Personal Information Protection Commission Announces Legislative Notice of Revised Enforcement Decree
Clarification of Requirements and Management Responsibilities for Designating a Local Representative
Starting in October, foreign businesses operating in South Korea will be required to appoint a local representative to ensure personal data protection. A revised enforcement decree detailing the specific requirements for this obligation has been pre-announced for legislation.
The Personal Information Protection Commission announced on May 30 that it will pre-announce the revised enforcement decree of the Personal Information Protection Act until July 9.
The amended Personal Information Protection Act, which will take effect on October 2, requires foreign businesses that meet certain conditions to designate a local representative. If a foreign business has established a corporation in Korea, or if there is a domestic corporation over which the foreign business exercises dominant influence, that corporation must be designated as the local representative. In addition, foreign businesses will have management and supervisory obligations over their designated local representatives.
The local representative system is designed to require large-scale foreign businesses providing services in Korea to designate a local representative in order to protect the personal data of domestic customers and handle their complaints.
The revised enforcement decree specifies the requirements for a "domestic corporation exercising dominant influence over executive composition or business operations," which is one of the criteria for designating a local representative. Specifically, a corporation is considered to have dominant influence if it appoints or dismisses the CEO or more than half of the executives, or if it invests 30% or more of the total issued shares or capital contribution of the corporation.
The delegated matters, including the management and supervisory obligations of foreign businesses over their local representatives, have also been clarified. Foreign businesses must manage and supervise their local representatives by establishing and verifying the implementation of work plans, confirming improvements based on inspection results, and providing training at least once a year.
Meanwhile, the revised decree also expands the scope of public institutions under the Personal Information Protection Act to include local government-funded and -invested institutions. As a result, these institutions will also be able to process personal data in the course of their business operations.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
