Does it violate the Personal Information Protection Act if I don’t directly receive personal information from a data controller?
Article posted in 2022-02-08 14:44:43 | VEAT
Article 59 of the “Act on the Protection of Personal Information” stipulates acts prohibited of those who process or processed personal information. According to Article 59(2), acts of divulging personal information obtained in the course of work or providing it to others without authorization are prohibited. If those who process or processed personal information violate these prohibitions, they violate the Act on the Protection of Personal Information.
Then, what about those who receive personal information from those who process or processed personal information?
Those who receive personal information are also liable for violation of the “Act on the Protection of Personal Information.” Article 71(5) of the “Act on the Protection of Personal Information” ‘those who divulge personal information obtained in the course of work in violation of Article 59(2) or provide it to others without authorization, and those who receive personal information knowing the circumstances for profit or unfair purposes’imprisonment of up to five years or a fine of up to 50 million won.
Interestingly, even if the person who received the personal information did not directly receive the personal information from those who processed or processed it, they may be held liable for violation of the “Act on the Protection of Personal Information.”
The Supreme Court has stated that regarding who is the person who provides personal information, there are no restrictions in the text of Article 71(5) of the “Act on the Protection of Personal Information”, and considering the legislative purpose of the “Act on the Protection of Personal Information”, which is to protect individual freedom and rights and to realize individual dignity and value, if the person knew that the personal information was provided by others without authorization, they are considered the person who received the personal information as stipulated in the aforementioned Article. (Supreme Court Decision 2018. 1. 24, 2015do16508)
In a specific case, there was an incident in which A, who processed personal information of association members in the course of work, leaked an Excel file containing a member list after leaving and storing it. B, who received the Excel file containing the association member list from A, thought that having the personal information was an opportunity to gain profit and attempted to contact C, who was a candidate for the then-chairperson.
B: “I received a list of association members from A via email, should I send it to you via email?”
C: “Tell the prosecutor your email address and have them send you the file.”
Even though those who received personal information did not directly receive it from those who processed or processed it, but knew that the personal information was provided by A without authorization and received the information for profit or unfair purposes, C was deemed to be the ‘person who received the personal information’ as stipulated in Article 71(5) of the Act on the Protection of Personal Information and could not deny legal responsibility.
When receiving personal information, it is essential to carefully check whether the information processor has obtained the consent of the data subject and whether the personal information is illegally leaked by those who processed or processed it, so as to avoid violating laws.
Law firm Veat provides services such as consulting on establishing personal information protection systems (ISMS, ISMS-P, etc.) to ensure that companies comply with personal information-related laws. Please feel free to contact Law firm Veat if you need legal review when providing or receiving personal information.
Thank you.
Law firm Veat