PERSONAL INFORMATION PROTECTION ACT


Article 15 (Collection and Use of Personal Information)
(1) A personal information controller may collect personal information in any of the following circumstances, and use it with the scope of the purpose of collection:

1. Where consent is obtained from a data subject;
2. Where special provisions exist in other laws or it is inevitable to observe legal obligations;
3. Where it is inevitable for a public institution’s performance of its duties under its jurisdiction as prescribed by statutes, etc.;
4. Where it is inevitably necessary to execute and perform a contract with a data subject;
5. Where it is deemed manifestly necessary for the protection of life, bodily or property interests of the data subject or third party from imminent danger where the data subject or his or her legal representative is not in a position to express intention, or prior consent cannot be obtained owing to unknown addresses, etc.;
6. Where it is necessary to attain the justifiable interest of a personal information controller, which such interest is manifestly superior to the rights of the data subject. In such cases, processing shall be allowed only to the extent the processing is substantially related to the justifiable interest of the personal information controller and does not go beyond a reasonable scope.


(2) A personal information controller shall inform a data subject of the following matters when it obtains consent under paragraph (1) 1. The same shall apply when any of the following is modified.
1. The purpose of the collection and use of personal information;
2. Particulars of personal information to be collected;
3. The period for retaining and using personal information;
4. The fact that the data subject is entitled to deny consent, and disadvantages, if any, resulting from the denial of consent.


(3) A personal information controller may use personal information without the consent of a data subject within the scope reasonably related to the initial purpose of the collection as prescribed by Presidential Decree, in consideration whether disadvantages have been caused to the data subject and whether necessary measures have been taken to secure such as encryption, etc. <This Article Newly Inserted by Act No. 16930, February 4, 2020>

Article 16 (Limitation to Collection of Personal Information)
(1) A personal information controller shall collect the minimum personal information necessary to attain the purpose when collecting personal information pursuant to Article 15
(1). In such cases, the burden of proof that the minimum personal information is collected shall be borne by the personal information controller.
(2) A personal information controller shall collect personal information by specifically informing a data subject of the fact that he or she may deny the consent to the collection of other personal information than the minimum information necessary in case of collecting the personal information through the consent of the data subject. <Newly Inserted by Act No. 11990, Aug. 6, 2013>
(3) A personal information controller shall not deny the provision of goods or services to a data subject on ground that the data subject does not consent to the collection of personal information exceeding minimum requirement. <Amended by Act No. 11990, Aug. 6, 2013>

Article 17 (Provision of Personal Information)
(1) A personal information controller may provide (or share; hereinafter the same shall apply) the personal information of a data subject to a third party in any of the following circumstances: <Amended by Act No 16930, February. 4, 2020>

1. Where the consent is obtained from the data subject;
2. Where the personal information is provided within the scope of purposes for which it is collected pursuant to Articles 15 (1) 2, 3 and 5 and 39-3 (2) 2 and 3.

(2) A personal information controller shall inform a data subject of the following matters when it obtains the consent under paragraph (1) 1. The same shall apply when any of the following is modified:
1. The recipient of personal information;
2. The purpose for which the recipient of personal information uses such information;
3. Particulars of personal information to be provided;
4. The period during which the recipient retains and uses personal information;
5. The fact that the data subject is entitled to deny consent, and disadvantages, if any, resulting from the denial of consent.

(3) A personal information controller shall inform a data subject of the matters provided for in paragraph (2), and obtain the consent from the data subject in order to provide personal information to a third party overseas; and shall not enter into a contract for the cross-border transfer of personal information in violation of this Act.
(4) A personal information controller may provide personal information without the consent of a data subject within the scope reasonably related to the purposes for which the personal information was initially collected, in accordance with the matters prescribed by Presidential Decree taking into consideration whether disadvantages are caused to the data subject, whether necessary measures to secure safety, such as encryption, have been taken, etc. . <Newly Inserted by Act No. 16930, 4. February, 2020>

Article 18 (Limitation to Out-of-Purpose Use and Provision of Personal Information)
(1) A personal information controller shall not use personal information beyond the scope provided for in Articles 15 (1) and 39-3 (1) and (2), or provide it to any third party beyond the scope provided for in Article 17 (1) and (3). (2) Notwithstanding paragraph (1), where any of the following subparagraphs applies, a personal information controller may use personal information or provide it to a third party for other purposes, unless doing so is likely to unfairly infringe on the interest of a data subject or third party: Provided, That information and communications service providers (as set forth in Article 2 (1) 3 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.; hereinafter the same shall apply) processing the personal information of users (as set forth in Article 2 (1) 4 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.; hereinafter the same shall apply) are only subject to subparagraphs 1 and 2, and subparagraphs 5 through 9 are applicable only to public institutions: <Amended by Act No. 16930, Feb. 4, 2020>

1. Where additional consent is obtained from the data subject;
2. Where special provisions exist in other laws;
3. Where it is deemed manifestly necessary for the protection of life, bodily or property interests of the data subject or third party from imminent danger where the data subject or his or her legal representative is not in a position to express intention, or prior consent cannot be obtained owing to unknown addresses;
4. Deleted; <by Act No. 16930, Feb. 4, 2020>
5. Where it is impossible to perform the duties under its jurisdiction as provided for in any Act, unless the personal information controller uses personal information for other purpose than the intended one, or provides it to a third party, and it is subject to the deliberation and resolution by the Commission;
6. Where it is necessary to provide personal information to a foreign government or international organization to perform a treaty or other international convention;
7. Where it is necessary for the investigation of a crime, indictment and prosecution;
8. Where it is necessary for a court to proceed with trial-related duties;
9. Where it is necessary for the enforcement of punishment, probation and custody.


(3) A personal information controller shall inform the data subject of the following matters when it obtains the consent under paragraph (2) 1. The same shall apply when any of the following is modified.
1. The recipient of personal information;
2. The purpose of use of personal information (in the case of provision of personal information, it means the purpose of use by the recipient);
3. Particulars of personal information to be used or provided;
4. The period for retaining and using personal information (where personal information is provided, it means the period for retention and use by the recipient);
5. The fact that the data subject is entitled to deny consent, and disadvantages, if any, resulting from the denial of consent.

(4) Where a public institution uses personal information, or provides it to a third party for other purpose than the intended one collected under paragraph (2) 2 through 6, 8, and 9, the public institution shall post the legal grounds for such use or provision, purpose and scope, and other necessary matters on the Official Gazette or its website requirements for such use or provision including the legal basis, purpose, scope, etc. as prescribed by Notification of the Protection Commission. <Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017; Act No 16930, Feb. 4, 2020>
(5) Where a personal information controller provides personal information to a third party for other purpose than the intended one in any case provided for in paragraph (2), the personal information controller shall request the recipient of the personal information to limit the purpose and method of use and other necessary matters, or to prepare necessary safeguards to ensure the safety of the personal information. In such cases, the person in receipt of such request shall take necessary measures to ensure the safety of the personal information.

Article 19 (Limitation to Use and Provision of Personal Information on Part of Its Recipients)
A person who receives personal information from a personal information controller shall not use the personal information, or provide it to a third party, for any purpose other than the intended one, except in the following circumstances:

1. Where additional consent is obtained from the data subject;
2. Where special provisions exist in other laws.


Article 20 (Notification on Sources, etc. of Personal Information Collected from Third Parties)
(1) When a personal information controller processes personal information collected from third parties, the personal information controller shall immediately notify the data subject of the following matters at the request of such data subject:

1. The source of collected personal information;
2. The purpose of processing personal information;
3. The fact that the data subject is entitled to demand suspension of processing of personal information, as prescribed in Article 37.

(2) Notwithstanding paragraph (1), when a personal information controller satisfying the criteria prescribed by Presidential Decree taking into account the types and amount of processed personal information, number of employees, amount of sales, etc., collects personal information from third parties and processes the same pursuant to Article 17 (1) 1, the personal information controller shall notify the data subject of the matters referred to in paragraph (1): Provided, That this shall not apply where the information collected by the personal information controller does not contain any personal information, such as contact information, through which notification can be given to the data subject. <Newly Inserted by Act No. 14107, Mar. 29, 2016; Act No 16930, February. 4, 2020>
(3) Necessary matters in relation to the time, method, and procedure of giving notification to the data subject pursuant to the main sentence of paragraph (2), shall be prescribed by Presidential Decree.
(4) Paragraph (1) and the main clause of paragraph (2) shall not apply to any of the following circumstances: Provided, That this shall be the case only where it is manifestly superior to the rights of data subjects under this Act: <Amended by Act No. 14107, Mar. 29, 2016>
1. Where personal information, which is subject to a notification request, is included in the personal information files referred to in any of the subparagraphs of Article 32 (2);
2. Where such notification is likely to cause harm to the life or body of any other person, or unfairly damages the property and other interests of any other person.


Article 21 (Destruction of Personal Information)
(1) A personal information controller shall destroy personal information without delay when the personal information becomes unnecessary owing to the expiry of the retention period, attainment of the purpose of processing the personal information, etc.: Provided, That this shall not apply where the retention of such personal information is mandatory by other statutes.
(2) When a personal information controller destroys personal information pursuant to paragraph (1), necessary measures to prevent recovery and revival shall be taken.
(3) Where a personal information controller is obliged to retain, rather than destroy, personal information pursuant to the proviso to paragraph (1), the relevant personal information or personal information files shall be stored and managed separately from other personal information.
(4) Other necessary matters, such as the methods to destroy personal information and its destruction process, shall be prescribed by Presidential Decree.

Article 22 (Methods of Obtaining Consent)
(1) Where a personal information controller intends to obtain the consent of the data subject (including his or her legal representative as stated in paragraph (6): hereafter in this Article the same applies) to the processing of his or her personal information, the personal information controller shall present the request for consent to the data subject in a clearly recognizable manner where each matter requiring consent is distinctly presented, and obtain his or her consent thereto, respectively. <Amended by Act No. 14765, Apr. 18, 2017>
(2) Where a personal information controller obtains the consent under paragraph (1) in writing (including electronic documents under Article 2, subparagraph 1 of the Framework Act on Electronic Documents and Transactions), the personal information controller shall clearly specify important matters prescribed by Presidential Decree such as the purpose of collection and use of personal information and the items of personal information to be collected and used, in the manner prescribed by Notification of the Protection Commission, so as to make such matters easy to be understood. <Newly Inserted by Act No. 14765, Apr. 18, 2017; Act No. 14839, Jul. 26, 2017; Act No. 16930, 4. February, 2020>
(3) Where a personal information controller obtains the consent of a data subject to the processing of his or her personal information pursuant to Articles 15 (1) 1, 17 (1) 1, 23 (1) 1, and 24 (1) 1, the personal information controller shall distinguish personal information that may be processed without the data subject’s consent for the purpose of executing a contract with the data subject, etc., from personal information that may be processed only with the data subject’s consent. In such cases, the burden of proof that no consent is required in processing the personal information shall be borne by the personal information controller. <Amended by Act No. 14107, Mar. 29, 2016; Act No. 14765, Apr. 18, 2017>
(4) Where a personal information controller intends to obtain the consent of the data subject to the processing of his or her personal information in order to promote goods or services or solicit purchase thereof, the personal information controller shall notify the data subject of the fact in a clearly recognizable manner, and obtain his/her consent thereto. <Amended by Act No. 14765, Apr. 18, 2017>
(5) A personal information controller shall not deny the provision of goods or services to a data subject on ground that the data subject would not consent to the matter eligible for selective consent pursuant to paragraph (3), or would not consent pursuant to paragraph (4) and Article 18 (2) 1. <Amended by Act No. 14765, Apr. 18, 2017>
(6) When it is required to obtain consent pursuant to this Act to process personal information of a child under 14 years of age, a personal information controller shall obtain the consent of his/her legal representative. In such cases, minimum personal information necessary to obtain the consent of the legal representative may be collected directly from such child without the consent of his/her legal representative. <Amended by Act No. 14765, Apr. 18, 2017>
(7) Except as otherwise expressly provided for in paragraphs (1) through (6), other matters necessary in relation to detailed methods to obtain the consent of data subjects and the minimum information referred to in paragraph (6) shall be prescribed by Presidential Decree, in consideration of the collection media of personal information. <Amended by Act No. 14765, Apr. 18, 2017>