Real-World Personal Data Delegation Trouble Cases
This section organizes the actual trouble cases that arise from inadequate personal information handling memoranda in service agreements.
EC site operator Company A delegated email newsletter delivery to freelancer Ms. B. Company A gave Ms. B the email addresses and purchase history data of 100,000 members, but did not prepare a memorandum on personal data handling. Several months later, it came to light that Ms. B had been using the same data to send promotional emails for a separate service she operated. Company A became subject to reporting obligations to the Personal Information Protection Commission for the leakage and unauthorized use of personal information, and was overwhelmed with responding to apology correspondence to all affected parties.
There are also serious risks on the receiving party's side. Mr. C, who had accepted a web system development project, received a sample of patient data from the client and used it in a test environment. Even after development was complete, Mr. C retained the data on his local PC, and when the PC was stolen, the patient information was leaked. Because Mr. C had not concluded an agreement on personal data handling, he was unable to demonstrate compliance with "security measures within the scope of the delegation," and faced a claim for damages.
In delegation relationships where personal data handling contracts are insufficiently established, the following troubles occur frequently: unauthorized use by the contractor, leakage due to the receiving party's management failures, information spreading through sub-delegates (so-called further sub-delegation), data remaining after contract termination, and unclear responsibility when a leak occurs.
These cases are not all caused by malicious intent. In most cases, the cause is a lack of awareness or management oversight — "I didn't know how far I was allowed to use it," "I forgot to delete the data after testing," or "I hadn't checked the sub-delegate's management situation."
Why a Personal Information Handling Memorandum Is Necessary
This section explains the position of delegation under the Act on the Protection of Personal Information and the reasons why a memorandum is legally and practically necessary.
Article 24 of the Act on the Protection of Personal Information requires that when personal data handling is delegated to an outside party, appropriate and necessary supervision must be carried out over the delegate. This "supervisory obligation" encompasses not merely executing a memorandum, but also continuously confirming the security measures of the delegate.
If the delegating party neglects its supervisory obligation and a personal data leak occurs at the delegate, the delegating party itself becomes subject to recommendations and guidance from the Personal Information Protection Commission. Furthermore, serious violations may be subject to orders, public disclosure, and penalties. The 2022 amendment to the Act on the Protection of Personal Information strengthened reporting and notification obligations when personal data leaks occur, requiring strict responses from both delegating and receiving parties.
From the receiving party's perspective, Article 24 of the Act on the Protection of Personal Information places obligations on delegates equivalent to those of a "personal information handling business operator" in certain situations. Specifically, this includes a prohibition on using personal data outside the purpose of the delegation, implementing security measures, supervising employees, and obtaining prior approval from the delegating party when sub-delegating.
Without a memorandum, work proceeds with uncertainty about "what scope of personal data has been delegated," "for what purpose only it may be used," and "what level of security measures are required." If problems arise with the personal data handling contract, the delegating party claims "the receiving party's management was inadequate," the receiving party claims "we never agreed to those obligations," and responsibility becomes a back-and-forth argument.
Executing a memorandum before work begins is indispensable for clarifying management responsibility for the contractor's personal information and meeting legal requirements.
Five Essential Items to Include in the Memorandum
This section shows what must be included in a personal information handling memorandum for service agreements, with practical drafting examples.
Essential Item 1: Limitation of Purpose and Scope of Handling
The memorandum must concretely and specifically state the purposes for which personal data may be used. The broad statement "for the purposes defined in this contract" is insufficient. For example, both permitted and prohibited uses should be stated explicitly: "to be used solely for the email newsletter delivery service delegated by Party A to Party B, and all other uses (promotion of other services, list sales, analytics, etc.) are strictly prohibited."
The type of data being handled should also be identified. Required security measures differ depending on whether the data covers only names and email addresses or includes sensitive personal information such as purchase history, location data, or health information, so explicitly stating the target data is important.
Essential Item 2: Security Measure Standards and Specific Methods
For security measures, avoid vague language like "appropriate measures will be taken" and instead enumerate specific measures to be implemented. Technical security measures include data encryption, access control (permission management), log acquisition, and unauthorized access countermeasures. Organizational security measures include limiting the personnel who handle the data, maintaining a management ledger, and employee education. Physical security measures specify locked storage and a confirmed method of disposal upon termination (for electronic data, this includes overwriting/wiping and complete deletion from cloud storage).
It is important to set realistic measures appropriate to the receiving party's business scale and technical level. Requiring an individual contractor to maintain corporate-level security infrastructure has no practical effect and merely creates a formalistic contract.
Essential Item 3: Sub-delegation Rules and Approval Procedures
An often-overlooked provision in personal information handling memoranda concerns sub-delegation. If the receiving party further delegates work to outside vendors or individuals, the memorandum should explicitly state that "sub-delegation without the prior approval of the delegating party is prohibited."
If sub-delegation is approved and carried out, the receiving party must be obligated to ensure that the sub-delegate also implements security measures at the same level as this memorandum. The memorandum should also explicitly state "maintenance of primary responsibility" — meaning that for any trouble such as a leak at the sub-delegate, the receiving party bears responsibility to the delegating party (i.e., to the ordering party, from the receiving party's perspective).
Essential Item 4: Data Return and Disposal Upon Contract Termination
How personal data is to be handled at the end of the service agreement must be specifically defined. The principle is "prompt return or confirmed disposal," but in practice the "confirmed disposal" part creates problems. For electronic data, mandate complete file deletion (not merely moving files to the trash, but overwrite erasure on the storage device and complete deletion from cloud storage) and require submission of a completion report.
For data stored as backup, prescribe disposal obligations within a realistic scope. If the system configuration makes immediate deletion from backups impossible, agree on this in advance.
Essential Item 5: Reporting Obligations and Liability Allocation in the Event of a Leak
Specify reporting obligations when personal data is leaked, lost, or damaged, or when there is a risk of such an event. The amended Act on the Protection of Personal Information requires reporting to the Personal Information Protection Commission and notification to the individuals concerned for leaks above a certain scale. The memorandum should set a reporting deadline from the receiving party to the delegating party (e.g., "within [X] hours of becoming aware of the incident"), and establish a prompt coordination system so that the delegating party can take legally required action.
On liability allocation, clarify that the receiving party bears primary responsibility for leaks caused by the receiving party's management failures, and that the delegating party bears responsibility for problems caused by the delegating party's instructions. Setting an upper limit on damages is also a practically important topic; define it within a realistic range taking into account the balance with the service fee.
Practical Cautions for Delegating Party and Receiving Party
This section identifies the risks each party tends to overlook in a personal data delegation relationship, and sets out practical countermeasures.
Cautions for the Delegating Party
The most common trap for the delegating party is the false sense of security from "we executed a memorandum, so we're covered." The supervisory obligation under the Act on the Protection of Personal Information is ongoing; the existence of a memorandum alone does not fulfill the obligation.
Confirmation of security measures should begin at the contractor selection stage. In particular, for the management of personal information entrusted to the contractor, it is important to have the contractor complete a security checklist in advance and to keep documentary evidence rather than relying on verbal confirmation alone. In the case of small to medium-sized contractors, even when they answer that "we have a management system," the specific content is often unclear.
Passing only the minimum necessary data (the data minimization principle) is also the delegating party's responsibility. Scrutinize whether it is really necessary to pass all customer data for a marketing initiative or whether only the target segment is sufficient; reducing the amount of data passed is the fundamental basis for risk reduction.
Even after executing the memorandum, periodically conduct management status checks. Build an ongoing supervisory structure, such as having the receiving party submit a security management status confirmation form approximately once a year, or conducting on-site audits.
Cautions for the Receiving Party
The most common blind spot for receiving parties is the misunderstanding that "the client gave us the data, so the client is responsible." The receiving party, as a handler of personal data, independently bears security management obligations. If a leak occurs and the cause is the receiving party's management failure, the receiving party may bear liability for damages not only to the delegating party but also to the affected individuals.
The first step in self-protection is obtaining clear agreement on the prohibition of unauthorized use, the scope of handling, and the method of disposal upon termination before receiving personal data. Even if the delegating party does not present a memorandum, it is legitimate for the receiving party to request that one be executed, as part of fulfilling its own legal obligations.
If sub-delegation is planned, always obtain prior approval from the delegating party. For example, if a web design project is accepted and some of the work is delegated to writers or freelance engineers, approval for sub-delegation is needed whenever customer data is shared. If sub-delegation is carried out without approval and a data leak occurs, the receiving party risks bearing full liability to the delegating party.
Shared Checklist
Here is a summary of matters that both parties should confirm before executing the memorandum.
□ Has the type and number of personal data records to be delegated been identified?
□ Is the purpose of handling stated concretely and specifically?
□ Is the specific content of security measures stated?
□ Are the permissibility of sub-delegation and the approval procedure defined?
□ Is the method of data disposal upon contract termination and the confirmation procedure clear?
□ Are the reporting deadline and communication system in the event of a leak established?
□ Is the damage liability cap and responsibility allocation reasonable?
Ongoing Management and Updates After Memorandum Execution
This section explains the post-execution management structure and timing for reviewing the memorandum in order to keep a personal information handling memorandum functioning effectively.
A memorandum is not finished once it is executed. A system for periodically confirming that actual business operations are not diverging from the memorandum's contents is indispensable for fulfilling the supervisory obligations under the Act on the Protection of Personal Information.
Periodic Audits and Management Status Checks
It is advisable for the delegating party to confirm the receiving party's security management status at least once a year. The confirmation method may be a written self-report (responses to a confirmation form), but for delegation relationships involving important data, an on-site confirmation (visit audit) should also be considered. The results of the confirmation should be kept as records, and when problems are found, an improvement instruction and deadline should be set.
The receiving party should maintain a personal data handling ledger, recording what data was received and when, how it was stored and used, and when it was disposed of. This ledger also functions as evidence of compliance with supervisory obligations.
Incident Response Flow
When personal data is leaked, lost, or damaged, the receiving party must immediately report to the delegating party. Delayed reporting hinders the delegating party's legal response (reporting to the Personal Information Protection Commission, notification to individuals), so the reporting deadline specified in the memorandum must be strictly observed.
The report should include an overview of the leak (when, how many records, what type of information), the cause (to the extent known), measures taken to prevent further damage, and future response plans. Specifying a two-stage reporting structure in the memorandum — verbal report followed by written report — makes actual operations smoother.
After receiving the report from the receiving party, the delegating party should consider, as necessary, reporting to the Personal Information Protection Commission (leak report), notification to individuals who may have been affected, and external information disclosure such as a press release. Preparing response policies for these in advance as an appendix to the memorandum or as an incident response manual increases response speed in an emergency.
Timing for Reviewing the Memorandum
The memorandum should be reviewed when any of the following applies: change in the content of the delegated work (increase or decrease in the type or volume of data handled), organizational or operational changes in the receiving party, legal amendment (Act on the Protection of Personal Information or related guidelines), new technological risks (changes to cloud services, etc.), or when more than two years have passed since the previous execution.
In particular, the Act on the Protection of Personal Information continues to be amended; the 2022 amendment strengthened reporting obligations for leaks, clarified cross-border data transfer regulations, and strengthened individual rights (requests for suspension of use and deletion). Periodically confirm that delegation memoranda meet the latest legal requirements and update as necessary.
A personal information handling memorandum for service agreements is not merely a document for avoiding risk. It functions as a foundation for the delegating and receiving parties to share a common understanding of how personal data is to be handled, and to respond quickly when trouble occurs. Proper execution of a memorandum before work begins, and building an ongoing management structure after execution, are the practical essentials required of all parties who handle personal data in service agreements.