Distinction and Difference between Personal Information Entrustment and Third-Party Provision

This article is a contribution by Attorney Jaesik Moon of Choi & Lee Law Firm. If you would like to share quality content for startups in the form of a contribution, please contact the Venture Square editor team at editor@venturesquare.net.

Unless you are a one-person company, there is one law that no company can avoid: the Personal Information Protection Act. It applies not only to B2C companies that target general consumers but also to B2B companies, because any company with employees inevitably has to obtain its employees' personal information. The Personal Information Protection Act is therefore a law that anyone running a business should never overlook.

The Personal Information Protection Act regulates all matters related to the collection, storage, use, provision or entrustment to third parties, destruction, and processing and protection of personal information. This section deals with the distinction and difference between 'provision of personal information to third parties' and 'entrustment of personal information processing', which can be problematic when transferring personal information to other companies or individuals. They are similar in that the collected personal information is not used within our company but is transferred to another company or person, but the legal requirements and the corresponding regulations are significantly different depending on which one applies, and in actual practice, it is not easy to distinguish between them.

1. Distinction between ‘provision of personal information to third parties’ and ‘entrustment of personal information processing tasks’

The standard for distinguishing between ‘provision of personal information to a third party’ and ‘entrustment of personal information processing’ is for whose benefit the personal information is processed. In the former case, personal information is processed for the benefit of the third party receiving the transfer, and in the latter case, it is processed for the benefit of the entrustor transferring the personal information. Our Supreme Court clearly explains the former as “when personal information is transferred for the purpose of processing and benefiting the recipient of the information beyond the scope of the original purpose of collecting and using personal information,” and the latter as “when personal information is transferred for the purpose of processing and benefiting the entrustor related to the original purpose of collecting and using personal information” (Supreme Court Decision 2016do13263, April 7, 2017).

Although the distinction may seem easy in words, it is not easy to apply in actual practice. For example, what if a shopping mall company contracts with a separate call center company to handle customer after-sales service (A/S) and transfers its customers' personal information? In this case the call center company handles the shopping mall company's customer response work, and the personal information is transferred for the shopping mall company's benefit, so it is not a third-party provision but an entrustment of processing. If, however, the call center company receives the customers' personal information from the shopping mall company to promote and market its own company, this is for the call center company's own work and benefit, so it is a third-party provision.

The Supreme Court and the guidelines published by the Personal Information Protection Commission explain that third-party provision and entrustment should be distinguished by comprehensively considering the purpose and method of acquiring personal information, whether compensation was received, whether there is actual management and supervision of the trustee, the impact on the need to protect personal information of the data subject or user, and who actually needs to use the personal information.

2. Comparison of ‘provision of personal information to third parties’ and ‘entrustment of personal information processing tasks’

So, if we've managed to distinguish between these two, let's look at what to keep in mind in each case.

First, consider the requirements for a lawful transfer of personal information. In the case of 'provision of personal information to a third party', the requirements of Articles 17 and 18 of the Personal Information Protection Act must be met. It is legal only when the data subject has consented, when it is based on a special provision of law, or when it is urgently necessary for public safety. In the case of 'entrustment of personal information processing work', however, the details of the entrusted work and the trustee must be disclosed in an easily verifiable manner, such as posting them on the website, in a newspaper, or in an easily visible place such as the business premises (Article 26, Paragraph 2 of the Personal Information Protection Act). When promotional or sales solicitation work is entrusted, the data subject must be notified individually.

Next, since the responsible party for the transferred personal information is different, it is important to confirm whether you are the party responsible for the management and supervision of the personal information. In the case of 'entrustment of personal information processing', as explained above, the personal information is entrusted to the trustee for the purpose of the entrustor's own work and interests, so the responsibility for it lies with the entrustor. In the case of 'provision of personal information to a third party', however, the consent of the data subject or separate requirements must be met, and since the transfer is made regardless of the work or interests of the provider, the responsibility for the management and supervision of the transferred personal information lies with the third party that received the information. Accordingly, if the data subject suffers damages due to a leak of the personal information or the like, in the case of 'provision of personal information to a third party' the outcome will vary depending on the responsibility and scope of the provider and the recipient, but in the case of 'entrustment of personal information processing' the entrustor is responsible in principle, and if the trustee is at fault, the entrustor can seek indemnification from the trustee.

Lastly, in the case of 'entrustment of personal information processing work', the entrustment must be made in the form of a document containing the contents of the entrustment. In other words, a contract must be drawn up between the entrustor and the trustee. The contract must include all of the following in accordance with Article 26, Paragraph 1 of the Personal Information Protection Act and Article 8, Paragraph 1 of the Enforcement Decree of the same Act: 1) Prohibition of processing personal information other than for the purpose of performing the entrusted work, 2) Matters concerning technical and administrative protection measures, 3) Purpose and scope of the entrusted work, 4) Matters concerning restrictions on re-entrustment, 5) Matters concerning measures to ensure safety such as access restrictions, 6) Matters concerning supervision such as inspection of the status of management of personal information held, and 7) Matters concerning liability such as compensation for damages in case of breach of obligations by the trustee. In the case of 'provision of personal information to a third party', of course, a contract can be concluded between the provider and the recipient for the purpose of a business partnership, but as seen above, the consent of the information subject of the relevant personal information or separate requirements must be met, and since the Personal Information Protection Act regulates the recipient, a separate contract such as the above is not necessarily required.

Due to the recent SK Telecom personal information leak, not only those who run companies but also individual consumers seem to have become more interested in personal information. We therefore need to pay more attention to compliance work related to personal information protection and management.

In July of this year, the Personal Information Protection Commission prepared an “Integrated Guide to Personal Information Processing” that reflects the contents of the Personal Information Protection Act, which was completely revised in 2023, and includes the contents of various previously published guides. The contents of the guide were also referenced in this article (Personal Information Protection Commission, “Integrated Guide to Personal Information Processing”, 2025.7., which can be downloaded from the Personal Information Protection Commission website). Referring to this guide will be of great help in your personal information processing work.

