Hello, I am Attorney Lee Young-kyung of Cheongchul Law Firm.
The Supreme Court's ruling on February 26, 2026, under case number 2024Do14998, dealt with whether an insurance planner who collects and uses personal information from customers can be immediately deemed a ‘personal information processor’ under the Personal Information Protection Act just by the fact of handling personal information.
In practice, it is often the case that recruitment personnel, commissioned performers, and on-site managers who are in contact with customers handle personal information directly. Hence, determining who is the personal information processor and who bears the legal obligations and responsibilities becomes a key issue. This ruling is significant in that it presents the criteria for such determinations relatively clearly.
[Question]
If the insurance planner collected and used the customer's personal information during the process of entering into an insurance contract and managing the customer, can this alone be considered sufficient grounds to deem them a ‘personal information processor’ under the Personal Information Protection Act?
[Answer]
The Supreme Court ruled that simply handling personal information does not automatically classify an insurance planner as a personal information processor and that the matter should be judged based on who ultimately holds the authority to decide the purpose, contents, methods, and procedures related to personal information processing.
1. Facts of the Case
According to the ruling, the defendant was “appointed as an insurance planner at ○○○ Co., Ltd. (hereinafter referred to as ‘Company Not Involved 1’) from around October 22, 2015.” The indictment states that the defendant conspired with Company Not Involved 3 to call an employee of Company Not Involved 1 as if they were the customer, and then applied for termination of the special plan and changes to the main contract's coverage using personal information such as date of birth, address, and contact details collected for insurance enrollment and customer management.
“The defendant conspired with Company Not Involved 3 on January 4, 2017, where Company Not Involved 3 called an employee of Company Not Involved 1 while pretending to be Company Not Involved 2, using personal information such as the date of birth, address, and contact details collected by the defendant as an insurance planner for insurance enrollment and customer management to request termination of the specific plan and changes to the coverage of the insurance that Company Not Involved 2 had with Company Not Involved 1.” “Thus, the personal information processor, the defendant, used Company Not Involved 2's personal information beyond the scope of the purpose of collection.” |
Both the first instance and the appeals court acknowledged the violations under Article 71 (2) and Article 18 (1) of the previous Personal Information Protection Act regarding the indictment facts stated above. However, the Supreme Court found that there was insufficient inquiry to immediately classify the defendant as a 'personal information processor' and overturned and remanded the appellate judgment.
2. Issues and Legal Provisions
The key issue in this case is whether the individual insurance planner can be considered a 'personal information processor' under Article 18 (1) of the Personal Information Protection Act solely based on the fact that they actually handled customer personal information. The Supreme Court initially provided punishment provisions, obligation provisions, and definitions of personal information processors, stating that whether one qualifies as a personal information processor cannot be determined merely by the existence of actual handling but should instead be based on who has the ultimate decision-making rights regarding personal information processing.
“The previous Personal Information Protection Act (hereinafter referred to as 'the Act') stipulates in Article 71 (2) that it punishes those who violate Article 18 (1) and (2) by using personal information or providing it to third parties, while Article 18 (1) states that 'the personal information processor shall not use personal information beyond the scope set forth in Article 15 (1) or provide it to third parties beyond the scope specified in Article 17 (1) and (3).'” “The personal information processor under Article 18 (1) refers to 'public institutions, corporations, organizations, and individuals that process personal information through themselves or via others for the purpose of conducting business' (Article 2 (5) of the Act).” |
Moreover, the Supreme Court indicated the criteria for determining the personal information processor as follows. This part can be used as a direct guideline in future instances where it needs to be determined who the personal information processor is in various structures such as outsourcing, subcontracting, recruitment, and dispatching.
“Who is the personal information processor should be determined by the authority to make ultimate decisions regarding the purpose, content, method, procedures, and other aspects of personal information processing. This determination should comprehensively consider various circumstances such as whose unique work and benefits are closely related to the purpose of personal information processing, who exercises substantial control or supervision in the process of processing personal information, and who generates, retains, or operates the personal information files for what purpose.” |
In other words, this ruling clarifies that it is essential to examine for whose work, whose benefits, and under whose direction and supervision the files are generated, retained, and operated.
3. Supreme Court's Judgment and Implications
The Supreme Court held that even if an insurance planner collects and retains personal information during the process of mediating the conclusion of an insurance contract as a member of the sales staff of an insurance company, the purpose of that personal information processing is generally significantly related to the insurance company's unique business and interests. Hence, the ultimate decision-making authority regarding personal information processing is likely to rest with the insurance company.
“An insurance planner, although they may collect and retain personal information of the policyholder and others in the course of mediating contracts as a member of the sales staff belonging to an insurance company (Article 2 (9), Article 83 (1)(1) of the Insurance Business Act), the purpose of that personal information processing is, unless there are special circumstances, closely related to the insurance company’s unique business and interests concerning the insurance contract being concluded and the obligations undertaken by the insurance company, suggesting that ultimate decision-making authority regarding the information processing matters is likely to reside with the insurance company.” “Nonetheless, the appellate court failed to sufficiently examine the defendant’s obligations related to the management of personal information such as the nature of the insurance planner's appointment contract with Company Not Involved 1, the management subject or methods regarding the personal information collected or learned from customers while mediating the insurance contract, and other facts of practical guidance or supervision in the information processing process. A clear analysis of whether the information file operated by the defendant even exists, and about its creation, retention, and operation was not sufficiently explored. Thus, basing the conclusion solely on the defendant's allegations about having collected the personal information of Company Not Involved 2, the appellate court judged this part of the indictment as qualifying as a violation of Article 71(2) and Article 18(1) of the previous Personal Information Protection Act.” “This ruling of the appellate court suggests misunderstandings regarding the legal principles related to personal information processors or failure to conduct necessary inquiries, thereby affecting the judgment.” |
The first implication of this judgment is that those who directly handle personal information in the field are not necessarily the same as the ‘personal information processors’ under the Personal Information Protection Act. In practice, multi-layered structures like sales organizations, agencies, planners, and outsourced personnel are common, making it difficult to set the premises of criminal liability without considering who the legal obligation subject is.
Secondly, the importance of contractual structure and management systems is emphasized. Items such as appointment contracts, outsourcing contracts, internal regulations related to personal information processing, methods of providing access rights, the entities responsible for creating and managing customer information storage media and files, and the existence of real supervisory entities might all be key factors that need to be aligned in a company's documentation and operation systems.
Third, even if the Supreme Court does not classify the defendant as a personal information processor, it stated that the possibility of applying other punitive provisions remains unaddressed, indicating that the actor’s liability is not completely denied. Therefore, both companies and personnel need to assess risks by separating the axes of ‘qualifying as a personal information processor’ and ‘individual actor responsibility’.
In conclusion, this ruling reconfirms that in the practical field of personal information protection, liability subjects should not be determined solely by formal titles or simple handling incidents, but rather require a comprehensive examination of the purposes of processing information, direction and supervision, file operation structures, and the distribution of authority to allow for precise judgment of liability attribution.
Cheongchul Law Firm provides comprehensive consulting related to the Personal Information Protection Act based on expertise and experience accumulated through partnerships with major domestic law firms such as Kim Jang Law Office, Taepyungyang, Gwangjang, Sejong, and Yulchon.
Related work cases that are good to see together
서울 강남구 테헤란로 403 리치타워 7층
Tel. 02-6959-9936
Fax. 02-6959-9967
cheongchul@cheongchul.com
개인정보처리방침
면책공고
© 2025. Cheongchul. All rights reserved