1. Reason for Amendment
To operate the domestic agent system effectively, when a personal information controller without an address or place of business in Korea designates a domestic agent, a domestic corporation meeting certain criteria, such as being established and operated in Korea, should be prioritized for designation. Additionally, the personal information controller will be required to manage and supervise the designated domestic agent, and fines will be imposed for violations. As the "Personal Information Protection Act" has been amended (Act No. 20897, promulgated on April 1, 2025, and effective on October 2, 2025), this regulation aims to define the criteria for a domestic corporation over whose management and operations the personal information controller exercises significant influence, establish methods for managing and supervising designated domestic agents, and set criteria for imposing fines. Furthermore, it addresses the legal basis for entrusting tasks to specialized institutions and for including local government-invested and commissioned institutions as public institutions under the Personal Information Protection Act.
2. Key Contents
a. Expansion of the Scope of Public Institutions (Articles 2 and 13-2)
- Local government-invested and commissioned institutions will be included as public institutions under the Personal Information Protection Act.
- As a result of this expansion, local government-invested and commissioned institutions will become subject to the evaluation of the level of personal information protection for public institutions.
b. Specification of Domestic Agent Designation Criteria and Management & Supervision Obligations, and Fines for Violations (Articles 32-3, 63, and Annex 2)
- The criteria for a domestic corporation where the personal information controller has dominant influence over management, operations, and decision-making (e.g., holding more than 50% of the voting rights for board appointments or 30% or more of the total shares or investment) will be established.
- The management and supervision obligations for the domestic agent will be clarified (e.g., developing and implementing plans, checking compliance, confirming improvements, and conducting training at least once a year).
- Fines will be established for violations (e.g., 20 million KRW for not designating a domestic agent or failing to supervise the agent, with further fines for failing to include the agent's name and address in the privacy policy, based on the number of violations).
c. Legal Basis for Entrusting Tasks to Specialized Institutions (Article 62)
- The scope of tasks that can be entrusted to specialized institutions, such as the Korea Internet & Security Agency, will be expanded to include the evaluation of personal information protection levels for public institutions and the promotion and support of self-regulation.