What is a DPO, and which organizations have to appoint one?
A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on processing personal data such as its purposes, interconnections, types, categories of data subjects, length of retention and department(s) in charge of implementing processing. DPOs may be required by law or recommended.
Per the Personal Information Protection Act (Art. 31), employers (i.e. personal information controllers) in South Korea are required to designate a privacy officer who is responsible for:
- establishing and implementing a personal information protection plan;
- conducting regular surveys of the status/practices related to processing personal data and working to improve shortcomings;
- addressing grievances and remedial compensation related to personal data processing;
- building internal controls to protect data from being divulged, misused and abused;
- preparing and implementing training programs relating to personal information protection;
- protecting, controlling and managing files;
- maintaining related materials; and
- destroying expired personal data.
In the private sector, employers (and other personal information controllers) must designate a privacy officer who meets any of the following conditions:
- is a business owner or representative;
- is an executive officer (or, if no executive officer exists, is a department head in charge of responsibilities related to personal information processing).