The Personal Information Protection Commission announced on Dec. 12 that it has investigated 12 insurance companies, including Hyundai Marine & Fire Insurance and AXA Insurance, and found that four of them illegally collected personal information from customers without proper consent for marketing purposes, imposing a total penalty surcharge of 9.277 billion won.
The commission launched the investigation in August of last year following concerns that automobile insurers were demanding unnecessary or excessive personal information from customers, infringing on the rights of the data subjects.
The investigation revealed that Hyundai Marine & Fire Insurance, AXA Insurance, Hana Insurance, and MG Insurance collected personal information from customers who had not consented to product introduction via a pop-up window prompting consent and used it for marketing purposes. During this process, legal notifications were omitted, or the consent history was designed in such a way that customers could not clearly acknowledge it.
These insurance companies used the personal information collected not only for automobile insurance but also for marketing other insurance products like driver insurance and health insurance, confirming that approximately 30 million marketing activities related to automobile insurance alone had taken place.
The commission stated that 'valid consent requires that the data subject is fully aware that their personal information is being processed and can freely decide whether to consent,' adding that it has ordered the four insurance companies to improve their internal control procedures and consent processes in addition to imposing a penalty surcharge.
Moreover, it was revealed that all 12 insurance companies under investigation had retained the personal information of customers whose contracts had not been finalized for one year after calculating insurance premiums, violating the obligation to promptly destroy personal information for which the processing purpose has been achieved under the Personal Information Protection Act. The commission has ordered the 12 companies to improve their retention periods and imposed an additional fine of 5.4 million won on Lotte Insurance for failing to destroy the personal information of 320,000 customers after one year.
A representative of the Personal Information Protection Commission remarked, 'This action clearly indicates that financial institutions must strictly adhere to the Personal Information Protection Act,' and stated that it will thoroughly investigate and respond severely to cases that infringe on the rights of data subjects in the future.