Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

As a matter of principle, PII processing is permitted only with the consent of the data subject. However, PII processing without consent is possible in the following exceptional or inevitable cases under the applicable law.

Under the PIPA, PII processing without the data subject’s consent is permitted in the following cases:

  • statutory exceptions;
  • inevitable for compliance with law;
  • inevitable for governmental agencies to conduct their statutory duties;
  • inevitable for executing and performing contracts with the data subject;
  • necessary to protect the life, physical safety or property interest of the data subject or a third party and the data subject is not available to provide consent; or
  • necessary to achieve the legitimate interest of the data processor and such interest overrides the interest of the data subject.

Under the Network Act, PII processing without the data subject’s consent is permitted in the following cases:

  • necessary to provide the ICT services under the contract with the data subject and obtaining customary consent is not feasible due to economic or technical difficulties;
  • necessary to process payment for the ICT services that have been provided to the data subject; or
  • statutory exceptions under other laws.

Further, under the recent amendments to the Network Act, additional obligations are imposed if the data subject is under 14. Such additional obligations include ensuring that (i) the consent uses an easily understandable format and clear and straightforward language; and (ii) the consent of the legal representative is also obtained.

Under the Credit Information Act, PII processing without the data subject’s consent is permitted in the following cases:

  • statutory exceptions;
  • inevitable for compliance with the law;
  • inevitable for executing and performing contracts, such as financial transactions, with the data subject;
  • necessary to protect the life, physical safety or property interest of the data subject or a third party and the data subject is not available to provide consent; or
  • necessary to achieve the legitimate interest of the data processor and such interest overrides the interest of the data subject.

Under the Location Information Act, PII processing without the data subject’s consent is permitted in the following cases:

  • upon the request of an emergency rescue agency or the police for the purpose of emergency rescue;
  • upon the request of an emergency rescue agency for the purpose of sending warnings;
  • inevitable for executing and performing contracts with the data subject;
  • necessary to process payment for the location information services or location-based services that have been provided to the data subject; or
  • statutory exceptions under other laws.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Under the PIPA, more stringent rules (such as obtaining a separate consent) apply to:

  • sensitive information (such as ideology, beliefs, trade union or political party membership, political opinion, health, sexual life or other type of information that could substantially impair the data subject’s privacy); and
  • personal identification information (such as resident registration number, passport number, driver’s licence number or foreigner registration number).

In particular, the processing of resident registration numbers (which is a type of personal identification information) is prohibited in principle and only allowed if specifically permitted under law or explicitly required to protect the life, physical safety or property interest of the data subject or a third party.

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

The PIPA and the Network Act require data processors to notify the data subject as set forth below.

PIPA

First, when the data processor obtains consent from the data subject for PII collection, the data processor must notify the data subject of the following information:

  • the purpose of the collection and use of PII;
  • the type of PII being collected;
  • the retention period of PII; and
  • the right to refuse consent and the disadvantages resulting from refusing consent.

If there are any changes to the above, such changes also need to be notified to the data subject.

Second, if the PII being processed by the PII processor is collected from someone other than the data subject, the PII processor must notify the data subject of the following information immediately upon the request of the data subject:

  • the source of the PII collection;
  • the purpose of the PII processing; and
  • the right of the data subject to request the PII processor to suspend processing of the data subject’s PII.

Third, if the PII processing is being delegated to a third party, the following information needs to be published on the relevant website or otherwise disclosed in a manner easily accessible to the data subject:

  • the processing activity that is being delegated; and
  • the identity of the delegatee.

Fourth, in the case of PII transfer due to corporate events such as business transfer, the transferor must notify the data subject in writing or by posting on the transferor’s website.

Network Act

First, when obtaining consent from the data subject for PII collection, the data processor must notify the data subject of the following information:

  • the purpose of the collection and use of PII;
  • the type of PII being collected; and
  • the retention period of PII.

If there are any changes to the above, such changes also need to be notified to the data subject.

Second, in the case of PII transfer due to corporate events such as business transfer, the transferor must notify the data subject by email or by posting on the transferor’s website.

Third, ICT service providers whose revenue for ICT-related services is 10 billion won or more in the preceding year, or whose number of daily average users is one million or above for the last three months of the preceding year, must notify the data subjects of the use of PII at least once a year by email, mail, text or telephone.

Exemption from notification

When is notice not required?

Notice is not required for exceptional circumstances, such as a threat to life, the risk of bodily harm or the substantial impairment of rights regarding another person’s property or other interest.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

Under the PIPA and the Network Act, the consent for collection of PII and the consent for sharing PII with a third party (or, in the case of the Network Act, delegation of processing to a third party) should be clearly distinguished so that the data subject is aware of the scope of each consent. Also, when collecting PII, the data processor needs to clearly distinguish between mandatory PII and optional PII, thereby providing a degree of control to the data subject.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Under the PIPA, a PII processor must ensure the accuracy, completeness and currency of the PII to the extent required for the purpose of the PII processing by implementing the following procedures:

  • pre-verification of PII being inputted;
  • data subject’s right to access and correct PII; and
  • correction or deletion of inaccurate information.

Further, the PII processor should exercise due care when processing PII to prevent any intentional or negligent alteration or destruction of PII.

Under the Network Act, ICT service providers are required to implement technical and organisational measures to ensure the security of PII and to prevent the falsification, alteration or destruction of PII. Like the PIPA, the Network Act requires procedures for granting the data subject access to PII and the right to request correction of PII to ensure the input of accurate data and for rectifying or deleting any incorrect information.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

Under the PIPA, the PII must be destroyed when it becomes no longer necessary to retain PII due to the expiry of the PII holding period or the expiry or completion of the purpose of the PII processing.

The specific holding period for PII is determined by the sector-specific laws. For example, the Act on the Consumer Protection in Electronic Commerce, etc, states that information on:

  • expression and advertising should be stored for six months;
  • contracts and retraction of applications should be stored for five years;
  • payment and provision of goods should be stored for five years; and
  • consumer complaints and dispute resolution should be stored for three years.

Additionally, under the Credit Information Act, credit information should be deleted by the date which is the earlier of (i) five years from the termination of the financial transaction and (ii) three months from the date on which the purpose for collecting and providing PII has been achieved. Please note that certain records (as set forth in question 23) require retention for three years under the Credit Information Act.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

A PII processor can only use PII for the purpose for which the PII was collected. It is illegal for a PII processor to use the PII beyond the purpose of collection unless the consent of the data subject has been obtained or there are exceptions in other statutes. Accordingly, it can be viewed that the finality principle has been adopted.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

In principle, a PII processor can only use PII for the purpose for which the PII was collected unless one of the exceptions that allow PII processing without consent (as described in question 11) applies. Accordingly, unless the new purpose falls under these exceptions, additional consent from the data subject would be required to use PII for a new purpose.