April 24, 2026

(This is an unofficial translation of a press release, originally prepared in Korean.)

The Personal Information Protection Commission (PIPC) has revised its “Guidelines on Writing a Privacy Policy” to align with shifts in the data processing landscape driven by the proliferation of generative AI and on-device AI services.

A privacy policy is a document written by a data controller to inform data subjects about what personal information is collected and how it is processed. It serves as a fundamental means to ensure transparency in processing personal information and uphold the rights of data subjects.

The revision aims to ease the administrative burdens on data controllers and to safeguard the rights to self-determination of the Korean people.

The key revisions are as follows:

First, when there is a large or frequently changing number of third-party recipients or processors entrusted with data processing, data controllers may categorize them as ‘taxi drivers,’ ‘delivery workers’ and others within the privacy policy. However, the privacy policy needs to include a clear channel through which detailed information about such recipients or processors can be accessed to ensure transparency.

Second, notifying changes to a privacy policy is overhauled in a practical way. Changes that have a significant impact on data subjects’ rights should be notified without delay either before or after the revision. At the same time, changes that pose a low risk to data subjects’ rights, such as lists of entrusted or subcontracted processors, can be notified collectively in the privacy policy within a certain time frame (e.g., 4 weeks).

Third, the guidelines clarify the criteria for on-device data processing. When personal information is stored on servers, data controllers should write a privacy policy, even if they run partially on-device. Conversely, when personal information is not transferred to external servers and is processed entirely on-device, data controllers are encouraged to inform users about this practice, along with data deletion criteria.

Fourth, the revised guidelines specify what data processors should include when writing a privacy policy. Data processors’ privacy policy needs to include the information on a chief privacy officer (CPO), subcontractors, and others that are directly relevant to safeguarding data subjects’ rights.

Fifth, the guidelines also overhaul the criteria for behavioral data processing and a privacy notice (i.e., a summarized version of a privacy policy). For behavioral data processing, the revision provides processing-specific scenarios, enabling data controllers to write their privacy policies with readability and clarity tailored to their specific processing contexts. For a privacy notice, the guidelines clarify requirements, including categories and purposes of data processing, retention and use periods, the status of third-party provision and entrustment, and how to exercise data subjects’ rights.