Hello, I am Attorney Shin Jun-seon from Cheongchul Law Firm.
The Personal Information Protection Commission (hereinafter referred to as 'PIPC') has recently published the revised version of the "Personal Information Processing Policy Guidelines" (April 21, 2025). This revision reflects the amendments to the Personal Information Protection Act (to be implemented in September 2024) and the preliminary opinions from the 2024 Policy Evaluation Committee. In its press release, the PIPC stated that the revision strengthens the rights of data subjects while also alleviating the burden on companies.
Looking at the content of the revision, the requirements for the form of the Personal Information Processing Policy have been somewhat relaxed, but because the measures to strengthen the rights of data subjects have increased, the preparation and management burden on the persons in charge at companies may actually have increased. Therefore, let's look at the main points of the revision.
Reflection of the Reform of the Personal Information Consent System
First, as a result of the reform of the personal information consent system, items that can be processed without consent and those that require consent have been clearly distinguished. For example, 'Member service operation', 'Sales product A/S consultation', etc., can be processed without separate consent because they are necessary for the execution of the contract, whereas sensitive information (such as health information), unique identification information (such as resident registration numbers), and provision of personal information to third parties require separate consent regardless of the execution of the contract. Accordingly, personal information processors must clearly reflect this distinction in the processing policy.
Expansion of Flexibility in Writing Personal Information Items and Retention Periods
Flexibility has also been introduced in the writing style of personal information items and retention/use periods. Previously, all items had to be listed individually, but now, in special circumstances, type-based entries are allowed. For example, under the type "Personal Information for Document Screening", letters of self-introduction, scores from certified English tests, and university grades can be bundled together. Regarding retention/use periods, it is generally required to specify the period concretely rather than abstractly, but in cases where the retention/use period cannot be specified, the criteria used to determine it can be noted.
Strengthening Contact Information for the Grievance Handling Department
The obligation to provide contact information for the grievance handling department has also been strengthened. Previously, only the contact information of the department in charge of the Chief Personal Information Protection Officer (CPO) had to be provided, but in the future, providing the contact information of related departments that actually handle grievances, such as customer centers, will also be allowed, in order to facilitate the exercise of rights by data subjects.
Improvement of Disclosure Methods According to Mobile App Environments
Improvements to disclosure methods in response to changes in mobile app environments must also be examined carefully. Previously, the processing policy had to be disclosed in a fixed position at the bottom of the first screen of the app, but after the revision, it may be disclosed in various locations that data subjects can easily access, including membership registration, login screens, service menus, and settings screens.
Enhanced Guidance on Procedures for Exercising Rights of Data Subjects
The guidance on procedures for exercising the rights of data subjects has also been specified in more detail. Regarding requests for personal information transmission, the policy must specify not only the method of request but also the specific methods for checking the transmission status and the content of the transmitted personal information. In cases of automated decisions, the criteria and procedures for decisions, methods of personal information processing, and how to appeal must be detailed, and when collecting and using data for AI training, it is recommended to clarify the data collection sources, collection methods, and safety measures.
Strengthening Guidance on Collection of Behavioral Information and Refusal
The section on guidance for collecting behavioral information and refusal has also been strengthened. Specific instructions on methods to block cookies and personalized advertisements must be clearly presented, such as the procedure "Web browser settings > Cookie management > Block third-party cookies" or, in mobile apps, directions like "Settings > Personal Information > Refuse personalized ads". In particular, for Chrome browsers, the guidance was updated to utilize 'Incognito mode' instead of the previous 'Delete internet history' method.
This revision emphasizes that the personal information processing policy should not be a mere formal disclosure but should function as a practical means for data subjects to exercise their personal information protection rights. To this end, the PIPC has suggested guidelines to enhance the specificity, transparency, and accessibility of processing policies across all areas, including consent systems, grievance handling, disclosure methods, and procedures for exercising rights.
Personal information processors should reflect the main contents of the revised personal information processing policy guidelines by:
Ensuring consistency between the personal information collection and use consent form and the processing policy, clearly distinguishing between mandatory and optional consent items.
Categorizing similar items where there are many or complex personal information items, which is now permissible.
Providing contact information not only for the Chief Personal Information Protection Officer but also for the departments (customer centers, CS teams, etc.) that actually handle inquiries and complaints from data subjects.
Considering user experience (UX) and ensuring that the processing policy can be found in a natural flow within the app, while avoiding overly deep menu structures.
In addition to the key points related to the drafting of personal information processing policies mentioned above, the revised guidelines also provide examples for small businesses along with methods of disclosure and display. Companies, corporations, and institutions that process personal information should therefore thoroughly understand the content and purpose of these revised guidelines and actively review updating and enhancing their own personal information processing policies.
As awareness of personal information protection has become more important than ever, the personal information processing policy is not merely a formal document required by law but a measure of transparency that shows the philosophy and efforts of companies regarding personal information protection and a core element for building trust with data subjects. Therefore, personal information processors such as companies should fully understand the purpose of these revised guidelines and take proactive measures to secure trust from data subjects and minimize personal information protection risks.
Attorney Shin Jun-seon from Cheongchul Law Firm has been providing tailored personal information processing policy establishment, diagnosis, and improvement consulting services reflecting the requirements set forth in the Personal Information Protection Act and the PIPC's guidelines. If you are facing difficulties related to personal information management or need legal advice on whether your current processing policy complies with the drafting guidelines, please feel free to contact us at any time.