The Personal Information Protection Commission determined that the collection of personal information of suspected fraudsters by Dutchit, an online fraud victim inquiry service provider, does not violate the Personal Information Protection Act.
The Personal Information Protection Commission announced on the 10th that at the plenary session on the 9th, it decided that Dutchit’s collection and processing of personal information from suspected fraudsters is necessary for the urgent economic interests of a third party.
According to Article 15, Section 1, Subsection 5 of the Personal Information Protection Act, the collection and utilization of personal information is permissible if it is explicitly recognized as necessary for the urgent interests of the life, body, or property of the information subject or a third party. However, the Personal Information Protection Commission recommended that Dutchit provide the collected personal information solely for the purpose of preventing fraud and set the retention and disclosure period for personal information to a minimum. Additionally, it required actions such as deleting registered information upon request once a suspected fraudster proves that they are not actually a victim of fraud.
Furthermore, the Personal Information Protection Commission confirmed that Dutchit was receiving consent in a broad manner without distinguishing between membership registration and victim case registration and that some items were missing in the personal information processing policy, imposing fines of 4.8 million won and ordering corrective measures.
The Personal Information Protection Commission also determined that Toss Income, G&Enterprise, and Jobis & Villains, which provide comprehensive income tax refund agency services, did not violate the Personal Information Protection Act. Previously, complaints were filed alleging that the way these three companies handle resident registration numbers from users might violate the Personal Information Protection Act.
However, the Personal Information Protection Commission found that the three companies had received explicit consent to transmit users' resident registration numbers to Home Tax and others. It also reported that they only transmitted the received resident registration numbers without storing them.
Nevertheless, the Personal Information Protection Commission recommended that the three companies establish methods to minimize the input of resident registration numbers. It also advised Toss Income and G&Enterprise to specifically document legal provisions in their personal information processing policies when indicating personal information retention periods. The commission plans to continuously check compliance with corrective orders and improvement recommendations to encourage businesses to strengthen personal information protection.