On 6 October 2023, the public consultation closed on the Personal Information Protection Commission (PIPC) Draft Guidance on Privacy Policy Evaluation. The guidance outlines the criteria and policies for selecting and evaluating targets regarding their personal information processing. The policies are based on the Personal Information Protection Act and the amended Enforcement Decree. The criteria for selecting and prioritising targets (entities) of evaluation are found in article 4. The targets of evaluation include entities that process the data of more than 1 million individuals and have an annual turnover of more than KRW 150 billion or process the sensitive personal data of more than 50'000 data subjects. The other criteria include processing data with or without data subject consent, using automated processing systems (including Artificial Intelligence), whether more than 2 data breaches occurred in the last 3 years and processing the data of minors and adolescents. In articles 3, 5, and 7, the evaluation procedure is outlined, which includes establishing and disclosing plans for evaluating targets, the formation of evaluating committees, reviewing documents, and filing appeals. The guidance will enter into force on the date of its promulgation.
Original source