"The necessity of personal information protection measures as seen in administrative sanctions cases arising from violations of the 「Personal Information Protection Act」"
Article posted in 2025-02-06 18:11:50 | VEAT
Recently, administrative penalties due to violations of the “Personal Information Protection Act” are increasing. Law firm Veat is informing you about the necessity of personal information protection measures, focusing on cases that have received fines and penalties due to violations of the “Personal Information Protection Act.” Most of the sanctions were due to a lack of protection measures for personal information and occurred in cases where personal information was leaked, with a lack of firewall installation, security patch application, and personal information encryption, as well as the absence of security measures, being pointed out as major causes. These violations can lead to corrective orders, fines, and public disclosure. Companies and institutions need to strictly comply with the Personal Information Protection Act to prevent such cases and minimize potential risks.
Administrative Penalty Cases Due to Violations of the Personal Information Protection Act
1. Fine for C Company, an E-Commerce and Delivery Platform159,945,000 KRW, Penalty 10,800,000 KRW
C Company, an e-commerce and delivery platform, regarding the transmission of delivery personnel's real names and phone numbers to restaurants, was imposed a fine of 278.65 million KRW for personal information leakage and violation of safety obligation, and a penalty of 10.8 million KRW for delaying the notification within 24 hours after recognizing the personal information leakage. Additionally, a fine of 13.1 billion KRW was imposed for the leakage of personal information of orderer and recipient to another seller within the seller system.
2. W Company, Providing Financial & Real Estate Related ServicesFine 51.10 million KRW, Penalty 2.70 million KRW
W Company, which provides online video services related to financial and real estate, was imposed a fine of 51.10 million KRW and a penalty of 2.70 million KRW due to hacking and leakage of personal information, due to lack of firewall installation, lack of IP address restrictions, lack of password protection measures when accessing the database, and lack of authentication procedures for the database administrator account.
3. B Company, a Used Car Trading and Brokerage Platform Fine 51.10 million KRW, Penalty 2.70 million KRW
B Company, a used car trading and brokerage platform, was imposed a fine of 959 million KRW and a penalty of 810 million KRW for the leakage of personal information of 4,004 members due to SQL injection attack caused by lack of firewall installation, failure to comply with the obligation to delete personal information, lack of personal information encryption, and delay in notification of leakage.
4. UniversityFine 42.80 million KRW
S University was imposed a fine of 19.30 million KRW and a penalty of 6.60 million KRW due to hacking and leakage of personal information of approximately 500 people due to lack of security patch application and lack of firewall and intrusion prevention system, and failure to encrypt resident registration numbers. K University was imposed a fine of 42.80 million KRW due to the leakage of personal information of approximately 2,000 students due to insufficient security patches.
Through the administrative penalty cases of companies, it is once again confirmed that platform companies need to pre-determine the scope of personal information processing measures, the necessary information disclosure, and the scope of access rights for personal information processors or entrustment companies, and build personal information processing systems.
Also, it is confirmed that even educational institutions such as schools cannot escape the obligation of personal information protection, and that even startups or small businesses cannot escape the threat of large fines.
For companies and institutions, entities processing personal information for business purposes (“personal information processors”) require comprehensive technical and administrative measures as stipulated by the Personal Information Protection Act, and failure to comply with these measures can lead to significant legal risks, such as fines, penalties, and reputational damage. "Personal information processors" should systematically review legal compliance requirements with the help of legal experts, strengthen internal policies and systems to create a safe data management environment to prevent personal information leakage and risks of fines.
Law firm Veat’s Personal Information Protection Team, composed of personal information protection advisors from the Personal Information Protection Committee, provides personal information protection advisory services to ensure that personal information processors comply with personal information-related laws, as well as consulting services for establishing and establishing personal information protection systems, to support clients in minimizing the risk of personal information leakage. Furthermore, it provides comprehensive advice on issues related to personal information laws, from drafting essential forms such as personal information consent forms, personal information processing policies, and internal management plans, to responding to on-site inspections by the supervising authority, to managing crisis and investigation in the event of infringement and leakage, and to submitting opinions on administrative penalties.
If you have any legal inquiries regarding personal information protection, please feel free to contact Law firm Veat.
This content can also be found on Law firm Veat's blog below.
Thank you.
Law firm Veat