
Hello. I am Attorney Shin Jun-seon from Cheongchul Law Firm.
Recently, the Personal Information Protection Commission (hereinafter referred to as 'PIPC') has published the results of the '2024 Personal Information Processing Policy Evaluation.' This result clearly shows the points that need to be emphasized in writing personal information processing policies and the main issues that have been pointed out.
Establishing and disclosing personal information processing policies goes beyond a simple legal obligation (Article 30 of the Personal Information Protection Act, Article 75 of the Fine Regulation) and is a key means to transparently inform data subjects about the status of personal information processing and to ensure their control over personal data. However, many companies were still found to write these policies in a merely formal manner, inconsistently with their actual services, or without regard to accessibility, which limits the protection of data subjects' rights.
This article summarizes the key points to pay attention to when writing personal information processing policies based on the results of the 2024 evaluation.
[Question] How should personal information processing policies be written? (Focusing on PIPC's 2024 evaluation cases)
[Answer]
1. What is the evaluation system for personal information processing policies?
The evaluation system for personal information processing policies was introduced under the revised Personal Information Protection Act in 2023. It evaluates the personal information processing policies (hereinafter referred to as 'processing policies') established and disclosed by personal information processors to improve the level of personal information protection and strengthen corporate responsibility (Article 30-2 of the Personal Information Protection Act). PIPC has established the [Notification on Evaluation of Personal Information Processing Policies], which stipulates that rewards can be given to outstanding evaluators as specified in Article 8.
The first evaluation of PIPC in 2024 assessed a total of 49 companies across seven sectors—big tech, online shopping, platforms, hospitals, OTT, entertainment, and AI recruitment—based on three criteria: appropriateness (whether legal requirements are included), readability (whether it is written in an understandable way), and accessibility (whether it can be easily found by users).
The significance of this evaluation is that it goes beyond checking mere formal compliance with personal information processing policies; it comprehensively evaluates the consistency with actual personal information processing operations, specificity, and the readability and accessibility from the perspective of data subjects.
In particular, writing personal information processing policies according to the guidelines of the Personal Information Protection Commission is fundamental, and it is required to faithfully reflect the issues pointed out in the 2024 evaluation (discrepancy with services, ambiguous retention periods, lack of accessibility, etc.). In addition, the Personal Information Protection Commission is expected to establish and announce, by May 2025, the 2025 personal information processing policy evaluation plan reflecting the latest issues such as artificial intelligence (AI) and smart home (Home IoT), so companies need to proactively review their policies in preparation for this.
2. Main points of criticism in the 2024 evaluation
(1) Examples of lack of appropriateness
Inconsistency with actual services: 72% of companies stated purposes, items, and retention periods in ways that differed from actual operations.
Ambiguous expressions of retention and usage periods: Stating the period as 'for the necessary period' made it difficult to know the specific end date.
Failure to indicate legal basis: Failed to clearly state the items of personal information retained and the relevant laws.
Formal operation of domestic agent system: Some foreign companies merely designated domestic agents without handling actual complaints.
(2) Examples of insufficient accessibility
Difficulty in finding processing policies: On average, it required scrolling 12 times; some shopping sites needed over 50 scrolls. This indicates that the link or banner for accessing the personal information processing policy was located in a place that was difficult to find on the homepage of the respective company.
Lack of app accessibility: Required logging in to access or had to go through multiple steps to check.
(3) Examples of insufficient readability
Use of translated sentences and complex terminology: In particular, global companies received low scores for both readability and appropriateness. This is presumed to result from certain companies simplifying their personal information processing policies through translation or AI tools.
3. Checklist for writing personal information processing policies based on the 2024 evaluation results
(1) Appropriateness
It should be written to match the actual personal information processing status and its details, specify the retention period for each personal information item (e.g., "30 days after membership withdrawal," "1 month after travel ends," etc.), and clearly state the legal basis, including the names of the relevant laws and the specific provisions.
(2) Readability
It should be written in an easy-to-understand way, and providing a 'simplified version' or a separate format to assist understanding is also presented as a good practice; using visual materials (tables, diagrams, etc.) is encouraged. Policies generated using AI should not be used as-is, and it is advisable to seek legal advice on compliance with guidelines.
(3) Accessibility
It should be easily accessible from the homepage of websites and apps or main menus, should be available for viewing without logging in, and the term 'privacy policy' should be used clearly so that data subjects can easily access it.
4. Examples of excellent evaluations
PIPC introduced the following excellent evaluation cases for 2024.
(1) Excellence in the field of hospitals
Seoul Asan Medical Center, Samsung Seoul Hospital, and Seoul St. Mary's Hospital received high overall evaluations in the hospital field; among them, Samsung Seoul Hospital was separately mentioned as an outstanding case for its ongoing improvement efforts, including the addition of operational details of the research data review committee related to pseudonymous information processing even after the evaluation date ('24.7.1.).
(2) Establishment of a system for viewing personal information and receiving complaints
Seoul St. Mary's Hospital, Lotte Tourism Development Co., Ltd., Homeplus Co., Ltd., and Gmarket Co., Ltd. were selected as excellent cases for clearly stating their personal information viewing departments in the processing policies, allowing data subjects to immediately file complaints related to personal information.
(3) Minimizing the retention period for unique identification information
Yanolja Co., Ltd. does not retain passport numbers, Lotte Tourism Development Co., Ltd. retains passport numbers for 3 days from the arrival date, and Hana Tour retains passport numbers for 1 month from the end of the trip, all specifically set to meet the minimum requirements under the law, which received good reviews.
(4) Considering readability and vulnerable groups
Netmarble Co., Ltd. and NCSOFT received recognition as excellent cases for separately providing 'easy-to-understand processing policies' and preparing separate versions for children, the elderly, and foreigners to enhance accessibility for vulnerable groups.
(5) Utilizing multimedia for explanations
Nexon Korea Corp., Google, and Woori Home Shopping (Lotte Home Shopping) provided video and audio materials for explaining processing policies, making it easier to understand the policies.
(6) Specifying personal information processing status at each service stage
Naver Corp., Kakao Corp., etc., specifically indicated the purpose and items of personal information processing by each service stage and actively included additional information to ensure the protection of data subject rights beyond the mandatory disclosure items, receiving the highest evaluation in the appropriateness category.
5. Conclusion
Personal information processing policies are a key means of ensuring the right to know of data subjects and building trust in the processing of personal data by companies. As revealed by the results of the 2024 evaluation, companies must ensure compliance with the writing guidelines of the Personal Information Protection Commission when drafting their policies, while faithfully reflecting the issues pointed out in the evaluation: 1) ensuring consistency with actual service operations, 2) establishing specific and clear retention periods, 3) enhancing readability to assist data subjects’ understanding, and 4) ensuring easy accessibility on websites and mobile apps.
Furthermore, the Personal Information Protection Commission has announced that they will publish a revised version of the personal information processing policy guidelines in April 2025, and the personal information processing policy evaluation plan is expected to be established and announced around May 2025. Therefore, continuous efforts to review and improve internal personal information processing policies are required from companies. The PIPC has stated that they plan to offer incentives such as reduction of fines or penalties under the Personal Information Protection Act if a company receives a good evaluation in the personal information processing policy evaluation, allowing companies to expect substantial business benefits by enhancing their policies.
(* The grounds for reducing fines under Article 10, Paragraph 2, Item 3 of the Personal Information Protection Act provide that "if the evaluation of the personal information processing policy or the result of the personal information protection level evaluation is at a higher grade, and confirmed that the personal information protection activities such as conducting a personal information impact assessment have been properly performed: the amount shall be reduced to no more than 30% of the amount subject to the first adjustment.")
Attorney Shin Jun-seon from Cheongchul Law Firm provides customized personal information processing policy establishment, diagnosis, and improvement advisory services reflecting the latest evaluation results, recent amendments to the Personal Information Protection Act, and matters required by the personal information processing policy guidelines and has already provided advice on the writing of personal information processing policies (including terms of use) to numerous clients in 2025.
If you are having difficulty drafting personal information processing policies and terms of use, collecting, using, and providing personal information consent forms, or need to check whether your current policies meet legal requirements, please feel free to contact us.


