Article 1 (Purpose) The purpose of this Ordinance is to protect the freedom and rights of individuals by providing for matters pertaining to the safe management of personal information and the guarantee of the rights of data subjects pursuant to the Personal Information Protection Act.

Article 2 (Definitions) The definitions of the terms used in this Ordinance shall be as follows: <Amended on Jul. 20, 2021>
1. The term "personal information" refers to information as defined in subparagraph 1 of Article 2 of the Personal Information Protection Act (hereinafter referred to as the "Act");
1-2. The term “pseudonymization” refers to the process defined in subparagraph 1-2 of Article 2 of the Act;
2. The term "processing" refers to the activities defined in subparagraph 2 of Article 2 of the Act;
3. The term "data subject" refers to a person as defined in subparagraph 3 of Article 2 of the Act;
4. The term "personal information file" refers to a personal information file as defined in subparagraph 4 of Article 2 of the Act;
5. The term "personal information processor" refers to a person as defined in subparagraph 5 of Article 2 of the Act.

Article 3 (Principles for the Protection of Personal Information) (1) Each processor of personal information shall make the purpose of processing particular personal information clear and collect only the minimum amount of personal information that is legitimately and lawfully necessary for such purpose.
(2) Each processor of personal information shall endeavor to ensure the accuracy, completeness, and currency of personal information to the extent necessary for the purpose of processing such personal information.
(3) Each processor of personal information shall manage personal information safely by applying the appropriate technical, administrative and physical security measures against the possibility, and the level of risk, of infringement of the rights of data subjects.
(4) Each processor of personal information shall, when processing personal information, disclose the matters concerning the processing of personal information, such as the policy on the processing of personal information, and guarantee the rights of data subjects to request perusal thereof.
(5) Even where a person responsible for processing personal information processes personal information to the extent necessary for the purpose of its processing, he or she shall process it as much as possible by means that minimize any infringement of the privacy of a data subject.
(6) If it is still possible to fulfil the purposes of collecting personal information by processing anonymized or pseudonymized personal information, the controller of personal information shall endeavor to process personal information through anonymization, in cases where anonymization is possible, or through pseudonymization if it is impossible to fulfil the purposes of collecting personal information through anonymization. <Amended on Jul. 20, 2021>
(7) Each processor of personal information shall process personal information appropriately to the extent necessary for the purpose of the processing thereof; and shall not use any personal information for any other purposes.

Article 3-2 (Relationship to Other Ordinances of Seoul Government) Except as otherwise provided in other Ordinances of Seoul Government, this Ordinance shall apply to personal information protection.
[This Article Newly Inserted by Ordinance No. 8076, Jul. 20, 2021]

Article 4 (Responsibility) The Mayor of the Seoul Metropolitan Government (hereinafter referred to as the "Mayor") shall formulate policies to promote human dignity and protect individual privacy, by preventing any harmful effects caused by the collection of personal information for purposes other than the intended purpose, or the misuse, abuse, indiscriminate monitoring, tracking, etc. of personal information.

Article 4-2 (Formulation of the Master Plan to Protect Personal Information) (1) The Mayor shall formulate the Seoul Metropolitan Government’s master plan for the protection of personal information (hereinafter referred to as the “master plan”) every three years to ensurethe effective and systematic management of personal information.
(2) The master plan shall include personal information protection plans established by autonomous Gu’s, City-invested or City-funded institutions, etc., and be confirmed after deliberation thereupon by the Personal Information Protection Deliberative Committee of the Seoul Metropolitan Government .<Amended on Jul. 20, 2021>
[This Article Newly Inserted by Ordinance No. 6908, Oct. 4, 2018]

Article 5 (Designation of Persons Responsible for Protecting Personal Information) The Mayor shall designate the persons responsible for protecting personal information, persons in charge of the protection of personal information, etc. under Article 31 of the Act and Article 32 (2) 1 of the Enforcement Decree of the Act.

Article 6 (Registration of Personal Information Files) The Mayor shall register the current status of the management and use of personal information files under Article 32. The same shall also apply where any alteration is made to the matters registered. <Amended on Mar. 22, 2018; Jul. 20, 2021>

Article 7 (Countermeasures against Divulgence of Personal Information) (1) In the event that it is verified that personal information has been divulged, the Mayor shall notify without delay the relevant data subject of the following matters by such means as a written letter, etc.:
1. Items of personal information divulged;
2. Date and time at which personal information is divulged and details of divulgence;
3. Information on the methods etc. that the data subject may use to mitigate any losses that may be caused by the divulgence of their personal information;
4. Countermeasures and procedures for relief from losses taken by the Seoul Metropolitan Government (hereinafter referred to as the "Seoul Government");
5. In cases where a data subject incurs losses, the department in charge of the receipt of reports, etc. and the contact information thereof.
(2) In the event that the personal information of data subjects is divulged, the Mayor shall take all necessary measures to mitigate any losses caused by such divulgence of their personal information. The Mayor may organize and operate the "Personal Information Infringement Countermeasures Center" according to the extent of the divulgence of personal information.
(3) In the event that the personal information of at least 1,000 people is divulged, the Mayor shall publish the matters specified in the subparagraphs of the foregoing paragraph (1) on the website for at least seven days along with the methods, such as in writing, so as to allow the data subjects to easily recognize and understand the details thereof; and shall report the results of notification made under paragraph (1) and the measures taken under paragraph (2) without delay to the Personal Information Protection Deliberative Committee or a specialized institution (such as the Korea Internet and Security Agency). <Amended on Mar. 22, 2018; Oct. 4, 2018; Jul. 20, 2021>

Article 8 (Charging and Payment of Fees) (1) Pursuant to Article 38 (3) of the Act and Article 47 (1) of the Enforcement Decree of the same Act, the Mayor may charge data subjects (including the agents referred to in Article 38 of the Act) for the cost of any fees and postage incurred by requests for access under Article 35 of the Act; requests for correction or erasure under Article 36 of the Act; and requests for suspension, etc. of processing under Article 37 of the Act (hereinafter referred to as "request for access, etc.") in accordance with the attached Table of the Seoul Metropolitan Government Ordinance on the Collection of Fees: Provided, however, that where any grounds for such requests for access, etc. pursuant to Article 47 (2) of the Decree lie with the Seoul Government, the Mayor shall not data subjects for the cost of fees and postage as referred to in paragraph (1). <Amended by Ordinance No. 7046, Mar. 28, 2019>
(2) The Seoul Government may receive fees and postage under paragraph (1) in the form of revenue stamps pursuant to Article 47 (3) of the Decree or by means of electronic payment under subparagraph 11 of Article 2 of the Electronic Financial Transactions Act.

Article 9 (Raising of Objections) (1) Where a data subject is dissatisfied with any measures taken, such as rejection of a request for access, etc., he or she may raise an objection.
(2) The Mayor shall table an objection raised under paragraph (1), before the Deliberative Committee established under Article 10 in order to have it deliberate and provide advice thereon.
(3) After such deliberation and provision of advice, the Mayor shall notify the data subject who has raised the objection of the decision on their objection within 10 days in accordance with the relevant procedure.

Article 10 (Personal Information Protection Deliberative Committee) The Mayor shall establish the Personal Information Protection Deliberative Committee of the Seoul Metropolitan Government (hereinafter referred to as the "Committee") in order to deliberate on the following matters: <Amended on Oct. 4, 2018; Jul. 20, 2021>
1. Matters concerning the raising of objections as provided under Article 9;
2. Matters concerning policies and institutional improvements with respect to personal information;
3. Formulation of master and action plans for protecting personal information, or modification of important matters;
4. Matters concerning the processing of pseudonymized information, such as reviewing the suitability and adequacy of pseudonymized information;
5. Matters concerning the gathering and transfer of the opinions of a related institution or group with respect to personal information protection;
6. Publicizing of best practices with respect to personal information protection;
7. Other matters submitted by the Mayor for deliberation in relation to the protection of personal information
[This Article Wholly Amended on Jul. 13, 2017]

Article 10-2 (The Period of the Committee) The term of existence of the Committee shall be until Jul. 12, 2027. [This Article Newly Inserted on Apr. 28, 2022]

Article 11 (Organization of Committee) (1) The Committee shall be composed of 25 members including one chairperson and two vice-chairpersons. <Amended on Oct. 4, 2018; Jul. 20, 2021>
(2) The Mayor may appoint or commission the following persons as Committee members. At least one person with a disability shall be included among the commissioned members, and the members of a particular gender shall not exceed 6/10 of the total number of commissioned members pursuant to the main sentence of Article 21 (2) of the Framework Act on Gender Equality: Provided, however, that this shall not apply in cases where unavoidable causes are deemed to exist, such as a lack of professional personnel of a particular gender in the relevant field, and the Working Committee on Gender Equality passes a resolution thereon pursuant to the proviso of the same paragraph: <Amended by Ordinance No. 6908, Oct. 4, 2018>
1. A person responsible for protecting personal information under Article 5 of the Ordinance;
2. A member of a standing committee under the Seoul Metropolitan Council;
3. A person recommended by a civil society organization;
4. A person recommended by an academic society related to the protection of personal information;
5. A person with a wealth of knowledge and experience in the protection of personal information, including experts and professors;
6. A person with considerable knowledge and experience in the pseudonymization of information, or a data expert;
7. The general head of personal information protection of an autonomous Gu (Public Officer of Grade 4);
8. A person in charge of personal information protection at a public institution, enterprise, or group(s) in Seoul Metropolitan City;
9. Other persons deemed necessary by the Mayor
(3) The ex officio vice-chairperson of the Committee shall be the person responsible for protecting personal information in Article 5, and the chairperson and the vice-chairperson shall be elected from among and by the commissioned members of the Committee. <Amended on Jul. 20, 2021>
(4) The term of office of the commissioned members of the Committee shall be two years, and they may be consecutively recommissioned only once. <Amended by Ordinance No. 6821, Mar. 22, 2018>
(5) The Mayor may dismiss a member of the committee even before the expiration of his or her term of office pursuant to Article 8-2 of the Seoul Metropolitan Government Ordinance on the Establishment and Operation of Various Committees. <Amended on Jul. 24, 2023>
[This Article Newly Inserted by Ordinance No. 6541, Jul. 13, 2017]
[Previous Article 11 moved to Article 13 <by Ordinance No. 6541, Jul. 13, 2017>]

Article 11 (Organization of Committee) (1) The Committee shall be composed of 25 members including one chairperson and two vice-chairpersons. <Amended on Oct. 4, 2018; Jul. 20, 2021>
(2) The Mayor may appoint or commission the following persons as Committee members. At least one person with a disability shall be included among the commissioned members, and the members of a particular gender shall not exceed 6/10 of the total number of commissioned members pursuant to the main sentence of Article 21 (2) of the Framework Act on Gender Equality: Provided, however, that this shall not apply in cases where unavoidable causes are deemed to exist, such as a lack of professional personnel of a particular gender in the relevant field, and the Working Committee on Gender Equality passes a resolution thereon pursuant to the proviso of the same paragraph: <Amended by Ordinance No. 6908, Oct. 4, 2018>
1. A person responsible for protecting personal information under Article 5 of the Ordinance;
2. A member of a standing committee under the Seoul Metropolitan Council;
3. A person recommended by a civil society organization;
4. A person recommended by an academic society related to the protection of personal information;
5. A person with a wealth of knowledge and experience in the protection of personal information, including experts and professors;
6. A person with considerable knowledge and experience in the pseudonymization of information, or a data expert;
7. The general head of personal information protection of an autonomous Gu (Public Officer of Grade 4);
8. A person in charge of personal information protection at a public institution, enterprise, or group(s) in Seoul Metropolitan City;
9. Other persons deemed necessary by the Mayor
(3) The ex officio vice-chairperson of the Committee shall be the person responsible for protecting personal information in Article 5, and the chairperson and the vice-chairperson shall be elected from among and by the commissioned members of the Committee. <Amended on Jul. 20, 2021>
(4) The term of office of the commissioned members of the Committee shall be two years, and they may be consecutively recommissioned only once. <Amended by Ordinance No. 6821, Mar. 22, 2018>
(5) The Mayor may dismiss a member of the committee even before the expiration of his or her term of office pursuant to Article 8-2 of the Seoul Metropolitan Government Ordinance on the Establishment and Operation of Various Committees. <Amended on Jul. 24, 2023>
[This Article Newly Inserted by Ordinance No. 6541, Jul. 13, 2017]
[Previous Article 11 moved to Article 13 <by Ordinance No. 6541, Jul. 13, 2017>]

Article 12 (Operation of the Committee) (1) The Chairperson shall represent the Committee and oversee the work of the Committee. When the Chairperson is unable to perform his or her duties due to any unavoidable reason, the elected vice-chairperson and ex officio vice-chairperson shall act on behalf of the chairperson in that order. <Amended on Jul. 20, 2021>
(2) Meetings of the Committee shall be divided into regular meetings and special meetings. The regular meeting shall be held twice a year, whereas the special meeting shall be convened by the Chairperson of the Committee where deliberation is necessary on an objection raised under Article 9, or where it is requested by at least 1/2 of the members of the Committee, or when it is deemed necessary by the chairperson <Amended on Jul. 20, 2021>
(3) The Chairperson shall notify the members of the Committee of the schedule, agenda, etc. of a meeting not later than fifteen days before the meeting is held. <Amended on Jul. 24, 2023>
(4) A majority of the members of the Committee shall constitute a quorum, and any decision thereof shall require the concurring vote of at least a majority of those present.
(5) Deliberation shall be made in writing or by a subcommittee upon obtaining the consent of at least 1/2 of all members of the Committee, where an item of agenda subject to deliberation is a similar or repeated matter, or where such item of agenda is a matter of urgency In such cases, deliberation may be conducted electronically. <Amended on Jul. 24, 2023 and Jan. 3, 2025>
(6) The Committee may establish a practical affairs council to review any item of agenda to be presented with respect to Article 10 (5) and Article 6, and to assist the affairs of the Committee. [This Paragraph Newly Inserted on Jul. 20, 2021]
(7) The Committee shall have one executive secretary and one clerk to handle its affairs, and the director of the Department of Personal Information Protection Affairs shall serve as the executive secretary, while the deputy director of the personal information protection team shall serve as the clerk. <Amended on Jul. 20, 2021>
(8) The minutes of the meetings of the Committee, other than the items of personal information stipulated under the Personal Information Protection Act, shall be open to the public: Provided, however, that such minutes may not be open to the public where deemed necessary by the chairperson. <Amended on Jul. 20, 2021>
(9) Allowances and travel expenses may be paid to those members who attend meetings of the Committee within the budget according to the Seoul Metropolitan Government Ordinance on Committee Allowances and Expenses. <Amended on Jul. 20, 2021>
(10) Other matters necessary for the operation of the Committee shall be determined by a resolution of the Committee. <Amended on Dec. 31, 2019; Jul. 20, 2021>
[This Article Newly Inserted by Ordinance No. 6541, Jul. 13, 2017]
[Previous Article 12 moved to Article 14 <by Ordinance No. 6541, Jul. 13, 2017>]

Article 12-1 (Subcommittee) (1) The Committee may establish a subcommittee for efficient operation of the Committee by resolution of the Committee.
(2) The subcommittee shall deliberate and resolve the following agenda:
1. Matters concerning processing pseudonymized information including appropriate pseudonymization of information review;
2. Similar or repeated matter or where such agenda item is a matter of urgency;
3. Other matters deemed necessary for subcommittee by the Chairperson.
(3) Subcommittee consists of five members including one chairperson, chairperson and members shall be elected among and by the commissioned members of the Committee through Committee resolution.
(4) Subcommittee shall be resolved by attendance of at least 2/3 of members and unanimous concurring vote.
(5) Agenda reviewed and resolved by the subcommittee shall be considered reviewed and resolved by the Committee.
(6) Related public officer (General director of personal information, Head of pseudonymization affairs) may be requested to attend for their opinion in review of matters concerning processing pseudonymized information.
[This Article Newly Inserted on Jul. 20, 2021]

Article 12-1 (Subcommittee) (1) The Committee may establish a subcommittee for efficient operation of the Committee by resolution of the Committee.
(2) The subcommittee shall deliberate and resolve the following matters on the agenda: <Amended on Jan. 3, 2025>
1. Matters concerning the processing of pseudonymized information, such as reviewing the suitability and adequacy of pseudonymized information;;
2. Similar or repeated matters or where a particular item of agenda is a matter of urgency;
3. Other matters deemed necessary for deliberation by the subcommittee by the Chairperson.
(3) Each subcommittee shall consist of five members, including one chairperson; and the chairperson and members shall be elected from among and by the commissioned members of the Committee through a resolution of the Committee.
(4) A resolution by a subcommittee shall be made by attendance of at least 2/3 of its members and the unanimous approval of all attenting members.
(5) Items of agenda reviewed and resolved by the subcommittee shall be considered to have been reviewed and resolved by the Committee.
(6) The public officer (General-Director of personal information, head of pseudonymization affairs) concerned may be requested to attend to give their opinion in a review of matters concerning the processing of pseudonymized information.
[This Article Newly Inserted by Ordinance No. 8076, Jul. 20, 2021]

Article 13 (Supervision of Personal Information Handlers) (1) The Mayor shall exercise appropriate supervision and oversight over persons who are responsible for processing personal information under his or her supervision and direction (hereinafter referred to as "personal information handler") in order to ensure that personal information is managed safely.
(2) The Mayor shall ensure that the personal information handlers of the Seoul Metropolitan Government receive regular education on the protection of personal information at least once per year, in order to ensure the appropriate handling thereof.
[Moved from Article 11 <by Ordinance No. 6541, Jul. 13, 2017>]

Article 13-2 (Processing of Pseudonymized Information) (1) The Mayor can process pseudonymized information without the consent of the data subject for such purposes as the production of statistics or scientific research, or when the processing of such information is in the public interest.
(2) The Mayor shall not include identifiable details of individuals when transferring pseudonymized information to third parties for the purposes provided under the foregoing paragraph (1).
(3) Detailed procedures for pseudonymized information processing may be determined separately by applying the guidelines on pseudonymized information processing published by the Personal Information Protection Deliberative Committee.
(4) The Mayor may prescribe a specialized institute to handle the combination of pseudonymized information in accordance with Article 28-3 of the Act when deemed necessary to facilitate data usage and to promote municipal development through a resolution of the Committee.
[This Article Newly Inserted by Ordinance No. 8076, Jul. 20, 2021]

Article 14 (Purchasing Insurance and Entering into Mutual Aid Agreements) The Mayor may subscribe to insurance, enter into a mutual aid agreement, etc. within the budget, in order to prepare for losses and compensation for damages due to infringements of personal information during the handling thereof.
[Moved from Article 12 <by Ordinance No. 6541, Jul. 13, 2017>]

Addendum (En Bloc Amendment Ordinance for the Overhaul, Etc. of Inaccessible Terminology in Seoul Metropolitan Government Ordinances) <No. 9487, Jan. 3, 2025>
This Ordinance shall enter into force on the date of its promulgation.