Hello, this is Attorney Kim Kwang-sik from Cheongchul Law Firm.

The Personal Information Protection Act stipulates the obligations of personal information processors to establish and disclose privacy policies, and these privacy policies are a kind of 'trust blueprint' that transparently discloses how companies collect customers' personal information, for what purposes it is used, for how long it is retained, and how it is destroyed. Beyond mere legal obligations, it becomes an important indicator that gives trust to customers and proves legal stability to investors.

In particular, startups often process personal information while quickly bringing products and services to market, but their internal policies and documentation are often inadequate in comparison. If legal violations or information leaks occur in this situation, it can negatively impact the company's trust, as well as future business expansion and investment attraction.

This article will specifically look at how startups should develop practical and workable personal information processing policies that align with the characteristics of their services.

[Question]

How should startups write their privacy policies?

[Answer]

1.     What is personal information and to what extent does it apply?

The first thing startups should consider when creating their privacy policies is 'what information constitutes personal information'. In addition to easily identifiable information such as names, contact information, and social security numbers, if specific information can identify an individual when combined with other information, it is also considered personal information. For example, a customer's ID or payment product name may seem like anonymous information, but if the company already holds the customer's name and address separately, it can combine this information with others to identify a specific individual, making it personal information.

When a startup intends to use its customers' payment history and IDs for internal analysis, it may judge that this information alone cannot identify the customers. However, if it is linked to names, emails, and contact information registered in the existing member management system, it must recognize that it has already become personal information without separate collection. In fact, the government's interpretation states, "Even if the information may seem difficult to identify alone, it is considered personal information if it can easily identify individuals when combined with other information".

2.     What procedures and criteria must be followed to collect personal information?

Startups will collect customer information in various ways, such as joining the website, participating in events, responding to surveys, and automatic collection when using mobile apps. Principle-wise, explicit consent from customers is required for all these collection acts. Particularly in the telecommunications services sector, there is an obligation to explicitly notify customers of four main points: the purpose of collecting personal information, items, retention period, and whether it will be provided to third parties, and to obtain consent for these.

In fact, many startups misunderstand by thinking, "Since we obtained consent for terms at signup, doesn't that also include consent for collecting personal information?" However, this is clearly a wrong approach, and consent for terms and consent for collecting and using personal information must each be obtained clearly and separately. Additionally, some companies induce implicit consent by having users click the join button, but this method also fails to meet the legal requirements for consent. Moreover, collecting for marketing purposes or for providing to partners must be separate consenting items for guidance.

3.     How long and in what manner should personal information be stored?

Personal information should only be retained for the period required to achieve the intended purpose and must be safely destroyed thereafter. For example, when a member withdraws, the information left by the customer becomes subject to immediate destruction, as the purpose of providing the service has ended. However, information that certain laws, such as electronic commerce or tax-related legislation, require to be retained for a specific period can be treated as exceptions.

However, some startups continue to retain personal information with the thought, "We might use it later for marketing or statistics, so let's keep it for now." This is clearly illegal, and retaining information beyond the retention period agreed upon by the customer also constitutes a violation of the Personal Information Protection Act. Particularly, if the company retains internal customer numbers or membership records even after the customer has requested to withdraw, it may become problematic unless it clarifies the purpose and legal basis for retention of that item. Practically, it is advisable to set retention periods for each item of personal information and to have procedures in place to periodically review whether it should be destroyed.

4.     How should information processing through outsourcing or partnerships be handled?

Startups collaborate with various external businesses, such as agencies, IT system companies, call centers, and advertising marketing companies. In this process, it is common for external companies to process customers' personal information, which is referred to as 'entrusting the processing of personal information'. Entrustment can be done without the consent of the information subject, but it must be specified in a contract, and the information of the entrusted party and the scope of services must be disclosed on the website.

In contrast, 'providing' information to partners is entirely different. Providing to third parties must obtain clear prior consent, and at this time, details such as the recipient, purpose of provision, items, and retention period must be specifically guided. For instance, sharing customer information with an advertising agency for SNS advertising or pursuing information linking with a partner for joint marketing are all considered third-party provisions and require separate consent.

Sometimes startups ask, "Do we need to train the entrustees even for short-term events?" However, the Personal Information Protection Commission clearly states that even for 'one-off entrustments', at least minimal training or notice of precautions must be provided, and omitting contracts or not disclosing them is illegal.

5.     What measures should be taken to protect personal information safely?

Technical and managerial measures for personal information protection are very important, and neglecting them makes it difficult to avoid civil and criminal liability in the event of a leak. For startups, most manage data through cloud or SaaS, so it is essential to implement basic measures such as system access control, encryption, backup, and log management.

In particular, when storing unique identification information or sensitive information, encryption must be implemented, and simply applying a password to an Excel file does not count as encryption. For example, when dealing with social security numbers, facial recognition data, or biometric authentication information, encryption measures must be taken, and a technical protection system against loss, theft, or hacking of the devices holding the information must also be established. Furthermore, when granting system access rights to entrustees or partners, procedures for managing permissions and keeping connection records are absolutely necessary.

Meanwhile, it is also risky if former employees still have system access rights, or if interns have unauthorized access to sensitive information. The number of people handling personal information should be limited to a small group, and periodic security training for them is essential.

For startups, personal information protection is a legal obligation and a key means of securing customer trust. Setting up basic processing policies early on and preparing policies and procedures that align with the actual service flow will help prevent significant risks in the future. An attitude of protecting customers' information enhances corporate brand value and leaves a positive impression on partners and investors.

Cheongchul Law Firm provides professional legal advice based on rich experience in responding to personal information protection regulations. Please feel free to request a consultation if needed.