Obligations to obtain consent to the collection and use of personal information

Consent to the collection and use of personal information
- An online shopping mall operator shall, whenever he/she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he/she intends to change any of the following matters (Article 39-3(1) of the Personal Information Protection Act).
√ Purposes of collection and use of the personal information
√ Items of personal information that he/she intends to collect
√ Period of time during which he/she intends to possess and use the personal information
- However, he/she may collect and use personal information of a user without the consent in any of the following cases (Article 39-3(2) of the Personal Information Protection Act).
√ If personal information is necessary for fulfilling the contract for the provision of products of the online shopping mall, but if it is clearly difficult to get consent in an ordinary manner due to an economic or technical reason
√ If it is necessary for paying charges on the products of the online shopping mall provided
√ If any other Act provides otherwise
- A person who collects personal information without the consent of the relevant user in violation of such regulations shall be punished by imprisonment with labor for up to 5 years or with a fine not exceeding KRW 50 million (Subparagraph 4-5 of Article 71 of the Personal Information Protection Act).
Restriction on the collection and use of personal information

Obligations, etc. to collect the minimum amount of information necessary
- When collecting personal information of a user, an online shopping mall operator shall only collect personal information within the minimum scope necessary for the purpose, and shall not refuse to provide services on the grounds that a user does not provide personal information other than the minimum amount of personal information required (Article 16(1) of the Personal Information Protection Act).
- Any person who refuses to provide such services on the grounds that a user does not provide personal information other than the minimum personal information required shall be punished by an administrative fine not exceeding KRW 30 million (Subparagraph 12-2 of Article 75(2) of the Personal Information Protection Act).

Prohibition on the use for any scope other than consented
- An online shopping mall operator may not use the collected personal information in excess of the scope consented by the relevant consumer or the scope for which personal information may be collected without consent (Article 18(1) of the Personal Information Protection Act).
- Any person who violates such prohibition shall be punished by imprisonment for no more than 5 years or be subject to a fine not exceeding KRW 50 million (Subparagraph 2 of Article 71 of the Personal Information Protection Act).
Provision of personal information to a third party and entrustment of personal information processing

Provision of personal information to a third party
- In any of the following cases, an online shopping mall operator may provide (including sharing. Hereinafter the same) a consumer's personal information to a third party (Article 17(1) of the Personal Information Protection Act).
1. When the consumer's consent is obtained
2. When the personal information is provided within the scope of the purpose for which it was collected
- When obtaining the consent under Subparagraph 1, an online shopping mall operator shall notify the consumer of the following matters. The same applies when there is change in such matters (Article 17(2) of the Personal Information Protection Act).
· The person to whom the personal information is furnished
· Purposes of use of the personal information of the person to whom the personal information is furnished
· Items of the personal information furnished
· Period of time during which the person to whom the personal information is furnished will retain and use the personal information
· The fact that he/she has the right to refuse to consent and, if there is a disadvantage due to the refusal, the content of the disadvantage
- Any person who fails to observe such obligations shall be punished by imprisonment for no more than 5 years or be subject to a fine not exceeding KRW 50 million (Subparagraph 1 of Article 71 of the Personal Information Protection Act).

Entrustment of personal information processing
- When an online shopping mall operator entrusts promotion of goods or services or recommendation of sales, the contents of the entrustment and the trustee shall be notified to the consumers by writing, e-mail, fax, telephone, text message, or equivalent method. The same applies when there is change in the contents of the entrustment or the trustee (Article 26(3) of the Personal Information Protection Act and Article 28(4) of the Enforcement Decree of the Personal Information Protection Act).
· If an online shopping mall operator is unable to notify, by the above method, consumers of the contents of the entrustment and the trustee without negligence, the relevant matter shall be posted on the Internet homepage for at least 30 days (Article 28(5) of the Enforcement Decree of the Personal Information Protection Act).
- Any person who entrusts the processing of personal information without notifying the contents of the entrustment and the trustee to consumers shall be punished with an administrative fine not exceeding KRW 30 million (Subparagraph 1 of Article 75(2) of the Personal Information Protection Act)

Consent to furnishing personal information and a separate consent to entrusted processing, etc.
- When obtaining a consumer's consent to the processing of personal information, an online shopping mall operator shall specify each consent item for the consumer to clearly recognize it, and then obtain the consumer's consent to each item (Article 22(1) of the Personal Information Protection Act).
- An online shopping mall operator shall not refuse to provide service on the ground that a consumer does not provide personal information other than the minimum required personal information. In this case, the minimum required personal information refers to information that is absolutely necessary to perform the essential functions of the service (Article 39-3(3) of the Personal Information Protection Act).
- Any person who refuses to provide service in violation of the above shall be punished with an administrative fine not exceeding KRW 30 million (Subparagraph 12-2 of Article 75(2) of the Personal Information Protection Act)

Obligation to control, supervise, and educate the trustee regarding the processing of personal information
- An online shopping mall operator shall educate the trustee so that personal information of consumers is not lost, stolen, leaked, forged, altered or damaged due to the entrustment of personal information processing, and supervise whether the trustee safely processes the personal information, such as checking the processing status, as prescribed by the Presidential Decree (Article 26(4) of the Personal Information Protection Act).
Precautions to take regarding the transfer of personal information following a transfer of business

Obligation to notify in accordance with the transfer of personal information
- Wherean online shopping mall operator transfers personal information of consumers toa third party due to transfer of business, in whole or in part, merger, or anysimilar cause, he/she shall notify the consumers in advance in writing, e-mail,fax, telephone, text message, or equivalent method. (Article 27(1) of the 「Personal InformationProtection Act」 and Article 29(1) of the 「Enforcement Decree ofthe Personal Information Protection Act」).
- Any person who violates this provision shall be punished with an administrative fine not exceeding KRW 10 million (Subparagraph 6 of Article 75(4) of the Personal Information Protection Act).

The scope of the use of personal information by business transferees, etc.
- When having taken over personal information due to a business transfer, merger, etc., a business transferee, etc. may use, or furnish to a third party, the personal information only for the original purpose as of the time of transfer (Article 27(3) of the Personal Information Protection Act).
- Any person who violates this provision shall be punished by imprisonment for no more than 5 years or be subject to a fine not exceeding KRW 50 million (Subparagraph 2 of Article 71 of the Personal Information Protection Act).