Database
Restrictions on data
MEXICO
Since July 2010
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Federal Law for the Protection of Personal Data in the Possession of Private Parties
According to the Federal Law for the Protection of Personal Data in the Possession of Private Parties, domestic and international transfers need the consent of the individual. Additionally, the data controller must provide the third parties with the privacy notice that was sent to and consented to by the individual. Consent is not required for international transfer:
- if transfer is intra-group;
- if it results from a contract executed or to be executed in the interest of the data owner between the data controller and a third party; and
- in a few other circumstances.
Coverage Horizontal
Restrictions on data
MALAYSIA
Since December 2015
Chapter Data policies |
Sub-chapter Data retention
Personal Data Protection Standards 2015
The Personal Data Protection Standards 2015, which came into force in December 2015, require data users to delete or dispose of data that is no longer needed for its purposes, and in particular to dispose of personal data and data collection forms within fourteen days after the relevant commercial transaction has been completed.
Coverage Horizontal
Sources
- http://www.elexica.com/en/legal-topics/data-protection-and-privacy/31-malaysia-consults-on-proposed-minimum-data-protection-standards
- http://www.mondaq.com/x/483926/data+protection/Personal+Data+Protection+Standards
- http://foongchengleong.com/downloads/Personal%20Data%20Protection%20Standards%20(BM%20+%20BI).pdf
Restrictions on data
MALAYSIA
Since November 2013
Chapter Data policies |
Sub-chapter Data retention
Personal Data Protection Act 2010
Under the Personal Data Protection Act, the data controller must ensure that all personal information is destroyed or permanently deleted if it is no longer required for the purpose for which it was collected.
Coverage Horizontal
Restrictions on data
MALAYSIA
Since November 2013
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Personal Data Protection Act 2010
The Personal Data Protection Act (PDPA) does not permit a data user to transfer any personal data out of Malaysia. However, the Act offers a set of exceptions, permitting the transfer of data abroad under certain conditions. The transfer is allowed if:
- the data subject has given his consent to the transfer;
- the transfer is necessary for the performance of a contract between the data subject and the data user;
- the transfer is necessary for the conclusion or performance of a contract between the data user and a third party that is either entered into at the request of the data subject or in his interest;
- the transfer is in the exercise of or to defend a legal right;
- the transfer mitigates adverse actions against the data subjects;
- reasonable precautions and all due diligence to ensure compliance with the conditions of the Act were taken; or
- the transfer was necessary for the protection of the data subject’s vital interests or for the public interest as determined by the Minister.
While officially entered into force in November 2013, the PDPA has not yet been enforced.
Coverage Horizontal
Restrictions on data
KOREA
Since 2009
Chapter Data policies |
Sub-chapter Other
Criminal Procedure Law
It is reported that messages sent by e-mail (after submission and receipt) are considered by law enforcement authorities as “objects” rather than “means of communications”. This implies that they are subject to ordinary search and seizure requirements, rather than requiring wiretapping warrants and notification to parties within 30 days.
Coverage Horizontal
Restrictions on data
KOREA
Since September 2011, amended in 2014
Chapter Data policies |
Sub-chapter Administrative requirements on data privacy
Personal Information Protection Act (PIPA)
All personal information managers must appoint a chief privacy officer who has a multitude of legal obligations.
Coverage Horizontal
Restrictions on data
KOREA
Since April 2016
Chapter Data policies |
Sub-chapter Personal rights to data privacy
Right to be forgotten
The Korea Communications Commission (KCC) announced on April 29 that individuals in Korea will be able to request that website administrators and search engine operators remove certain digital content containing personal information as early as June 2016. The KCC released the “Guidelines on the Right to Request Access Restrictions on Personal Internet Postings”, which enable consumers to request that search engines and website operators restrict access to and ultimately remove online information (including blogs, pictures and videos) that individual data subjects cannot delete themselves.
Coverage Horizontal
Sources
- http://www.lexology.com/library/detail.aspx?g=21be3837-0c43-4047-b8b5-9e863960b0b9
- http://koreajoongangdaily.joins.com/news/article/article.aspx?aid=2990716&cloc=rss%7Cnews%7Cjoongangdaily
- http://www.hldataprotection.com/2015/02/articles/international-eu-privacy/2015-the-turning-point-for-data-privacy-regulation-in-asia/
- http://www.koreaherald.com/view.php?ud=20160221000366
- http://www.humanrightskorea.org/2014/right-to-be-forgotten-korea/
Restrictions on data
KOREA
Since September 2011, amended in 2014
Chapter Data policies |
Sub-chapter Personal rights to data privacy
Personal Information Protection Act (PIPA)
The personal information manager must obtain consent before starting the data collection. Consent must be given also for transferring or selling data to any entity.
Coverage Horizontal
Restrictions on data
KOREA
Since 2016
Chapter Data policies |
Sub-chapter Data retention
Enforcement Decree of the Networks Act
Art. 16 of the Enforcement Decree of the Networks Act provides that the data retention period must not be longer than one year, except in cases where a longer retention period is required in order to comply with other Korean laws or regulations and where the data subject has expressly agreed to a longer retention period.
Coverage Horizontal
Restrictions on data
KOREA
Since 2007
Chapter Data policies |
Sub-chapter Data retention
Protection of Communications Secrets Act
Amendments to the 2007 Protection of Communications Secrets Act established extensive data retention requirements. These amendments require telecommunications companies and Internet Service Providers to retain access records and log files (including online transactions conducted; Web sites visited; time of access; and files downloaded, edited, read, and uploaded) for at least three months, along with date and time stamps, telephone numbers of callers and receivers and GPS location information for 12 months.
Coverage Telecommunication companies and Internet Service Providers
Restrictions on data
KOREA
Since 2015
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Act on Promotion of Cloud Computing and Protection of Users
Data Protection Standards for Cloud Computing Services Guidelines
All cloud service providers providing services to public institutions must have public data centers located within the country, and must be physically separated from networks serving the general public. Although the guidelines only act as recommendations, in practice, Korean institutions generally follow them. These policies, paired with a Ministry of Science, ICT and Future Planning (MSIP) plan to spread the use of cloud services in e-government, entail an increased localisation of data used in public services.
Coverage Cloud services, public sector data
Restrictions on data
KOREA
Since 2000, amended in 2014
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Financial Holding Company Act (FHCA)
Despite provisions in its FTAs with EU and US to allow sending financial data across borders, Korea prohibited outsourcing of data-processing activities to third parties in the financial services industry for several years and today certain restrictions still apply. Banks can therefore only process financial information related to Korean customers in-house, either in Korea or abroad and offshore outsourcing is restricted to a financial firm’s head office, branch or affiliates.
In June 2015, the Korea Financial Services Commission proposed revisions to its outsourcing policies by eliminating its requirements for (1) prior approval for the outsourcing of IT facilities; (2) offshore outsourcing to be restricted to a financial firm’s head office, branch or affiliates (thus permitting use of third parties); and (3) use of a standardized outsourcing contract form (thus permitting customized contracts provided they include certain obligatory terms). Such revisions were implemented in July 2015. Yet, certain conditions for processing abroad still apply today.
Coverage Financial sector
Sources
- ECIPE (2014), The Costs of Data Localization: Friendly Fire on Economic Recovery. Occasional Paper No. 3/2014.
- ANNEX 7, EU-KOREA FTA. Available at http://trade.ec.europa.eu/doclib/docs/2009/october/tradoc_145176.pdf
- http://www.lexology.com/library/detail.aspx?g=67f5b1f0-b84f-4827-8291-fb7b26f67cbf
- http://www.iflr.com/Article/3429777/Korea-tightens-data-protection-rules.html
Restrictions on data
KOREA
Since 2005
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Act on Promotion of Information and Communications Network Utilisation (the Network Act)
If a user's personal information is transferred to an overseas entity, Article 24-2 of the Network Act requires online service providers to disclose, and obtain the user's consent regarding, the following: the specific information to be transferred overseas; the destination country; the date, time, and method of transmission; the name of the third party and the contact information of the person in charge of the personal information held by the third party; and the third party's purpose of use of the personal information and the period of retention and use.
Coverage "Online service providers"
Restrictions on data
KOREA
Since September 2011, amended in 2014
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Personal Information Protection Act (PIPA) - Art. 17 (3)
The Personal Information Protection Act requires companies to obtain consent from data subjects prior to exporting their personal data.
Coverage Horizontal
Restrictions on data
KOREA
Since 1961, last amended in June 2014
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Act on the Establishment, Management, etc. of Spatial Data - Article 16
Korea imposes a prohibition on storing high-resolution imagery and related mapping data outside the country and justifies this restriction on security grounds. It is reported that the prohibition led to a competitive disadvantage for international online map services, since their locally based competitors are able to provide several services (such as turn-by-turn driving/walking instructions, live traffic updates, interior building maps) that international service providers cannot.
Coverage Maps services
Sources
- Act on Land Survey, Waterway Survey and Cadastral Records, Act. No. 12738, June 3, 2014, translated in 31 Statutes of the Republic of Korea. Available at http://elaw.klri.re.kr/eng_service/lawView.do?hseq=32771&lang=ENG
- http://ogleearth.com/2012/07/constraining-online-maps-the-case-of-south-korea/
- 2014 National Trade Estimate Report on Foreign Trade Barriers: https://ustr.gov/sites/default/files/2014%20NTE%20Report%20on%20FTB.pdf