Obligation to designate a person responsible for the protection of personal information

Designation of a person responsible for the protection of personal information
- Every online shopping mall operator shall designate a personal information protection officer who will be in charge of personal information processing (Article 31(1) of the Personal Information Protection Act).
- The personal information protection officer shall hold the position of either ① the business owner or the representative or ② an executive (if there is no executive, the head of a department in charge of personal information processing) (Article 31(1) of the Personal Information Protection Act and Subparagraph 2 of Article 32(2) of the Enforcement Decree of the Personal Information Protection Act).

Obligation to enforce protective measures for personal information

Safety measures for personal information
- Every online shopping mall operator shall take technical, administrative and physical measures necessary to secure safety, such as establishing an internal management plan and storing access records, in order to prevent the loss, theft, leakage, forgery or alteration of or damage to personal information of consumers (Article 29 of the Personal Information Protection Act).
- Any person who violates this provision shall be punished with an administrative fine not exceeding KRW 30 million (Subparagraph 6 of Article 75(2) of the Personal Information Protection Act).

Prohibition of leakage, etc. of personal information
- An online shopping mall operator who processes or has ever processed personal information of consumers shall not do the following (Subparagraphs 2 and 3 of Article 59 of the Personal Information Protection Act).
· Act of disclosing personal information that he/she learned in the course of business or of providing it for use by others without authorization
· Act of damaging, destroying, altering, forging, or leaking another person's personal information without authority or in excess of permitted authority
- Any person who violates this provision shall be punished by imprisonment for no more than 5 years or be subject to a fine not exceeding KRW 50 million (Subparagraphs 5 and 6 of Article 71 of the Personal Information Protection Act).

Measures required against illegal use of personal information
- Where a consumer suffers or is likely to suffer damage to his/her property as a result of illegal use of his/her information, the online shopping mall operator shall take the following measures, such as verification of identity or recovery from damage (Article 11(2) of the Act on the Consumer Protection in Electronic Commerce, etc. and Article 12 of the Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, etc.).
√ Verification of illegal use and provision of transaction records related to the relevant consumer if requested by the consumer
√ Restoration of the information related to the consumer that has been forged by illegal use
√ Recovery from damage caused by illegal use
- Where the operator fails to perform his/her duty under the above provision, the Fair Trade Commission may order him/her to take corrective measures. Where the violation is repeated despite the order to take corrective measures, the order to take corrective measures is not complied with, or the corrective measures alone are deemed insufficient to prevent damage to consumers or it is deemed impossible to compensate consumers for their damage, the Fair Trade Commission may order the full or partial suspension of the business for a fixed period of up to 1 year or impose penalty surcharges upon the relevant operator (Subparagraph 1 of Article 32(1), Article 32(4), and Article 34(1) of the Act on the Consumer Protection in Electronic Commerce, etc.).

Obligation to destroy personal information

Destruction of expired personal information
- An Internet shopping mall operator shall, if a consumer has not used the information and communication service for 1 year (if the period is otherwise determined by other laws or the user's request, such period shall apply), destroy the user's personal information immediately after the expiration of the period or store and manage the same separately from other consumers' personal information (Article 39-6(1) of the Personal Information Protection Act and the main body of Article 48-5(1) of the Enforcement Decree of the Personal Information Protection Act).
- An Internet shopping mall operator shall notify consumers of the following matters in writing or by e-mail, fax, telephone, text message, or an equivalent method 30 days before the expiration of the above period (Article 39-6(2) of the Personal Information Protection Act and Article 48-5(4) of the Enforcement Decree of the Personal Information Protection Act).

Sanctions for violations
- Any person who fails to destroy personal information or take necessary measures such as the destruction of personal information shall be subject to an administrative fine not exceeding KRW 30 million (Subparagraph 4 of Article 75(2) of the Personal Information Protection Act).