The government announced on March 30 that the amendments to the three major data privacy laws passed by the National Assembly on January 9 are scheduled to take effect on August 5 this year. As such, the FSC has prepared the amendments to the enforcement decree of the Credit Information Use and Protection Act to be put up for public notice until May 11.
KEY AMENDMENTS
I. DATA CONVERGENCE
Data convergence by financial institutions shall be carried out through a designated institution specifically tasked with data convergence by the FSC. Data specializing institutions shall provide pseudonymised or anonymised data to financial institutions.
Data specializing institutions shall maintain appropriate human resources and set up a risk management system for the secure processing of data convergence by maintaining separate servers for converged data.
II. TRANSFER OF PERSONAL DATA
Personal credit data including personal financial transaction information, individual income tax and local tax records, insurance payment records and other financial information that are stored in financial institutions, commercial businesses and public institutions can be transferred to data subjects, financial institutions, personal credit bureaus and MyData businesses upon request from data subjects.
III. MYDATA BUSINESS IN FINANCIAL SECTOR
MyData businesses shall abide by the system and facility requirements to ensure the safety and security of data processing. Upon approval and registration, MyData businesses shall be allowed to operate electronic financial business, loan brokerage business and financial advising business using robo-advisors.
MyData businesses shall be prohibited from collecting personal credit information outside the boundaries of data subjects’ right to information privacy.
IV. REGULATIONS ON CREDIT BUREAUS
Credit bureaus shall (i) maintain appropriate system and facility requirements to ensure the safety and security of data processing, (ii) maintain an adequate number of data specialists commensurate with capital requirements set by license units and (iii) be permitted to operate a diverse range of data-related services upon receiving approval according to other relevant laws.
Credit bureaus shall be prohibited from engaging in unfair practices, such as giving preferential credit ratings to their own companies or subsidiaries and offering a higher credit rating as part of a sales pitch.
V. REGULAR INSPECTION FOR DATA PROTECTION
Financial institutions and credit bureaus shall be required to report at least once a year to the FSS their compliance status with the Credit Information Use and Protection Act. The financial regulators will then conduct on-site inspections based on the result of self-reported data.
VI. PERSONAL DATA CONSENT FORM
The FSC may decide on different levels of personal data consent based on the risks, benefits, legibility, etc. Financial institutions shall be obligated to provide information about the purpose of collecting, using and distributing personal data, the types of personal data collected and distributed as well as the retention periods along with the FSC’s consent levels in order to guarantee informed consent from data subjects.
* Please refer to the attached PDF for details.