ABLI-FPF Convergences Series - Status of Consent for Processing Personal Data (South Korea report)

ABLI-FPF Convergences Series - Status of Consent for Processing Personal Data (South Korea report)

Author: Dominic Paulger, Policy Manager (APAC), Future of Privacy Forum

Asian Business Law Institute and Future of Privacy Forum

May 2022

This report provides a detailed overview of relevant laws and regulations in South Korea on

• notice and consent requirements for processing personal data;
• alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
• statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.

Table of Contents 

1. INTRODUCTION 

2. ROLE OF THE PERSONAL INFORMATION PROTECTION COMMISSION (“PIPC”)

3. SECTORAL LAWS AND REGULATIONS

     3.1. Act on Usage and Protection of Credit Information (“Credit Information Act”)

     3.2. Act on the Protection and Use of Location Information (“Location Information Act”)

4. CONSENT AND PRIVACY SELF-MANAGEMENT IN THE PIPA

5. CONDITIONS FOR CONSENT

     5.1. Definition and forms of consent

     5.2. Withdrawal of consent

     5.3. Bundled consent

6. CONSENT FOR SPECIAL CATEGORIES OR USES OF DATA

     6.1. Children

     6.2. Cookie, Internet of Things, Online Tracking 

     6.3. Direct marketing 

     6.4. Biometric data

     6.5. Genetic data

     6.6. Financial information

     6.7. Pseudonymized data

          a. Obligations when processing pseudonymized information 

    6.8. Location data

7. CONSENT FOR CROSS-BORDER DATA TRANSFERS 

8. TRANSPARENCY AND NOTICE 

     8.1. Collecting and using PI 

     8.2. Disclosing PI to third parties     

9. SANCTIONS AND ENFORCEMENT

     9.1. Collecting PI without consent

     9.2. Using and disclosing of PI without consent

     9.3. Failure to provide prescribed information

     9.4. Enforcement actions

10. COLLECTING, USING, AND DISCLOSING DATA WITHOUT CONSENT SUBJECT TO A RISK IMPACT ASSESSMENT

      10.1. Scope of “legitimate interest

      10.2. Criteria weighed in the assessment 

      10.3. Documenting the assessment

      10.4. Disclosing the assessment

11. COLLECTING, USING, AND DISCLOSING DATA WITHOUT CONSENT IN OTHER CIRCUMSTANCES DEFINED BY LAW

       11.1. Collecting, using, and disclosing PI under the PIPA

               a. Collecting and using PI
               b. Disclosing PI to a third party 
               c. Collecting and using PI where required to enter into and perform a contract between the individual and the controller
               d. Collecting and using PI where unavoidably necessary to comply with obligations under laws/regulations 
               e. Collecting and using PI where unavoidably necessary for a public institution to perform its duties
               f. Collecting and using PI where manifestly necessary to protect the life, physical, or economic interest of the data subject or a third party

        11.2. Collecting, using, and disclosing of sensitive PI

        11.3. Exceptions to consent requirements in the PIPA

        11.4. Exemptions from consent requirements in specific laws

                a. Act on Real Name Financial Transactions and Confidentiality
                b. Insurance Business Act
                c. Infectious Disease Control and Prevention Act

        11.5. Specific circumstances

                a. Pseudonymized information for research purposes
                b. Publicly available information.

        11.6. Rule of interpretation 

        11.7. COVID-19