
[Personal Information Protection – What are the main points of the latest guidelines for the 2025 Personal Information Processing Policy?]
Hello. I am Attorney Shin Jun-seon from the law firm Cheongchul.
The Personal Information Protection Commission (hereinafter 'PIPC') recently released the revised version of the "Guidelines for Writing Personal Information Processing Policies" (April 21, 2025). The revised guidelines reflect the amendments to the Personal Information Protection Act (effective September 2024) and the comments from the 2024 Processing Policy Evaluation Committee. PIPC introduced the revision in a press release, stating that it enhances the rights of data subjects while alleviating the burden on businesses.
A review of the revised guidelines shows that the formatting requirements for drafting personal information processing policies seem to have been somewhat relaxed; however, because the measures protecting the rights of data subjects have been strengthened, the preparation and management burden on business practitioners may actually have increased. Let's look at the main points of the revised guidelines.
[Question] What are the main points of the latest guidelines for the 2025 Personal Information Processing Policy?
[Answer]
Reflection of Personal Information Consent System Revision
First, according to the revision of the personal information consent system, items that can be processed without consent and those that require consent have been clearly distinguished. For example, 'membership service operation,' 'sales product A/S consultation,' etc. can be processed without separate consent as they are essential for contract fulfillment, while sensitive information (such as health information), unique identification information (such as resident registration numbers), and third-party provision of personal information must receive separate consent, even if unrelated to the contract fulfillment. Accordingly, personal information processors must clearly reflect this distinction in their processing policy.
Increased Flexibility in Writing Personal Information Items and Retention Periods
Flexibility has also been introduced in the way personal information items and retention/use periods are written. Previously, all items had to be listed individually, but now, under special circumstances, grouping by type is allowed. For instance, self-introduction letters, certified English exam scores, and university grades can be grouped together under the type "Personal Information for Document Screening." Retention/use periods must generally be stated concretely rather than abstractly; however, where the retention/use period cannot be determined, the policy may instead state the criteria used to determine it.
Strengthened Contact Information for Complaint Handling Departments
The obligation to include the contact information of the complaint handling department has also been strengthened. Previously, only the contact information of the department to which the Chief Privacy Officer (CPO) belongs was required; going forward, policies may also include the contact information of related departments, such as customer service centers, that actually handle complaints, making it easier for data subjects to exercise their rights.
Improvement of Disclosure Methods Suitable for Mobile App Environments
The improvements to disclosure methods that reflect changes in the mobile app environment also deserve close attention. Previously, the processing policy had to be posted in a fixed position at the bottom of the app's first screen. After the revision, it may be disclosed in various locations that data subjects can easily access, such as the membership registration screen, login screen, service menu, and settings screen.
Enhanced Guidance on the Procedures for Exercising Data Subject Rights
Guidance on the procedures for exercising data subject rights has also been further specified. Regarding requests for the transmission of personal information, the methods of request as well as ways to check the status of transfer and the contents of the transmitted personal information must be specified. In cases where automated decisions are made, the criteria and procedures for decisions, methods of processing personal information, and methods to contest should be thoroughly disclosed; it is also recommended to specify the sources of data collection, collection methods, and safety measures when collecting and using data for AI training.
Strengthened Guidance on Behavioral Information Collection and Refusal
The section regarding guidance on behavioral information collection and refusal has also been reinforced. The methods for blocking cookies and personalized advertisements must be specified, such as the steps for "Web browser settings > Cookie management > Block third-party cookies," or clearly presenting paths like "Settings > Personal Information > Refusal of personalized advertisements" in mobile apps. Especially for Chrome browsers, the guidance has been updated to recommend using 'incognito mode' instead of the previous method of 'clearing internet history.'
Conclusion (Response Measures)
This revised version emphasizes that the personal information processing policy should not just be a formal disclosure but should function as a practical means for data subjects to exercise their personal information protection rights. To this end, PIPC provided guidance to enhance specificity, transparency, and accessibility of the processing policy across all areas, including the consent system, complaint handling, disclosure methods, and rights exercise procedures.
Personal information processors should reflect the main points of the revised guidelines when writing their personal information processing policies. They should ensure consistency between the consent to the collection and use of personal information and the processing policy, and clearly distinguish between mandatory consent items and optional consent items. Where personal information items are numerous or complex, similar items should be grouped by type. The policy should provide the contact details not only of the privacy officer but also of the relevant departments (customer service, CS teams, etc.) that actually handle inquiries and complaints from data subjects. Finally, with user experience (UX) in mind, the processing policy should be easy to find within the app's natural flow, avoiding overly deep menu structures.
In addition to the key content regarding the writing of personal information processing policies mentioned above, the revised guidelines also provide examples for small businesses regarding the public disclosure and display methods. Therefore, companies, corporations, and institutions that handle personal information should thoroughly understand the contents and intent of these revised guidelines and actively consider updating and improving their own personal information processing policies.
As awareness of personal information protection has become more crucial than ever, personal information processing policies are not just simple formal documents required by law; they are also a measure of transparency that shows a company's philosophy and efforts towards personal information protection, as well as a key element for building trust with data subjects. Therefore, it is advisable for enterprises and personal information processors to thoroughly understand the intent of these revised guidelines and to take proactive measures to secure trust from data subjects and minimize personal information protection risks.
Attorney Shin Jun-seon from the law firm Cheongchul has been providing tailored personal information processing policy establishment, diagnosis, and improvement consultation services reflecting the requirements of the Personal Information Protection Act and the guidelines from PIPC. If you are facing difficulties related to personal information tasks or need legal advice on whether your current processing policy complies with the guidelines, please feel free to contact us at any time.


