Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Processing

A business operator governed by the Act on the Protection of Personal Information must specify the purpose of use for personal information it handles (to the extent possible) and comply with the following rules:

  • it must not change the purpose of use beyond a scope which has a reasonably substantial relationship with the original purpose of use; and
  • it must not use the personal information beyond the scope necessary to achieve the purpose of use, without obtaining the individual’s prior consent.

Collection

The following restrictions apply to the collection of personal information by business operators governed by the Act on the Protection of Personal Information:

  • proper acquisition – a business operator must not acquire personal information by deception or other wrongful means;
  • notice of purpose of use at time of acquisition – once a business operator has acquired personal information, it must notify the individual of or publicly announce the purpose of use, unless it has already been publicly announced or one of the following applies:
    • such notification or public announcement would likely cause harm to the life, body, property, rights or interests of an individual or third party;
    • such notification would likely harm the business operator’s rights or legitimate interests;
    • cooperation with a state agency, local government or third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and the notification or public announcement of the purpose of use would likely impede the execution of such affairs; or
    • the purpose of use is evident from the circumstances around the collection of the personal information.

The guidelines issued by the Personal Information Protection Commission (PPC) include examples of how business operators can make such a public announcement – namely, by posting it on their websites or displaying it in an easily viewable location within their places of business. Business operators must not obtain sensitive information without the individual’s prior consent. Sensitive information means personal information comprising a principal’s race, creed, social status, medical history, criminal record, the fact of having suffered damage as a result of a crime, or other descriptions prescribed by cabinet order as requiring special care in handling so as not to cause unfair discrimination, prejudice or other disadvantage to the principal.

Storage

Business operators governed by the Act on the Protection of Personal Information must take security control measures with regard to personal data. The act imposes a broadly stated obligation on business operators to “take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the Personal Data”. The act provides no concrete measures to satisfy this requirement. However, it is generally understood that such security control measures include:

  • organisational measures;
  • employee-related measures (eg, personnel training);
  • physical measures; and
  • technical measures.

Specific actions to be taken for each type of measure are stipulated in the various guidelines issued by the PPC.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Business operators governed by the act must endeavour to delete personal data without delay when its use is no longer required.

Do individuals have a right to access personal information about them that is held by an organisation?

A business operator governed by the Act on the Protection of Personal Information must make the following details accessible to individuals whose personal data it retains:

  • its name;
  • the purpose of use (except in specified circumstances);
  • the procedures for requesting correction, cessation of use, sharing or deletion of the retained personal data, as well as the procedures for other requests; and
  • other matters as specified by cabinet order that are necessary to ensure the proper handling of the retained personal data.

In addition, business operators governed by the act must disclose any relevant personal data without delay if:

  • an individual requests that the business operator disclose whether it has retained any personal data that could lead to the individual’s identification; or
  • an individual requests notification that the business operator holds no such personal data.

Do individuals have a right to request deletion of their data?

If an individual requests that a business operator governed by the Act on the Protection of Personal Information correct, expand or delete his or her retained personal data because it is inaccurate, the business operator must investigate the issue without delay. Based on the investigation results, the business operator must correct, expand or delete the personal data and notify the individual of its response to the request.

In addition, if an individual requests that a business operator stop using or disclosing retained personal data on the basis that it is violating the Act on the Protection of Personal Information, the business operator must stop using or disclosing the personal data if the request is reasonable.

Consent obligations

Is consent required before processing personal data?

As a general rule, business operators governed by the Act on the Protection of Personal Information cannot handle personal information for reasons beyond the scope necessary to achieve the purpose of use without obtaining the individual’s prior consent.

As a general rule, business operators governed by the act may not provide such information to a third party without obtaining the individual’s prior opt-in consent.

If consent is not provided, are there other circumstances in which data processing is permitted?

Exceptions to the general rules above apply if:

  • the handling of personal information is required by laws and regulations;
  • the handling of personal information is necessary to protect an individual’s life, body or property and obtaining his or her consent would be difficult;
  • the handling of personal information is necessary to improve public health or promote the positive growth of children and obtaining the individual’s consent would be difficult; or
  • cooperation with a state agency, local government or third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and obtaining the individual’s consent would likely impede the execution of such affairs.

What information must be provided to individuals when personal data is collected?

As a general rule, once a business operator governed by the Act on the Protection of Personal Information has acquired personal information, it must notify the individual of or publicly announce the purpose of use.