SOUTH KOREA Law and Practice Contributed by: Sang Wook Cho, Soojung Lee, Seung Hyun Lee, Tae Eun Lee and Christopher Mandel, Yulchon LLC
gent circumstances or to the minimum extent needed to maintain an employment relationship. Generally, an employer would be allowed to collect personal data for the purpose of an HR internal inves - tigation, provided it has obtained proper, explicit con - sent from the data subjects. Under exceptional cir - cumstances, the consent requirement can be waived, but such instances are limited and strictly regulated. Even when consent is obtained, the employer must ensure that only the minimum amount of personal data necessary for the purpose of the investigation is collected. The burden of proof for demonstrating that the data collected is strictly necessary for the stated purpose lies with the employer. 7.2 Specific Rules When collecting and/or processing personal data for an HR internal investigation, the Korean data privacy law must be adhered to as for any other data collec - tion or processing activity. An employer must consider which lawful basis to rely on in order to collect and process personal data (eg, explicit consent or lawful exception). 7.3 Access Korean data privacy law grants data subjects specific rights, including the right to confirm whether their per - sonal data is being processed, as well as the right to access and request the transfer of their personal data. Individuals involved in an HR internal investigation (eg, employees under investigation) are generally entitled to exercise these rights concerning the personal data collected about them during the investigation. This is not an entirely settled legal area, but an employ - er may refuse to disclose sensitive information derived from an investigation on the basis that it has a duty to protect the confidentiality of such information. There are multiple bases for such a duty. Korean law specifi - cally provides that individuals involved in investigating workplace or sexual harassment, such as those con - ducting the investigation, receiving reports or partici - pating in the process, must not disclose confidential information obtained during the investigation to others without the consent of the affected party. Further, oth - er people would have privacy rights respecting their
own personal information, which may be contained in investigation-related materials. A data subject’s rights under PIPA (Personal Information Protection Act) may be restricted by these requirements. PIPA also pro - vides a ground to refuse accessing one’s personal data in cases “where access may cause damage to the life or health of a third party, or unjustified infringe - ment of the property and other interests of any other person...”, but the proper application of this exception to HR internal investigations is somewhat unclear. Additionally, governmental authorities may request access to information obtained during an internal investigation for their investigative purposes. Relevant laws permit the provision of such information in these cases, but the scope of disclosure must be strictly limited to what is necessary to fulfil the purpose speci - fied by the authority. 7.4 AI AI is increasingly being used in investigations. Typi - cal uses include reviewing, selecting or summarising documents and data, and preparing draft interview questions. However, confidentiality and data privacy concerns remain a barrier to the free use of AI tools for investigations. These concerns are being addressed in part by means such as developing internal, closed- system AI tools and by anonymising and redacting sensitive data that will be reviewed by AI. Although it may be arguable based on the specifics, under Korean data-protection rules, providing individ - uals’ personal information to an AI service provider for analysis may be construed as an improper third-party provision of personal information, because the AI ser - vice provider may use the data for its own purposes. This kind of third-party provision generally requires the data subject’s consent. This contrasts with entrust - ment of personal information purely for the provision of services, without any independent use by the pro - vider; entrustment does not require consent but is subject to other disclosure and security requirements. It is worth noting that where fully automated decisions have a significant impact on an individual’s rights or obligations, Korean privacy law requires notice and an opportunity to reject the automated decision and request human intervention. These rules are relatively
347 CHAMBERS.COM
Powered by FlippingBook