Hello, I am Attorney Lee Young-kyung from Cheongchul Law Firm. I would like to analyze the recent case in which the Personal Information Protection Commission (hereinafter referred to as 'PIPC') imposed a large fine on Woori Card Co., Ltd. This case provides important implications regarding the management of personal information by financial companies.

[Question] What is the recent case in which the PIPC sanctioned the use of personal information for purposes other than its intended purpose?

[Answer]

Overview of the Case

1. The PIPC held its 7th plenary meeting on March 26, 2025, and decided to impose a fine of 13.45 billion won on Woori Card Co., Ltd. for violating the Personal Information Protection Act (hereinafter referred to as 'the Act'), along with corrective orders and publication orders. The investigation was initiated in April 2024 based on Woori Card Co., Ltd.'s report and media reports that stated, "The personal information of the representative of the merchant from Woori Card Co., Ltd. is being used for card recruitment." The investigation confirmed that Woori Card Co., Ltd. utilized the personal information of the merchant representative for new card marketing without consent, and that sales center employees transmitted this information to card recruiters.

The specific violations are as follows:

1. Woori Card's Incheon Sales Center accessed personal information such as the names, resident registration numbers, mobile phone numbers, and addresses of at least 131,862 merchants by inputting the business registration numbers of card merchants into the merchant management program between July 2022 and April 2024 to increase sales performance through new card marketing.

2. In the card issuance review program, the resident registration numbers of the merchant representatives were entered to check whether the respective merchant had a credit card issued by Woori Card Co., Ltd. (hereinafter referred to as 'Woori Credit Card'), and this was recorded and photographed on the printed merchant documents and shared in a KakaoTalk group chat participated by card recruiters.

3. In particular, from September 2023, a database (hereinafter referred to as 'DB') processing the personal information of the merchant representatives and card members was created by invoking an information inquiry command to check the personal information of the merchant representatives and whether they held a Woori Credit Card. Between January 8 and April 2, 2024, the personal information of 75,676 merchant representatives was emailed to card recruiters more than twice a day for a total of 100 times. In this manner, information on at least 207,538 merchant representatives was accessed and conveyed to card recruiters, of which 74,692 had not consented to the use of their information for marketing purposes.

Determination of the Personal Information Protection Commission - The PIPC has determined that Woori Card Co., Ltd.'s actions constitute a violation of the Act:

1. Violation of regulations on restrictions on the use and provision of personal information for unintended purposes: The Act stipulates that personal information should not be used beyond the scope of collection and use. Woori Card Co., Ltd.'s use of personal information collected for purposes such as merchant management for marketing purposes, such as issuing Woori Credit Cards, is a violation of the prohibition against utilizing and providing personal information for unintended purposes (Article 18, Section 1 of the Act).

2. Violation of regulations on the processing of resident registration numbers: In the process, processing resident registration numbers without legal basis is a violation of the regulations restricting the processing of resident registration numbers (Article 24-2, Section 1 of the Act).

3. Violation of the obligation of safety measures: Woori Card Co., Ltd. has effectively delegated the DB access rights, file download rights, and viewing rights of personal information containing resident registration numbers to the sales centers of individual departments, neglecting internal controls such as monitoring the status of access rights and inspecting connection records. Specifically, Woori Card granted access rights to view data on merchant representatives unrelated to the work of sales center employees, allowing the occurrence of over 30 million instances of mass personal information inquiries and downloads per month in the sales center, while failing to inspect or take action on this, effectively neglecting the viewing and utilization of merchant representatives' or credit card members' information (Article 29 of the Act).

In response to these violations, the PIPC took the following actions:

1. Imposition of fines: A fine of 13.45 billion won was imposed.

2. Corrective order: Orders were given to strengthen internal controls to prevent misuse of personal information, minimize access rights, and comply with the obligation of safety measures, as well as to strengthen management and supervision of personal information handlers.

3. Publication order: The PIPC ordered the disclosure of the fact of the sanction on its website, which is a newly established provision under the amendment of the Personal Information Protection Act (September 15, 2023) requiring businesses to publicly disclose the fact of being sanctioned, such as fines and penalties.

Implications

The decision by the PIPC provides the following important implications:

1. The importance of adhering to the purpose of collecting and using personal information: The PIPC emphasized that "the processing of personal information beyond the initial purpose of collection and use is illegal." This reaffirms the principle that companies cannot utilize information for purposes other than those explicitly stated at the time of collection.

2. The necessity of an internal control system: The PIPC advised that "the access rights of personal information handlers, such as employees, should be regularly checked and connection records should be reviewed to ensure that there is no unnecessary inquiry or use of personal information," highlighting the need for a robust internal control system. This implies that practical management and supervision must be implemented, going beyond merely establishing personal information protection policies.

3. Confirmation of the application of the Act to financial companies: The PIPC stated that "following the investigation and sanction against a non-life insurance company last December, this sanction against a credit card company indicates that the Act applies to financial companies as well, and it is necessary to once again check compliance with the Act." This clearly indicates that financial companies must strictly adhere to relevant laws.

4. The significance of the level of fines: The fine of 13.45 billion won demonstrates that sanctions for violations of personal information protection are becoming very stringent. This indicates that companies need to adopt a more cautious approach to personal information protection.

5. The introduction of publication orders: The publication order introduced under the amendment of the Personal Information Protection Act in September 2023 can directly impact a company's reputation in addition to legal sanctions, and may encourage voluntary compliance with laws among companies.

Corporate Response Directions

Companies need to take the following measures based on this case:

1. Clear establishment and compliance of purposes for handling personal information: The purpose of use should be clearly defined from the stage of collecting personal information, and use beyond that purpose must be strictly limited.

2. Strengthening of internal control systems: Companies must enhance their internal control systems, including management of access rights to personal information, retention and inspection of connection records, and regular audits.

3. Enhancing training for personal information handlers: Regular training on relevant laws and internal regulations should be conducted for employees who handle personal information.

4. Continuous monitoring for compliance with personal information protection-related laws: Companies should continuously monitor amendments to relevant legal provisions such as the Act and regularly check their adherence to those laws.

Cheongchul Law Firm provides comprehensive consulting related to the Personal Information Protection Act based on expertise and experience accumulated through working with major domestic law firms such as Kim & Chang, Pacific, and Sejong. By collaborating with Cheongchul, we will become a reliable partner that accurately understands the essence of the case and effectively conveys the client's position.