skip to main contents skip to main menu
KOTRA Trade-Investment Promotion Agency buy korea For Seller Inverst KOREA
Korean

FOREIGN INVESTMENT OMBUDSMAN

FOREIGN INVESTMENT OMBUDSMAN

Korean

Government Legislation

  • [IT & IPR] Re-Legislative Notice of Partial Revision (Draft) to the Enforcement Decree of the Personal Information Protection Act
    • Competent Ministry : Personal Information Protection Commission
    • Advance Publication of Legislation : 2024-12-16
    • Opinion Submission Deadline : 2024-12-23

1. Reason for the Revision

The proposed revision aims to specify the matters delegated by the Personal Information Protection Act so as to allow data subjects to exercise fully their right to request the transmission of personal information, as the recent revision to the Act (promulgated on March 14, 2023) provides the statutory grounds for guaranteeing the right to request the transmission of personal information as a universal right of the general public. 


2. Main Contents

a. Improvement of notification methods and procedures (Article 15-2 (3) of the Enforcement Decree)

- The revision improves the relevant provisions to allow notifications of  transmission details of personal information to be provided together with the “Notification of the Sources of Personal Information” (Article 20 (2) of the Act) and the “Notification of Details of Use and Provision of Personal Information” (Article 20-2 (1) of the Act).

b. Standards for information transmitter (Article 42-2 of the Enforcement Decree)

- The revision stipulates the scope of information transmitters by specifying the targets of information transmitters (Article 35-2 (1) of the Act and Article 35-2 (2) of the Act) who transmit personal information to the person and a third party at the request of the data subject.

c. Standards for general recipients of information (Article 42-3 of the Enforcement Decree)

- The revision stipulates that general recipients of personal information must be equipped with the facilities and technologies specified by the Protection Commission in order to verify the authenticity of the information collected in the course of performing their own business.

d. Provision for requesting transmission (Article 42-4 and 42-5 of the Enforcement Decree)

- The revision specifies the scope of information that data subject may request a data transmitter to transmit to him or her and to third parties (Article 42-4 of the Enforcement Decree).

- The revision provides the details of how data subjects may request transmission, periodic transmission, etc. (Article 42-5 of the Enforcement Decree)

e. Methods and procedures for transmission, exclusion laws related to transmission requests, and refusal and discontinuance of transmission (Article 42-6 to 42-8 of the Enforcement Decree)

- The revision provides the matters pertaining to the methods and procedures of transmission, including the transmission of personal information without delay, the use of methods of transmission that ensure safety and reliability, the utilization of specialized relay service agencies, the storage of transmitted information, and notification of the details of transmission (Article 42-6 of the Enforcement Decree).

- The revision specifies the matters that exclude the application of other Acts so that transmission can be effectuated despite their provisions when data subject requests transmission (Article 42-7 of the Enforcement Decree).

- The revision provides the causes of or reasons for which the transmitters of information may refuse requests for, or discontinue, transmission and the notification procedure when it is refused or discontinued (Article 42-8 of the Enforcement Decree).

f. Provision on agencies specializing in personal information management (Article 42-9 to 42-14 of the Enforcement Decree)

- The revision specifies the duties delegated by the Act to the Enforcement Decree in relation to personal information management service agencies, and provides the classification of personal information management service agencies and the matters necessary for the performance of their duties (Article 42-9 of the Enforcement Decree).

- The revision specifies such matters as those concerning the application procedure for obtaining designation as a specialized organization, designation authority, and preliminary examination (Article 42-10 of the Enforcement Decree).

- The revision specifies detailed guidelines for the designation of specialized service organizations and the omission of examination of detailed guidelines for designation (Article 42-11 of the Enforcement Decree).

- The revision specifies the procedure for designating the designating authority, the imposition of conditions for designation, approval of changes, re-designation, and the procedure for suspension or abolition of their duties (Article 42-12 of the Enforcement Decree).

- The revision specifies the prohibited acts by personal information management service organizations, including acts that may infringe on the personal information, or restrict the rights, of data subjects (Article 42-13 of the Enforcement Decree).

- The revision specifies the causes of, reasons, and procedure for revocation by the designating authority of the designation of a specialized service organization, and the follow-up measures to be taken in the event of revocation (Article 42-14 of the Enforcement Decree).

g. The Protection Commission's administration and supervision related to the right to request transmission (Article 42-15 of the Enforcement Decree)

- The revision provides the matters for the management and supervision of both transmitters and general recipients of information, and organizations specializing in personal information management, including whether the right to request transmission is fulfilled, and whether the designation requirements are satisfied and maintained, etc.

- The revision stipulates that the Protection Commission may require processors of personal information to submit the necessary data or materials for their management and supervision.

h. Deployment and operation of personal information transmission support platforms (Article 42-16 of the Enforcement Decree)

- The revision stipulates the matters necessary for the deployment and operation of a personal information transmission support platform, including the platform registration procedures, submission of transmission histories to the platform, linkage to the transmission support system, and notification to the platform.

i. Confirmation of the data subject or agent (Article 46 (1) of the Enforcement Decree)

- The revision requires processors of personal information to verify whether the person requesting the transfer of personal information is the actual data subject or their legitimate agent upon receiving a request for the transfer of personal information.

k. Fees for transmission requests (Article 47 (1) and Article 47 (4) of the Enforcement Decree)

- The revision provides that a transmitter of data or information may charge a fee to a recipient who requests the transmission of personal data on behalf of the data subject.

- The revision provides that the transmission service fee will be calculated in accordance with the fee calculation guidelines set forth by the Protection Commission, taking into account the characteristics of the personal information to be transmitted and the cost of building and operating the necessary facilities.

l. Outsourcing of duties or services (Article 62 (3) of the Enforcement Decree)

- The revision provides for the delegation of duties related to the right to request the transmission of personal information pursuant to Article 68 (1) of the Act, which allows the Protection Commission to delegate parts of its authority.

m. Grounds for processing unique identifiable information for authentication of the related person in connection with a request for transmission (Article 62-2 (3) of the Enforcement Decree)

- The revision provides the grounds on which information transmitters and intermediary service organizations may process uniquely identifiable information in order to verify the identity of data subjects that they already possess while performing their duties related to the right to request the transmission of personal information.

n. Explanation of the time limit for reviewing regulations (Article 62-3 (1) of the Enforcement Decree)

- The revision stipulates that regulations newly introduced by the revision should be reviewed every three years to take measures such as improvement. 

o. Revision of cited articles due to revision to the Enforcement Decree (Article 48-7 (4) and Article 60-2 (6) of the Enforcement Decree)

- As the Enforcement Decree has been revised to add attached Table to it and their serial numbers have been changed, the provisions citing them have also been revised.

Regulatory effect assessment
  • 개인정보 보호법 시행령(규제영향분석서)_20241213.hwp [download]
Legislative proposal (draft)
  • 개인정보 보호법 시행령 일부개정령안 재입법예고 공고문.pdf [download]
Kotra - Korea Trade-Investment Promotion Agency
Foreign Investor Aftercare Office, 6th floor, Invest Korea Plaza, 7, Heolleungno, Seocho-gu, Seoul, 06792, Republic of Korea TEL : 1600-7119
Copyight(c) All Rights Reserved. OFFICE OF FOREIGN INVESTMENT OMBUDSMAN [OFIO], KOTRA