Republic of Korea: Adopted Personal Information Protection Commission Guidelines on Evaluation of Privacy Policies

On 19 February 2024, the Personal Information Protection Commission (PIPC) adopted the guidelines on Evaluation of Privacy Policies. The PIPC aims to evaluate the policies adopted and disclosed by personal information processors to ensure they are compliant with the Personal Information Protection Act and the amended Enforcement Decree. The guidelines outline the criteria and policies for selecting and evaluating targets regarding their personal information processing. The targets of evaluation include entities that have an annual turnover of more than KRW 150 billion and process the sensitive personal data of more than 50'000 data subjects per day. The other criteria include processing data with or without data subject consent, using automated processing systems (including Artificial Intelligence), whether more than two data breaches occurred in the last three years, and processing the data of minors and adolescents. Finally, the guidelines include information on evaluation procedures, formation of evaluation committees, reviewing documents, and filing appeals. The guidelines will enter into force on 20 February 2024.