On September 22, 2016, Korean law firm Bae, Kim & Lee LLC released a Legal Update outlining amendments to Korea’s Personal Information Protection Act (“PIPA”) and the Act on the Promotion of IT Network Use and Information Protection (“IT Network Act”).
The amendments to PIPA include:
- notification requirements for third-party transfers; and
- an obligation to submit to regular inspection by MOI.
Effective September 30, 2016, “companies that either process sensitive information or unique identifying information of 50,000 data subjects or more, or process personal information of 1 million data subjects or more should be prepared to implement the obligation to notify data subjects if personal information has been obtained indirectly from third parties [and] comply with MOI’s request for document review in connection with MOI’s regular inspection on the company’s security measures.”
Amendments to the IT Network Act include clarification of statutory retention period applicable to unused data. This amendments addresses “the issue of how the IT service providers should handle personal data whose “statutory retention period” has expired, but which data the IT service provider has a legal obligation to retain pursuant to other laws.”