• Insights

1

The Amended Enforcement Decree introduces specific rules that were delegated by the March 2023 amendments to the Personal Information Protection Act, which also came into effect on March 15, 2024. These include rules concerning automated decisions facilitated by artificial intelligence (AI) and similar technologies, qualification requirements for Chief Privacy Officers (CPOs), and insurance requirements. 

Details on data subjects’ rights against automated decision-making

Under the Amended PIPA, data subjects have the right to demand explanations or reviews of decisions made through a ‘fully automated process’. Moreover, when these automated decisions significantly affect the subjects’ rights and obligations, they have the right to refuse such decisions. In this context, an ‘automated decision’ refers to a final decision that affects one’s rights or obligations and is made through the processing of personal information by systems such as AI, which operate without any substantive human intervention.  

Specifically, the Amended Enforcement Decree provides that:  

  • Data subjects have the right to request explanations or reviews from the data controller regarding automated decisions that affect their rights and obligations. Upon receiving a request, the data controller must provide a concise and meaningful explanation, detailing the criteria and processing procedures that led to the decision. However, this explanation does not need to include overly technical details. Additionally, if data subjects submit follow-up regarding the decision (e.g. a request to consider additional personal information), the data controller must assess whether this needs to be reflected, and must then communicate the decision regarding the follow-up and its outcome without delay.  
  • Data subjects can refuse automated decisions if they significantly affect their rights and obligations. In this case, the data controller is required to either implement measures to refrain from applying the decision or reprocess with human intervention and promptly inform the data subject of the outcome. However, if data subjects have been clearly informed in advance (through consent, contract, or explicit legal provisions) of the fact that automated decisions will be made, they cannot exercise the right to refuse the decision; they can only request an explanation or review of the decision.  
  • If the data controller has justifiable reasons (such as concerns regarding unjustified infringement upon another person’s life, body, property, or other interests), it has the right to deny the data subjects’ exercise of the above rights.  

New qualification requirements for the Chief Privacy Officer

Under the Amended PIPA, data controllers are obligated to appoint a Chief Privacy Officer responsible for overseeing and managing the processing of personal information. The Amended Enforcement Decree provides further details on the qualifications expected of the CPO and outlines specific entities that are required to appoint a CPO meeting these qualifications.  

These entities include:  

  • data controllers with annual revenue or income of more than KRW 150 billion that hold (i) personal information of 1 million or more data subjects or (ii) sensitive information or unique identification information (resident registration number, passport number, driver’s license number, and/or alien registration number) of 50,000 or more data subjects;   
  • universities with an enrolment of over 20,000 students (including graduate students);  
  • major general hospitals processing large volume of sensitive information (health information); and 
  • institutions that operate public data systems.  

 

Data controllers meeting the above criteria must appoint a CPO with a total of at least four years of combined experience in personal information protection, information security, and information technology, with at least two years dedicated specifically to personal information protection.  

However, in response to industry feedback during the legislative process, a grace period of up to two years has been implemented (until 14 March 2026) for individuals who were already designated as CPOs at the time of the Enforcement Decree’s effective date to meet the qualification requirements.   

Aside from the qualification requirements, the Amended PIPA also has provisions aimed at ensuring the independence of CPOs. The Amended Enforcement Decree requires the data controller to establish a regular reporting system to the representative or board of directors, ensure the CPO’s access to information on personal information processing, and provide the CPO with necessary human and material resources.  

Entities subject to the insurance requirement

Under the Amended PIPA, data controllers meeting specific criteria are required to have insurance or self-insurance coverage for any damages suffered by data subjects resulting from data controllers’ violation of the PIPA. The criteria for this requirement are delineated in the Amended Enforcement Decree, which has expanded the scope of entities subject to the insurance requirement.  

Previously, only online service providers with 1,000 users or more and annual sales of at least KRW 50 million were obligated to comply with the insurance requirement. However, under the Amended Enforcement Decree the requirement applies to data controllers for both online and offline service providers with 10,000 users or more and annual sales of at least KRW 1 billion.  

Nevertheless, the Amended Enforcement Decree includes provisions exempting certain entities from the insurance requirement:  

  • public institutions (excluding those subject to the CPO qualification requirements);  
  • public interest corporations and non-profit private organisations;  
  • small businesses that have outsourced the processing of personal information to entities that possess liability insurance for damages incurred.  

Other Notable Points

The Amended Enforcement Decree reduces the frequency of regular evaluations of the management status of unique identification information from every two years to every three years. However, entities acquiring ISMS-P certifications or undergoing evaluations mandated by other relevant laws may be exempted from these evaluation requirements.  

Further, in relation to overseas transfer of personal information, the Amended Enforcement Decree requires data controllers to disclose the following information in their privacy policy:   

  • When data controllers located overseas directly collect and process the personal information of data subjects residing in Korea, they must disclose these facts (along with the country where the data is collected and processed) in the privacy policy.  
  • When data controllers transfer collected personal information overseas, they must specify the legal basis for such overseas transfer in the privacy policy, along with a number of other items of information about the  transfer. In this context, the term ‘transfer’ includes the third-party provision of personal information (including granting access to personal information), entrustment of processing to third parties, and storage of personal information. 

Discover more about Employee Data Privacy on our Global HR Law Guide