Amendment to the use and protection of credit information

1. Heightened obligation to protect CI The amended Act provides stricter control on the outsourcing of CI processing. If credit bureau companies, public credit registries or CI providers/users (e.g., financial institutions) outsource CI processing to a third-party service provider, the company which outsources the CI processing must include in its outsourcing agreement, provisions addressing secure management of the CI, training of the staff of the third-party service provider handling CI and processing of the CI to prevent personal CI from being compromised. The act also severely limits the third-party service provider from subcontracting the CI processing again (Article 17, Paragraphs 4 to 7) and requires that the CI providers/users that are larger than the threshold size designate a director-level officer to the position of the CI manager/custodian. The obligations of a CI manager/custodian are detailed in the Act (Article 20, Paragraphs 3 (proviso), 4 and 5).

Furthermore, the Act limits the period that the CI providers/users can retain personal CI to five years after the conclusion of the applicable commercial transaction. Personal CI of individuals whose commercial transactions have been completed must be segregated from personal CI of individuals whose transactions are ongoing, and the CI providers/users who need (or desire) to use the personal CI of individuals whose commercial transactions have been completed must notify the subject individuals (Article 20-2). Also, in the case of a business transfer, spin-off or merger and acquisition, if the CI providers/users transfer the personal CI in its database to another party, the receiving party is required to segregate and separately manage the personal CI so transferred from the personal CI of individuals who are currently engaged in transactions with the receiving party (Article 32, Paragraph 9).

2. Increase of the owner’s control over his or her personal CI: The Act provides that a separate individual consent of the owner of the CI is required in order for a CI provider/user to disclose the owner’s personal CI to a third party or a person to obtain the CI from a credit bureau company or public credit registry. Also, when initially obtaining consent for collecting personal information, the consent-seeking company must first inform each individual whether the information for which consent is sought is mandatory or optional. Companies seeking consent may not refuse to provide services to the owner of the CI based on the owner’s non-consent to the optional items of personal CI (Article 32). The owner of the CI may request deletion of the personal CI after a certain period if the commercial relationship between the owner of CI and the company receiving CI has been terminated, and upon such request, the CI providers/users must delete the personal CI without delay and notify the the owner of the CI of results (Article 38-3).

3. Stronger ex-post protective measures Any credit bureau company, public credit registry or CI provider/user (collectively, the CI Companies) who disclose or use an individual’s personal and confidential information acquired during the course of business for any purpose other than the business purposes, or provide to a third party or use the personal and confidential information with the knowledge that such information was illegally disseminated may be subject to an administrative penalty of up to 3 percent of the company’s revenue generated from the relevant business. Any CI Company which allows personal and confidential information to be lost, stolen, leaked, fabricated or damaged due to their failure to establish a security plan for their CI data processing system may be subject to an administrative penalty of up to KRW5 billion (roughly US$5 million) (Article 42-2). Moreover, a person who suffers actual damages due to his/her personal CI being stolen, lost, leaked, fabricated, or damaged due to the CI Company’s willful conduct or gross negligence may seek a maximum of treble damages from the CI Company (Articles 43, Paragraphs 2 and 3). The CI Company may be required to pay damages of up to KRW3,000,000 (approximately US$3,000) to those whose personal CI has been leaked, etc. due to the CI Company’s willful misconduct or negligence (Article 43-2).

These amendments have strengthened the ex-post protective measures following the leakage of CI and increased the level of punishment and amount of penalty for breach of the obligations related to the information protection (Articles 50 and 52), and thereby reinforced the level of sanctions on the CI leakage.