Co-funded by the European Union

South Korea: New data protection rules

  • On 6 March 2024, South Korea’s Personal Information Protection Commission (PIPC) announced significant amendments to the Enforcement Decree of the Personal Information Protection Act (PIPA Enforcement Decree).
  • The amendments, effective 15 March 2024, introduce new rights for data subjects, stricter requirements for Chief Privacy Officers (CPOs), and enhanced obligations for data processors regarding overseas transfers and liability insurance.
  • On 12 March 2024, the PIPC published guidelines for the PIPA Enforcement Decree amendments. 
  • These changes aim to strengthen data protection and ensure that companies processing personal data adhere to higher standards of transparency and accountability.

What new rights do data subjects have under these amendments?

Data subjects now have the right to:

  • Request an explanation or review of fully automated decisions made without human intervention.
  • Refuse such automated decisions if they significantly impact their rights or obligations.

Data controllers must transparently disclose the criteria and procedures for automated processing and provide explanations upon request.

What are the new requirements for Chief Privacy Officers (CPOs)?

Companies and public institutions processing large amounts of personal or sensitive information must appoint CPOs with at least four years of experience in personal information protection. Current CPOs must meet this requirement by 14 March 2026.

How have the rules for overseas data transfers changed?

The amendments require the legal basis for overseas data transfers to be disclosed in privacy policies, including the names of the countries where South Korean data subjects' personal information is collected and processed.

What are the new liability insurance requirements for data processors?

Online businesses and data processors with annual sales exceeding KRW 1 billion (approximately $749,245) and more than 10,000 data subjects must obtain insurance and accumulate reserves to cover liabilities for damages to data subjects.

What should employers do to comply with the new rules?

Employers should:

  • Ensure compliance with the new requirements regarding automated decision-making and data subject rights.
  • Review and adjust the qualifications of current CPOs to meet the new experience requirements.
  • Update privacy policies to include details about the legal basis for overseas data transfers.
  • Secure appropriate insurance coverage and reserves if they exceed the specified sales and data subject thresholds.