The guidelines for drafting privacy policies have been revised to reduce the burden on processors and expand the rights of data subjects.
The Personal Information Protection Commission released the recently revised Privacy Policy Drafting Guidelines on the 24th.
Under the revised guidelines, when drafting a privacy policy, if the number of recipients of personal information or trustees is large or changes frequently, it is permitted to list them by type, such as "delivery worker" or "taxi driver." However, even in such cases, a specific method of verification must also be provided so that data subjects can identify the actual recipients or trustees.
Matters that significantly affect the rights of data subjects must be announced before the revision or immediately upon revision. In contrast, for matters with a low likelihood of infringing rights, such as lists of trustees or sub-trustees performing the same outsourced tasks, changes may be compiled and guided over a set period.
Standards related to "on-device processing (processing on the device)" have also been made more specific. If any personal information is stored on a server, a processing policy must be drafted even if on-device functions are partially included. Conversely, if personal information is not transmitted to an external server and is processed on the device, users must be informed of that fact and the deletion standards.
This revision includes a separate appendix for generative artificial intelligence (AI) services. The appendix recommends clearly stating the intended use cases, including the context and audience for AI use. It also requires listing as processing items any information entered by users—such as text, voice, or attachments—and outputs generated during service use if they are collected or stored, and it instructs that cautions on entering sensitive information or unique identification information be provided together.
The Personal Information Protection Commission plans to hold a briefing session on the 28th at the Korea Science and Technology Center in Gangnam-gu, Seoul, to help corporations and practitioners understand the revised guidelines.
Yang Cheong-sam, Secretary-General of the Personal Information Protection Commission, said, "With this revision of the drafting guidelines, we expect to provide clearer standards for the field and make it easier for the public to check how their personal information is processed."