2. 본 조 제1항에 규정된 사례의 경우 컨트롤러가 정보주체를 식별할 수 없음을 입증할 수 있다면, 제15조부터 제20조까지의 조문은 적용되지 않는다. 단, 정보주체가 해당 조문에 따라 본인의 권리를 행사하기 위한 목적으로 본인의 신원을 확인할 수 있는 추가 정보를 제공하는 경우는 예외로 한다.
ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraphs to article 11(2) GDPR:
7.3.2 Determining information for PII principals
Control
The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.
Implementation guidance
The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.
Depending on the requirements, the information can take the form of a notice. Examples of types of information that can be provided to PII principals are:
[…]
Sign in
to read the full text
Source: http://www.pipc.go.kr/cmt/not/ntc/selectBoardArticle.do?nttId=5969&bbsId=BBSMSTR_000000000121&bbsTyCode=BBST03&bbsAttrbCode=BBSA03&authFlag=Y&pageIndex=6
ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 11(1) GDPR:
7.4.5 PII de-identification and deletion at the end of processing
Control
The organization should either delete PII or render it in a form which does not permit identification or re-identification of PII principals, as soon as the original PII is no longer necessary for the identified purpose(s).
[…]
Sign in
to read the full text