1. Reason for revision
The proposed revision specifies matters delegated by the Act so that information subjects may smoothly exercise their right to request the transmission of personal information ("My data"), since the revision of the Personal Information Protection Act (promulgated on 2023.03.14) has provided statutory grounds for guaranteeing that right as a universal right of citizens.
The revision is also proposed to provide a basis for not designating inactive and non-performing "Expert Data Combination Institutions" with no track record in combining pseudonymized information when their performance is reviewed for redesignation.
2. Main contents
a. Information transmitter criteria (Article 42-2 of the Enforcement Decree)
- The revision defines the scope of information transmitters by dividing them into two categories: subject information transmitters, which transmit personal information to the information subject upon request (Article 35-2 (1) of the Act), and third-party information transmitters, which transmit personal information to a third party (Article 35-2 (2) of the Act).
b. General information receiver criteria (Article 42-3 of the Enforcement Decree)
- Stipulates that general recipients, who receive and confirm personal information transmitted to them, must be equipped with the facilities and technologies notified by the Protection Commission, including overall systems related to their request for transmission, protective equipment and technologies for preventing unlawful access or infringement, and systems for recording and storing transmission details.
c. Provisions for requesting transmission (Articles 42-4 & 42-5 of the Enforcement Decree)
- Classifies the types of information whose transmission may be requested by the information subject into two categories: information transmitted to the information subject and information transmitted to third parties (Article 42-4 of the Enforcement Decree)
- Provides detailed guidelines on how the information subject may request the transmission, periodic transmission, and exclusion of application of other statutes (Article 42-5 of the Enforcement Decree)
d. Provisions concerning methods and procedures for transmission and refusal and discontinuance of transmission (Articles 42-6 & 42-7 of the Enforcement Decree)
- Provisions related to transmission methods and procedures, including transmission of personal information without delay, application of transmission methods that can ensure safety and reliability, use of relay service-specializing institutions, processing of unique identification information for authentication of the information subjects, storage of transmitted information, and notification of transmission details (Article 42-6 of the Enforcement Decree)
- Provisions concerning the causes or reasons for the information transmitter to refuse or discontinue the transmission, notification procedure for such refusal or discontinuation, and method of withdrawal (Article 42-7 of the Enforcement Decree)
e. Provisions concerning institutions specializing in managing personal information (Articles 42-8 & 42-11 of the Enforcement Decree)
- Specifies the tasks that the Act delegates to the Enforcement Decree in relation to institutions specializing in managing personal information, and stipulates the classification of those institutions and the matters necessary for the performance of their duties (Article 42-8 of the Enforcement Decree)
- Provides specific requirements for the designation of specialized institutions, procedures for designation and redesignation, essential changes, preliminary designation, and validity of designation (Article 42-9 of the Enforcement Decree)
- Provisions specifying the causes or reasons for the Protection Commission or the relevant central administrative agency to revoke the designation of a specialized service agency, revocation procedure, and follow-up actions in case of revocation (Article 42-10 of the Enforcement Decree)
- Specifies the acts feared to infringe personal information or restrict the rights of information subjects, since the Act delegates to the Enforcement Decree the provision on prohibited acts by institutions specializing in managing personal information (Article 42-11 of the Enforcement Decree)
f. The Protection Commission's administration and supervision related to the right to request transmission (Article 42-12 of the Enforcement Decree)
- Provisions stipulating the administration and supervision of information transmitters, general receivers, and institutions specializing in managing personal information, including whether the right to request transmission is honored and whether the designation requirements are met, etc.
- Provides that the Protection Commission may require the relevant personal information processors to submit the data or information necessary for its administration and supervision
g. Development and Operation of the Personal Information Transmission Support Platform (Article 42-13 of the Enforcement Decree)
- Stipulates matters necessary for the development and operation of a personal information transmission support platform, including the platform registration procedure, submission of transmission history to the platform, connection to the transmission support system, and notification to the platform
h. Improvement of notification methods and procedures (Article 15-2 (3) of the Enforcement Decree)
- Improves the relevant provisions so that the details of personal information transmission can be notified together with "the notification of the sources of personal information collected" (Article 20 (2) of the Act) and "the notification of the details of use and provision of personal information" (Article 20-2 (1) of the Act)
i. Fees for transmission requests (Article 47 (4)-(5) of the Enforcement Decree)
- Stipulates that an information transmitter may charge a fee to a recipient who requests the transmission of personal data on behalf of the information subject
- Stipulates that the fee for a transmission request should be calculated in accordance with the fee calculation guidelines set forth by the Personal Information Protection Commission, taking into account the cost of deploying the necessary facilities, their operating costs, and the characteristics of the target personal information
j. Outsourcing of works (Article 62 (3) of the Enforcement Decree)
- Adds matters related to the right to request the transmission of personal information, introduced by the revision of the Act, to the existing provisions concerning the delegation of duties, pursuant to Article 68 (1) of the Act, which allows the Protection Commission to delegate part of its authority
k. Improvement of guidelines for designation and redesignation of Expert Data Combination Agency (Article 29-2 (1) & (4) of the Enforcement Decree)
- Provides the statutory basis for the head of the Protection Commission or the relevant central administrative agency to decide whether to redesignate an Expert Data Combination Agency by reviewing its performance in the past three years and its future operation plans when the service institutions are being redesignated (every three years)
l. Provides a clear basis for the quarterly submission of documents concerning the administration and supervision of in-house combination (Article 29-4 (2) of the Enforcement Decree)
- Clarifies the Enforcement Decree's provision on delegating the Protection Commission to require the Expert Data Combination Agency to submit the documents prescribed and notified by the Protection Commission for the purpose of administration and supervision of the Expert Data Combination Agency.