The Personal Information Protection Commission (PIPC), chaired by Song Kyung-hee, decided on December 10 to issue a warning to four personal information processors for violating personal information protection regulations. These processors were found to have omitted or inadequately disclosed some legally required items in their personal information processing policies.
The PIPC considered that the violations occurred due to a lack of personal information protection capabilities, and all four processors immediately corrected the violations. Given that there were no additional confirmed cases of damage beyond public reports, the PIPC issued a stern warning and will continue to guide processors to establish and disclose personal information processing policies in accordance with laws and guidelines.
Personal information processing policies are important as they regulate the methods and procedures for handling personal information, allowing users to easily check what personal information is collected, used, and stored, and how they can exercise their rights such as viewing and deleting their information. The PIPC provided guidance on desirable cases and precautions related to the establishment and disclosure of these policies.
To improve the practice of formal mandatory consent, the PIPC emphasized that personal information required for contract fulfillment and other lawful conditions should be clearly stated in the processing policies without the need for the data subject’s consent, reflecting the revised Personal Information Protection Act of 2023. Additionally, to enhance transparency in personal information processing across society, the PIPC is implementing a personal information processing policy evaluation system for large-scale processors and providing tailored support for policy establishment and revision to small and medium-sized enterprises.