Act nº 12346, Jan. 28, 2014; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. The term “electronic government” means a government that efficiently coordinates administrative affairs between administrative agencies and public institutions (hereinafter referred to as “administrative agencies, etc.“) or conducts administrative affairs for citizens by digitalizing administrative affairs of administrative agencies, etc. using information technology;

2. The term “administrative agency” means an agency responsible for the processing of administrative affairs of the National Assembly, the Judiciary, the Constitutional Court, or the National Election Commission; a central administrative agency (including agencies under the jurisdiction of the President or of the Prime Minister; hereinafter the same shall apply) and an affiliate thereof; a local government;

3. The term “public institution” means any of the following:

(a) A corporation, organization, or institution under Article 4 of the Act on the Management of Public Institutions;

(b) A local government-invested public corporation or local government public corporation under the Local Public Enterprises Act;

(c) A special corporation established under a special-purpose Act;

(d) Any level of school, established under the Elementary and Secondary Education Act, the Higher Education Act, or any other Act;

(e) Other corporations, organizations, or institutions specified by Presidential Decree;

4. The term “central agency responsible for administrative affairs” means the National Assembly Secretariat for affiliates of the National Assembly, the National Court Administration for affiliates of the Judiciary, the Department of Court Administration of the Constitutional Court for affiliates of the Constitutional Court, the National Election Commission Secretariat for affiliates of the National Election Commission, and the Ministry of the Interior and Safety for central administrative agencies, their affiliates, and local governments;

5. The term “electronic government service” means any administrative service rendered by administrative agencies, etc., to other administrative agencies, etc. and citizens, enterprises, etc., through access to electronic government;

6. The term “administrative information” means data prepared or acquired and managed by administrative agencies, etc. within the scope of their duties, which have been processed by means of digital technology to be expressed in code, characters, voice, sound, images, or any other mode;

7. The term “electronic document” means standardized information prepared and transmitted, received, or stored in digital format by devices capable of processing information, such as computers;

8. The term “digitized document” means a document converted from a hard-copy or any other non-electronic version to a format that can be processed on information systems;

9. The term “administrative digital signature” means information by which one can verify the identity of any of the following agencies that have prepared an electronic document or the person directly in charge of the relevant work in any of such agencies as well as any modification to the electronic document, which is specific to the electronic document:

(a) An administrative agency;

(b) An auxiliary agency or support agency of an administrative agency;

(c) An institution, corporation, or organization that exchanges electronic documents with an administrative agency;

(d) An institution, corporation, or organization under Article 36 (2);

10. The term “information and communications network” means an information and communications system through which information is collected, processed, stored, searched, transmitted, or received by using telecommunications systems under subparagraph 2 of Article 2 of the Framework Act on Telecommunications or by utilizing telecommunications systems, computers, and computer technologies;

11. The term “information resources” means administrative information held by administrative agencies, etc.; information systems constructed so as to facilitate the collection, processing, and search of administrative information by electronic means; information technologies for the establishment of information systems; budgets and human resources for informatization and other related resources;

12. The term “information technology architecture” means a systematic framework formulated following the comprehensive analysis of the components of an entire organization, including the scope of its work, applications, data, technologies, and security, conducted based on specific guidelines and processes, and methodologies for optimizing the components through informatization, etc. based on such framework;

13. The term “information system” means a systematic network of devices and software for collecting, processing, storing, searching, transmitting, receiving, or using information;

14. The term “supervision of information system” means the comprehensive monitoring of matters regarding the construction, operation, etc., of the information system to resolve its problems from the third-person perspective by a person independent of the interests of the person awarding the contract for supervision and the person subject to supervision, with the aim of improving efficiency and ensuring safety of the information system;

15. The term “supervisor” means a person who meets the requirements specified in Article 60 (1) to perform supervision of an information system (hereinafter referred to as “supervisory duty”).

Article 3 (Duties of Administrative Agencies, etc. and Public Officials, etc.)

(1) The head of each administrative agency, etc. shall implement this Act and improve related systems with the aim of facilitating the realization of electronic government and improving the quality of life of citizens and shall actively cooperate in interlinking information and communications networks, sharing administrative information, etc.

(2) Public officials and employees of public institutions shall be capable of utilizing information technologies necessary for the electronic processing of their work and give priority to citizens’ convenience over the convenience of the relevant agencies in electronically processing their work.

Article 4 (Principles of Electronic Government)

(1) Each administrative agency, etc. shall consider, among other things, the following matters in materializing, operating, and developing electronic government, and take measures necessary therefor:

1. Digitizing public services and improving citizens’ convenience;

2. Innovating administrative affairs and improving their productivity and efficiency;

3. Ensuring the security and reliability of information systems;

4. Protecting personal information and privacy;

5. Expanding disclosure and sharing of administrative information;

6. Preventing duplicative investment and improving interoperability.

(2) Each administrative agency, etc. shall promote the realization, operation, and development of electronic government, based on an information technology architecture.

(3) Each administrative agency, etc. shall not require civil petitioners to submit matters that can be electronically verified through the sharing of administrative information between the agencies, etc.

(4) No personal information maintained and managed by administrative agencies, etc. shall be used against the wishes of the relevant person, unless otherwise provided for in other Acts or subordinate statutes.

Article 5 (Formulation of Master Plans for Electronic Government)

(1) The head of each central agency responsible for administrative affairs shall formulate a master plan for electronic government every five years combining the plans of each of administrative agencies, etc. referred to in Article 5-2 (1) to realize, operate, and develop electronic government.

(2) A master plan for electronic government under paragraph (1) (hereinafter referred to as “master plan for electronic government“) shall include the following matters:

1. Basic direction-setting for the realization and mid- and long-term development of electronic government;

2. Modification of related Acts and subordinate statutes and systems for the realization of electronic government;

3. Facilitation of the delivery and utilization of electronic government services;

4. Electronic administrative management;

5. Increased sharing and securement of safety of administrative information;

6. Adoption and utilization of information technology architecture;

7. Integration, sharing, and efficient management of information resources;

8. Standardization of electronic government, ensuring interoperability and expansion of services for sharing;

9. Promotion of electronic government projects and local informatization projects and the management of the outcomes thereof;

10. Re-design of work process for realization of electronic government;

11. International cooperation on electronic government;

12. Other matters necessary for the realization, operation, and development of electronic government, such as training of human resources for informatization.

(3) When the head of each related central administrative agency intends to formulate and implement an implementation plan for national informatization pursuant to Article 7 of the Framework Act on National Informatization, he/she shall take a master plan for electronic government into consideration.

(4) Matters necessary for the procedure, etc. for formulation of master plans for electronic government shall be prescribed by National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, and Presidential Decree.

(Article Amended by Act nº 12346, Jan. 28, 2014)

Article 5-2 (Formulation and Evaluation of Plan for Each Agency)

(1) The head of an administrative agency, etc. shall formulate a master plan for the realization, operation, and development of electronic government in a relevant agency (hereinafter referred to as “plan for each agency”) every five years and submit such plan to the head of the relevant central agency responsible for administrative affairs.

(2) The head of each administrative agency, etc. shall endeavor to secure financial resources necessary for the implementation of the plan for each agency.

(3) The head of each central agency responsible for administrative affairs may examine the current status of the plan for each administrative agency, etc. and the outcomes thereof.

(4) Matters necessary for the standards for formulation of the plan for each agency, procedures for the formulation and examination of the current status therof, etc. shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, and Presidential Decree.

(Article Inserted by Act nº 12346, Jan. 28, 2014)

Article 5-3 (Electronic Government Day)

(1) In order to continuously accelerate the development of electronic government by, for example, informing the public about the excellence and convenience of electronic government and enhancing the national status of the Republic of Korea, June 24 shall be designated as the Electronic Government Day.

(2) The State may host events that meet the intent of the Electronic Government Day.

(Article Inserted by Act nº 14914, Oct. 24, 2017)

Article 6 (Relationship with other Acts)

Except as otherwise provided for in other Acts, this Act shall govern the realization, operation, and development of electronic government, such as digitization of public services and administrative management of administrative agencies, etc. and the sharing of administrative information.

CHAPTER II.- PROVISION AND UTILIZATION OF ELECTRONIC GOVERNMENT SERVICES

SECTION 1.- Electronic Processing of Civil Petitions

Article 7 (Application, etc. for Electronic Processing of Civil Petitions)

(1) The head of an administrative agency, etc. (including any person to whom administrative authority has been entrusted: hereafter the same shall apply in this Section) may allow citizens to file, report, or submit a civil application or petition (hereinafter referred to as “application, etc.”) in electronic form even where relevant Acts and subordinate statutes (including ordinances and municipal rules of a local government; hereinafter the same shall apply) require application, etc. for a civil petition, etc. subject to processing of the said agency in paper form, such as a written document, statement, or form.

(2) When the head of an administrative agency, etc. processes a civil petition, etc., he/she may give notice or notification (hereinafter referred to as “notice, etc.”) of the results of the processing in electronic form, if the petitioner wishes to receive such results in such manner or files an application, etc, for the civil petition, etc. in electronic form, even where relevant Acts and subordinate statutes require notice, etc. of the results of the processing in paper form, such as a written document, statement, or form.

(3) When filing an application, etc. or giving notice, etc. pursuant to paragraph (1) or (2), a digitized document may serve as a document to be attached to the electronic document.

(4) An application, etc. filed or notice, etc. provided in electronic form pursuant to paragraph (1) or (2) shall be deemed to have been filed or provided in compliance with the procedures provided for by relevant Acts and subordinate statutes.

(5) When the head of an administrative agency, etc. allows citizens to file an application, etc. or gives notice, etc. in electronic or digitized form pursuant to paragraphs (1) through (3), he/she shall publish the type of such application, etc. for or notice, etc. of the civil petition, etc. and the processing procedure therefor in advance via the Internet.

(6) Matters necessary for the utilization of digitized documents, verification of their authenticity, and other relevant matters shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 8 (Electronic Verification, etc. of Required Documentation)

(1) The head of each administrative agency, etc. shall process relevant work after directly receiving an electronic document from an administrative agency, etc., if any document or certificate required to be attached or submitted by the civil petitioner is to be issued by the administrative agency, etc. in electronic form.

(2) A civil petition may be processed in accordance with paragraph (1) only where the civil petitioner pays the full fees prescribed by relevant Acts and subordinate statutes (including expenses incurred by an administrative agency, etc. in remitting fees to the issuing agency) to the administrative agency, etc. for the civil petition and required documents.

(3) If the head of an administrative agency, etc. can verify information about required documents by sharing administrative information pursuant to Article 36 (1), he/she may substitute such verification for the issuance of the documents. In such cases, the head of the administrative agency, etc. may waive or reduce fees for the relevant documents, subject to consultation with the heads of issuing agencies.

(4) Where the head of an administrative agency, etc. has processed required documents pursuant to paragraphs (1) through (3), such required documents are deemed processed in compliance with the procedures provided for by relevant Acts and subordinate statutes.

(5) When the head of each administrative agency, etc. intends to process required documents in a way specified in paragraphs (1) through (3), he/she shall publish the types and the scope of such required documents, related civil petitions, and other necessary matters in advance via the Internet.

(6) The procedure for processing work pursuant to paragraphs (1) through (5) and other relevant matters shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 9 (Processing of Civil Petitions without Appearance)

(1) In order for civil petitioners to have their civil petitions, etc. processed without necessarily appearing in person at the relevant agency, the head of each administrative agency, etc. shall take measures, such as the improvement of relevant Acts and subordinate statutes and the establishment of facilities and systems as necessary.

(2) The head of an administrative agency, etc. may open and operate a window for electronic civil petitions on the Internet to implement a system for processing civil petitions without appearance pursuant to paragraph (1): Provided, That if a window has yet to be opened for electronic civil petitions, the head of the administrative agency, etc. may authorize an integrated electronic civil petition window under paragraph (3) to process electronic civil petitions, etc.

(3) The head of a central agency responsible for administrative affairs may provide support for administrative agencies, etc. to open and operate electronic civil petition windows and may open and operate an integrated electronic civil petition window by interlinking such windows.

(4) An application, etc. filed by a civil petitioner through an electronic civil petition window under paragraphs (2) and (3) is deemed an application, etc. filed in person with the competent agency responsible for the civil petition prescribed by relevant Acts and subordinate statutes.

(5) The head of an administrative agency, etc. may charge additional fees for processing civil petitions, etc. filed through an electronic civil petition window under paragraphs (2) and (3), apart from the fees prescribed by related Acts and subordinate statutes, if such fees are required by means prescribed in Article 14.

(6) The head of an administrative agency, etc. may waive or reduce fees for processing civil petitions, etc. submitted through an electronic civil petition window under paragraphs (2) and (3), notwithstanding the provisions of other Acts and subordinate statutes.

(7) Necessary matters concerning the opening and operation of an electronic civil petition window under paragraphs (1) through (4), processing fees under paragraph (5), and the scope of civil petitions, etc. subject to waiver or reduction of processing fees under paragraph (6), the rates of such waiver or reduction, and other related matters shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 9-2 (Provision of Daily Life Information through Integrated Electronic Civil Petition Window)

(1) The Minister of the Interior and Safety may provide civil petitioners with the services through which such daily life information as the their health examination dates, vaccination dates, renewal dates of drivers’ license, etc. can be perused (hereinafter referred to as “life information viewing services” in this Article). In such cases, the Minister of the Interior and Safety may interlink the integrated electronic civil petition window under Article 9 (3) with information systems of other central administrative agencies, etc. following consultation with the heads of other central administrative agencies, etc. (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The types of daily life information viewing services provided under paragraph (1) shall be determined and publicly announced by the Minister of the Interior and Safety following consultation with the heads of related central administrative agencies, etc. (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) In order to provide daily life information viewing services, the Minister of the Interior and Safety may request the heads of other central administrative agencies, etc. to provide data. In such cases, the related central administrative agencies, etc. upon receipt of such request for provision of data shall comply with such request, except in extenuating circumstances. (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) The Minister of the Interior and Safety may provide daily life information viewing services only where the relevant civil petitioner agrees to do so. (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(Article Inserted by Act nº 12346, Jan. 28, 2014)

Article 10 (Verification of Identities of Civil Petitioners, etc.)

Whenever it is necessary to verify the identity of a civil petitioner in processing a civil petition, etc., the head of an administrative agency, etc. may verify the identity with the petitioner’s officially authenticated digital signature under subparagraph 3 of Article 2 of the Digital Signature Act (hereinafter referred to as “authenticated digital signature“) or in ways prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 11 (Electronic Notice or Information)

(1) The head of an administrative agency, etc. may provide notice, etc. to a citizen by an electronic document, even where relevant Acts and subordinate statutes require to give such notice, etc. by a paper document, such as a written notice or information.

(2) Any notice, etc. given by an electronic document pursuant to paragraph (1) shall be deemed notice, etc. provided in compliance with the procedure provided for by relevant Acts and subordinate statutes.

(3) The head of each administrative agency, etc. shall, when he/she intends to provide notice, etc. by an electronic document pursuant to paragraph (1), publish the types of and procedure for giving such notice, etc. in advance via the Internet.

(4) Necessary matters concerning the provision of notice, etc. by an electronic document shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 12 (Electronic Provision of Administrative Information)

(1) The head of each administrative agency, etc. shall separately provide citizens with information related to civil petitions, such as Acts relevant to civil petitions and subordinate statutes thereof, manuals related to the processing of civil petitions, and the guidelines for processing civil petitions, and other administrative information specified by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree as administrative information related to citizens’ lives, by posting them on the Internet.

(2) The head of an administrative agency, etc. may separately provide citizens with information published in the Official Gazette, newspapers, bulletins, etc. by posting them on the Internet.

Article 12-2 (Designation of Public Services and Notification, etc. of Lists)

(1) The head of a central administrative agency, etc. shall designate the goods, services, etc. provided to those who fulfill prerequisites, such as the elderly, the disabled, and persons entitled to veterans benefits, as public services (hereinafter referred to as “public services”) in accordance with the Acts and subordinate statutes (including ordinances and regulations of local governments) under his/her jurisdiction, and shall notify the Minister of the Interior and Safety of such list. The same shall also apply to cases where a list of public services is modified. (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) Matters necessary for the standards for designation of public services and notification, etc. of lists shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 12346, Jan. 28, 2014)

Article 12-3 (Construction, Operation, etc. of Registration System)

(1) The Minister of the Interior and Safety may construct and operate a system for the registration, management, and utilization of lists of public services (hereinafter referred to as “registration system“). In such cases, such system can be interlinked with information systems of other central administrative agencies, etc., and consultations thereon shall be held with the relevant agencies. (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) For the construction, operation, etc. of a registration system, the Minister of the Interior and Safety may request the provision of data on resident registration, family registration, national taxes, local taxes, finance, real estate, national pension, health insurance, etc. held by other administrative agencies, etc. after obtaining prior consent from the relevant civil petitioner. (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) Article 42 (1) shall apply mutatis mutandis to prior consent set forth in paragraph (2).

(4) Where a civil petitioner’s individual consent to a request for provision of data under paragraph (2) is obtained, an application filed by a civil petitioner under Article 12-4 (1) shall be deemed a prior consent the Minister of the Interior and Safety is required to obtain from the civil petitioner under the same paragraph. (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(5) Where necessary for the construction and operation of a registration system, the Minister of the Interior and Safety may advance pilot projects. (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(6) Matters necessary for the construction and operation of a registration system shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 12346, Jan. 28, 2014)

Article 12-4 (Provision, etc. of Lists of Public Services)

(1) If any civil petitioner applies for the perusal of lists of public services, the head of a local government (referring to the Mayor of a Special Self-Governing City, the Governor of a Special Self-Governing Province, the head of a Si/Gun/Gu (referring to an autonomous Gu); hereafter the same shall apply in this Article) may provide the lists of public services required by the civil petitioner through a registration system.

(2) When a civil petitioner provided with the lists of public services under paragraph (1) files an application for the provision of any civil services, the head of a local government shall forward the relevant application to the head of the relevant central administrative agency, etc.

(3) Matters necessary for the provision of lists of public services, application for public services, transfer, etc. shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 12346, Jan. 28, 2014)

Article 13 (Bearing Expenses Incurred in Electronic Provision of Administrative Information)

(1) The head of an administrative agency, etc. may collect fees from a person, if any, who gains special benefits from administrative information provided via the Internet.

(2) Necessary matters concerning the criteria for collecting fees under paragraph (1), the procedures therefor, and other relevant matters shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 14 (Electronic Payment of Taxes, etc.)

The head of an administrative agency, etc. may allow citizens to pay taxes, fees, administrative fines, penalty surcharges, penalties, fines, minor fines, etc. by means of electronic money, electronic payment, etc. through information and communications networks, even where other Acts and subordinate statutes require payment thereof by cash, revenue stamp, or other means.

Article 15 (Electronic Payment of Grants and Benefits)

When the head of an administrative agency, etc. pays specific grants and benefits to citizens pursuant to the provisions of any Act and subordinate statutes, he/she may pay such specific grants and benefits via information and communications networks.

SECTION 2.- Provision of Electronic Government Services and Promotion of Their Utilization

Article 16 (Development and Provision of Electronic Government Services)

(1) The head of each administrative agency, etc. shall develop and provide electronic government services for enhancing public welfare and convenience, ensuring people’s security, and facilitating business activities such as starting a business and establishing factories, and take measures to continuously supplement and improve such services.

(2) The head of each administrative agency, etc. shall ensure that users of its electronic government services have easy access to such services and utilize them in a safe and convenient manner and shall keep its electronic government services up-to-date.

(3) When the head of each administrative agency, etc. develops electronic government services, he/she shall take into account the demands and convenience of users of such services.

Article 17 (Increased User Involvement)

When the head of each administrative agency, etc. provides electronic government services, he/she shall guarantee opportunities for their users to participate in the relevant process and express various opinions by means, such as discussions, recommendations, and policy suggestions, and shall actively reflect such recommendations, policy suggestions, etc. in the process of amending relevant Acts and subordinate statutes and systems, improving the electronic government services, etc.

Article 18 (Introduction and Utilization of Ubiquitous Electronic Government Services)

(1) The head of each administrative agency, etc. shall deliver services for public administration, transportation, welfare, environment, disaster safety, etc. (hereafter referred to as “ubiquitous electronic government services” in this Article) that can be utilized by citizens, enterprises, etc. anywhere anytime, using advanced information and communications technologies, and shall formulate policies necessary therefor.

(2) The Minister of the Interior and Safety may pursue pilot projects, if necessary, to facilitate the introduction and utilization of ubiquitous electronic government services under paragraph (1). (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) Necessary matters concerning the introduction and utilization of ubiquitous electronic government services under paragraph (1) and pilot projects under paragraph (2) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 19 (Measures for Broader Use of Electronic Government Services)

The head of each administrative agency, etc. shall take necessary measures to ensure that citizens do not have difficulty accessing or utilizing electronic government services due to their economic, regional, physical, or social conditions.

Article 20 (Operation of Electronic Government Portal)

(1) The State shall establish, manage, and facilitate the use of an Internet-based integrated information system (hereinafter referred to as “electronic government portal“) to efficiently deliver electronic government services.

(2) Matters necessary for the establishment, management, and facilitation of the use of the electronic government portal shall be prescribed by Presidential Decree.

Article 21 (Engagement and Use of Private Sector in Electronic Government Services)

(1) The head of an administrative agency, etc. may develop and provide a new service in combination with a service delivered by an individual, enterprise, organization, etc. by entering into a memorandum of understanding, etc. therewith, in order to facilitate the use of electronic government services.

(2) The head of an administrative agency, etc. may provide necessary assistance to individuals, enterprises, organizations, etc. to develop and provide new services using specific technologies or administrative information of a highly public nature delivered as part of electronic government services (excluding personal information as defined in subparagraph 1 of Article 2 of the Personal Information Protection Act). (Amended by Act nº 10465, Mar. 29, 2011)

(3) Necessary matters concerning the memorandum of understanding under paragraph (1) and the criteria, procedures, etc. for assistance under paragraph (2) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 22 (Investigation and Analysis of Actual Use of Electronic Government Services)

(1) The head of an administrative agency, etc. shall, at regular intervals, investigate, analyze, and manage the actual use, etc. of the electronic government services delivered by the agency, and prepare measures to improve such use.

(2) Detailed matters necessary for the investigation, analysis, and management of the actual use of electronic government services under paragraph (1) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 23 (Efficient Management of Electronic Government Services)

(1) Where electronic government services provided by administrative agencies, etc. are similar to, or overlap with, one another, or their operational value is considered not high, the head of a central agency responsible for administrative affairs may recommend the integration or scrapping thereof, or other measures to improve such services. (Amended by Act nº 11688, Mar. 23, 2013)

(2) Necessary matters concerning the criteria and procedures for the integration or scrapping, etc. of electronic government services under paragraph (1) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 24 (Security Measures for Electronic Public Services)

(1) The Minister of the Interior and Safety shall formulate security measures related to electronic public services through prior consultation with the Director of the National Intelligence Service. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The head of each central administrative agency, each affiliate thereof, and each local government shall formulate and implement security measures for his/her agency in accordance with the security measures provided for in paragraph (1).

CHAPTER III.- ELECTRONIC ADMINISTRATIVE MANAGEMENT

Article 25 (Preparation, etc. of Electronic Documents)

(1) Documents of each administrative agency, etc. shall be prepared, dispatched, received, stored, preserved, and utilized basically in electronic form: Provided, That the same shall not apply where the nature of specific work requires any other format, or under exceptional circumstances.

(2) Each administrative agency, etc. shall make the forms of documents sent or received by such agency appropriate for electronic documents.

(3) Necessary matters concerning the preparation, delivery, receipt, storage, preservation, and utilization of electronic documents of each administrative agency, etc., the method of preparing forms of electronic documents, and other relevant matters shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 26 (Formation, Effects, etc. of Electronic Documents, etc.)

(1) An electronic document prepared by an administrative agency, etc. shall be duly formed when it is approved (referring to approval by electronic means specified by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree).

(2) An electronic document that has been approved by an ancillary agency or support agency of an administrative agency, etc. with power delegated by the administrative agency or vicariously for and on behalf of the administrative agency may be delivered with the administrative digital signature of the ancillary or support agency under Article 29.

(3) Any electronic document and digitized document under this Act shall have the same effect as a paper document, except as otherwise provided for in other Acts.

Article 27 (Transmission and Receipt of Electronic Documents)

(1) Any individual, corporation, or organization seeking to transmit to an administrative agency, etc. an electronic document that requires verification of the identity of the transmitter shall transmit such document with an authenticated digital signature or by electronic means recognized by other Acts and subordinate statutes as means that may be used for the verification of the identity of a person: Provided, That any public institution seeking to exchange electronic documents with an administrative agency shall use its administrative digital signature in transmitting and receiving such electronic documents.

(2) If clarification of the time of delivery or arrival of an electronic document is required, the electronic document shall be transmitted or received by electronic means specified by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree so that the time of delivery or arrival can be objectively verified.

Article 28 (Timing of Delivery or Arrival of Electronic Documents)

(1) An electronic document transmitted to an administrative agency, etc. shall be deemed delivered by the transmitter at the time the transmission of the electronic document is electronically recorded by using an information system.

(2) An electronic document transmitted by an administrative agency, etc. shall be deemed to arrive at the addressee at the time it is entered in the information system, etc. designated by the addressee: Provided, That if the information system, etc. is not designated, such electronic document is deemed to arrive at the addressee at the time it is entered in the information system, etc. under the control of the addressee.

(3) If a transmitter had delivered a document, etc. required to arrive by a specific deadline in electronic form by electronic means described in Article 27 (2) prior to the deadline, but the document did not arrive by the deadline due to failure of the information system or related device of the addressee, the deadline that applies only to the transmitter is deemed to fall on the day immediately following the date on which the failure is eliminated.

(4) If an electronic document that arrives at, and is received by, an administrative agency, etc. is illegible, the administrative agency, etc. shall regard it as a defective document and shall demand the transmitter correct the defect within a period reasonably prescribed as necessary for such correction, while if an electronic document delivered by an administrative agency, etc. that arrives at the addressee is illegible, such document shall not be deemed a document that duly arrives.

Article 29 (Authentication of Administrative Digital Signatures)

(1) Each electronic document prepared by an administrative agency shall bear an administrative digital signature: Provided, That any administrative agency may use an authenticated digital signature to efficiently operate electronic transactions under subparagraph 5 of Article 2 of the Framework Act on Electronic Documents and Transactions. (Amended by Act nº 11461, Jun. 1, 2012)

(2) The head of each central agency responsible for administrative affairs shall authenticate administrative digital signatures.

(3) In authenticating administrative digital signatures under paragraph (2), the head of each central agency responsible for administrative affairs shall prepare technical standards for administrative digital signatures in consultation with the Minister of the Interior and Safety to increase compatibility with authenticated digital signatures and shall also prepare measures to link administrative digital signatures with authenticated digital signatures. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) An administrative digital signature authenticated pursuant to paragraph (2) and applied to an electronic document shall be deemed the official seal or official authentication of the administrative agency or public institution indicated in the electronic document or the signature of the person in direct charge of relevant affairs in the relevant agency, and the content thereof shall be presumed not to have been modified after the administrative digital signature was applied thereto.

(5) Necessary matters concerning the authentication of administrative digital signatures shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 30 (Electronic Management of Administrative Knowledge)

The head of an administrative agency, etc. may establish and operate an electronic processing system for utilizing matters deemed considerably valuable as data that can be used to make decisions on important policies thereof, out of administrative information relevant to duties under his/her jurisdiction, personal experiences, practical knowledge and techniques produced and circulated within the agency.

Article 30-2 (Inter-Linkage and Integration of Electronic Systems)

(1) For improving administrative efficiency and the integrated and efficient provision of services to the public, the head of a central administrative agency, etc., may interlink or integrate the electronic systems under his/her jurisdiction with those of other central administrative agencies, etc.

(2) Necessary matters concerning the standards for inter-linkage and integration of electronic systems and the procedures, methods, etc. therefor, shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 12346, Jan. 28, 2014)

Article 30-3 (Construction and Utilization of Data-Sharing Hub)

(1) The Minister of the Interior and Safety may construct and operate a system for sharing data collected and managed through electronic systems (hereinafter referred to as “data-sharing hub“). (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The head of a central administrative agency, etc., may, through the data-sharing hub, jointly use the data collected and managed by the heads of other central administrative agencies, etc.

(3) Necessary matters concerning the scope of data and sharing procedures set forth in paragraphs (1) and (2) shall be prescribed by Presidential Decree. (Article Inserted by Act nº 12346, Jan. 28, 2014)

Article 30-4 (Collection and Utilization of Disclosed Internet Data)

(1) For the formulation of policies, decision-making, etc., the head of an administrative agency, etc. may collect and utilize disclosed Internet data, other than the personal information defined in subparagraph 1 of Article 2 of the Personal Information Protection Act, through the data-sharing hub.

(2) Necessary matters concerning the scope of collection of open Internet data, procedures for utilization thereof, etc. under paragraph (1), shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 12346, Jan. 28, 2014)

Article 31 (Gathering Opinions through Information and Communications Networks)

(1) With regard to the enactment and amendment of an Act or a subordinate statute relevant to affairs under the control of an administrative agency, etc., the matters that require pre-announcement of administration pursuant to Article 46 (1) of the Administrative Procedures Act, and other matters that require holding of a public hearing, poll, or others pursuant to relevant Acts and subordinate statutes, the head of the responsible administrative agency, etc. shall proceed in tandem to gather opinions through information and communications networks.

(2) The head of each administrative agency, etc. shall allow a party or any interested party who has an opinion with regard to a disposition made by the agency to present his/her opinion through an information and communications network.

(3) The head of each administrative agency, etc. shall readjust relevant Acts and subordinate statutes and take other measures in order to facilitate the gathering and presentation of opinions under paragraphs (1) and (2).

(4) The head of each administrative agency, etc. shall, when he/she conducts any statistical survey subject to citizens, a survey on citizens’ satisfaction with the processing of civil petitions, or any similar survey, actively take measures to utilize information and communications networks.

 Article 32 (Electronic Performance of Work, etc.)

(1) The head of an administrative agency, etc. may adopt an online video conferencing method using information and communications networks in conducting administrative affairs. In such cases, the head of an administrative agency, etc. shall endeavor to preferentially utilize such online video conferencing when conducting business between distant locations. (Amended by Act nº 12346, Jan. 28, 2014)

(2) The head of a central agency responsible for administrative affairs may provide necessary assistance for the adoption, utilization, etc. of online video conferencing under paragraph (1). (Inserted by Act nº 12346, Jan. 28, 2014)

(3) The head of an administrative agency, etc. may, whenever necessary, allow his/her employees to conduct some form of remote work through information and communications networks without necessarily designating a specific place of service. In such cases, the head of an administrative agency, etc. shall formulate measures to prevent illegal access to information and communications networks and other security measures. (Amended by Act nº 12346, Jan. 28, 2014)

(4) The head of an administrative agency, etc. may provide online remote educational and training programs for his/her employees through information and communications networks. (Amended by Act nº 12346, Jan. 28, 2014)

(5) Matters necessary to facilitate the performance of remote work under paragraphs (1) through (4) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree. (Amended by Act nº 12346, Jan. 28, 2014)

Article 33 (Reduction of Paper Documents)

(1) The head of each administrative agency, etc. shall minimize the formulation, receipt, circulation, and storage of paper documents by digitalizing administrative affairs and civil petitions, sharing administrative information with other agencies, or by other means, and shall formulate plans to continuously reduce paper documents in the relevant agency.

(2) The head of each administrative agency, etc. shall revise its methods of working, etc. in the relevant agency in a manner that minimizes unnecessary printing of paper documents in the process of formulating and reporting documents.

(3) With the aim of reducing paper documents, the head of each administrative agency, etc. shall amend or supplement Acts and subordinate statutes, directives, etc. that stipulate application, reports, submission, notice, or notification in paper form to allow such application, etc. by electronic means as well, except under exceptional circumstances.

(4) The head of a central agency responsible for administrative affairs may, if necessary, formulate and implement directives to reduce paper documents or investigate the actual use, etc. of paper documents.

Article 34 (Identities of Persons in Charge and their Rights of Access)

The head of each administrative agency, etc. shall manage and check the identity, rights of access, etc. of a person in charge of relevant work, seeking to access an information system or to use administrative information for electronically processing civil petitions or conducting relevant affairs, in a manner prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 35 (Prohibited Acts)

No person shall commit any of the following acts when handling or utilizing administrative information: (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. Forging, altering, damaging, or deleting administrative information for the purpose of interfering with affairs related to the processing of such information;

2. Forging, altering, damaging, or using an information system for the sharing of administrative information without good cause;

3. Disclosing or disseminating, to the public, any method or program by which administrative information can be altered or deleted;

4. Divulging administrative information, the disclosure of which is prohibited, without good cause;

5. Processing administrative information without due authority or beyond the authority accorded;

6. Aiding or abetting another person, without due authority, to use administrative information;

7. An agency having obtained the approval for sharing administrative information from the Minister of the Interior and Safety pursuant to Article 39 (2), but sharing administrative information in a manner that has not been approved or storing administrative information in an information system or storage device that has not been approved;

8. Receiving administrative information from an administrative agency, etc. or accessing administrative information by fraud or other improper means.

CHAPTER IV.- SHARING ADMINISTRATIVE INFORMATION

Article 36 (Efficient Management and Use of Administrative Information)

(1) The head of each administrative agency, etc. shall share administrative information collected and held by such agency with other administrative agencies, etc. that need such information and shall not endeavor to separately gather identical information where he/she can be provided with reliable administrative information from other administrative agencies, etc.

(2) The head of each administrative agency, etc. collecting and possessing administrative information (hereinafter referred to as “agency in possession of administrative information“) may allow other administrative agencies, etc., banks authorized to engage in banking business pursuant to Article 8 (1) of the Banking Act, and legal entities, organizations, or institutions specified by Presidential Decree to share administrative information held by the agency in possession of such administrative information. (Amended by Act nº 10303, May 17, 2010)

(3) The Minister of the Interior and Safety may publicly announce the detailed examination of the lists of administrative information held by administrative agencies, etc. and the outcomes thereof through information systems and conduct research on demand for the administrative information that administrative agencies, etc. need to share with each other. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12346, Jan. 28, 2014; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) The head of each central agency responsible for administrative affairs shall promote the readjustment of relevant Acts, subordinate statutes, and systems in order to ensure the effective management of administrative information, such as production, processing, utilization, provision, storing, scrapping, etc. of administrative information.

(5) The Minister of the Interior and Safety may establish and publish guidelines for the criteria, procedures, etc. for sharing administrative information, in consultation with the heads of other central agencies responsible for administrative affairs. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(6) Necessary matters concerning the methods, etc. for examination of lists of administrative information under paragraph (3) shall be prescribed by Presidential Decree. (Inserted by Act nº 12346, Jan. 28, 2014)

Article 37 (Administrative Information-Sharing Center)

(1) In order to ensure the effective sharing of administrative information, the Minister of the Interior and Safety may establish an Administrative Information-Sharing Center (hereinafter referred to as the “Sharing Center“) under his/her jurisdiction to implement policies necessary to share administrative information, as prescribed by Presidential Decree. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) Any agency sharing administrative information pursuant to Article 36 (2) shall share such information through the Sharing Center unless good cause exists.

Article 38 (Administrative Information Subject to Sharing)

(1) Administrative information that can be shared through the Sharing Center pursuant to Articles 36 and 37 shall be as follows:

1. Administrative information necessary to process civil petitions, etc.;

2. Administrative information that can be used as reference to carry out administrative affairs, such as statistical information, bibliographic information, and policy information;

3. Administrative information deemed essential by an administrative agency, etc. to carry out its official duties prescribed by any Act and subordinate statutes, etc.

(2) Administrative information related to national security of the State, administrative information classified as confidential under any Act or subordinate statute, or any similar administrative information may be excluded from information subject to sharing.

(3) Each agency in possession of administrative information shall ensure that it provides the most up-to-date and accurate administrative information for sharing.

(4) Administrative information shall be shared to the extent necessary for satisfying the specific purpose of its use.

(5) The type, scope, category, etc. of information subject to sharing in the scope of administrative information under paragraph (1) shall be prescribed by Presidential Decree.

Article 39 (Applications for Sharing Administrative Information and Approvals thereof)

(1) Any agency intending to use administrative information through the Sharing Center pursuant to Article 37 (2) shall apply for the sharing of administrative information to the Minister of the Interior and Safety by specifying the administrative information to be subject to sharing and the scope thereof, the purpose and method of sharing, the agency in possession of such administrative information, etc., as prescribed by Presidential Decree. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) Upon receipt of an application for the sharing of administrative information under paragraph (1), the Minister of the Interior and Safety may approve such application by specifying conditions for sharing, etc. as prescribed by Presidential Decree: Provided, That he/she shall not approve an application for sharing in any of the following cases: (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. Where the administrative information, the sharing of which has been applied for, is defined as confidential or non-disclosable by any other Act or an order delegated by such other Act (limited only to the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, the Board of Audit and Inspection Regulations, Presidential Decrees, ordinances of the Prime Minister, Ministerial ordinances, and municipal ordinances and rules);

2. Where the administrative information, the sharing of which has been applied for, is related to the guarantee of national security or the national defense, unification of the two Koreas, diplomatic relations, etc. and deemed likely to significantly harm the material national interest if it is so shared;

3. Where the administrative information, the sharing of which has been applied for, is deemed as unnecessary for the performance of inherent duties of the agency that has applied for the sharing (hereinafter referred to as “applicant agency“);

4. Other cases deemed likely to defeat the purpose of sharing administrative information under this Act or the security and reliability of administrative information prescribed by Presidential Decree.

(3) The Minister of the Interior and Safety shall, prior to the grant of the approval pursuant to paragraph (2), obtain the consent of the head of the agency holding relevant administrative information, and in such cases, the head of the agency holding relevant administrative information shall cooperate in sharing administrative information, except under exceptional circumstances. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) Where administrative information that an applicant agency intends to share is a personal information file described in Article 32 of the Personal Information Protection Act, the Minister of the Interior and Safety shall grant the approval therefor pursuant to paragraph (2) after deliberation and resolution by the Personal Information Protection Committee referred to in Article 7 of the said Act: Provided, That this shall not apply where otherwise provided for in any other Act. (Amended by Act. nº 10465, Mar. 29, 2011; Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(5) The Minister of the Interior and Safety may approve the sharing of administrative information by simplifying or skipping the procedures described in paragraphs (1) through (4), in either of the following cases: (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13459, Aug. 11, 2015; Act nº 14839, Jul. 26, 2017)

1. Where, with regard to an administrative affair, the sharing of which has already been approved, a simple change in its name, department in charge, etc. is to be made due to enactment or amendment of an Act or subordinate statutes;

2. Where sharing administrative information is required to process civil petitions listed in the standards for performing clerical services for civil petitions referred to in Article 36 (1) of the Civil Petitions Treatment Act.

(6) Where an administrative affair subject to sharing is an affair common to several administrative agencies, etc. as prescribed by Acts and subordinate statutes, the Minister of the Interior and Safety may approve the sharing of such administrative affair among all the agencies handling such affair, even though no separate application therefor is filed by individual agencies. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(7) Each agency that has obtained approval pursuant to paragraph (2) shall designate any of the following persons to operate the relevant business as prescribed by Presidential Decree:

1. A person with the right to engage in overall management of matters related to the sharing in the relevant agency;

2. A person with the right to grant authority to access administrative information to responsible persons in the relevant agency;

3. A person with the right to access relevant work and administrative information processed by such sharing.

Article 40 (Constructive Review, Approval and Consultations)

(1) Where an applicant agency has obtained approval for sharing pursuant to Article 39 (2) with regard to administrative information set forth in the main sentences of the provisions referred to in each of the following subparagraphs, it shall be deemed capable of providing such administrative information to the applicant agency pursuant to the provisos to the corresponding provisions: (Amended by Act nº 12346, Jan. 28, 2014; Act nº 14474, Dec. 27, 2016)

1. Article 81-13 (1) of the Framework Act on National Taxes;

2. Article 116 (1) of the Customs Act;

3. Article 86 (1) of the Framework Act on Local Taxes.

(2) Where an applicant agency has obtained approval to share administrative information pursuant to Article 39 (2) and such administrative information contains any of the following, the following review, approval, consultations, etc. corresponding thereto shall be deemed done, obtained, or provided for such administrative information: (Amended by Act. nº 10580, Apr. 12, 2011; Act nº 12592, May 20, 2014; Act nº 12738, Jun. 3, 2014)

1. Review, approval, or consultation with regard to the use or utilization of computerized registration data as prescribed in Article 109 (2) of the Registration of Real Estate Act;

2. Review, approval, or consultation with regard to the use or utilization of computerized data on registration as prescribed in Article 13 (1) of the Act on the Registration, etc. of Family Relationships;

3. Review or approval with regard to the use or utilization of computer processing information data on resident registration as prescribed in Article 30 of the Resident Registration Act;

4. Review or approval with regard to the use or utilization of cadastral computerized data as prescribed in Article 76 of the Act on the Establishment, Management, etc. of Spatial Data;

5. Review or approval with regard to the use of computerized data as prescribed in Article 69 (2) of the Motor Vehicle Management Act;

6. Review or approval with regard to the use of computerized data as prescribed in Article 32 of the Building Act;

7. Review, approval or consultation with regard to the use or utilization of computerized registration data as prescribed in Article 21 (2) of the Commercial Registration Act.

Article 41 (Withdrawal or Suspension of Approval for Sharing Administrative Information)

(1) Where an agency using administrative information after obtaining the approval for sharing pursuant to Article 39 (2) (hereinafter referred to as “user agency“) or an employee belonging to such agency falls under any of the following, the Minister of the Interior and Safety may withdraw the approval granted to the relevant user agency: (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. Where the agency or employee violates the conditions for sharing determined pursuant to Article 39 (2);

2. Where an event corresponding to any of the subparagraphs of Article 39 (2) arises after the agency files an application for sharing;

3. Where the agency or employee commits a prohibited act under Article 35 or violates the duty to comply under Article 74;

4. Other cases similar to subparagraphs 1 through 3 where there is any unavoidable reason to justify prohibiting the sharing of administrative information, as prescribed by Presidential Decree.

(2) Where it is deemed that a reason falling under any of the subparagraphs of paragraph (1) arises temporarily, the Minister of the Interior and Safety may temporarily suspend the relevant user agency’s sharing of administrative information until the cause for the event is settled, notwithstanding paragraph (1). (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) Where any user agency sharing administrative information or any employee belonging to such agency falls under any of the subparagraphs of paragraph (1), an agency in possession of such administrative information may request the Minister of the Interior and Safety to withdraw the approval granted to the relevant agency for the sharing of administrative information under its jurisdiction or to temporarily suspend the relevant user agency’s sharing of such information. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) Where the Minister of the Interior and Safety withdraws the approval for the sharing of administrative information under paragraph (1) or suspends such sharing under paragraph (2), he/she shall notify the relevant user agency and the agency in possession of such administrative information of the detailed grounds therefor. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(5) Matters necessary for the withdrawal or suspension of sharing administrative information, and other relevant matters shall be prescribed by Presidential Decree.

Article 42 (Prior Consent of Owners of Information)

(1) When any user agency shares administrative information containing personal information through the Sharing Center, it shall obtain the prior consent of the owner of the said information as defined in subparagraph 3 of Article 2 of the Personal Information Protection Act (hereinafter referred to as “owner of information“) so that he/she is aware of the following matters. In such cases, the consent under Article 18 (2) 1, subparagraph 1 of Article 19 or Article 24 (1) 1 shall be deemed obtained. (Amended by Act. nº 10465, Mar. 29, 2011; Act nº 12346, Jan. 28, 2014)

1. The purpose of sharing the information;

2. The administrative information subject to sharing and the scope of sharing;

3. The name of the user agency sharing the information.

(2) Notwithstanding paragraph (1), where it is impossible for a user agency to obtain prior consent from the owner of information or it is deemed improper to obtain such prior consent in any of the following cases, the user agency shall make the matters listed in the subparagraphs of paragraph (1) known to the said owner of information after the relevant administrative information is shared, as prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree: Provided, That where a user agency shares administrative information for a criminal investigation in the case of subparagraph 3, it shall make those listed in the subparagraphs of paragraph (1) known to the owner of information on or after the date public prosecution is initiated or a disposition not to arrest or initiate public prosecution (except for a decision to suspend indictment) is made with regard to the relevant case:

1. Where sharing the relevant information is urgently required to protect the life or body of the owner of information;

2. Where sharing the relevant information is unavoidable to impose a duty on the owner of information or revoke or withdraw any right or interest of the owner of information pursuant to any Act or subordinate statute;

3. Where sharing the relevant information is unavoidable to perform affairs related to sanctions on the owner of information who has violated any Act or subordinate statute, such as investigation or punishment of the owner of information;

4. Other cases deemed considerably improper to obtain the consent of the owner of information in performing affairs stipulated by an Act or subordinate statute, in consideration of the nature of the relevant affairs or information, as prescribed by Presidential Decree.

(3) The Minister of the Interior and Safety shall disclose the detailed scope of affairs and administrative information that can be shared without the prior consent of the owner of information pursuant to paragraph (2), as prescribed by Presidential Decree. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 43 (Rights of Owners of Information to Request Access)

(1) Any owner of information may apply to the Minister of the Interior and Safety or the head of the relevant user agency for access to the following matters with regard to the administrative information about him/herself, among the information shared through the Sharing Center: (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. The user agency;

2. The purpose of sharing the information;

3. The type of the information shared;

4. The time of sharing the information;

5. Legal grounds for sharing the administrative information.

(2) Upon receipt of an application filed by an owner of information under paragraph (1), the Minister of the Interior and Safety and the head of each user agency shall notify the owner of information about the matters listed in the subparagraphs of paragraph (1) within ten days from the date of filing an application, unless any good reason exists. In such cases, if there is any good reason making it impossible to give notice within ten days, he/she shall notify without delay when the relevant reason ceases to exist. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) Where a user agency shares administrative information for a criminal investigation in cases under paragraph (2), it shall notify the owner of information thereof within 30 days of the date public prosecution is initiated or a disposition not to arrest or initiate public prosecution (except for a decision to suspend indictment) is made with regard to the relevant case.

(4) If a user agency fails to give notice under paragraph (2), the owner of information may directly apply to the Minister of the Interior and Safety for access to the matters listed in the subparagraphs of paragraph (1) related to him/herself, among the information shared by the user agency. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(5) Matters necessary for the procedures for the access, etc. under paragraphs (1) through (4) shall be prescribed by Presidential Decree.

(6) The Minister of the Interior and Safety shall keep, manage, and disclose records related to the administrative information shared through the Sharing Center, such as its title and frequency of sharing, as prescribed by Presidential Decree. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 44 (Charges for Sharing Administrative Information)

(1) Any agency that provides administrative information through the Sharing Center may charge fees therefor, to the agency that uses the information.

(2) Necessary matters concerning the subject matters and scope of the charges for providing administrative information and other relevant matters shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

CHAPTER V.- STRENGTHENING OPERATIONAL BASIS FOR ELECTRONIC GOVERNMENT

SECTION 1.- Introduction and Utilization of Information Technology Architecture

Article 45 (Formulation, etc. of Master Plan for Information Technology Architecture)

(1) The Minister of the Interior and Safety shall formulate a master plan to introduce and disseminate an information technology architecture (hereinafter referred to as the “Master Plan“) in a systematic manner in consultation with the heads of related administrative agencies, etc. (Amended by Act nº 11688, Mar. 23, 2013; Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The Minister of the Interior and Safety shall formulate a pan-Governmental information technology architecture in compliance with the Master Plan. (Amended by Act nº 11688, Mar. 23, 2013; Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) The Minister of the Interior and Safety shall establish and publish guidelines for the introduction and operation of an information technology architecture as well as the construction and operation of an information system, and the head of each administrative agency, etc. shall comply with such guidelines. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) The Minister of the Interior and Safety shall formulate policies for interlinking an information technology architecture with related systems, such as budgets and performance, and for developing them in consultation with the heads of related central administrative agencies, and the head of each administrative agency, etc. shall endeavor to reflect such policies in any work under his/her jurisdiction, except under exceptional circumstances. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 46 (Introduction and Operation of Information Technology Architecture for each Agency)

(1) The head of each administrative agency, etc. prescribed by Presidential Decree (hereinafter referred to as “agency to introduce an architecture“) shall formulate a plan for the introduction of an information technology architecture and submit such plan to the Minister of the Interior and Safety, as prescribed by Presidential Decree. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The head of each agency to introduce an architecture shall introduce and operate the information technology architecture in accordance with the plan under paragraph (1) and maintain and develop the architecture, to ensure the efficient work processing and facilitation of informatization in the relevant agency.

Article 47 (Facilitating Introduction and Operation of Information Technology Architecture)

(1) In order to facilitate the introduction and operation of an information technology architecture, the Minister of the Interior and Safety may develop and disseminate a reference model for an information technology architecture jointly usable by administrative agencies, etc. (referring to a model for securing consistency, compatibility, etc. by defining the components of an information technology architecture in line with the standardized classification system and format; hereinafter the same shall apply). (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The Minister of the Interior and Safety may provide administrative agencies, etc. seeking to introduce and operate an information technology architecture, with technology relating to the introduction and operation of such architecture, education and training, and other necessary assistance, as prescribed by Presidential Decree. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) In order to make information relating to an information technology architecture available to every administrative agency, etc., the Minister of the Interior and Safety shall establish and operate a system for managing and providing information relating to the reference model, pan-Governmental information technology architecture, the current status of implementation and operation of the information technology architecture for each agency, and other relevant matters. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) The Minister of the Interior and Safety may recommend that the private sector in close relationship with an administrative agency, etc., which establishes or operates an information system in connection with the information system of administrative agency, etc., implement and operate an information technology architecture. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 48 (Re-Design of Work Processes Compatible with Information and Communications Technologies)

(1) When the head of each administrative agency, etc. introduces information and communications technologies to any work under his/her jurisdiction, he/she shall re-design its pre-existing organization, placement of manpower, work processes, etc. in a manner compatible with the implementation of the information and communications technologies, and shall implement such re-design.

(2) If the scope of work process re-designed pursuant to paragraph (1) involves work of two or more administrative agencies, etc., the head of a relevant administrative agency, etc. may request the heads of related administrative agencies, etc. to cooperate in such re-design, and the heads of related administrative agencies, etc. so requested shall comply with such request, except under exceptional circumstances.

(3) The head of each administrative agency, etc. shall, if necessary, readjust Acts, subordinate statutes, and systems relevant to work under his/her jurisdiction in accordance with the re-design of work processes under paragraphs (1) and (2) and may request improvement of Acts, subordinate statutes, and systems under jurisdiction of other administrative agencies, etc.

SECTION 2.- Laying Groundwork for Efficient Management of Information Resources

Article 49 (Technical Evaluations for Securing Interoperability, etc.)

(1) When the head of an administrative agency, etc. intends to undertake a project to build an information system, the characteristics and the project size of which meet the criteria prescribed by Presidential Decree, he/she shall conduct technical evaluations of each of the following in accordance with the guidelines under Article 45 (3) before confirming the project plan:

1. Interoperability of the information system;

2. Information sharing;

3. Efficiency of the information system;

4. Technical convenience of access to information;

5. Technical suitability of establishment and operation of the information system.

(2) The head of an administrative agency, etc. may, if necessary, allow an agency meeting the qualifications prescribed by Presidential Decree to conduct technical evaluations under paragraph (1) before formulating the project plan.

Article 50 (Standardization)

The head of each central agency responsible for administrative affairs may take necessary measures for the standardization of official electronic documents, administrative codes, and computers and other devices commonly used by administrative agencies, etc., as prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 51 (Designation and Utilization of Services for Sharing)

(1) The head of a central agency responsible for administrative affairs may designate, modify, or revoke standardized information resources that can be utilized by multiple administrative agencies, etc. or the private sector (hereinafter referred to as “services for sharing“), among the information resources held by administrative agencies, etc., in consultation with the heads of related administrative agencies, etc. and may find and select outstanding information resources among them and distribute such resources to other administrative agencies, etc.

(2) The head of a central agency responsible for administrative affairs may build and operate a system to manage services for sharing to facilitate the efficient distribution and utilization of such services.

(3) The head of each administrative agency, etc. shall prioritize utilizing the services for sharing designated under paragraph (1) in building its information system, and register services that can be utilized by other administrative agencies, etc. or the private sector, among the services developed by the agency, with the system to manage services for sharing under paragraph (2) and continue to manage them.

(4) Any agency developing and distributing outstanding information resources may charge fees therefor to the agency that uses the information resources.

(5) The head of each central agency responsible for administrative affairs shall formulate policies for distributing and disseminating services for sharing.

(6) Detailed matters concerning the provisions of paragraphs (1) through (5) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 52 (Establishment of Information and Communications Networks)

(1) The head of each central agency responsible for administrative affairs shall formulate a plan for the establishment and operation of an information and communications network through which administrative agencies, etc. are integrated and interlinked, in consultation with the Minister of the Interior and Safety. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) When the head of an administrative agency, etc. intends to establish and operate an information and communications network, he/she shall design and operate such network in a manner that can be linked to the information and communications networks of other administrative agencies, etc. to ensure the efficient operation of the networks and the smooth flow of various kinds of administrative information.

(3) The Minister of the Interior and Safety shall establish and implement a system for the use of information and communications services, necessary to enable administrative agencies, etc. to use information and communication networks at a minimum cost. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 53 (Formulation, etc. of Plans for Fostering Experts on Informatization)

(1) The head of a central agency responsible for administrative affairs may formulate and promote plans for fostering experts on informatization, developing experts on informatization, qualification systems, etc. with the aim of enhancing informatization capability of public officials and facilitating the efficient management of information resources.

(2) The head of each central administrative agency and the head of each local government shall formulate and implement its own action plan in accordance with the plans for fostering experts on informatization referred to in paragraph (1).

(3) Necessary matters concerning the development of experts on informatization, etc. other than those provided for in paragraphs (1) and (2) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 54 (Integrated Management of Information Resources)

(1) The head of each administrative agency, etc. shall systematically prepare and manage the current status of the information resources possessed by the relevant agency and statistical data thereon (hereinafter referred to as “current status of information resources, etc.”).

(2) The Minister of the Interior and Safety may survey the demand for informatization in order to facilitate the sharing of information resources between administrative agencies, etc. and their efficient management, and may establish integrated standards, principles, etc. for information resources (hereinafter referred to as “standards for integrating information resources“) for the comprehensive integration and management of information resources. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12346, Jan. 28, 2014; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) Matters necessary for the preparation and management of the current status of information resources, etc., matters to be included in the standards for integrating information resources, and other relevant matters shall be prescribed by Presidential Decree.

Article 55 (Establishment and Operation of Local Information Integration Centers)

(1) A local government may establish and operate a Local Information Integration Center to efficiently manage information resources and promote informatization at the local level on an integrated basis and may, if necessary, establish and operate the Local Information Integration Center together with the State or any other local government or governments.

(2) The State may provide administrative, financial, technical, and other necessary assistance in establishing and operating the Local Information Integration Centers referred to in paragraph (1).

(3) The head of a local government intending to establish a Local Information Integration Center shall have prior consultation with the Minister of the Interior and Safety to prevent duplicative investment, etc, pursuant to Article 67 (1). (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) Matters necessary for the establishment and operation of the Local Information Integration Centers, other than those provided for in paragraphs (1) through (3), shall be prescribed by Presidential Decree.

SECTION 3.- Improving Safety and Reliability of Information Systems

Article 56 (Formulation and Implementation of Security Measures for Information and Communications Networks)

(1) The National Assembly, the Judiciary, the Constitutional Court, the National Election Commission, and the Executive Branch shall prepare security measures for ensuring the safety and reliability of information and communications networks, administrative information, etc. necessary for the realization of electronic government.

(2) The head of each administrative agency shall formulate and implement security measures for information and communications networks, administrative information, etc. under his/her jurisdiction in conformity with the security measures under paragraph (1).

(3) The head of each administrative agency shall take security measures, the safety of which has been confirmed by the Director of the National Intelligence Service, to prevent electronic documents from being forged, altered, damaged, or leaked in the course of preserving and circulating electronic documents through an information and communications network, and the Director of the National Intelligence Service may conduct an inspection to ensure such measures have been taken.

(4) Paragraph (3) shall be applicable to an agency responsible for processing administrative affairs of the National Assembly, the Judiciary, the Constitutional Court, or the National Election Commission, only if the head of the agency deems it necessary to take such measures: Provided, That the head of the agency shall, when he/she deems it unnecessary, take security measures similar to those provided for in paragraph (3).

Article 56-2 (Prevention of, Responses to, etc. System Failures)

(1) The head of each administrative agency shall formulate measures for preventing and responding to system failures for the stable operation and management of the information systems belonging to the relevant agency and the agencies under its jurisdiction.

(2) Matters necessary for the prevention of and response to system failures under paragraph (1), shall be prescribed by National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, and Presidential Decree.

(Article Inserted by Act nº 12346, Jan. 28, 2014)

Article 57 (Supervision of Information Systems in Administrative Agencies, etc.)

(1) The head of each administrative agency, etc. shall request a supervisory corporation under Article 58 (1) to supervise its information system, the characteristics and the project size of which meet the criteria prescribed by Presidential Decree: Provided, That the same shall not apply to electronic government projects prescribed by Presidential Decree the management of which is entrusted under Article 64-2. (Amended by Act nº 12346, Jan. 28, 2014)

(2) The head of each administrative agency, etc. shall, with regard to a project subject to supervision, allow his/her employees and the business operator constructing the relevant information system to provide necessary assistance to supervisors in performing their duties, and shall not intervene in, nor interfere with, their work without good cause.

(3) The head of each administrative agency, etc. shall, with regard to a project subject to supervision under paragraph (1), allow the business operator constructing the relevant information system to reflect the results of the supervision in the project.

(4) Notwithstanding paragraph (1), the head of an agency dealing with information prescribed by Presidential Decree, such as information for guaranteeing national security, may allow an institution determined by the head of the agency to supervise its information system.

(5) The Minister of the Interior and Safety shall determine and publicly announce standards necessary for carrying out supervision of information systems, such as the scope of supervision, procedures for supervision, matters to be observed, etc. (hereinafter referred to as “supervision standards“): Provided, That for matters relating to the security of information systems, he/she shall consult in advance with the heads of relevant agencies. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(6) A corporation or institution carrying out supervision pursuant to paragraphs (1) and (4) shall verify whether the relevant information system is being developed and constructed appropriately, in compliance with the supervision standards.

(7) The scope of duty of a corporation or institution carrying out supervision pursuant to paragraph (6), procedures for supervision, and other necessary matters shall be prescribed by Presidential Decree.

Article 58 (Registration of Supervisory Corporations)

(1) Any person intending to carry out supervision of an information system shall register him/herself with the Minister of the Interior and Safety as a corporation after meeting requirements prescribed by Presidential Decree, such as technical and financial capability and other matters necessary for supervision of an information system. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) When a corporation registered under paragraph (1) (hereinafter referred to as “supervisory corporation“) intends to modify any registered matters, he/she shall report such modification to the Minister of the Interior and Safety in advance: Provided, That this shall not apply to modification of any insignificant matters prescribed by Presidential Decree, such as modification of equity capital within the extent of registration requirements. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) Matters necessary for the registration of supervisory corporations, modification of registered matters, and other relevant matters shall be prescribed by Presidential Decree.

Article 59 (Matters to be Observed by Supervisory Corporations)

(1) Each supervisory corporation shall require supervisors under Article 60 (1) to perform supervisory duties.

(2) No supervisory corporation shall prepare a false report on supervision, and it shall carry out supervision of information systems in good faith.

(3) No supervisory corporation shall allow another person to carry out supervision of information systems using its own name.

Article 60 (Supervisors)

(1) Any person intending to work as a supervisor shall meet specific requirements for qualification prescribed by Presidential Decree, such as technical requirements for each grade, and shall receive education necessary for performing supervisory duties, as prescribed by Presidential Decree.

(2) The Minister of the Interior and Safety shall issue supervisor’s certificates to persons satisfying the requirements for qualification under paragraph (1) and manage those certificates, as prescribed by Presidential Decree. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) No supervisor shall allow another person to perform supervisory duties using his/her own name, or lend his/her supervisor’s certificate to another person.

Article 61 (Disqualification of Supervisory Corporations, etc.)

(1) No corporation with either of the following persons serving as its executive officer shall be registered as a supervisory corporation under Article 58 (1): (Amended by Act nº 12346, Jan. 28, 2014)

1. An incompetent under the adult guardianship or a quasi-incompetent under the limited guardianship;

2. An executive officer of a supervisory corporation of which registration has been revoked pursuant to Article 62, for whom two years have not elapsed from the date the registration was revoked (referring to a person who has committed an act constituting a cause for such revocation and its representative).

(2) No person corresponding to paragraph (1) 1 shall become a supervisor under Article 60.

(3) Matters necessary to confirm grounds for disqualification of supervisory corporations, etc. shall be prescribed by Presidential Decree.

Article 62 (Revocation of Registration of Supervisory Corporations, etc.)

(1) When any supervisory corporation falls under any of the following subparagraphs, the Minister of the Interior and Safety may revoke its registration or order suspension of its business for a prescribed period not exceeding one year: Provided, That he/she shall revoke the registration of a supervisory corporation where it falls under subparagraphs 1 through 3 or subparagraph 10: (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. Where its registration is made by fraud or other improper means;

2. Where it has been subject to a disposition for suspension of business on at least three occasions for the last three years;

3. Where it carries out supervision of an information system during the period of suspension of business: Provided, That this shall not apply where it carries out supervision during the period of suspension of business pursuant to Article 63;

4. Where it carries out supervision in breach of the supervision standards, in violation of Article 57 (6);

5. Where it falls short of the requirements for registration under Article 58 (1);

6. Where it fails to report, or falsely reports, modified matters under Article 58 (2);

7. Where it allows persons other than supervisors to perform supervisory duties, in violation of Article 59 (1);

8. Where it prepares a false report on supervision, in violation of Article 59 (2);

9. Where it allows another person to carry out supervision of information systems using its own name, in violation of Article 59 (3);

10. Where any of its executive officers falls under a ground for disqualification provided for in Article 61 (1): Provided, That this shall not apply where it appoints another executive officer instead of the relevant executive within six months of the date such executive officer falls under disqualification requirements.

(2) The Minister of the Interior and Safety shall hold a hearing if he/she intends to revoke the registration pursuant to paragraph (1). (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) Necessary matters concerning the standards and procedures for dispositions under paragraph (1) and other relevant matters shall be prescribed by Presidential Decree.

Article 63 (Continuance of Business, etc. of Supervisory Corporations on which Disposition of Revocation of Registration, etc. has been Imposed)

(1) Any supervisory corporation on which a disposition of revocation of registration or suspension of business has been imposed pursuant to Article 62 (1) may continue to perform its supervisory duties under a contract concluded before the relevant disposition was imposed. In such cases, the supervisory corporation shall, without delay, notify the relevant person awarding the contract of the details of such disposition.

(2) Where a person awarding a contract for the supervision of an information system is notified pursuant to paragraph (1) or learns the fact that revocation of registration or suspension of business has been imposed on the relevant supervisory corporation, he/she may terminate the contract only within 30 days from the date he/she learns such fact, except under exceptional circumstances.

CHAPTER VI.- PROMOTION OF POLICIES, ETC. FOR REALIZATION OF ELECTRONIC GOVERNMENT

Article 64 (Promotion of and Support for Electronic Government Projects)

(1) The head of each administrative agency, etc. shall actively pursue projects for the realization, operation, and development of electronic government (hereinafter referred to as “electronic government projects“).

(2) The Minister of the Interior and Safety may provide the heads of administrative agencies, etc. with administrative, financial, technical, or other support necessary to help them efficiently pursue electronic government projects. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) Matters necessary for the selection and management of electronic government projects supported under paragraph (2) (hereinafter referred to as “supported electronic government projects“), and other relevant matters shall be prescribed by Presidential Decree.

Article 64-2 (Entrustment of Management of Electronic Government Projects)

(1) In order to efficiently implement electronic government projects, the heads of administrative agencies, etc. may entrust all or part of their business concerning the management and supervision of any of the following projects (hereinafter referred to as “management of electronic government projects“) to a person equipped with expertise and technical capacity, and the specific scope of electronic government projects which may be entrusted and the qualifications of a person eligible for being entrusted with the management of electronic government projects shall be prescribed by Presidential Decree:

1. Projects that significantly affect the efficiency in pubic services and public administration;

2. Projects that require special management because of a high level of difficulty;

3. Other cases where the heads of administrative agencies, etc. deem it necessary to entrust the management of electronic government projects.

(2) When the head of an administrative agency selects a person to whom he/she intends to entrust the management of electronic government projects (hereinafter referred to as “manager of electronic government projects“) pursuant to paragraph (1), he/she shall take into consideration human resources capable of managing such projects, a plan for conducting business, the past records of management of electronic government projects, etc., and detailed criteria for the selection shall be prescribed by Presidential Decree.

(3) No manager of electronic government projects shall give advice to anyone to have relevant electronic government projects subcontracted to him/herself or his/her affiliated company (referring to an affiliated company defined under subparagraph 3 of Article 2 of the Monopoly Regulation and Fair Trade Act).

(4) Where the head of an administrative agency entrusts the management of electronic government projects, he/she shall submit data about relevant electronic government projects, entrusted services, and performance of such services to the Minister of the Interior and Safety. (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(5) The Minister of the Interior and Safety may determine and publicly notify matters necessary for the management of electronic government projects, including the guidelines for the calculation of fees for the entrustment under paragraph (1) and the submission of data under paragraph (4). (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(Article Inserted by Act nº 11735, Apr. 5, 2013)

Article 64-3 (Liability, etc. of Manager of Electronic Government Projects)

The manager of electronic government projects shall be liable for any loss or damage suffered by a person from or in connection with his/her placing an order, which has been inflicted due to breach of contract or by intention or negligence in the course of the management of electronic government projects.

(Article Inserted by Act nº 11735, Apr. 5, 2013)

Article 65 (Promotion of and Support for Local Informatization Projects)

(1) The State and a local government may pursue the following local informatization projects with the aim of enhancing regional competitiveness and improving the quality of life for local residents:

1. Development and dissemination of local information services covering the history, culture, welfare, environment, etc. of the relevant region;

2. Construction of information systems and laying the foundations for informatization of the relevant region;

3. Intensive support for regions lagging behind in informatization;

4. Efficient management of information resources, such as integrated management of information systems and information services;

5. Other matters necessary for local informatization.

(2) A local government may pursue a local informatization project under paragraph (1) in collaboration with central administrative agencies or other local governments, if it is necessary to prevent duplicative investment, etc.

(3) The State and a local government may establish and operate a commonly applicable operating foundation for the efficient provision of services through integrated linkage between the public and private sector information systems in the relevant region. In such cases, they shall prepare measures to prevent unlawful access to information networks and other protective measures.

(4) In order to pursue local informatization projects under paragraphs (1) through (3), the State may provide administrative, financial, technical, and other necessary support, as prescribed by Presidential Decree.

(5) Matters necessary for the promotion of and support for local informatization projects, other than those provided for in paragraphs (1) through (4), shall be prescribed by Presidential Decree.

Article 66 (Promotion of Pilot Projects)

(1) The head of an administrative agency, etc. may promote a pilot project if necessary for the realization, operation, and development of electronic government and the facilitation of efficient informatization at the local level.

(2) Matters necessary for the implementation of pilot projects shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 67 (Prior Consultation)

(1) When the head of an administrative agency, etc. intends to pursue an electronic government project or local informatization project for interconnection or sharing with other administrative agencies, etc., he/she shall have prior consultation with the heads of central agencies responsible for administrative affairs to prevent duplicative investment, etc.: Provided, That the local informatization projects being pursued by the head of a Si/Gun/Gu (referring to an autonomous Gu) shall be subject to consultation with the competent Special Metropolitan City Mayor, Metropolitan City Mayor or Do Governor. (Amended by Act nº 12346, Jan. 28, 2014)

(2) The head of each administrative agency, etc. shall reflect the results of prior consultations held under paragraph (1), in the course of pursuing the relevant project.

(3) Necessary matters concerning projects subject to prior consultation, the methods and procedures therefor, and other relevant matters shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 68 (Analysis and Examination of Performance)

(1) The head of each central agency responsible for administrative affairs shall conduct comprehensive analysis and examination of the results and performance of major projects prescribed by Presidential Decree, such as projects concerning electronic government and local informatization which relate to multiple administrative agencies, etc., as well as the status of administrative information sharing, submit the results thereof to the National Assembly, and reflect such results in its business plan, etc. for the next year (Amended by Act nº 11688, Mar. 23, 2013)

(2) The Minister of the Interior and Safety shall, every year, analyze and examine the current status and outcomes of the introduction and operation of information technology architectures under Article 46 (2) and shall reflect the results thereof in the Master Plan. (Amended by Act nº 11688, Mar. 23, 2013; Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) Matters necessary for the analysis and examination of outcomes under paragraphs (1) and (2) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 69 (Cooperation, such as Submission of Materials)

(1)  If necessary for performing business affairs provided for in this Act, the head of a central agency responsible for administrative affairs may request the head of any related administrative agency, etc. to submit data, etc. for investigating the current conditions.

(2) The head of each related administrative agency, etc. shall actively cooperate with the request for submitting data under paragraph (1).

(3) The head of a central agency responsible for administrative affairs may provide statistical data, etc. collected pursuant to paragraph (1) upon receipt of a request of the head of any other administrative agency, etc.

Article 70 (International Collaboration for Electronic Government)

(1) The head of each central agency responsible for administrative affairs shall stay informed of international trends in electronic government and improve the international competitiveness of electronic government through international collaboration.

(2) The head of a central agency responsible for administrative affairs may carry out the following activities:

1. Collaboration with international organizations and foreign governments in connection with electronic government;

2. Management of an international rating index with regard to electronic government;

3. Other matters prescribed with regard to international collaboration for electronic government by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

(3) The head of a central agency responsible for administrative affairs may request the head of a related administrative agency, etc. to cooperate in connection with international collaboration for electronic government, and the head of the related administrative agency, etc. so requested shall comply with such request, except under exceptional circumstances.

Article 71 (Designation, etc. of Specialized Institutions)

(1) The head of a central agency responsible for administrative affairs may designate specialized institutions to entrust them with business affairs in order to comprehensively and efficiently conduct the following affairs assigned to each agency: (Amended by Act nº 11735, Apr. 5, 2013)

1. Affairs related to the development, provision, and promotion of the use of electronic government services;

2. Affairs related to the sharing of administrative information;

3. Affairs related to the introduction and utilization of an information technology architecture;

4. Affairs related to research on and improvement of the supervision system;

5. Research on the entrustment of the management of electronic government projects under Article 64-2 (1) and on the improvement therein;

6. Affairs related to the promotion of and assistance in supported electronic government projects and local informatization projects;

7. Other affairs prescribed for the realization, operation, and development of electronic government by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

(2) The head of a central agency responsible for administrative affairs may contribute or subsidize funds within budgetary limits as necessary for the performance of the affairs specified in paragraph (1) to the relevant specialized agency.

(3) Professional characteristics of the relevant affairs, etc. shall be considered in designating a specialized institution, and necessary matters concerning requirements, methods, and procedures for the designation of specialized institutions and other relevant matters shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 72 (Establishment, etc. of Korea Local Information Research and Development Institute)

(1) At least two local governments may jointly establish a Korea Local Information Research and Development Institute (hereinafter referred to as the “Development Institute“) to jointly pursue informatization projects under their control.

(2) The Development Institute shall be a corporation.

(3) The Development Institute shall perform the following affairs:

1. Assistance in informatization projects being pursued by local governments for the realization of electronic government and the facilitation of local informatization;

2. Administrative affairs entrusted by a related central administrative agency or a local government in connection with the promotion of informatization of local governments;

3. Survey, research, education, and training to facilitate informatization of local governments;

4. Other projects determined by Presidential Decree for the facilitation of local informatization.

(4) The head of an administrative agency, etc. may entrust the Development Institute with the affairs assigned to the agency in order to efficiently pursue local informatization projects.

(5) A local government may contribute funds to the Development Institute so that it can be appropriated for the establishment, installation of facilities, and operation of the Development Institute, and the State may provide support as necessary for the Development Institute’s smooth performance of duties.

(6) The Development Institute may request an administrative agency, etc. to wholly or partially bear expenses incurred in providing its services.

(7) Except as otherwise provided for in this Act, provisions regarding incorporated foundations of the Civil Act shall apply mutatis mutandis to the Development Institute.

(8) Matters necessary for the promotion and support of local informatization by the Development Institute and other relevant matters shall be prescribed by Presidential Decree.

Article 73 (Delegation and Entrustment of Authority, etc.)

(1) The head of a central agency responsible for administrative affairs may delegate part of his/her authority under this Act to heads of affiliates under his/her control or the Special Metropolitan City Mayor, Metropolitan City Mayors, and Do Governors or may entrust such authority to the head of any other administrative agency, etc., as prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

(2) The head of a central agency responsible for administrative affairs may entrust to any related corporation or organization some of its affairs under this Act, as prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, or by Presidential Decree.

Article 74 (Prevention of Divulgence of Confidential Information, etc.)

No person who was or is engaged in any of the following duties shall, without good cause, divulge to a third party any confidential information he/she acquires while performing his/her duties or steal such confidential information: (Amended by Act nº 11735, Apr. 5, 2013)

1. An administrative duty for which sharing administrative information is required;

2. A supervisory duty;

3. A duty of managing an electronic government project entrusted pursuant to Article 64-2 (1).

Article 75 (Legal Fiction as Public Official in Application of Penalty Provisions)

In applying Articles 129 through 132 of the Criminal Act, any of the following persons shall be deemed a public official, even though he/she is not a public official: (Amended by Act nº 11735, Apr. 5, 2013)

1. A person engaged in work relating to the sharing of administrative information;

2. A person working for an agency that receives administrative information (limited to persons relating to the sharing of administrative information);

3. A supervisor performing supervisory duties;

4. A person in charge of managing an electronic government project entrusted pursuant to Article 64-2 (1).

CHAPTER VII.- PENALTY PROVISIONS

Article 76 (Penalty Provisions)

(1) Any person who forges, alters, damages, or deletes administrative information in violation of subparagraph 1 of Article 35 shall be punished by imprisonment with labor for not more than ten years.

(2) Any of the following persons shall be punished by imprisonment with labor for not more than five years or by a fine not exceeding 50 million won:

1. A person who forges, alters, damages, or uses an information system for sharing administrative information without good cause, in violation of subparagraph 2 of Article 35;

2. A person who discloses or disseminates to the public, any method or program by which administrative information can be altered or deleted, in violation of subparagraph 3 of Article 35.

(3) Any of the following persons shall be punished by imprisonment with labor for not more than three years or by a fine not exceeding 30 million won:

1. A person who divulges administrative information, in violation of subparagraph 4 of Article 35;

2. A person who processes administrative information without due authority or beyond the authority accorded, in violation of subparagraph 5 of Article 35;

3. A person who aids or abets another person, without due authority, to use administrative information, in violation of subparagraph 6 of Article 35;

4. A person who shares administrative information in a manner that has not been authorized, or stores administrative information in an information system or a storage device that has not been authorized, in violation of subparagraph 7 of Article 35;

5. A person who divulges or steals any secret to which he/she has acquired in the course of his/her official duties, in violation of Article 74.

(4) Any person who receives administrative information from an administrative agency, etc. or peruses administrative information by fraud or other improper means, in violation of subparagraph 8 of Article 35, shall be punished by imprisonment with labor for not more than two years or by a fine not exceeding seven million won.

(5) Any person who carries out supervision of an information system without registration under Article 58 (1) shall be punished by imprisonment with labor for not more than two years or by a fine not exceeding 20 million won.

(6) Any person who allows another person to carry out supervision of an information systems using its own name or lends his/her supervisor’s certificate to another person, or any person who carries out supervision using another person’s name or borrows supervisor’s certificate shall be punished by imprisonment with labor for not more than one year or by a fine not exceeding ten million won.

Article 77 (Joint Penalty Provisions)

If the representative of a corporation, or an agent or employee of, or any other person employed, by a corporation or an individual commits a violation under Article 76 (3) 5 or Article 76 (5) or (6) in connection with the business affairs of the corporation or individual, not only shall such violator be punished, but also the corporation or individual shall be punished by a fine under the relevant provisions: Provided, That this shall not apply where such corporation or individual has not been negligent in giving due attention and supervision concerning the relevant duties to prevent such violation.

Article 78 (Administrative Fines)

(1) An administrative fine not exceeding 30 million won shall be imposed on any of the following persons:

1. A person who fails to obtain the prior consent of an owner of information, in violation of Article 42 (1);

2. A person who fails to notify an owner of information of the matters listed in the subparagraphs of Article 43 (1) without good cause, in violation of Article 42 (2) and (3).

(2) Administrative fines under paragraph (1) shall be imposed and collected by the Minister of the Interior and Safety. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

ADDENDA

Article 1 (Enforcement Date)

This Act shall enter into force three months after the date of its promulgation: Provided, That the amended provisions of Article 5 (5) of this Addenda shall enter into force on January 1, 2011.

Article 2 (Repeal of other Act)

The Act on the Efficient Introduction, Operation, etc. of Information Systems is hereby repealed.

Article 3 (Transitional Measures concerning Sharing of Administrative Information)

(1) Any administrative information being shared through the Sharing Center under the previous provisions as at the time this Act enters into force shall be deemed authorized in accordance with the procedures determined by this Act.

(2) Any person corresponding to the amended provisions of the subparagraphs of Article 39 (7) shall be deemed designated in accordance with the procedures determined by this Act.

Article 4 (Transitional Measure following Repeal of the Act on the Efficient Introduction, Operation, etc. of Information Systems)

(1) Any agency designated as an agency introducing an information technology architecture under Article 5 of the previous Act on the Efficient Introduction, Operation, etc. of Information Systems (hereafter referred to as “Information Systems Act” in this Article) before this Act enters into force shall be deemed an agency designated under this Act.

(2) Any project on which supervision is carried out under Article 11 of the previous Information Systems Act as at the time this Act enters into force shall be deemed a project on which supervision is carried out under this Act.

(3) Any supervisory corporation registered as a supervisory corporation under Article 12 of the previous Information Systems Act before this Act enters into force shall be deemed registered under this Act.

(4) Any person educated as a supervisor under Article 14 of the previous Information Systems Act before this Act enters into force shall be deemed to have received education under this Act.

(5) Any person having received a supervisor’s certificate under Article 14 of the previous Information Systems Act before this Act enters into force shall be deemed to have received such certificate under this Act.

(6) Any administrative disposition imposed with regard to supervision on any information system under Article 16 of the previous Information Systems Act before this Act enters into force shall be deemed to have been imposed under this Act.

(7) Any application of penalty provisions or administrative dispositions with regard to a violation of any provision of the previous Information Systems Act before this Act enters into force shall be governed by the previous Information Systems Act.

Article 5 Omitted.

Article 6 (Relationship with other Acts and Subordinate Statues)

Where the previous Electronic Government Act or the previous Act on the Efficient Introduction, Operation, etc. of Information Systems, or the provisions thereof are cited in other Acts or subordinate statutes as at the time this Act enters into force, this Act or the corresponding provisons hereof shall be deemed cited in place of the previous provisions, if provisions corresponding thereto exist in this Act.

ADDENDA (Act nº 10303, May 17, 201)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation. (Proviso Omitted.)

Articles 2 through 10 Omitted.

ADDENDA (Act nº 10465, Mar. 29, 2011)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation. (Proviso Omitted.)

Articles 2 through 7 Omitted.

ADDENDA (Act nº 10580, Apr. 12, 2011)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation. (Proviso Omitted.)

Articles 2 through 5 Omitted.

ADDENDA (Act nº 11461, Jun. 1, 2012)

Article 1 (Enforcement Date)

This Act shall enter into force three months after the date of its promulgation.

Articles 2 through 10 Omitted.

ADDENDA (Act nº 11688, Mar. 23, 2013)

Article 1 (Enforcement Date)

This Act shall enter into force on the date of its promulgation.

Article 2 Omitted.

ADDENDA (Act nº 11690, Mar. 23, 2013)

Article 1 (Enforcement Date)

(1) This Act shall enter into force on the date of its promulgation.

(2) Omitted.

Articles 2 through 7 Omitted.

ADDENDUM (Act nº 11735, Apr. 5, 2013)

This Act shall enter into force three months after the date of its promulgation.

ADDENDA (Act nº 12346, Jan. 28, 2014)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation.

Article 2 (Applicability concerning Master Plans for Electronic Government)

The first master plan for electronic government under the amended provisions of Article 5 shall be formulated in the year immediately following the enforcement of this Act.

Article 3 (Applicability concerning Plan for Each Agency)

The first plan for each agency under the amended provisions of Article 5-2 shall be formulated in the year immediately following the enforcement of this Act.

Article 4 (Applicability concerning Supervision of Information Systems)

The amended provisions under the proviso to Article 57 (1) shall apply to electronic government projects, the notices of tender for the entrustment of management of which are announced after this Act enters into force.

Article 5 (Transitional Measures concerning Incompetents, etc.)

The incompetents under the adult guardianship or quasi-incompetents under the limited guardianship under the amended provisions of Article 61 (1) 1 shall be deemed to include persons currently incompetent or quasi-incompetent under Article 2 of the Addenda to the partially amended Civil Act (Act nº 10429).

ADDENDA (Act nº 12592, May 20, 2014)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation.

Articles 2 through 5 Omitted.

ADDENDA (Act nº 12738, Jun. 3, 2014)

Article 1 (Enforcement Date)

This Act shall enter into force one year after the date of its promulgation. (Proviso Omitted.)

Articles 2 and 3 Omitted.

ADDENDA (Act nº 12844, Nov. 19, 2014)

Article 1 (Enforcement Date)

This Act shall enter into force on the date of its promulgation. (Proviso Omitted.)

Articles 2 through 7 Omitted.

ADDENDA (Act nº 13459, Aug. 11, 2015)

Article 1 (Enforcement Date)

This Act shall enter into force six months after the date of its promulgation.

Articles 2 through 5 Omitted.

ADDENDA (Act nº 14474, Dec. 27, 2016)

Article 1 (Enforcement Date)

This Act shall enter into force three months after the date of its promulgation.

Articles 2 through 14 Omitted.

ADDENDA (Act nº 14839, Jul. 26, 2017)

Article 1 (Enforcement Date)

This Act shall enter into force on the date of its promulgation: Provided, That among the Acts amended in accordance with Article 5 of these Addenda, amendments to Acts, which were promulgated before this Act enters into force, but the dates on which they are to enter into force have yet to arrive, shall enter into force on the enforcement dates of the respective Acts.

Articles 2 through 6 Omitted.

ADDENDUM (Act nº 14914, Oct. 24, 2017)

This Act shall enter into force on the date of its promulgation.

01May/20

Personal Information Protection Act. (PIPA), established by Act nº 10465, Mar. 29, 2011

Personal Information Protection Act. (PIPA), established by Act nº 10465, Mar. 29, 2011, amended by Act nº 11690, Mar. 23, 2013, amended by Act nº 11990,  Aug. 6, 2013, amended by Act nº 12504, Mar. 24, 2014, amended by Act nº 12844, Nov. 19, 2014, amended by Act nº 13423, Jul. 24, 2015, amended by Act nº 14107,  Mar. 29,  2016, amended by Act nº 14765, Apr. 18, 2017, amended by Act nº 14839, Jul. 26, 2017

CHAPTER I.- GENERAL PROVISIONS

Article 1 (Purpose)

The purpose of this Act is to provide for the processing and protection of personal information for the purposes of protecting the freedom and rights of individuals, and further realizing the dignity and value of the individuals. (Amended by Act nº 12504, Mar. 24, 2014)

Article 2 (Definitions)

The terms used in this Act shall be defined as follows: (Amended by Act nº 12504, Mar. 24, 2014)

1. The term “personal information” means information relating to a living individual that makes it possible to identify the individual by his/her full name, resident registration number, image, etc. (including information which, if not by itself, makes it possible to identify any specific individual if combined with other information);

2. The term “processing” means the collection, generation, connecting, interlocking, recording, storage, retention, value-added processing, editing, retrieval, output, correction, recovery, use, provision, and disclosure, destruction of personal information and other similar activities;

3. The term “data subject” means an individual who is identifiable by the information processed hereby to become the subject of that information;

4. The term “personal information file” means a set or sets of personal information arranged or organized in a systematic manner based on a certain rule for easy access to the personal information;

5. The term “personal information controller” means a public institution, legal person, organization, individual, etc. that processes personal information directly or indirectly to operate the personal information files for official or business purposes;

6. The term “public institution” means any of the following institutions:

(a) The administrative bodies of the National Assembly, the Courts, the Constitutional Court, and the National Election Commission; the central administrative agencies (including agencies under the Presidential Office and the Prime Minister’s Office) and their affiliated entities; and local governments;

(b) Other national agencies and public entities prescribed by Presidential Decree;

7. The term “visual data processing devices” means the devices prescribed by Presidential Decree, which are continuously installed at a certain place to take pictures of persons or images of things, or transmit such pictures or images via wired or wireless networks.

Article 3 (Principles for Protecting Personal Information)

(1) The personal information controller shall specify and explicit the purposes for which personal information is processed; and shall collect personal information lawfully and fairly to the minimum extent necessary for such purposes.

(2) The personal information controller shall process personal information in a manner compatible with the purposes for which the personal information is processed, and shall not use it beyond such purposes.

(3) The personal information controller shall ensure personal information is accurate, complete, and up to date to the extent necessary in relation to the purposes for which the personal information is processed.

(4) The personal information controller shall manage personal information safely according to the processing methods, types, etc. of personal information, taking into account the possibility of infringement on the data subject rights and the severity of the relevant risks.

(5) The personal information controller shall make public its privacy policy and other matters related to personal information processing; and shall guarantee the data subject rights, such as the right to access their personal information.

(6) The personal information controller shall process personal information in a manner to minimize the possibility to infringe on the privacy of a data subject.

(7) The personal information controller shall endeavor to process personal information in anonymity, if possible.

(8) The personal information controller shall endeavor to obtain trust of data subjects by observing and performing such duties and responsibilities as provided for in this Act and other related statutes.

Article 4 (Rights of Data Subjects)

A data subject has the following rights in relation to the processing of his/her own personal information:

1. The right to be informed of the processing of such personal information;

2. The right to consent or not, and to elect the scope of consent, to the processing of such personal information;

3. The right to confirm the processing of such personal information, and to request access (including the provision of copies; hereinafter the same applies) to such personal information;

4. The right to suspend the processing of, and to request a correction, erasure, and destruction of such personal information;

5. The right to appropriate redress for any damage arising out of the processing of such personal information in a prompt and fair procedure.

Article 5 (Obligations of State, etc.)

(1) The State and a local government shall formulate policies to prevent harmful consequences of beyond-purpose collection, abuse and misuse of personal information, indiscrete surveillance and pursuit, etc. and to enhance the dignity of human beings and individual privacy.

(2) The State and a local government shall establish policy measures, such as improving statutes, necessary to protect the data subject rights as provided for in Article 4.

(3) The State and a local government shall respect, promote, and support self-regulating data protection activities of personal information controllers to improve irrational social practices relating to the processing of personal information.

(4) The State and a local government shall enact or amend any statutes or municipal ordinances in conformity with the purpose of this Act.

Article 6 (Relationship to other Acts)

The protection of personal information shall be governed by this Act, except as otherwise specifically provided for in other Acts.  (Amended by Act nº 12504, Mar. 24, 2014)

CHAPTER II.- ESTABLISHMENT OF PERSONAL INFORMATION PROTECTION POLICIES, ETC.

Article 7 (Personal Information Protection Commission)

(1) The Personal Information Protection Commission (hereinafter referred to as the “Protection Commission”) shall be established under the Presidential Office to deliberate and resolve on matters relating to the protection of personal information. The Protection Commission shall independently conduct functions belonging to its authority.

(2) The Protection Commission shall be comprised of not more than 15 Commissioners, including one Chairperson and one Standing Commissioner, who shall be a public official in political service.

(3) The Chairperson shall be commissioned by the President from among non-public official Commissioners.

(4) The Commissioners shall be appointed or commissioned by the President from among the following persons. In this case, five Commissioners shall be appointed or commissioned from among the candidates elected by the National Assembly, and other five Commissioners from among the candidates designated by the Chief Justice of the Supreme Court:

1. Persons recommended by the civil society organizations or consumer groups related to the protection of personal information;

2. Persons recommended by the trade associations comprised of personal information controllers;

3. Other persons who have abundant academic knowledge and experience related to personal information.

(5) The term of office for the Chairperson and Commissioners shall be three years, renewable for only one further term.

(6) Meetings of the Protection Commission shall be convened by the Chairperson when the Chairperson deems it necessary or not less than 1/4 of the Commissioners demand it.

(7) The resolution of a meeting of the Protection Commission shall be made by the affirmative votes of a majority of present Commissioners if not less than 1/2 of the Commissioners are present at the meeting.

(8) A secretariat shall be established within the Protection Commission to support the administration of the Protection Commission.

(9) Except as otherwise expressly provided for in paragraphs (1) through (8), matters necessary for the organizational structure and operation of the Protection Commission shall be prescribed by Presidential Decree.

Article 8 (Functions, etc. of Protection Commission)

(1) The Protection Commission shall deliberate and resolve on the following matters:  (Amended by Act nº 13423, Jul. 24, 2015)

1. Matters concerning the assessment of data breach incident factors under Article 8-2;

1-2. Matters concerning the establishment of the Master Plan referred to in Article 9 and the Implementation Plans referred to in Article 10;

2. Matters concerning the improvement of policies, systems, and statutes;

3. Matters concerning the coordination of positions taken by public institutions with respect to the processing of personal information;

4. Matters concerning the interpretation and operation of statutes related to the protection of personal information;

5. Matters concerning the use and provision of personal information under Article 18 (2) 5;

6. Matters concerning the results of the privacy impact assessment under Article 33 (3);

7. Matters concerning the presentation of opinions under Article 61 (1);

8. Matters concerning recommendation on measures under Article 64 (4);

9. Matters concerning the publication of processing results under Article 66;

10. Matters concerning the preparation and submission of annual reports under Article 67 (1);

11. Matters referred to a meeting by the President, the Chairperson of the Commission, or at least two Commissioners of the Protection Commission with respect to the protection of personal information;

12. Other matters on which the Protection Commission deliberates or resolves pursuant to this Act or other statutes.

(2) The Protection Commission may take the following measures if necessary to deliberate and resolve on the matters provided for in paragraph (1): (Amended by Act nº 13423, Jul. 24, 2015)

1. Listening to the opinions of relevant public officials, specialists in data protection, civic organizations and related business operators;

2. Request of relevant materials from the relevant agencies or inquiry of facts.

(3) The relevant agencies in receipt of a request made under paragraph (2) 2, shall comply with the request, except in extenuating circumstances.  (Inserted by Act nº 13423, Jul. 24, 2015)

(4) Upon deliberating and resolving on the matters provided for in paragraph (1) 2, the Protection Commission may advise the improvement of such matters to the relevant agency.  (Inserted by Act nº 13423, Jul. 24, 2015)

(5) The Protection Commission may inspect whether its advice given under paragraph (4) has been implemented or not.  (Inserted by Act nº 13423, Jul. 24, 2015)

Article 8-2 (Assessment of Data Breach Incident Factors)

(1) The head of a central administrative agency shall request the Protection Commission to assess data breach incident factors where the policy or system in need of personal information processing is adopted or changed by the enactment or amendment of any statute under his/her jurisdiction.

(2) Upon receipt of a request made pursuant to paragraph (1), the Protection Commission may advise the head of the relevant agency of the matters necessary to improve the relevant statute by analyzing and reviewing the data breach incident factors of such statute.

(3) Necessary matters concerning the procedure and method to assess the data breach incident factors under paragraph (1) shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 13423, Jul. 24, 2015)

Article 9 (Master Plan)

(1) The Protection Commission shall establish a Master Plan to protect personal information (hereinafter referred to as a “Master Plan”) every three years in consultation with the heads of relevant central administrative agencies to ensure the protection of personal information and the rights and interests of data subjects.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015)

(2) The Master Plan shall include the following:

1. Basic goals and intended directions of the protection of personal information;

2. Improvement of systems and statutes related to the protection of personal information;

3. Measure to prevent personal information breaches;

4. How to vitalize self-regulation to protect personal information;

5. How to promote education and public relations to protect personal information;

6. Training of specialists in the protection of personal information;

7. Other matters necessary to protect personal information.

(3) The National Assembly, the Court, the Constitutional Court, and the National Election Commission may establish and implement its own Master Plan to protect personal information of relevant institutions, including affiliated entities.

Article 10 (Implementation Plan)

(1) The head of a central administrative agency shall establish an implementation plan to protect personal information each year in accordance with the Master Plan and submit it to the Protection Commission, and shall execute the implementation plan subject to the deliberation and resolution of the Protection Commission.

(2) Matters necessary for the establishment and execution of the implementation plan shall be prescribed by Presidential Decree.

Article 11 (Request for Materials, etc.)

(1) To efficiently establish the Master Plan, the Protection Commission may request materials or opinions regarding the status of regulatory compliance, personal information management, etc. by personal information controllers from personal information controllers, the heads of related central administrative agencies, the heads of local governments and related organizations or associations, etc. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015)

(2) The Minister of the Interior and Safety may survey the level and status of personal information protection toward personal information controllers, the heads of related central administrative agencies, the heads of local governments and related organizations or associations, etc., if necessary to promote personal information protection policies, to assess outcomes of such policies, etc. (Inserted by Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

(3) To efficiently establish and promote implementation plans, the head of a central administrative agency may request the materials referred to in paragraph (1) in the fields under his/her jurisdiction from personal information controllers. (Amended by Act nº 13423, Jul. 24, 2015)

(4) Any person in receipt of a request to furnish the materials under paragraphs (1) through (3) shall comply with the request except in extenuating circumstances.  (Amended by Act nº 13423, Jul. 24, 2015)

(5) The scope and method to furnish the materials under paragraphs (1) through (3) and other necessary matters shall be prescribed by Presidential Decree.  (Amended by Act nº 13423, Jul. 24, 2015)

Article 12 (Personal Information Protection Guidelines)

(1) The Minister of the Interior and Safety may establish the Standard Personal Information Protection Guidelines (hereinafter referred to as the “Standard Guidelines”) regarding the personal information processing standard; types of personal information breaches; preventive measures, etc.; and may encourage personal information controllers to comply with the Standard Guidelines.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The head of a central administrative agency may establish the personal information protection guidelines regarding the personal information processing in the fields under his/her jurisdiction in accordance with the Standard Guidelines; and may encourage personal information controllers to comply with such guidelines.

(3) The National Assembly, the Court, the Constitutional Court, and the National Election Commission may establish and implement its own or its affiliated entities’ personal information protection guidelines.

Article 13 (Promotion and Support of Self-Regulation)

The Minister of the Interior and Safety shall establish policies necessary for the following matters to promote and support self-regulating data protection activities of personal information controllers: (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. Education and public relations concerning protecting personal information;

2. Promoting and supporting agencies and organizations related to the protection of personal information;

3. Introducing and facilitating ePRIVACY Mark system;

4. Assisting personal information controllers in establishing and implementing self-regulatory rules;

5. Other matters necessary to support the self-regulating data protection activities of personal information controllers.

Article 14 (International Cooperation)

(1) The Government shall establish policy measures necessary to enhance the personal information protection standard in the international environment.

(2) The Government shall establish relevant policy measures so that the rights of data subjects may not be infringed on owing to the cross-border transfer of personal information.

CHAPTER III.- PROCESSING OF PERSONAL INFORMATION

SECTION 1.- Collection, Use, Provision, etc. of Personal Information

Article 15 (Collection and Use of Personal Information)(1) A personal information controller may collect personal information in any of the following circumstances, and use it with the scope of the purpose of collection:

1. Where the consent is obtained from a data subject;

2. Where special provisions exist in laws or it is inevitable to observe legal obligations;

3. Where it is inevitable so that a public institution may perform the duties under its jurisdiction as prescribed by statutes, etc.;

4. Where it is inevitably necessary to execute and perform a contract with a data subject;

5. Where it deems necessary explicitly for the protection, from impending danger, of life, body or economic profits of a data subject or a third party in case that the data subject or his/her legal representative is not in a position to express intention, or prior consent cannot be obtained owing to unknown addresses;

6. Where it is necessary to attain the justifiable interest of a personal information controller, which is explicitly superior to that of a data subject. In this case, it is allowed only when substantial relation exists with the justifiable interest of the personal information controller and it does not go beyond the reasonable scope.

(2) A personal information controller shall inform a data subject of the following matters when it obtains the consent under paragraph (1) 1. The same shall apply when any of the following is modified.

1. The purpose of the collection and use of personal information;

2. Particulars of personal information to be collected;

3. The period for retaining and using personal information;

4. The fact that the data subject is entitled to deny consent, and disadvantage affected resultantly from the denial of consent.

Article 16 (Limitation to Collection of Personal Information)

(1) A personal information controller shall collect the minimum personal information necessary to attain the purpose in the case applicable to Article 15 (1). In this case, the burden of proof that the minimum personal information is collected shall be borne by the personal information controller.

(2) A personal information controller shall collect personal information by informing a data subject of the fact concretely that he/she may deny the consent to the collection of other personal information than the minimum information necessary in case of collecting the personal information by the consent of the data subject.  (Inserted by Act nº 11990, Aug. 6, 2013)

(3) A personal information controller shall not deny the provision of goods or services to a data subject on ground that the data subject would not consent to the collection of personal information exceeding minimum requirement.  (Amended by Act nº 11990, Aug. 6, 2013)

Article 17 (Provision of Personal Information)

(1) A personal information controller may provide (or share; hereinafter the same shall apply) the personal information of a data subject to a third party in any of the following circumstances:

1. Where the consent is obtained from the data subject;

2. Where the personal information is provided within the scope of purposes for which it is collected pursuant to Article 15 (1) 2, 3, and 5.

(2) A personal information controller shall inform a data subject of the following matters when it obtains the consent under paragraph (1) 1. The same shall apply when any of the following is modified:

1. The recipient of personal information;

2. The purpose for which the recipient of personal information uses such information;

3. Particulars of personal information to be provided;

4. The period for which the recipient retains and uses personal information;

5. The fact that the data subject is entitled to deny consent, and disadvantage affected resultantly from the denial of consent.

(3) A personal information controller shall inform a data subject of the matters provided for in paragraph (2), and obtain the consent from the data subject in order to provide personal information to a third party overseas; and shall not enter into a contract for the cross-border transfer of personal information in violation of this Act.

Article 18 (Limitation to Out-of-Purpose Use and Provision of Personal Information)

(1) A personal information controller shall not use personal information beyond the scope provided for in Article 15 (1), or provide it to any third party beyond the scope provided for in Article 17 (1) and (3).

(2) Notwithstanding paragraph (1), where any of the following subparagraphs applies, a personal information controller may use personal information or provide it to a third party for other purpose than the intended one, unless it is likely to infringe on unfairly the interest of a data subject or third party: Provided, That subparagraphs 5 through 9 are applicable only to public institutions:

1. Where additional consent is obtained from the data subject;

2. Where special provisions exist in other laws;

3. Where it is deemed necessary explicitly for protecting, from impending danger, life, body or economic profits of the data subject or third party where the data subject or his/her legal representative is not in a position to express his/her intention, or prior consent cannot be obtained owing to unknown addresses;

4. Where personal information is provided in a manner keeping a specific individual unidentifiable necessarily for such purposes as compiling statistics or academic research;

5. Where it is impossible to perform the duties under its jurisdiction as provided for in any Act, unless the personal information controller uses personal information for other purpose than the intended one, or provides it to a third party, and it is subject to the deliberation and resolution by the Commission;

6. Where it is necessary for providing personal information to a foreign government or international organization to perform a treaty or other international convention;

7. Where it is necessary for the investigation of a crime, indictment and prosecution;

8. Where it is necessary for the court to proceed the case;

9. Where it is necessary for punishment, probation and custody.

(3) A personal information controller shall inform the data subject of the following matters when it obtains the consent under paragraph (2) 1. The same shall apply when any of the following is modified.

1. The recipient of personal information;

2. The purpose of use of personal information (where personal information is provided, it means the purpose of use by the recipient);

3. Particulars of personal information to be used or provided;

4. The period for retaining and using personal information (where personal information is provided, it means the period for retention and use by the recipient);

5. The fact that the data subject is entitled to deny consent, and disadvantage affected resultantly from the denial of consent.

(4) Where a public institution uses personal information, or provides it to a third party under paragraph (2) 2 through 6, 8, and 9 for other purpose than the intended one, the public institution shall post the legal grounds for such use or provision, purpose and scope, and other necessary matters on the Official Gazette or its website, as prescribed by Ordinance of the Ministry of the Interior and Safety.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(5) Where a personal information controller provides personal information to a third party for other purpose than the intended one in any case provided for in paragraph (2), the personal information controller shall request the recipient of the personal information to limit the purpose and method of use and other necessary matters, or to prepare necessary safeguards to ensure the safety of the personal information. In such cases, the person in receipt of such request shall take necessary measures to ensure the safety of the personal information.

Article 19 (Limitation to Use and Provision of Personal Information on Part of Its Recipients)

A person who receives personal information from a personal information controller shall not use the personal information, or provide it to a third party, for any purpose other than the intended one, except in the following circumstances:

1. Where additional consent is obtained from the data subject;

2. Where special provisions exist in other laws.

Article 20 (Notification on Sources, etc. of Personal Information Collected from Third Parties)

(1) When a personal information controller processes personal information collected from third parties, the personal information controller shall immediately notify the data subject of the following matters at the request of such data subject:

1. The source of collected personal information;

2. The purpose of processing personal information;

3. The fact that the data subject is entitled to demand suspension of processing personal information.

(2) Notwithstanding paragraph (1), when a personal information controller satisfying the criteria prescribed by Presidential Decree taking into account the types and amount of processed personal information, number of employees, amount of sales, etc., collects personal information from third parties and processes upon obtaining consent as provided for in Article 17 (1) 1, the personal information controller shall notify the data subject of the matters referred to in paragraph (1): Provided, That this shall not apply where the information collected by the personal information controller does not contain any personal information, such as contact information, through which the notification can be given to the data subject.  (Inserted by Act nº 14107, Mar. 29, 2016)

(3) Necessary matters in relation to the timing, method, and procedure of giving notification to the data subject pursuant to the main sentence of paragraph (2), shall be prescribed by Presidential Decree.  (Inserted by Act nº 14107, Mar. 29, 2016)

(4) Paragraph (1) and the main sentence of paragraph (2) shall not apply to any of the following circumstances: Provided, That it is explicitly superior to the rights of data subjects under this Act: (Amended by Act nº 14107, Mar. 29, 2016)

1. Where personal information, which is subject to a notification request, is included in the personal information files referred to in Article 32 (2);

2. Where such notification is likely to cause harm to the life or body of any other person, or unfairly damages the property and other profits of any other person.

Article 21 (Destruction of Personal Information)

(1) A personal information controller shall destroy personal information without delay when the personal information becomes unnecessary owing to the expiry of the retention period, attainment of the purpose of processing the personal information, etc.: Provided, That this shall not apply where the retention of such personal information is mandatory by other statutes.

(2) When a personal information controller destroys personal information pursuant to paragraph (1), necessary measures to block recovery and revival shall be taken.

(3) Where a personal information controller is obliged to retain, rather than destroy, personal information pursuant to the proviso to paragraph (1), the relevant personal information or personal information files shall be stored and managed separately from other personal information.

(4) Other necessary matters, such as the methods to destroy personal information and its destruction process, shall be prescribed by Presidential Decree.

Article 22 (Methods of Obtaining Consent)

(1) To obtain the consent of a data subject (including his/her legal representative as stated in paragraph (6): hereafter in this Article the same applies) to the processing of his/her personal information pursuant to this Act, a personal information controller shall present the request for consent to the data subject in an explicitly recognizable manner which distinguishes matters requiring consent from the other matters, and obtain his/her consent thereto, respectively.  (Amended by Act nº 14765, Apr. 18, 2017)

(2) To obtain the consent referred to in paragraph (1) in writing (including an electronic document defined in subparagraph 1 of Article 2 of the Framework Act on Electronic Documents and Transactions), a personal information controller shall state the significant matters prescribed by Presidential Decree, such as the purpose of collecting and using personal information and particulars of the personal information that he/she intends collect and use, as prescribed by Ordinance of the Ministry of the Interior and Safety in an explicit and easily recognizable manner.  (Inserted by Act nº 14765, Apr. 18, 2017; Act nº 14839, Jul. 26, 2017)

(3) To obtain the consent of a data subject to the processing of his/her personal information pursuant to Articles 15 (1) 1, 17 (1) 1, 23 (1) 1, and 24 (1) 1, a personal information controller shall distinguish personal information that requires the data subject’s consent to processing, from the personal information that requires no consent in executing a contract with the data subject. In such cases, the burden of proof that no consent is required in processing the personal information shall be borne by the personal information controller.  (Amended by Act nº 14107, Mar. 29, 2016; Act nº 14765, Apr. 18, 2017)

(4) To obtain the consent of a data subject to the processing of his/her personal information in order to promote goods or services or solicit purchase thereof, a personal information controller shall notify the data subject of the fact in an explicitly recognizable manner, and obtain his/her consent thereto.  (Amended by Act nº 14765, Apr. 18, 2017)

(5) A personal information controller shall not deny the provision of goods or services to a data subject on ground that the data subject would not consent to the matter eligible for selective consent pursuant to paragraph (3), or would not consent pursuant to paragraph (4) and Article 18 (2) 1.  (Amended by Act nº 14765, Apr. 18, 2017)

(6) When it is required to obtain consent pursuant to this Act to process personal information of a child under 14 years of age, a personal information controller shall obtain the consent of his/her legal representative. In such cases, minimum personal information necessary to obtain the consent of the legal representative may be collected directly from such child without the consent of his/her legal representative.  (Amended by Act nº 14765, Apr. 18, 2017)

(7) Except as otherwise expressly provided for in paragraphs (1) through (6), other matters necessary in relation to detailed methods to obtain the consent of data subjects and the minimum information referred to in paragraph (6) shall be prescribed by Presidential Decree, in consideration of the collection media of personal information.  (Amended by Act nº 14765, Apr. 18, 2017)

SECTION 2 Limitation to Processing of Personal Information

Article 23 (Limitation to Processing of Sensitive Information)(1) A personal information controller shall not process any information prescribed by Presidential Decree (hereinafter referred to as “sensitive information”), including ideology, belief, admission to or withdrawal from a trade union or political party, political opinions, health, sexual life, and other personal information that is likely to threat the privacy of any data subject noticeably: Provided, That this shall not apply in any of the following circumstances:  (Amended by Act nº 14107, Mar. 29, 2016)

1. Where the personal information controller informs the data subject of the matters provided for in Article 15 (2) or 17 (2), and obtains the consent of the data subject apart from the consent to the processing of other personal information;

2. Where other statutes require or permit the processing of sensitive information.

(2) Where a personal information controller processes sensitive information pursuant to paragraph (1), the personal information controller shall take measures necessary to ensure safety pursuant to Article 29 so that the sensitive information may not be lost, stolen, divulged, forged, altered, or damaged.  (Inserted by Act nº 14107, Mar. 29, 2016)

Article 24 (Limitation to Processing of Personally Identifiable Information)(1) A personal information controller shall not process any information prescribed by Presidential Decree that can be used to identify an individual in accordance with statutes (hereinafter referred to as “personally identifiable information”), except in any of the following cases:

1. Where the personal information controller informs a data subject of the matters provided for in Article 15 (2) or 17 (2), and obtains the consent of the data subject apart from the consent to the processing of other personal information;

2. Where other statutes require or permit the processing of personally identifiable information in a concrete manner.

(2) Deleted.  (Act nº 11990, Aug. 6, 2013)

(3) Where a personal information controller processes personally identifiable information pursuant to paragraph (1), the personal information controller shall take measures necessary to ensure safety, including encryption, as prescribed by Presidential Decree, so that the personally identifiable information may not be lost, stolen, divulged, forged, altered, or damaged.  (Amended by Act nº 13423, Jul. 24, 2015)

(4) The Minister of the Interior and Safety shall regularly inspect whether a personal information controller meeting the criteria prescribed by Presidential Decree based on the types and amount of processed personal information, number of employees, amount of sales, etc., has taken the measures necessary to ensure safety pursuant to paragraph (3), as prescribed by Presidential Decree.  (Inserted by Act nº 14107, Mar. 29, 2016; Act nº 14839, Jul. 26, 2017)

(5) The Minister of the Interior and Safety may authorize specialized institutions prescribed by Presidential Decree to conduct the inspection referred to in paragraph (4).  (Inserted by Act nº 14107, Mar. 29, 2016; Act nº 14839, Jul. 26, 2017)

Article 24-2 (Limitation to Processing of Resident Registration Numbers)

(1) Notwithstanding Article 24 (1), a personal information controller shall not process any resident registration number, except in any of the following cases: (Amended by Act nº 14107, Mar. 29, 2016; Act nº 14839, Jul. 26, 2017)

1. Where any Act, Presidential Decree, National Assembly Regulations, Supreme Court Regulations, Constitutional Court Regulations, National Election Commission Regulations, or Board of Audit and Inspection Regulations require or permit the processing of resident registration numbers in a concrete manner;

2. Where it is deemed explicitly necessary for protecting, from impending danger, life, body and property of a data subject or a third party;

3. Where it is inevitable to process resident registration numbers in line with subparagraphs 1 and 2 in circumstances prescribed by Ordinance of the Ministry of the Interior and Safety.

(2) Notwithstanding Article 24 (3), a personal information controller shall retain resident registration numbers in safety by means of encryption so that the resident registration numbers may not be lost, stolen, divulged, forged, altered, or damaged. In such cases, any necessary matters in relation to the scope of encryption objects, encryption timing by object, etc. shall be prescribed by Presidential Decree, based on the amount of personal information processed, data breach impact, etc.  (Inserted by Act nº 12504, Mar. 24, 2014; Act nº 13423, Jul. 24, 2015)

(3) A personal information controller shall provide data subjects with an alternative sign-up tool without using their resident registration numbers in the stage of being admitted to membership via the website while processing the resident registration numbers pursuant to paragraph (1).

(4) The Minister of the Interior and Safety may prepare and support measures, such as legislative arrangements, policy-making, necessary facilities, and system build-up to assist a personal information controller in providing the methods referred to in paragraph (3).  (Amended by Act nº 12504, Mar. 24, 2014; Act nº 14839, Jul. 26, 2017)

(Article Inserted by Act nº 11990, Aug. 6, 2013)

Article 25 (Limitation to Installation and Operation of Visual Data Processing Devices)

(1) No one shall install and operate any visual data processing device at open places, except in any of the following circumstances:

1. Where statutes allow it in a concrete manner;

2. Where it is necessary for the prevention and investigation of crimes;

3. Where it is necessary for the safety of facilities and prevention of fire;

4. Where it is necessary for regulatory control of traffic;

5. Where it is necessary for the collection, analysis, and provision of traffic information.

(2) No one shall install and operate any visual data processing device so as to look into the places which is likely to threat individual privacy noticeably, such as a bathroom, restroom, sauna, and dressing room used by many unspecified persons: Provided, That the same shall not apply to the facilities prescribed by Presidential Decree, which detain or protect persons in accordance with statutes, such as correctional facilities and mental health care centers.

(3) The head of a public institution who intends to install and operate visual data processing devices pursuant to paragraph (1) and a person who intends to install and operate visual data processing devices pursuant to the proviso to paragraph (2) shall gather opinions of relevant specialist and interested persons through the formalities prescribed by Presidential Decree such as public hearings and information sessions.

(4) A person who intends to install and operate visual data processing devices pursuant to paragraph (1) (hereinafter referred to as “VDPD operator”) shall take necessary measures including posting on a signboard the following matters, so that data subjects may recognize such devices with ease: Provided, That this shall not apply to military installations defined in subparagraph 2 of Article 2 of the Protection of Military Bases and Installations Act, important national facilities defined in subparagraph 13 of Article 2 of the United Defense Act, and other facilities prescribed by Presidential Decree:  (Amended by Act nº 14107, Mar. 29, 2016)

1. The purpose and place of installation;

2. The scope and hours of photographing;

3. The name and contact information of the person in charge of its management;

4. Other matters prescribed by Presidential Decree.

(5) A VDPD operator shall not handle arbitrarily the visual data processing devices for other purposes than the initial one; direct the said devices toward different spots; nor use sound recording functions.

(6) Every VDPD operator shall take measures necessary to ensure safety pursuant to Article 29 so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged.  (Amended by Act nº 13423, Jul. 24, 2015)

(7) Every VDPD operator shall establish the appropriate policy to operate and manage the visual data processing devices, as prescribed by Presidential Decree. In this case, he/she may be discharged to make the Privacy Policy pursuant to Article 30.

(8) A VDPD operator may outsource the installation and operation of visual data processing devices to a third party: Provided, That the public institutions shall comply with the procedures and requirements prescribed by Presidential Decree when outsourcing the installation and operation of visual data processing devices to a third party.

Article 26 (Limitation to Personal Information Processing Subsequent to Outsourcing of Work)

(1) A personal information controller shall undergo paper-based formalities stating the following when outsourcing personal information processing to a third party:

1. Prevention of personal information processing for other purposes than the outsourced purpose;

2. Technical and managerial safeguards of personal information;

3. Other matters prescribed by Presidential Decree to manage personal information safely.

(2) A personal information controller that outsources personal information processing pursuant to paragraph (1) (hereinafter referred to as “outsourcer”) shall disclose the details of the outsourced work and the entity that processes personal information (hereinafter referred to as “outsourcee”) under an outsourcing contract in the manner prescribed by Presidential Decree so that data subjects may recognize it with ease at any time.

(3) The outsourcer shall, in case of outsourcing the promotion of goods or services, or soliciting of sales thereof, notify data subjects of the outsourced work and the outsourcee in the manners prescribed by Presidential Decree. The same shall apply where the outsourced work or the outsourcee has been changed.

(4) The outsourcer shall educate the outsourcee so that personal information of data subjects may not be lost, stolen, leaked, forged, altered, or damaged owing to the outsourcing of work, and supervise how the outsourcee processes such personal information safely by inspecting the status of processing, etc., as prescribed by Presidential Decree.  (Amended by Act nº 13423, Jul. 24, 2015)

(5) An outsourcee shall not use any personal information beyond the scope of the work outsourced by the personal information controller, nor provide personal information to a third party.

(6) With respect to the compensation of damage arising out of the processing of personal information outsourced to an outsourcee in violation of this Act, the outsourcee shall be deemed an employee of the personal information controller.

(7) Articles 15 through 25, 27 through 31, 33 through 38, and 59 shall apply mutatis mutandis to outsourcees.

Article 27 (Limitation to Transfer of Personal Information following Business Transfer, etc.)

(1) A personal information controller shall notify in advance the data subjects of the following matters in the manner prescribed by Presidential Decree in the case of transfer of personal information to a third party owing to the transfer of some or all of his/her business, a merger, etc.:

1. The fact that the personal information will be transferred;

2. The name (referring to the company name in case of a legal person), address, telephone number and other contact information of the recipient of the personal information (hereinafter referred to as “business transferee”);

3. The method and procedure to withdraw the consent if the data subject would not want the transfer of his/her personal information.

(2) Upon receiving personal information, the business transferee shall, without delay, notify data subjects of the fact in the manner prescribed by Presidential Decree: Provided, That this shall not apply where the personal information controller has already notified the data subjects of the fact of such transfer pursuant to paragraph (1).

(3) Upon receiving personal information owing to business transfer, a merger, etc., the business transferee may use, or provide a third party with, the personal information only for the initial purpose prior to transfer. In this case, the business transferee shall be deemed the personal information controller.

Article 28 (Supervision of Personal Information Handlers)

(1) While processing personal information, a personal information controller shall conduct appropriate control and supervision against the persons who process the personal information under his/her command and supervision, such as an officer or employee, temporary agency worker and part-time worker (hereinafter referred to as “personal information handler”) to ensure the safe management of the personal information.

(2) A personal information controller shall provide personal information handlers with necessary educational programs on a regular basis in order to ensure the appropriate handling of personal information.

CHAPTER IV SAFEGUARD OF PERSONAL INFORMATION

Article 29 (Duty of Safeguards)

Every personal information controller shall take such technical, managerial, and physical measures as establishing an internal management plan and preserving log-on records, etc. that are necessary to ensure safety as prescribed by Presidential Decree so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged.  (Amended by Act nº 13423, Jul. 24, 2015)

Article 30 (Establishment and Disclosure of Privacy Policy)

(1) Every personal information controller shall establish the personal information processing policy including the following matters (hereinafter referred to as “Privacy Policy”). In such cases, public institutions shall establish the Privacy Policy for the personal information files to be registered pursuant to Article 32: (Amended by Act nº 14107, Mar. 29, 2016)

1. The purposes for which personal information is processed;

2. The period for processing and retaining personal information;

3. Providing personal information to a third party (if applicable);

4. Outsourcing personal information processing (if applicable);

5. The rights and obligations of data subjects and legal representatives, and how to exercise the rights;

6. Contact information, such as the name of the privacy officer designated under Article 31 or the name, telephone number, etc. of the department which performs the duties related to personal information protection and handles related grievances;

7. Installing and operating an automatic collection tool of personal information, including Internet access data files, and the denial thereof (if applicable);

8. Other matters prescribed by Presidential Decree regarding the processing of personal information.

(2) Upon establishing or modifying the Privacy Policy, every personal information controller shall disclose the Privacy Policy in the way prescribed by Presidential Decree so that data subjects may recognize it with ease.

(3) Where there exist discrepancies between the Privacy Policy and the agreement executed by and between the personal information controller and data subjects, what is beneficial to the data subjects prevails.

(4) The Minister of the Interior and Safety may formulate the Privacy Policy Guidelines and encourage personal information controllers to comply with such Guidelines.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 31 (Designation of Privacy Officers)

(1) A personal information controller shall designate a privacy officer who comprehensively takes charge of personal information processing.

(2) Every privacy officer shall perform the following functions:

1. To establish and implement a personal information protection plan;

2. To conduct a regular survey of the status and practices of personal information processing, and to improve shortcomings;

3. To treat grievances and remedial compensation in relation to personal information processing;

4. To build the internal control system to prevent the divulgence, abuse, and misuse of personal information;

5. To prepare and implement an education program about personal information protection;

6. To protect, control, and manage the personal information files;

7. Other functions prescribed by Presidential Decree for the appropriate processing of personal information.

(3) In performing the functions provided for in paragraph (2), every privacy officer may inspect the status of personal information processing and systems frequently, if necessary, and may request a report thereon from the relevant parties.

(4) Where a privacy officer becomes aware of any violation of this Act or other relevant statutes in relation to the protection of personal information, the privacy officer shall take corrective measures immediately, and shall report such corrective measures to the head of the institution or organization to which he/she belongs, if necessary.

(5) A personal information controller shall not have the privacy officer give or take disadvantage without any justifiable ground while performing the functions provided for in paragraph (2).

(6) The requirements for designation as privacy officers, functions, qualifications, and other necessary matters, shall be prescribed by Presidential Decree.

Article 32 (Registration and Disclosure of Personal Information Files)

(1) When operating personal information files, the head of a public institution shall register the following matters with the Minister of the Interior and Safety. The same shall also apply where the registered matters are modified.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. The titles of the personal information files;

2. The grounds and purposes for operating the personal information files;

3. Particulars of personal information recorded in the personal information files;

4. The method of processing personal information;

5. The period for retaining personal information;

6. The recipient of personal information, if it is provided routinely or repetitively;

7. Other matters prescribed by Presidential Decree.

(2) Paragraph (1) shall not apply to any of the following personal information files:

1. Personal information files that record the national security, diplomatic secrets, and other matters relating to grave national interests;

2. Personal information files that record the investigation of crimes, indictment and prosecution, punishment, and probation and custody, corrective orders, protective orders, security observation orders, and immigration;

3. Personal information files that record the investigations of violations of the Punishment of Tax Offenses Act and the Customs Act;

4. Personal information files exclusively used for internal job performance of public institutions;

5. Classified personal information files pursuant to other statutes.

(3) If necessary, the Minister of the Interior and Safety may review the registration and content of the personal information files referred to in paragraph (1), and advise the head of the relevant public institution to make improvements.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) The Minister of the Interior and Safety shall make public the status of personal information files registered under paragraph (1) so that anyone may access them with ease.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(5) Necessary matters regarding the registration referred to in paragraph (1), the method, scope, and procedure of public disclosure referred to in paragraph (4), shall be prescribed by Presidential Decree.

(6) The registration and public disclosure of the personal information files retained by the National Assembly, the Court, the Constitutional Court and the National Election Commission (including their affiliated entities) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, and the National Election Commission Regulations.

Article 32-2 (Certification of Personal Information Protection)

(1) The Minister of the Interior and Safety may certify whether the data processing and other data protection-related activities of a personal information controller abide by this Act, etc.  (Amended by Act nº 14839, Jul. 26, 2017)

(2) The certification provided for in paragraph (1) shall be effective for three years.

(3) In any of the following cases, the Minister of the Interior and Safety may revoke the certification granted under paragraph (1), as prescribed by Presidential Decree: Provided, That it shall be revoked in cases falling under subparagraph 1: (Amended by Act nº 14839, Jul. 26, 2017)

1. Where personal information protection has been certified by fraud or other unjust means;

2. Where follow-up management provided for in paragraph (4) has been denied or obstructed;

3. Where the certification criteria provided for in paragraph (8) have not been satisfied;

4. Where personal information protection-related statutes are breached seriously.

(4) The Minister of the Interior and Safety shall conduct follow-up management at least once annually to maintain the effectiveness of the certification of personal information protection.  (Amended by Act nº 14839, Jul. 26, 2017)

(5) The Minister of the Interior and Safety may authorize the specialized institutions prescribed by Presidential Decree to perform the duties related to certification under paragraph (1), revocation of certification under paragraph (3), follow-up management under paragraph (4), management of certification examiners under paragraph (7).  (Amended by Act nº 14839, Jul. 26, 2017)

(6) Any person who has obtained certification pursuant to paragraph (1) may indicate or publicize the certification, as prescribed by Presidential Decree.

(7) Qualifications of certification examiners who conduct the certification examination pursuant to paragraph (1), grounds for disqualification, and other relevant matters, shall be prescribed by Presidential Decree based on specialty, career, and other necessary matters.

(8) Other matters necessary for the certification criteria, method, procedure, etc. subject to paragraph (1), including whether the personal information management system, guarantee of data subjects’ rights, and safeguards are consistent with this Act, shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 13423, Jul. 24, 2015)

Article 33 (Privacy Impact Assessment)(1) In the case of a probable breach of personal information of data subjects arising out of the operation of personal information files meeting the criteria prescribed by Presidential Decree, the head of a public institution shall conduct an assessment to analyze and improve risk factors (hereinafter referred to as “privacy impact assessment”), and submit the result thereof to the Minister of the Interior and Safety. In such cases, the head of the public institution shall request the privacy impact assessment from any of the institutions designated by the Minister of the Interior and Safety (hereinafter referred to as “PIA institution“).  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The privacy impact assessment shall cover the following matters:

1. The number of personal information being processed;

2. Whether the personal information is provided to a third party;

3. The probability to violate the rights of the data subjects and the degree of risks;

4. Other matters prescribed by Presidential Decree.

(3) The Minister of the Interior and Safety may provide his/her opinion subject to the deliberation and resolution by the Protection Commission upon receiving the results of the privacy impact assessment conducted under paragraph (1).  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) The head of the public institution shall register the personal information files in accordance with Article 32 (1), for which the privacy impact assessment has been conducted pursuant to paragraph (1), with the results of the privacy impact assessment attached thereto.

(5) The Minister of the Interior and Safety shall take necessary measures, such as fostering relevant specialists, and developing and disseminating criteria for the privacy impact assessment, to promote the privacy impact assessment.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(6) Necessary matters in relation to the privacy impact assessment, such as the criteria for designation as PIA institutions, revocation of designation, assessment criteria, method and procedure, etc. pursuant to paragraph (1), shall be prescribed by Presidential Decree.

(7) Matters regarding the privacy impact assessment conducted by the National Assembly, the Court, the Constitutional Court and the National Election Commission (including their affiliated entities) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, and the National Election Commission Regulations.

(8) A personal information controller other than public institutions shall proactively endeavor to conduct a privacy impact assessment, if a breach of personal information of data subjects is highly probable in operating the personal information files.

Article 34 (Data Breach Notification, etc.)

(1) A personal information controller shall notify the aggrieved data subjects of the following matters without delay when he/she becomes aware their personal information has been divulged:

1. Particulars of the personal information divulged;

2. When and how personal information has been divulged;

3. Any information about how the data subjects can do to minimize the risk of damage from divulgence;

4. Countermeasures of the personal information controller and remedial procedure;

5. Help desk and contact points for the data subjects to report damage.

(2) A personal information controller shall prepare countermeasures to minimize the risk of damage where personal information is divulged.

(3) Where a breach of personal information above the scale prescribed by Presidential Decree arises, the personal information controller shall, without delay, report the results of notification given under paragraph (1) and the results of measures taken under paragraph (2) to the Minister of the Interior and Safety and the specialized institution designated by Presidential Decree. In such cases, the Minister of the Interior and Safety and the specialized institution designated by Presidential Decree may provide technical assistance for preventing or recovering further damage, etc.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) Necessary matters in relation to the timing, method and procedure for data breach notification pursuant to paragraph (1), shall be prescribed by Presidential Decree.

Article 34-2 (Imposition, etc. of Penalty Surcharges)

(1) The Minister of the Interior and Safety may impose and collect a penalty surcharge not exceeding 500 million won where a personal information controller has failed to prevent any loss, theft, divulgence, forgery, alteration, or damage of resident registration numbers: Provided, That this shall not apply where the personal information controller has fully taken measures necessary to ensure safety under Article 24 (3) to prevent any loss, theft, divulgence, forgery, alteration, or damage of resident registration numbers.  (Amended by Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

(2) The Minister of the Interior and Safety shall consider the following when imposing the penalty surcharge pursuant to paragraph (1): (Amended by Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

1. Efforts being taken to perform the measures necessary to ensure safety under Article 24 (3);

2. Status of the resident registration numbers which have been lost, stolen, divulged, forged, altered or damaged;

3. Fulfillment of subsequent measures to prevent further damage.

(3) The Minister of the Interior and Safety shall collect a late-payment penalty prescribed by Presidential Decree in an amount not exceeding 6/100 per annum of the unpaid penalty surcharge for the period beginning on the day following the payment deadline and ending on the day immediately preceding the day the penalty surcharge is paid where a person liable to pay the penalty surcharge under paragraph (1) fails to pay it by the payment deadline. In such cases, the late-payment penalty shall be collected for a maximum period of 60 months.  (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(4) Where a person liable to pay the penalty surcharge under paragraph (1) fails to pay it by the payment deadline, the Minister of the Interior and Safety shall give notice with the period of payment specified in it; and where the penalty surcharge and late-payment penalty are not paid within the specified period, the Minister of the Interior and Safety shall collect such penalty surcharge and late-payment penalty in the same manner as delinquent national taxes are collected.  (Amended by Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(5) Other matters necessary for imposing and collecting penalty surcharges shall be prescribed by Presidential Decree.

(Article Inserted by Act nº 11990, Aug. 6, 2013)

CHAPTER V.- GUARANTEE OF RIGHTS OF DATA SUBJECTS

Article 35 (Access to Personal Information)

(1) A data subject may request access to his/her own personal information, which is processed by a personal information controller, from the personal information controller.

(2) Notwithstanding paragraph (1), where a data subject intends to request access to his/her own personal information from a public institution, the data subject may request such access directly from the said public institution, or indirectly via the Minister of the Interior and Safety, as prescribed by Presidential Decree.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) Upon receipt of a request for access filed under paragraphs (1) and (2), a personal information controller shall permit the data subject to access his/her own personal information for the period prescribed by Presidential Decree. In such cases, if a personal information controller finds any good cause for not permitting access for such period, the personal information controller may postpone access after notifying the relevant data subject of the said cause. If the said cause ceases to exist, the postponement shall be lifted without delay.

(4) In any of the following cases, a personal information controller may limit or deny access after it notifies a data subject of the cause:

1. Where access is prohibited or limited by Acts;

2. Where access may probably cause damage to the life or body of a third party, or improper violation of property and other benefits of a third party;

3. Where a public institution has grave difficulties in performing any of the following duties:

(a) Imposition, collection or refund of taxes;

(b) Evaluation of academic achievements or admission affairs at the schools of each level established under the Elementary and Secondary Education Act and the Higher Education Act, lifelong educational facilities established under the Lifelong Education Act, and other higher educational institutions established under other Acts;

(c) Testing and qualification examination regarding academic competence, technical capability and employment;

(d) Ongoing evaluation or decision-making in relation to compensation or grant assessment;

(e) Ongoing audit and examination under other Acts.

(5) Necessary matters in relation to the methods and procedures for filing requests for access; for limiting access; for giving notification, etc. pursuant to paragraphs (1) through (4) shall be prescribed by Presidential Decree.

Article 36 (Correction or Erasure of Personal Information)

(1) A data subject who has accessed his/her personal information pursuant to Article 35 may request a correction or erasure of such personal information from the relevant personal information controller: Provided, That the erasure is not permitted where the said personal information shall be collected by other statutes.

(2) Upon receipt of a request by a data subject pursuant to paragraph (1), the personal information controller shall investigate the personal information in question without delay; shall take necessary measures to correct or erase as requested by the data subject unless otherwise specifically provided by other statutes in relation to correction or erasure; and shall notify such data subject of the result.

(3) The personal information controller shall take measures not to recover or revive the personal information in case of erasure pursuant to paragraph (2).

(4) Where the request of a data subject falls under the proviso to paragraph (1), a personal information controller shall notify the data subject of the details thereof without delay.

(5) While investigating the personal information in question pursuant to paragraph (2), the personal information controller may, if necessary, request from the relevant data subject the evidence necessary to confirm a correction or erasure of the personal information.

(6) Necessary matters in relation to the request of correction and erasure, notification method and procedure, etc. pursuant to paragraphs (1), (2) and (4) shall be prescribed by Presidential Decree.

Article 37 (Suspension, etc. of Processing of Personal Information)

(1) A data subject may request the relevant personal information controller to suspend the processing of his/her personal information. In this case, if the personal information controller is a public institution, the data subject may request the suspension of processing of only the personal information contained in the personal information files to be registered pursuant to Article 32.

(2) Upon receipt of the request under paragraph (1), the personal information controller shall, without delay, suspend processing of some or all of the personal information as requested by the data subject: Provided, That, where any of the following is applicable, the personal information controller may deny the request of such data subject:

1. Where special provisions exist in law or it is inevitable to observe legal obligations;

2. Where it may probably cause damage to the life or body of a third party, or improper violation of property and other benefits of a third party;

3. Where the public institution cannot perform its work as prescribed by any Act without processing the personal information in question;

4. Where the data subject fails to express explicitly termination of the contract even though it is impracticable to perform the contract such as provision of service as agreed upon with the said data subject without processing the personal information in question.

(3) When denying the request pursuant to the proviso to paragraph (2), the personal information controller shall notify the data subject of the reason without delay.

(4) The personal information controller shall, without delay, take necessary measures including destruction of the relevant personal information when suspending the processing of personal information as requested by data subjects.

(5) Necessary matters in relation to the methods and procedures to request the suspension of processing, to deny such request, and to give notification, etc. pursuant to paragraphs (1) through (3) shall be prescribed by Presidential Decree.

Article 38 (Methods and Procedures for Exercise of Rights)

(1) A data subject may authorize his/her representative to file requests for access pursuant to Article 35, correction or erasure pursuant to Article 36, and suspension of processing pursuant to Article 37 (hereinafter referred to as “request for access, etc.”) in writing or by the methods and procedure prescribed by Presidential Decree.

(2) The legal representative of a child under 14 years of age may file a request for access, etc. to the personal information of the child with a personal information controller.

(3) A personal information controller may demand a fee and postage (only in case of a request to mail the copies), as prescribed by Presidential Decree, from a person who files a request for access, etc.

(4) A personal information controller shall prepare the detailed method and procedure to enable data subjects to file requests for access, etc., and publicly announce such method and procedure so that the data subjects may become aware of them.

(5) A personal information controller shall prepare, and guide towards, necessary procedure for data subjects to raise objections against its denial to a request for access, etc. from such data subjects.

Article 39 (Responsibility for Compensation)

(1) A data subject who suffers damage by reason of a violation of this Act by a personal information controller is entitled to claim compensation from the personal information controller for that damage. In this case, the said personal information controller may not be released from the responsibility for compensation if it fails to prove non-existence of his/her wrongful intent or negligence.

(2) Deleted.  (by Act nº 13423, Jul. 24, 2015)

(3) Where a data subject suffers damage out of loss, theft, divulgence, forgery, alteration, or damage of his/her own personal information, caused by wrongful intent or negligence of a personal information controller, the Court may determine the damages not exceeding three times such damage: Provided, That the same shall not apply to the personal information controller who has proved non-existence of his/her wrongful intent or negligence.  (Inserted by Act nº 13423, Jul. 24, 2015)

(4) The Court shall take into account the following when determining the damages pursuant to paragraph (3): (Inserted by Act nº 13423, Jul. 24, 2015)

1. The degree of wrongful intent or expectation of damage;

2. The amount of loss caused by the violation;

3. Economic benefits the personal information controller has gained in relation to the violation;

4. A fine and a penalty surcharge to be levied subject to the violation;

5. The duration, frequency, etc. of violations;

6. The property of the personal information controller;

7. The personal information controller’s efforts to retrieve the affected personal information exerted after the loss, theft, or divulgence of personal information;

8. The personal information controller’s efforts to remedy damage suffered by the data subject.

Article 39-2 (Claims for Statutory Compensation)

(1) Notwithstanding Article 39 (1), a data subject, who suffers damage out of loss, theft, divulgence, forgery, alteration, or damage of his/her own personal information, caused by wrongful intent or negligence of a personal information controller, may claim a reasonable amount of damages not exceeding three million won. In this case, the said personal information controller may not be released from the responsibility for compensation if it fails to prove non-existence of his/her wrongful intent or negligence.

(2) In the case of a claim made under paragraph (1), the Court may determine a reasonable amount of damages not exceeding the amount provided for in paragraph (1) taking into account all arguments in the proceedings and the results of examining evidence.

(3) A data subject who has claimed compensation pursuant to Article 39 may change such claim to the claim provided for in paragraph (1) until the closing of fact-finding proceedings.

(Article Inserted by Act nº 13423, Jul. 24, 2015)

CHAPTER VI.- PERSONAL INFORMATION DISPUTE MEDIATION COMMITTEE

Article 40 (Establishment and Composition)

(1) There shall be established a Personal Information Dispute Mediation Committee (hereinafter referred to as the “Dispute Mediation Committee”) to mediate disputes over personal information.

(2) The Dispute Mediation Committee shall be comprised of not more than 20 members, including one chairperson, and the members shall be ex officio and commissioned members.  (Amended by Act nº 13423, Jul. 24, 2015)

(3) The commissioned members shall be commissioned by the Chairperson of the Protection Commission from among the following persons, and public officials of the national agencies prescribed by Presidential Decree shall be ex officio members:  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015)

1. Persons who once served as members of the Senior Executive Service of the central administrative agencies in charge of data protection, or persons who presently work or have worked at equivalent positions in the public sector and related organizations, and have job experience in data protection;

2. Persons who presently serve or have served as associate professors or higher positions in universities or in publicly recognized research institutes;

3. Persons who presently serve or have served as judges, public prosecutors, or attorneys-at-law;

4. Persons recommended by data protection-related civic organizations or consumer groups;

5. Persons who presently work or have worked as senior officers for the trade associations comprised of personal information controllers.

(4) The chairperson shall be commissioned by the Chairperson of the Protection Commission from among Committee members except public officials.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015)

(5) The term of office for the chairperson and commissioned members shall be two years, and their term may be renewable for only one further term. (Amended by Act nº 13423, Jul. 24, 2015)

(6) In order to conduct dispute settlement efficiently, the Dispute Mediation Committee may, if necessary, establish a mediation panel that is comprised of not more than five Committee members in each sector of mediation cases, as prescribed by Presidential Decree. In this case, the resolution of the mediation panel delegated by the Dispute Mediation Committee shall be construed as that of the Dispute Mediation Committee.

(7) The Dispute Mediation Committee or a mediation panel shall be open with a majority of its members present, and its resolution shall be made by the affirmative votes of a majority of the members present.

(8) The Protection Commission may deal with the administrative affairs necessary for dispute mediation, such as receiving dispute mediation cases and fact-finding.  (Amended by Act nº 13423, Jul. 24, 2015)

(9) Except as otherwise expressly provided for in this Act, matters necessary to operate the Dispute Mediation Committee shall be prescribed by Presidential Decree.

Article 41 (Guarantee of Members’ Status)

None of the Committee members shall be dismissed or de-commissioned against his/her will except when he/she is sentenced to the suspension of qualification or a heavier punishment, or unable to perform his/her duties due to mental or physical incompetence.

Article 42 (Exclusion, Challenge, and Refrainment of Members)

(1) A member of the Dispute Mediation Committee shall be excluded from participating in the deliberation and resolution of a case requested for dispute mediation pursuant to Article 43 (1) (hereafter in this Article referred to as “case”) if:

1. The member or his/her current or former spouse is a party to the case or is a joint right holder or a joint obligator with respect to the case;

2. The member is or was a relative of a party to the case;

3. The member has given any testimony, expert opinion, or legal advice with respect to the case;

4. The member is or was involved in the case as an agent or representative of a party to the case.

(2) When any party finds it impracticable to expect a fair deliberation and resolution from a Committee member, he/she may file a challenge application with the chairperson. In this case, the chairperson shall determine the challenge application without any resolution of the Dispute Mediation Committee.

(3) When any committee member falls under the case of paragraph (1) or (2), he/she may refrain from the deliberation and resolution of the case.

Article 43 (Application for Mediation, etc.)

(1) Any person, who wants a dispute over personal information mediated, may apply for mediation of the dispute to the Dispute Mediation Committee.

(2) Upon receipt of an application for dispute mediation from a party to the case, the Dispute Mediation Committee shall notify the counterparty of the application for mediation.

(3) When a public institution is notified of dispute mediation under paragraph (2), the public institution shall respond to it except in extenuating circumstances.

Article 44 (Time Limitation of Mediation Proceedings)

(1) The Dispute Mediation Committee shall examine the case and prepare draft mediation within 60 days from the date of receiving an application pursuant to Article 43 (1): Provided, That the Dispute Mediation Committee may pass a resolution to extend such period by reason of inevitable circumstances.

(2) When the period is extended pursuant to the proviso to paragraph (1), the Dispute Mediation Committee shall inform the applicant of the reasons for extending the period and other matters concerning the extension of such period.

Article 45 (Request for Materials, etc.)

(1) Upon receipt of an application for dispute mediation pursuant to Article 43 (1), the Dispute Mediation Committee may request disputing parties to provide materials necessary to mediate the dispute. In this case, such parties shall comply with the request unless any justifiable ground exists.

(2) The Dispute Mediation Committee may require disputing parties or relevant witnesses to appear before the Committee to hear their opinions, if deemed necessary.

Article 46 (Settlement Advice before Mediation)

Upon receipt of an application for dispute mediation pursuant to Article 43 (1), the Dispute Mediation Committee may present a draft settlement to disputing parties and recommend a settlement before mediation.

Article 47 (Dispute Mediation)

(1) The Dispute Mediation Committee may prepare a draft mediation including the following matters:

1. Suspension of the violation to be investigated;

2. Restitution, compensation and other necessary remedies;

3. Any measure necessary to prevent recurrence of the identical or similar violations.

(2) Upon preparing a draft mediation pursuant to paragraph (1), the Dispute Mediation Committee shall present the draft mediation to each party without delay.

(3) Each party presented with the draft mediation prepared under paragraph (1) shall notify the Dispute Mediation Committee of his/her acceptance or denial of the draft mediation within 15 days from the date of receipt of such draft mediation, without which such mediation shall be deemed denied.

(4) If the parties accept the draft mediation, the Dispute Mediation Committee shall prepare a written mediation, and the chairperson of the Dispute Mediation Committee and the parties shall have their names and seals affixed thereon.

(5) The mediation agreed upon pursuant to paragraph (4) shall have the same effect as a settlement before the court.

Article 48 (Rejection and Suspension of Mediation)

(1) Where the Dispute Mediation Committee deems that it is inappropriate to mediate any dispute in view of its nature, or that an application for mediation of any dispute is filed for an unfair purpose, it may reject the mediation. In this case, the reasons why it rejects the mediation shall be notified to the applicant.

(2) If one of the parties files a lawsuit while mediation proceedings are pending, the Dispute Mediation Committee shall suspend the dispute mediation and notify the parties thereof.

Article 49 (Collective Dispute Mediation)

(1) The State, a local government, a data protection organization or institution, a data subject, and a personal information controller may request or apply for a collective dispute mediation (hereinafter referred to as “collective dispute mediation”) to the Dispute Mediation Committee where sufferings or infringement on rights take place to a multitude of data subjects in an identical or similar manner, and such incident is prescribed by Presidential Decree.

(2) Upon receipt of a request or an application for collective dispute mediation under paragraph (1), the Dispute Mediation Committee may commence, by its resolution, collective dispute mediation proceedings pursuant to paragraphs (3) through (7). In this case, the Dispute Mediation Committee shall publicly announce the commencement of such proceedings for a period prescribed by Presidential Decree.

(3) The Dispute Mediation Committee may accept an application from any data subject or personal information controller other than the parties to the collective dispute mediation to participate in the collective dispute mediation additionally as a party.

(4) The Dispute Mediation Committee may, by its resolution, select at least one person as a representative party, who most appropriately represents the common interest among the parties to the collective dispute mediation pursuant to paragraphs (1) and (3).

(5) When the personal information controller accepts a collective dispute mediation award presented by the Dispute Mediation Committee, the Dispute Mediation Committee may advise the personal information controller to prepare and submit a compensation plan for the benefit of the non-party data subjects suffered from the same incident.

(6) Notwithstanding Article 48 (2), if a group of data subjects among a multitude of data subject parties to the collective dispute mediation files a lawsuit before the court, the Dispute Mediation Committee shall not suspend the proceedings but exclude the relevant data subjects, who have filed the lawsuit, from the proceedings.

(7) The period for collective dispute mediation shall not exceed 60 days from the following day when public announcement referred to in paragraph (2) ends: Provided, That the period can be extended by the resolution of the Dispute Mediation Committee in extenuating circumstances.

(8) Other necessary matters, such as collective dispute mediation proceedings, shall be prescribed by Presidential Decree.

Article 50 (Mediation Proceedings, etc.)

(1) Except as otherwise expressly provided for in Articles 43 through 49, the method and proceedings to mediate disputes and matters necessary to deal with such dispute mediation shall be prescribed by Presidential Decree.

(2) Except as otherwise expressly provided for in this Act, the Judicial Conciliation of Civil Disputes Act shall apply mutatis mutandis to the operation of the Dispute Mediation Committee and dispute mediation proceedings.

CHAPTER VII.- CLASS-ACTION LAWSUIT OVER DATA BREACH

Article 51 (Parties to Class-Action Lawsuits, etc.)

Any of the following organizations may file a lawsuit (hereinafter referred to as “class-action lawsuit”) with the court to prevent or suspend data breach if a personal information controller rejects or would not accept the collective dispute mediation under Article 49:

1. A consumer group registered with the Fair Trade Commission pursuant to Article 29 of the Framework Act on Consumers that meets all of the following criteria:

(a) Its by-laws shall state the purpose to augment the rights and interests of data subjects constantly;

(b) The number of full members shall exceed 1000;

(c) Three years shall have passed since the registration under Article 29 of the Framework Act on Consumers;

2. A non-profit, non-governmental organization referred to in Article 2 of the Assistance for Non-Profit, Non-Governmental Organizations Act that meets all of the following criteria:

(a) At least 100 data subjects, who experienced the same sufferings as a matter of law or fact, shall submit a request to file a class-action lawsuit;

(b) Its by-laws shall state the purpose of data protection and it has conducted such activities for the most recent 3 years;

(c) The number of regular members shall be at least 5000;

(d) It shall be registered with any central administrative agency.

Article 52 (Exclusive Jurisdictions)

(1) A class-action lawsuit shall be subject to the exclusive jurisdiction of the competent district court (panel of judges) at the place of business or main office, or at the address of the business manager in the case of no business establishment, of the defendant.

(2) Where paragraph (1) applies to a foreign business entity, the same shall be determined by the place of business or main office, or the address of the business manager located in the Republic of Korea.

Article 53 (Retention of Litigation Attorney)

The plaintiff of a class-action lawsuit shall retain an attorney-at-law as a litigation attorney.

Article 54 (Application for Certification of Lawsuit)

(1) An organization that intends to file a class-action lawsuit shall submit to the court an application for certification of lawsuit describing the following as well as the petition:

1. Plaintiff and his/her litigation attorney;

2. Defendant;

3. Detailed violation of the rights of data subjects.

(2) An application for certification of lawsuit filed under paragraph (1) shall be accompanied by the following materials:

1. Materials that prove that the organization which has filed a lawsuit meets all criteria provided for in Article 51;

2. Documentary evidence that proves that the personal information controller has rejected the dispute mediation or would not accept the mediation award.

Article 55 (Requirements for Certification of Lawsuit, etc.)

(1) The court shall certify in a decision a class-action lawsuit only when all of the following requirements are satisfied:

1. That the personal information controller has rejected the dispute mediation or would not accept the mediation award;

2. That none of the descriptions in the application for certification of lawsuit filed under Article 54 is incomplete.

(2) The court decision that certifies, or rejects to certify, a class-action lawsuit may be objected by an immediate appeal.

Article 56 (Effect of Conclusive Judgment)

When a judgment dismissing a plaintiff’s complaint becomes conclusive, any other organizations provided for in Article 51 cannot file a class-action lawsuit regarding the identical case: Provided, That this shall not apply in any of the following circumstances:

1. Where, after the judgment became conclusive, new evidence has been found by the State, a local government, or a State or local government-invested institution regarding the said case;

2. Where the judgment dismissing the lawsuit proves to be caused intentionally by the plaintiff.

Article 57 (Application of the Civil Procedure Act, etc.)

(1) Except as otherwise expressly provided for in this Act, the Civil Procedure Act shall apply to class-action lawsuits.

(2) When a decision to certify a class-action lawsuit is made under Article 55, a preservation order provided for in PART IV of the Civil Execution Act may be issued.

(3) Matters necessary for class-action lawsuit proceedings shall be provided by the Supreme Court Regulations.

CHAPTER VIII.- SUPPLEMENTARY PROVISIONS

Article 58 (Partial Exclusion of Application)

(1) Chapter III through VII shall not apply to any of the following personal information:

1. Personal information collected pursuant to the Statistics Act for processing by public institutions;

2. Personal information collected or requested to be provided for the analysis of information related to national security;

3. Personal information processed temporarily where it is urgently necessary for the public safety and security, public health, etc.;

4. Personal information collected or used for its own purposes of reporting by the press, missionary activities by religious organizations, and nomination of candidates by political parties, respectively.

(2) Articles 15, 22, 27 (1) and (2), 34, and 37 shall not apply to any personal information that is processed by means of the visual data processing devices installed and operated at open places pursuant to Article 25 (1).

(3) Articles 15, 30 and 31 shall not apply to any personal information that is processed by a personal information controller to operate a group or association for friendship, such as an alumni association and a hobby club.

(4) In the case of processing personal information pursuant to paragraph (1), a personal information controller shall process the personal information to the minimum extent necessary to attain the intended purpose for a minimum period; and shall also make necessary arrangements, such as technical, managerial and physical safeguards, individual grievance treatment and other necessary measures for the safe management and appropriate processing of such personal information.

Article 59 (Prohibited Activities)

No person who processes or has ever processed personal information shall do any of the following activities:

1. To acquire personal information or to obtain consent to personal information processing by fraud, improper, or unjust means;

2. To divulge personal information acquired in the course of business, or to provide it for any third party’s use without authority;

3. To damage, destroy, alter, forge, or divulge other’s personal information without legal authority or beyond proper authority.

Article 60 (Confidentiality, etc.)

Any person who performs or has performed the following affairs shall not divulge any confidential information acquired in the course of performing his/her duties to any third party, nor use such information for any purpose other than for his/her duties: Provided, That, the same shall not apply where specific provisions exist in other Acts:

1. Affairs of the Protection Commission provided for in Article 8;

2. Impact assessments provided for in Article 33;

3. Dispute mediation of the Dispute Mediation Committee established under Article 40.

Article 61 (Suggestions and Advices for Improvements)

(1) The Minister of the Interior and Safety may suggest his/her opinion to any relevant agency subject to the deliberation and resolution by the Protection Commission, where he/she deems necessary with respect to the statutes or municipal ordinances containing provisions likely to affect the protection of personal information.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The Minister of the Interior and Safety may advise a personal information controller to improve the status of personal information processing, where deemed necessary to protect personal information. In such cases, upon receiving the advice, the personal information controller shall endeavor to conscientiously comply with the advice; and shall inform the Minister of the Interior and Safety of its result.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) The head of a related central administrative agency may advise a personal information controller to improve the status of personal information processing pursuant to the Acts under his/her jurisdiction, where deemed necessary to protect personal information. In such cases, upon receiving the advice, the personal information controller shall endeavor to conscientiously comply with the advice; and shall inform the head of the related central administrative agency of its result.

(4) Central administrative agencies, local governments, the National Assembly, the Court, the Constitutional Court, and the National Election Commission may suggest their opinions, or provide guidance or inspection with respect to the protection of personal information to their affiliated entities and public institutions under their jurisdiction.

Article 62 (Reporting on Infringements, etc.)

(1) Anyone who suffers infringement on the rights or interests involving his/her personal information in the course of personal information processing by a personal information controller may report such infringement to the Minister of the Interior and Safety.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The Minister of the Interior and Safety may designate a specialized institution to efficiently receive and handle the claim reports pursuant to paragraph (1), as prescribed by Presidential Decree. In such cases, such specialized institution shall establish and operate a personal information infringement call center (hereinafter referred to as “Privacy Call Center”). (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) The Privacy Call Center shall perform the following duties:

1. To receive the claim reports and provide counseling in relation to personal information processing;

2. To investigate and confirm the incidents and hear opinions of interested parties;

3. Duties incidental to subparagraphs 1 and 2.

(4) The Minister of the Interior and Safety may, if necessary, dispatch its public official to the specialized institution designated under paragraph (2) pursuant to Article 32-4 of the State Public Officials Act to efficiently investigate and confirm the incidents pursuant to paragraph (3) 2. (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 63 (Requests for Materials and Inspections)

(1) The Minister of the Interior and Safety may request the relevant materials, such as goods and documents, from a personal information controller in any of the following cases: (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. Where any violation of this Act is found or suspected;

2. Where any violation of this Act is reported or a civil complaint thereon is received;

3. In cases prescribed by Presidential Decree where it is necessary to protect personal information of data subjects.

(2) Where a personal information controller fails to furnish the materials pursuant to paragraph (1) or is deemed to have violated this Act, the Minister of the Interior and Safety may require its public official to enter the offices or places of business of the personal information controller and other persons involved in such violation to inspect the status of business operations, ledgers, documents, etc. In such cases, the public official who conducts the inspection shall carry a certificate indicating his/her authority and produce it to the interested persons.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

(3) The head of a related central administrative agency may request the materials from a personal information controller pursuant to paragraph (1); or may inspect the personal information controller and other persons involved in the violation of the relevant Act pursuant to paragraph (2) in accordance with the Acts under his/her jurisdiction.  (Amended by Act nº 13423, Jul. 24, 2015)

(4) When finding or suspecting any violation of this Act, the Protection Commission may demand the Minister of the Interior and Safety or the head of a related central administrative agency to take measures provided for in paragraph (1) or (3). In such cases, upon receiving such demand, the Minister of the Interior and Safety or the head of the related central administrative agency shall comply therewith except in extenuating circumstances.  (Inserted by Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

(5) The Minister of the Interior and Safety and the head of a related central administrative agency shall not provide any third party with the documents, materials, etc. furnished or collected pursuant to paragraphs (1) and (2), nor make them public, except as otherwise required by this Act.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

(6) Where the Minister of the Interior and Safety and the head of a related central administrative agency receives the materials submitted via the information and communications networks, or make them digitalized, they shall take systematic and technical measures to prevent the divulgence of personal information, trade secrets, etc.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(7) The Minister of the Interior and Safety may inspect the status of personal information protection jointly with the head of a related central administrative agency for the prevention of personal information breach incidents and efficient response.  (Inserted by Act nº 13423, Jul. 24, 2015; Act nº 14839, Jul. 26, 2017)

Article 64 (Corrective Measures, etc.)

(1) Where the Minister of the Interior and Safety deems that any personal information breach is substantially grounded and negligence over such breach is likely to cause irreparable damage, he/she may order the violator of this Act (excluding the central administrative agencies, local governments, the National Assembly, the Court, the Constitutional Court, and the National Election Commission) to take any of the following measures:  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

1. To suspend personal information breach;

2. To temporarily suspend personal information processing;

3. Other measures necessary to protect personal information and to prevent personal information breach.

(2) Where the head of a related central administrative agency deems that any personal information breach is substantially grounded and negligence over such breach is likely to cause irreparable damage, he/she may order a personal information controller to take any of the measures provided for in paragraph (1) pursuant to the Acts under his/her jurisdiction.

(3) A local government, the National Assembly, the Court, the Constitutional Court, or the National Election Commission may order their affiliated entities and public institutions, which are found to violate this Act, to take any of the measures provided for in paragraph (1).

(4) When a central administrative agency, a local government, the National Assembly, the Court, the Constitutional Court, or the National Election Commission violates this Act, the Protection Commission may advise the head of the relevant agency to take any of the measures provided for in paragraph (1). In such cases, upon receiving the advice, the agency shall comply therewith except in extenuating circumstances.

Article 65 (Accusation and Advices for Disciplinary Action)

(1) Where reasonable grounds exist to suspect that a personal information controller has violated this Act or other data protection-related statutes, the Minister of the Interior and Safety may accuse the fact to the competent investigative agency.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) Where reasonable grounds exist to suspect that this Act or other data protection-related statutes are violated, the Minister of the Interior and Safety may advise the relevant personal information controller to take disciplinary action against the person responsible for it (including the representative and the executive officer in charge). In such cases, upon receiving the advice, the relevant personal information controller shall comply therewith; and shall notify the Minister of the Interior and Safety of the result.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 11990, Aug. 6, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) The head of a related central administrative agency may accuse a personal information controller pursuant to paragraph (1), or advise the head of the relevant affiliated agency, organization, etc. to take disciplinary action pursuant to paragraph (2), in accordance with the Acts under his/her jurisdiction. In such cases, upon receiving the advice under paragraph (2), the head of the relevant affiliated agency, organization, etc. shall comply therewith; and shall notify the head of the related central administrative agency of the result.

Article 66 (Disclosure of Results)

(1) The Minister of the Interior and Safety may disclose the advice for improvement pursuant to Article 61; the corrective measures pursuant to Article 64; the accusation or advice for disciplinary action pursuant to Article 65; and the imposition of administrative fines pursuant to Article 75 and its result, subject to deliberation and resolution by the Protection Commission.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The head of a related central administrative agency may disclose the matters provided for in paragraph (1) in accordance with the Acts under his/her jurisdiction.

(3) The method, criteria, and procedure for disclosure pursuant to paragraphs (1) and (2), and other related matters, shall be prescribed by Presidential Decree.

Article 67 (Annual Reports)

(1) The Protection Commission shall prepare a report each year, based on necessary materials furnished by related agencies, etc., in relation to the establishment and implementation of personal information protection policy measures, and submit (including transmission via the information and communications networks) it to the National Assembly before the opening of the plenary session

(2) The annual report referred to in paragraph (1) shall contain the following matters:  (Amended by Act nº 14107, Mar. 29, 2016)

1. Infringement on the rights of data subjects and the status of remedies thereof;

2. Findings of the survey in relation to the status of personal information processing;

3. Status of implementation of the personal information protection policy measures and achievements thereof;

4. Overseas legislation and policy developments related with personal information;

5. Status of the enactment and amendment of the Acts, Presidential Decrees, the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, and the Board of Audit and Inspection Regulations, in relation to processing of resident registration numbers;

6. Other matters to be disclosed or reported in relation to the personal information protection policy measures.

Article 68 (Delegation and Entrustment of Authority)

(1) Authority of the Minister of the Interior and Safety or the head of a related central administrative agency under this Act may be partially delegated or entrusted, as prescribed by Presidential Decree, to the Special Metropolitan City Mayor, Metropolitan City Mayors, Do Governors, Special Self-Governing Province Governors, or the specialized institutions prescribed by Presidential Decree.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(2) The agencies to which authority of the Minister of the Interior and Safety or the head of a related central administrative agency has been partially delegated or entrusted pursuant to paragraph (1) shall notify the Minister of the Interior and Safety or the head of the related central administrative agency of the results of performing the affairs delegated or entrusted.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

(3) Where delegating or entrusting a part of authority to a specialized institution pursuant to paragraph (1), the Minister of the Interior and Safety may grant a contribution to the specialized institution to cover expenses incurred in performing the affairs delegated or entrusted.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 69 (Persons Deemed to be Public Officials for Purposes of Penalty Provisions)

Any executive or employee of a relevant agency that performs the affairs entrusted by the Minister of the Interior and Safety or the head of a related central administrative agency shall be deemed a public official for the purposes of Articles 129 through 132 of the Criminal Act.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

CHAPTER IX.- PENALTY PROVISIONS

Article 70 (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than 10 years, or by a fine not exceeding 100 million won: (Amended by Act nº 13423, Jul. 24, 2015)

1. A person who causes the suspension, paralysis or other severe hardship of work of a public institution by altering or erasing the personal information processed by the public institution for the purpose of disturbing the personal information processing of such public institution;

2. A person who obtains any personal information processed by third parties by fraud or other unjust means or methods and provides it to a third party for a profit-making or unjust purpose, and a person who abets or arranges such conduct.

Article 71 (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than 5 years, or by a fine not exceeding 50 million won: (Amended by Act nº 14107, Mar. 29, 2016)

1. A person who provides personal information to a third party without the consent of a data subject in violation of Article 17 (1) 1 even through Article 17 (1) 2 is not applicable, and a person who knowingly receives such personal information;

2. A person who uses personal information or provides personal information to a third party in violation of Articles 18 (1) and (2), 19, 26 (5), or 27 (3), and a person who knowingly receives such personal information for a profit-making or unfair purpose;

3. A person who processes sensitive information in violation of Article 23 (1);

4. A person who processes personally identifiable information in violation of Article 24 (1);

5. A person who divulges or provides a third party without authority with, the personal information acquired in the course of performing business in violation of subparagraph 2 of Article 59, and a person who knowingly receives such personal information for a profit-making or unfair purposes;

6. A person who damages, destroys, alters, forges, or divulges any third party’s personal information in violation of subparagraph 3 of Article 59.

Article 72 (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than 3 years, or by a fine not exceeding 30 million won:

1. A person who arbitrarily handles visual data processing devices for any purpose other than the initial one, directs such devices toward different spots, or uses a sound recording function in violation of Article 25 (5);

2. A person who acquires personal information or obtains consent to personal information processing by fraud or other unjust means in violation of subparagraph 1 of Article 59, and a person who knowingly receives such personal information for a profit-making or unfair purpose;

3. A person who divulges confidential information acquired while performing his/her duties, or uses such information for other purposes than the initial one in violation of Article 60.

Article 73 (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than 2 years, or by a fine not exceeding 20 million won: (Amended by Act nº 13423, Jul. 24, 2015; Act nº 14107, Mar. 29, 2016)

1. A person who fails to take necessary measures to ensure safety in violation of Article 23 (2), 24 (3), 25 (6), or 29 and causes personal information to be lost, stolen, divulged, forged, altered, or damaged;

2. A person who fails to take necessary measures to correct or erase personal information in violation of Article 36 (2), and continuously uses, or provides a third party with, the personal information;

3. A person who fails to suspend processing of personal information in violation of Article 37 (2), and continuously uses, or provides a third party with, the personal information.

Article 74 (Joint Penalty Provisions)

(1) If the representative of a corporation, or an agent or employee of, or any other person employed by, a corporation or an individual commits any of the offense provided for in Article 70 in connection with the business affairs of the corporation or individual, not only shall such offender be punished, but also the corporation or individual shall be punished by a fine not exceeding 70 million won: Provided, That the same shall not apply where such corporation or individual has not been negligent in taking due care and supervisory duty concerning the relevant business affairs to prevent such offense.

(2) If the representative of a corporation, or an agent or employee of, or any other person employed by, a corporation or an individual commits any of the offense provided for in Articles 71 through 73 in connection with the business affairs of the corporation or individual, not only shall such offender be punished, but also the corporation or individual shall be punished by a fine prescribed in the relevant Article: Provided, That the same shall not apply where such corporation or individual has not been negligent in taking due care and supervisory duty concerning the relevant business affairs to prevent such offense.

Article 74-2 (Confiscation, Additional Collection, etc.)

Any money or goods or other profits acquired by a person who has violated Articles 70 through 73 in relation to such violation shall be confiscated, or, if confiscation is impossible, the value thereof may be collected. In this case, such confiscation or additional collection may be levied in addition to other penalty provisions.

(Article Inserted by Act nº 13423, Jul. 24, 2015)

Article 75 (Administrative Fines)

(1) Any of the following persons shall be subject to an administrative fine not exceeding fifty million won: (Amended by Act nº 14765, Apr. 18, 2017)

1. A person who collects personal information, in violation of Article 15 (1);

2. A person who fails to obtain the consent of a legal representative, in violation of Article 22 (6);

3. A person who installs and operates a visual data processing device, in violation of Article 25 (2).

(2) Any of the following persons shall be subject to an administrative fine not exceeding thirty million won: (Amended by Act nº 11990, Aug. 6, 2013; Act nº 12504, Mar. 24, 2014; Act nº 13423, Jul. 24, 2015; Act nº 14107, Mar. 29, 2016; Act nº 14765, Apr. 18, 2017)

1. A person who fails to notify a data subject of necessary information, in violation of Article 15 (2), 17 (2), 18 (3), or 26 (3);

2. A person who denies the provision of goods or services to a data subject, in violation of Article 16 (3) or 22 (5);

3. A person who fails to notify a data subject of the matters provided for in Article 20 (1) or (2), in violation of Article 20 (1) or (2);

4. A person who fails to destroy personal information, in violation of Article 21 (1);

4-2. A person who processes resident registration numbers, in violation of Article 24-2 (1);

4-3. A person who fails to adopt encryption, in violation of Article 24-2 (2);

5. A person who fails to provide a data subject with an alternative method without using his/her resident registration number, in violation of Article 24-2 (3);

6. A person who fails to take measures necessary to ensure safety, in violation of Article 23 (2), 24 (3), 25 (6), or 29;

7. A person who installs and operates a visual data processing device, in violation of Article 25 (1);

7-2. A person who indicates and promotes the certification by fraud despite a failure to obtain such certification, in violation of Article 32-2 (6);

8. A person who fails to notify a data subject of the facts provided for in Article 34 (1), in violation of the same paragraph;

9. A person who fails to report the results of measures taken, in violation of Article 34 (3);

10. A person who limits or denies access to personal information, in violation of Article 35 (3);

11. A person who fails to take necessary measures to correct or erase personal information, in violation of Article 36 (2);

12. A person who fails to take necessary measures, such as destruction of the personal information whose processing has been suspended, in violation of Article 37 (4);

13. A person who fails to comply with corrective measures taken under Article 64 (1).

(3) Any of the following persons shall be subject to an administrative fine not exceeding ten million won: (Amended by Act nº 14765, Apr. 18, 2017)

1. A person who fails to store and manage personal information separately, in violation of Article 21 (3);

2. A person who obtains consent, in violation of Article 22 (1) through (4);

3. A person who fails to take necessary measures including posting on a signboard, in violation of Article 25 (4);

4. A person who fails to undergo paper-based formalities stating the matter provided for in Article 26 (1) when outsourcing the work, in violation of the same paragraph;

5. A person who fails to disclose the outsourced work and the outsourcee, in violation of Article 26 (2);

6. A person who fails to notify a data subject of the transfer of his/her personal information, in violation of Article 27 (1) or (2);

7. A person who fails to establish, or disclose, the Privacy Policy, in violation of Article 30 (1) or (2);

8. A person who fails to designate a privacy officer, in violation of Article 31 (1);

9. A person who fails to notify a data subject of necessary information, in violation of Article 35 (3) and (4), 36 (2) and (4), or 37 (3);

10. A person who fails to furnish materials, such as goods and documents pursuant to Article 63 (1), or who submits false materials;

11. A person who refuses, interferes with, or evades access or an inspection pursuant to Article 63 (2).

(4) Administrative fines provided for in paragraphs (1) through (3) shall be imposed and collected by the Minister of the Interior and Safety and the head of a related central administrative agency, as prescribed by Presidential Decree. In such cases, the head of a related central administrative agency shall impose and collect administrative fines from the personal information controllers in the field under his/her jurisdiction.  (Amended by Act nº 11690, Mar. 23, 2013; Act nº 12844, Nov. 19, 2014; Act nº 14839, Jul. 26, 2017)

Article 76 (Special Exemption to Application of Provisions on Administrative Fines)

For the purposes of the provisions on administrative fines provided for in Article 75, no additional administrative fine shall be imposed on any act subject to penalty surcharges pursuant to Article 34-2.

(Article Inserted by Act nº 11990, Aug. 6, 2013)

ADDENDA (Act nº 11690,  Mar. 23,  2013)

ADDENDA (Act nº 11990,  Aug. 6,  2013)

ADDENDUM (Act nº 12504,  Mar. 24,  2014)

ADDENDA (Act nº 12844,  Nov. 19,  2014)

ADDENDA (Act nº 13423,  Jul. 24,  2015)

ADDENDA (Act nº 14107,  Mar. 29,  2016)

ADDENDUM (Act nº 14765,  Apr. 18,  2017)

ADDENDA (Act nº 14839,  Jul. 26,  2017)

Article 1 (Enforcement Date)

This Act shall enter into force on the date of its promulgation: Provided, That any amendment to the Acts made pursuant to Article 5 of this Addenda, promulgated before this Act enters into force, which have not yet entered into force, shall enter into force on the date the corresponding Act takes effect.

Articles 2 through 6 Omitted.