1. Reasons for Proposal

The amended Decree specifies matters concerning standards and procedures, etc. for a number of provisions to be enforced on March 15, 2024 in accordance with the amended Personal Information Protection Act (promulgated on March 14, 2023). In keeping with changes brought by digital transition, it stipulates matters delegated by the Act to guarantee the rights of data subjects in special domains where personal information is processed by a “fully automated system” in the same manner as the rights of data subjects in the conventional personal information processing process, which are protected in the form of the right to request access, correction, deletion, suspension of processing, etc.

This Amendment also specifies qualification requirements and scope of obligations of privacy officers to guarantee the expertise and independence of privacy officers and thereby strengthen the protection of personal information by personal information controllers. It prescribes detailed procedures for assessing the level of personal information protection in public institutions, and streamlines and modifies the scope of and standards on persons subject to obligations in accordance with the change in coverage of liabilities for damages from information and communications service providers to personal information controllers.

2. Major Provisions

  A. Scope, standards, methods, and procedures for assessments of the level of personal information protection (Article 13-2).

  B. Routine investigation of the management of personally identifiable information (Article 21).

  C. Content and disclosure method of privacy policies (Article 31 (1)).

  D. Privacy officer designation and councils (Article 32, Article 32-2).

  E. Rights of data subjects regarding automated decisions (Articles 44-2 through 44-4).

  F. Scope of and standards on persons required to purchase liability insurance, etc. (Article 48-7).

  G. Review of regulations (Article 62-3).