Obligation to designate a person responsible for the protection of personal information
Designation of a person responsible for the protection of personal information
- Every online shopping mall operator shall designate a personal information protection officer who will be in charge of personal information processing (Article 31(1) of the Personal Information Protection Act).
- The personal information protection officer shall hold the position of either ① the business owner or the representative or ② an executive (in case there is no executive, the head of a department in charge of personal information processing) (Article 31(1) of the Personal Information Protection Act and Subparagraph 2 of Article 32(2) of the Enforcement Decree of the Personal Information Protection Act).
Obligation to enforce protective measures for personal information
Safety measures for personal information
- Every online shopping mall operator shall take technical, administrative and physical measures necessary to secure safety, such as establishing an internal management plan and storing access records, in order to prevent the loss, theft, leakage, forgery or alteration of or damage to personal information of consumers (Article 29 of the Personal Information Protection Act).
- Any person who violates this provision shall be punished with an administrative fine not exceeding KRW 30 million (Subparagraph 5 of Article 75(2) of the Personal Information Protection Act).
Prohibition of leakage, etc. of personal information
- An online shopping mall operator who processes or has ever processed personal information of consumers shall not do the following (Subparagraphs 2 and 3 of Article 59 of the Personal Information Protection Act).
· Act of disclosing personal information that he/she learned in the course of business or of providing it for use by others without authorization
· Act of using, damaging, destroying, altering, forging, or leaking another person's personal information without authority or in excess of permitted authority
- Any person who violates this provision shall be punished by imprisonment for no more than 5 years or be subject to a fine not exceeding KRW 50 million (Subparagraphs 9 and 10 of Article 71 of the Personal Information Protection Act).
Measures required against illegal use of personal information
- Where a consumer suffers or is likely to suffer damage to his/her property as a result of illegal use of his/her information, the online shopping mall operator shall take the following measures, such as verification of identity or recovery from damage (Article 11(2) of the Act on the Consumer Protection in Electronic Commerce, etc. and Article 12 of the Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, etc.).
√ Verification of illegal use and provision of transaction records related to the relevant consumer if requested by the consumer
√ Restoration of the information related to the consumer that has been forged by illegal use
√ Recovery from damage caused by illegal use
- Where the operator fails to perform his/her duty under the above provision, the Fair Trade Commission may order him/her to take corrective measures. Where the violation is repeated despite the order to take corrective measures, an order to take corrective measures is not complied with, or the corrective measures alone are deemed to be insufficient for preventing damage to consumers or impossible to compensate consumers for their damage, the Fair Trade Commission may order the full or partial suspension of the business for a fixed period of up to 1 year or impose penalty surcharges upon the relevant operator (Subparagraph 1 of Article 32(1), Article 32(4), and Article 34(1) of the Act on the Consumer Protection in Electronic Commerce, etc.).
Obligation to destroy personal information
Destruction of expired personal information
- Online store operators shall destroy personal information without delay when the personal information becomes unnecessary owing to the expiry of the retention period, attainment of the purpose of processing the personal information, the expiry of the processing period of pseudonymized information, etc. (Article 21(1) of the Personal Information Protection Act).
· However, if it is required to retain the information under other statutes or regulations, the information may not need to be destroyed (proviso to Article 21(1) of the Personal Information Protection Act).
- When destroying personal information as required, online store operators shall take measures to ensure that the information cannot be recovered or revived (Article 21(2) of the Personal Information Protection Act).
- If online store operators are obliged to retain, rather than destroy, personal information, the relevant personal information or personal information files shall be stored and managed separately from other personal information (Article 21(3) of the Personal Information Protection Act).
Sanctions for violations
- Any person who fails to destroy personal information or take necessary measures such as the destruction of personal information shall be subject to an administrative fine not exceeding KRW 30 million (Subparagraph 4 of Article 75(2) of the Personal Information Protection Act).