In a case where the Defendant was indicted on charges of violating the former Personal Information Protection Act on the ground that he/she used the personal information provided by a personal information manager to the effect that he/she was provided with the written application containing the personal information of an examinee in the course of conducting a senior president supervision by the Office of Education at Si (Si) and received the written application including the personal information of an examinee from the Office of Education at the Office of Education in the course of conducting a senior president supervision, added him/her to the Kakaok-gu and sent him/her a message to the effect that he/she was provided with the personal information of an examinee, and then used it for any purpose other than the purpose of receiving the personal information provided by the personal information manager at the Office of Education at the Office of Education at Si (Si) and Article 15 (1) 3 of the same Act, the case affirmed the Defendant on the ground that the Defendant constitutes “a person who received the personal information from a personal information manager” under Article 19 of the same Act, since he/she received the personal information, such as the examinee’s phone number

The Defendant, who is a high school teacher, was appointed as a supervisor of the College Ability Test at the Office of Education in 2019 at the Office of Education of Si (Si) and was charged with violating the former Personal Information Protection Act (amended by Act No. 16930, Feb. 4, 2020; hereinafter “Act”), on the ground that he/she used personal information received from a personal information manager for any purpose other than the original purpose of receiving personal information by sending messages, such as Kakao A’s message added to Kakao A when he/she became aware of contact information, including the name, resident registration number, contact number, address, etc. of an examinee in the course of supervising a senior president, and when he/she compared with the examination table of each examinee.

Article 17 (1) of the Act provides that "personal information manager may provide personal information to a third party in any of the following cases," and the form of "Provision" includes a person who is closely related to a personal information manager to the extent of sharing such information without any third party, and subparagraph 1 provides such personal information to a third party, and subparagraph 2 of Article 15 (1) provides "where the personal information manager obtains consent from the subject of information" under Article 15 (1) 2, 3, and 5 of the Act provides "where the personal information manager provides such personal information within the scope of the purpose of collecting such personal information" under Article 15 (1) 3 of the Act provides that "it is inevitable for a public institution to perform his/her duties," and thus, the provision of personal information to a third party is not included in the provision of personal information under Article 19 (1) of the Act, and thus, the provision of personal information to a third party is not applicable to a person who is under the control of the personal information manager's personal information manager's license and supervision."

Articles 17(1) and 71 subparag. 2 of the former Personal Information Protection Act (Amended by Act No. 16930, Feb. 4, 2020); Articles 2 subparag. 5, 15(1)3, 17(2), 18(3) and (5), 19, 28, 59, and 72 subparag. 2 of the Personal Information Protection Act

Defendant

Prosecutor

Theirs et al. and one other

Law Firm SEL, Attorneys Lee Sung-sung et al.

Seoul Central District Court Decision 2019Da3278 Decided December 12, 2019

The judgment below is reversed.

A defendant shall be punished by imprisonment for four months.

However, the execution of the above punishment shall be suspended for one year from the date this judgment becomes final and conclusive.

1. Summary of grounds for appeal;

The Defendant, who was provided by the Seoul Special Metropolitan Office of Education with personal information of an examinee in order to perform the supervisory duties of the College Ability Test, constitutes “person who received personal information from a personal information manager” under Article 19(a) of the Personal Information Protection Act. Nevertheless, the lower court found the Defendant not guilty of this part of the facts charged, which erred by misapprehending the legal doctrine on the Personal Information Protection Act or misapprehending

2. Judgment on the prosecutor's assertion

A. The facts charged

No person who receives personal information from a personal information manager shall use the personal information for any purpose other than the original purpose of receiving the personal information, unless he/she obtains a separate consent from the subject of information or otherwise provided for

Around November 15, 2018, the Defendant received an application containing personal information, such as the name, resident registration number, contact number, address, etc. of an examinee in the process of supervising a high president of the College College College College College College College College College's high school in ○○ High School, which was located in ( Address omitted) around November 15, 201, and came to know of the contact point of △△△△

On November 25, 2018, the Defendant added △△△△△ to the Kakakakao xe-gu using the contact point known as above, and sent the message to △△△△△△△ to Kakakao Stockholm, including “Fact △△△”.

Accordingly, the Defendant used personal information received from a personal information manager for a purpose other than the original purpose.

B. The judgment of the court below

The Personal Information Protection Act is interpreted to classify ① a person who is in a position to use the personal information or provide it to other third parties without involvement in the direction, supervision, etc. of the personal information manager, and ② a person who is in a position to provide the personal information manager with a third party in a subordinate sense under the direction, supervision, etc. of the personal information manager. In other words, “person who is provided with the personal information from a personal information manager” under Article 19 of the Personal Information Protection Act means a third party who is not a personal information manager but does not belong to a personal information manager, i.e., a third party who is irrelevant to a personal information manager (in the case of the above), and “personal information manager” under Article 28 of the Personal Information Protection Act (in the case of the above) is excluded from the above third party, so the “personal information manager” should be construed as not being subject to Article 19 of the Personal Information Protection Act.

However, the Defendant, who was selected as a supervisor of the College College College Test, was only a personal information handler who manages personal information by using personal information provided by a personal information manager under the direction and supervision of a personal information manager in order to perform the supervisory duties of the College College Test, such as confirming the identity of an examinee. Therefore, the Defendant cannot be deemed as a “person who received personal information from a personal information manager” under Article 19 of the Personal Information Protection Act,

C. Judgment of the court below

1) Principles of statutory interpretation

However, the court below's interpretation of the Personal Information Protection Act and its determination that only the defendant is a person handling personal information and does not constitute "person who has received personal information from a personal information manager" under Article 19 of the Personal Information Protection Act is difficult to accept because the legislative purport of Articles 19 and 28 of the Personal Information Protection Act and the legislative purpose of the Personal Information Protection Act that seeks to further protect personal information as well as to strengthen the legislative purpose of the Personal Information Protection Act. In other words, the interpretation of penal laws and regulations should be strict in accordance with the principle of no punishment without law, and the interpretation in the direction unfavorable to the defendant beyond the possible meaning of the language and text should not be permitted in accordance with the prohibition of expansion of interpretation, which is the content of the principle of no punishment without law, as pointed out by the court below. However, the above principle does not mean that the above principle presents some deficiencies of legislation differently from the legislative purpose, and it is

2) Relevant statutes

(1) The former Personal Information Protection Act (amended by Act No. 16930, Feb. 4, 2020; hereinafter “Personal Information Protection Act”)

Article 2 (Definitions)

The terms used in this Act shall be defined as follows:

5. The term "personal information manager" means a public institution, corporation, organization, individual, etc. that processes personal information directly or through another person to operate a personal information file for business purposes;

Article 15 (Collection and Use of Personal Information)

(1) A personal information manager may collect personal information and use it for the purpose of collection in any of the following cases:

1. Where the consent is obtained from the subject of information;

2. Where special provisions exist in any Act or it is inevitable to comply with legal obligations;

3. Where it is inevitable for a public institution to perform its duties prescribed by Acts and subordinate statutes, etc. (hereinafter referred to as "a

Article 17 (Provision of Personal Information)

(1) A personal information manager may provide (including sharing; hereinafter the same shall apply) a third person with the personal information of a subject of information in any of the following cases:

1. Where the consent is obtained from the subject of information;

2. Where personal information is provided within the scope of the purpose for which the personal information is collected in accordance with Article 15 (1) 2, 3, and 5;

(2) A personal information manager shall notify a subject of information of the following matters when obtaining the consent under paragraph (1) 1. The same shall apply when any change is made to any of the following matters:

1. A recipient of personal information;

2. The purpose of using personal information of the recipient;

3. Items of personal information to be provided (hereinafter referred to as "personal information").

Article 18 (Restrictions on Use and Provision of Personal Information for Non-Purpose)

(1) No personal information manager shall use personal information beyond the scope provided for in Article 15 (1), or provide a third person with personal information beyond the scope provided for in Article 17 (1) and (3).

(2) Notwithstanding paragraph (1), a personal information manager may use personal information for any purpose other than the intended one or provide a third person with such information, except when it is likely to unfairly infringe on the interests of a subject of information or a third person in any of the following cases: Provided, That subparagraphs 5 through 9 shall be limited to public institutions:

1. Where separate consent is obtained from the subject of information (hereinafter referred to as " omitted");

(3) A personal information manager shall notify a subject of information of the following matters when obtaining the consent under paragraph (2) 1. The same shall apply when any change is made to any of the following matters:

1. A recipient of personal information;

2. The purpose of use of personal information (referring to the purpose of use of the recipient, if provided);

3. Items of personal information to be used or provided (hereinafter referred to as "personal information");

(5) Where a personal information manager provides a third person with personal information for any purpose other than the intended one under any subparagraph of paragraph (2), he/she shall place restrictions on the purpose and method of use, and other necessary matters to the recipient of the personal information, or request the person to prepare necessary measures to ensure the safety of the personal information. In such cases, the person in receipt of such request shall take necessary measures to ensure the

Article 19 (Restrictions on Use and Provision of Personal Information by Recipients of Personal Information)

No person who receives personal information from a personal information manager shall use the personal information for any purpose other than the intended purpose of provision or provide a third person with such information, except in any of the following cases:

1. Where separate consent is obtained from the subject of information;

2. Where special provisions exist in any other Act.

Article 28 (Supervision over Persons Handling Personal Information)

(1) A personal information manager shall appropriately manage and supervise persons, such as executives, employees, temporary agency workers, part-time workers, etc. who manage personal information under the direction and supervision of the personal information manager (hereinafter referred to as "personal information handler") so that the personal information can be managed safely in managing the personal information.

(2) A personal information manager shall provide personal information handlers with necessary education on a regular basis to ensure the appropriate handling of personal information.

Article 59 (Prohibited Acts)

No person who manages or has managed personal information shall engage in any of the following acts:

1. Acquiring personal information or obtaining consent to the management thereof by fraud or other improper means;

2. Leakageing personal information learned while on duty or providing such information to any third person without authority;

3. Damaging, destroying, altering, forging, or divulging any third person's personal information without legitimate authority or beyond permitted authority.

Article 71 (Penal Provisions)

Any person who falls under any of the following subparagraphs shall be punished by imprisonment for not more than five years or by a fine not exceeding 50 million won:

1. A person who provides a third party with personal information without obtaining the consent of a subject of information in violation of Article 17 (1) 1 even though he/she does not fall under Article 17 (1) 2, and a person who knowingly receives such personal information;

2. A person who uses or provides a third party with personal information, in violation of Article 18 (1) or (2), 19, 26 (5), or 27 (3), and a person who knowingly receives such personal information for profit or for any other wrongful purpose;

5. A person who divulges personal information acquired in the course of performing his/her duties or provides another person with personal information without authority, in violation of subparagraph 2 of Article 59, and a person who knowingly receives such personal information for profit or for any other wrongful purpose;

6. A person who damages, destroys, alters, forges, or divulges any third person's personal information in violation of subparagraph 3 of Article 59;

Article 72 (Penal Provisions)

Any person who falls under any of the following subparagraphs shall be punished by imprisonment for not more than three years or by a fine not exceeding 30 million won:

2. A person who acquires personal information or obtains consent to the management of personal information by fraud or other improper means, in violation of subparagraph 1 of Article 59, and a person who knowingly receives personal information for profit or for any other wrongful purpose;

3) The meaning of “person who received personal information from a personal information manager”

The Personal Information Protection Act (hereinafter “Act”) provides for the definition of personal information managers (Article 2 subparag. 5) and does not provide for the explicit definition of “person who received personal information from a personal information manager.” Nevertheless, the Act provides for various prohibitions for the protection of personal information, including “personal information manager” (Articles 17, 18), “person who received personal information from a personal information manager” (Article 19), and “person who managed or processed personal information” (Article 59). Articles 71 and 72 provide for the punishment corresponding to each of the said subjects. Furthermore, since Article 28 separately provides for the “personal information manager” as a person who processes personal information under the direction and supervision of a personal information manager, the meaning of “person who received personal information from a personal information manager” can be reasonably changed through the systematic interpretation of each of the aforementioned regulations, etc.

Article 17(1) of the Act provides that “A personal information manager may provide personal information to a third party where it falls under any of the following subparagraphs.” The form of “provision” includes a person who is closely related to a personal information manager to the extent of sharing such information without excluding a third party. In addition, where a personal information manager can provide such personal information to a third party, “where the subject of information obtains consent from the third party” under Article 15(1)2, 3, 2, and 5” under Article 15(1)3 of the Act provides that “where a personal information manager provides personal information to a third party within the scope of the purpose of collecting the personal information pursuant to Article 15(1)2, 15(1)3 of the Act provides that “where a public institution provides such personal information to a third party without obtaining consent from the subject of information manager pursuant to Article 17(1)5 of the Act, it is reasonable to interpret that the personal information is provided to a third party within the scope of “where it is inevitable for the subject of information to obtain consent from the subject of information collection” under Article 17(2).

4) The purport and meaning of “personal information handler” under Article 28(1) of the Act

In addition to “person who received personal information from a personal information manager” under Article 19 of the Act, Article 28 of the Act provides for a separate provision for “personal information manager”, namely, a person who processes personal information under the direction and supervision of a personal information manager. However, if a personal information manager processes personal information, it is clearly distinguishable from the obligations to be borne by a personal information manager when it provides personal information to a third party. Therefore, it is difficult to view such provision as the grounds for restricting the scope of “person who received personal information” under Article 19 of the Act.

However, in full view of the fact that a personal information handler prescribed in Article 28 of the Act does not separately provide a punishment provision for the act of unfairly using personal information, and the fact that Article 2 subparagraph 5 of the Act provides that "personal information controller means a public institution, corporation, organization, individual, etc. that processes personal information on his/her own or through another person for the purpose of his/her business," the term "personal information controller" in the Act refers to a person who is equivalent to the case where he/she processes personal information on his/her own, not through another person, and is unable to process personal information according to his/her own will and is directly involved in the management of personal information under the direction and supervision of the personal information controller. In this case, in order to operate personal information files of the Seoul Metropolitan Office of Education, a personal information controller, it means a person delegated by the Office of Education of Seoul Special Metropolitan City

5) Whether the Defendant constitutes “a person who received personal information from a personal information controller” as prescribed in Article 19 of the Act

The defendant is included in the "person who is provided with personal information from a personal information manager" under Article 19 of the Act since he/she received personal information from the Seoul Metropolitan Office of Education, such as the telephone number of examinees, from the Office of Education, which is a personal information manager, in order to conduct the examination and supervision of the College Ability Test from the Seoul Metropolitan Office of Education, because he/she falls under Article 17 (1) 2 and Article 15 (1) 3 of the Act.

The lower court deemed that the Defendant constituted “personal information handler,” but the Defendant did not receive the subject’s personal information for the purpose of operating personal information files, and thus cannot be deemed to constitute “personal information handler.”

3. Conclusion

Therefore, the judgment of the court below which acquitted the primary facts charged is unfair, and the prosecutor's assertion pointing this out is with merit (in case of a judgment of conviction on the primary facts charged, no separate judgment is made as to the ancillary facts added in the trial). The judgment of the court below is reversed in accordance with Article 364 (6) of the Criminal Procedure Act and it is again decided as follows.

[Grounds for multi-use Judgment]

Criminal facts

The facts constituting the crime acknowledged by this Court are as stated in the above 2. A. Ga. of the facts charged.

Summary of Evidence

1. Examination protocol of the accused by prosecution;

1. The contents of the Kakao dialogue;

1. Statement of victim post office prepared by the police;

1. A report on investigation (Submission of reference materials for suspects related to examination and supervision and reporting);

- Reference materials, such as matters of examination supervision

1. Data replys according to requests for cooperation in investigation (request for data related to persons subject to audit);

- Documentary evidence of competent supervisor

- Doable application form

Application of Statutes

1. Article relevant to the facts constituting an offense and the selection of punishment;

Article 71 Subparag. 2 and Article 19 of the former Personal Information Protection Act (amended by Act No. 16930 of Feb. 4, 2020), Articles 71 Subparag. 2 and 19 of the same Act, selection of imprisonment

Suspension of Execution

Article 62(1) of the Criminal Act (Taking into account that the defendant is the first offender)

Reasons for sentencing

The crime of this case was committed by the Defendant, a high school teacher, sent a message to the effect that he was MaMada, using the victim’s phone number that he became aware of in the course of the supervision of the College Ability Test, and the victim seems to have suffered a big mental shock, such as leaving the existing residence, by receiving such contact. Nevertheless, it is necessary to punish the Defendant’s actions to the effect that: (a) the Defendant, who was aware of the victim’s phone number up to the trial, was not known in the course of the supervision of the College Ability Test; (b) the Defendant searched and contacted Kakakao Amo Amooooooooood with a person who was employed in the past; (c) he was aware of the phone number that he was known of in the course of the supervision of the College College Ability Test; and (d) denied the crime of this case, and (d) the Defendant’s act may be established as a result of consultation with the attorney, and (e) the Defendant’s act may be punished.

However, the sentencing conditions under Article 51 of the Criminal Act, such as the age, character and conduct, environment and circumstances after the crime, including the fact that the defendant has no record of being punished as a crime, shall be determined like the order.

Judges Choi Han-man (Presiding Judge)

1) The prosecutor maintained the facts charged in violation of the Personal Information Protection Act, which the court below acquitted, as the primary facts charged, and applied for the amendment of the indictment to add “Article 74(2), Article 71 subparag. 2, and Article 18(1) of the Personal Information Protection Act” as the applicable provisions of the Act to the charges as stated in the attached Form [Preliminary Facts], and approved by this court. However, as seen thereafter, the court accepted the prosecutor’s appeal and found the Defendant guilty of the primary facts charged, the judgment of the court below is not reversed ex officio on the ground of the amendment of the indictment.

2) Where it is inevitable for a public institution to perform its functions prescribed by legislation, etc.