Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

As a matter of principle, personally identifiable information (PII) processing is permitted only with the consent of the data subject. However, PII processing without consent is possible in the following exceptional or inevitable cases under the applicable law.

Under the Personal Information Protection Act (the PIPA), PII processing without the data subject’s consent is permitted in the following cases:

  • statutory exceptions;
  • inevitable for compliance with law;
  • inevitable for governmental agencies to conduct their statutory duties;
  • inevitable for execution of and performing under contracts with the data subject;
  • necessary to protect the life, physical safety or property interest of the data subject or a third party and the data subject is not available to provide consent; or
  • necessary to achieve the legitimate interest of the data processor and such interest overrides the interest of the data subject.

 

In addition to the above, under the amendments to the PIPA, effective as of 5 August 2020, the PII processor may use PII without the consent of a data subject pursuant to the Enforcement Decree as long as the use is within the scope reasonably related to the initial purpose of PII collection, taking into account whether such use would cause disadvantages to the data subject and whether the necessary measures to ensure security, such as encryption, have been taken. The PII processor may also process pseudonymised information without the consent of data subject for purposes such as statistics, scientific research and preservation of records for public interest.

Under the Credit Information Act, PII processing without the data subject’s consent is permitted in the following cases:

  • PII processing without data subject’s consent that is permitted under the PIPA;
  • disclosure or public filing of information pursuant to certain statutes;
  • disclosure or public filing of information through publications, media or channels, such as the websites of public institutions set forth under the Official Information Disclosure Act; and
  • disclosure of information by the data subject directly or through a third party on social networking services, or circumstances equivalent thereto, as set forth in the Enforcement Decree of the Credit Information Use and Protection Act (the Credit Information Act) only to the extent that it is objectively determined that the data subject consented.

 

Further, under the amendments to the Credit Information Act effective as of 5 August 2020, an exception allows the use of pseudonymised information by credit information companies without the data subject’s consent for specific purposes such as generating statistics for commercial purposes including market research, research including industrial research, and the preservation of records for public interest.

Under the Act on the Protection, Use, Etc, of Location Information (the Location Information Act), PII processing without the data subject’s consent is permitted in the following cases:

  • upon the request of an emergency rescue agency or the police for the purpose of emergency rescue;
  • upon the request of an emergency rescue agency for the purpose of sending warnings;
  • inevitable for execution of and performance under contracts with the data subject;
  • necessary to process payment for the location information services or location-based services that have been provided to the data subject; or
  • statutory exceptions under other laws.

 

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Under the PIPA, more stringent rules (such as the requirement to obtain a separate consent) apply to:

  • sensitive information (which encompasses types of information that can substantially impair the data subject’s privacy, such as ideology, beliefs, trade union or political party membership, political opinion, health and sexual life); and
  • PII (such as resident registration number, passport number, driver’s licence number or foreigner registration number).

 

In particular, the processing of resident registration numbers is prohibited in principle and may only be allowed if specifically permitted under law or explicitly required to protect the life, physical safety or property interest of the data subject or a third party, or similar inevitable circumstances prescribed by the Personal Information Protection Commission.

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

The Personal Information Protection Act (the PIPA) requires data processors to notify data subjects as set forth below.

First, when the data processor obtains consent from the data subject for personally identifiable information (PII) collection, the data processor must notify the data subject of the following information:

  • the purpose of the collection and use of PII;
  • the type of PII being collected;
  • the retention period of PII; and
  • the data subject’s right to refuse consent and any disadvantages which will result from refusing consent.

 

If there are any changes to the above, such changes also need to be notified to the data subject.

Second, if the PII being processed by the PII processor is collected from a party other than the data subject, the PII processor must notify the data subject of the following information immediately upon the data subject’s request:

  • the source where the PII was collected;
  • the purpose of the PII processing; and
  • the right of the data subject to request that the PII processor suspend the processing of the data subject’s PII.

 

Third, if the PII processing is being delegated to a third party, the following information needs to be published on the relevant website or otherwise disclosed in a manner easily accessible to the data subject.

Fourth, information and communications technology (ICT) service providers that have an average number of daily users (whose PII is being stored and managed) of no less than one million for the last three months of the preceding year or a revenue for ICT-related services that is no less than 10 billion won in the preceding year, must notify their users at least once a year in writing of the details of their PII usage, including any provision and delegation of processing to third parties.

Exemption from notification

When is notice not required?

Under the PIPA, notice is not required under exceptional circumstances, such as a threat to life, risk of bodily harm or substantial impairment of rights regarding another person’s property or other interest.

Under the Credit Information Use and Protection Act (the Credit Information Act), in principle, any person who intends to provide, or who receives, personal credit information to or from a third party is required to notify the data subject. However, the Credit Information Act waives this notice requirement for pseudonymised information, and notice is not required when a credit information provider or user provides pseudonymised information to personal credit evaluation companies, sole proprietorship credit evaluation companies, corporate credit verification companies or credit information collection agencies for credit rating and evaluation purposes.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

Under the PIPA, the consent for collection of PII and the consent for sharing PII with a third party should be clearly distinguished so that the data subject is aware of the scope of each consent. Also, when collecting PII, the data processor needs to clearly distinguish between mandatory PII and optional PII, thereby providing a degree of control to the data subject.

However, under the amendments to the PIPA effective as of 5 August 2020, a PII processor may use PII without the consent of a data subject pursuant to the Enforcement Decree of the PIPA (the Enforcement Decree) as long as the use is within the scope reasonably related to the initial purpose of PII collection, taking into account whether such use would cause disadvantages to the data subject and whether the necessary measures to ensure security, such as encryption, have been taken. 

Under the Enforcement Decree, the following criteria must be considered in order to determine whether PII can be used without consent:

  • whether the purpose of the additional use of the PII without consent has considerable relevance to the initial purpose of the collection;
  • whether, given the circumstances and processing practices in which the PII was collected, additional use or provision of the PII was foreseeable;
  • whether the additional use of the PII without consent unfairly infringes the interests of the data subject; and
  • whether measures necessary to secure safety, such as pseudonymisation or encryption, were adopted.

 

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Under the PIPA, a PII processor must ensure the accuracy, completeness and currency of the PII to the extent required for the purpose of the PII processing by implementing the following procedures:

  • pre-verification of the PII being inputted;
  • upon a request by the data subject to access and correct their PII; and
  • correction or deletion of inaccurate information.

 

Further, the PII processor should exercise due care when processing PII to prevent any intentional or negligent alteration or destruction of PII.

 

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

Under the PIPA, PII must be destroyed when it becomes no longer necessary to retain the PII due to the expiry of the PII holding period or the expiry or completion of the purpose of the PII processing.

Also, in the case of ICT service providers whose users have been inactive for a year (or other period as permitted under applicable statutes or as requested by the data subject), the PIPA requires the destruction of PII (or other necessary measures) and notice given to the data subjects by email (or other means) at least 30 days prior to the expiry of such a one-year period (or the aforementioned different period) of the items set forth in the Enforcement Decree, such as the fact that the PII will be destroyed, the expiry date and the type of PII which will be destroyed.

The specific holding period for PII is determined by the sector-specific laws. For example, the Act on the Consumer Protection in Electronic Commerce, Etc, states that:

  • records of expression and advertising should be stored for six months;
  • records of contracts and retractions of applications should be stored for five years;
  • records of payments and provision of goods should be stored for five years; and
  • records of consumer complaints and dispute resolutions should be stored for three years.

 

Additionally, under the Credit Information Act, credit information should be deleted by the date which is the earlier of five years from the termination of the financial transaction and three months from the date on which the purpose for collecting and providing PII has been achieved. Certain records require retention for three years under the Credit Information Act.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

In principle, a PII processor can only use PII for the purpose for which the PII was collected. Under the amendments to the PIPA effective as of 5 August 2020, however, the PII processor may use PII without the consent of a data subject pursuant to the Enforcement Decree, as long as it is within the scope reasonably related to the initial purpose of PII collection, taking into account whether such use would cause disadvantages to the data subject and whether the necessary measures to ensure security, such as encryption, have been taken. The PII processor may also process pseudonymised information without the consent of data subject for purposes such as statistics, scientific research and preservation of records for the public interest.

It is illegal for a PII processor to use the PII beyond the purpose of collection unless the consent of the data subject has been obtained or there are exceptions in other statutes. Accordingly, it can be viewed that the finality principle has been adopted.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

In principle, a PII processor can only use PII for the purpose for which the PII was collected, unless the purpose falls under the explicit exceptions that allow PII processing without consent or the purpose relates to pseudonymised PII in limited circumstances. Accordingly, unless the new purpose falls under the aforementioned exceptions, additional consent from the data subject would be required to use PII for a new purpose.

Law stated date

Correct on

Give the date on which the information above is accurate.

May 2020.