Decisions

All

TITLE	Seoul Administrative Court Decision 2024GuHap70753, dated August 14, 2025: Appeal [full Text]
Summary
[Main Issues and Holdings] In a case where Company A, which operated an online lecture website and collected and retained the personal information of 1.13 million people, had an employee account’s session information compromised through a hacker’s post containing cross-site scripting (XSS) commands, resulting in the leakage of personal information of approximately 95,000 employees and members, the Personal Information Protection Commission imposed a penalty surcharge on Company A for failing to perform its obligation to take safety measures under Article 29 of the Personal Information Protection Act. Company A was found to have failed to properly implement the safety measures prescribed by the Personal Information Protection Act, and since the period of violation corresponds to the period during which the personal information controller violated the obligation to take safety measures, the penalty surcharge calculated accordingly was found to be lawful.

TITLE

Seoul Administrative Court Decision 2024GuHap70753, dated August 14, 2025: Appeal [full Text]

Summary

[Main Issues and Holdings] In a case where Company A, which operated an online lecture website and collected and retained the personal information of 1.13 million people, had an employee account’s session information compromised through a hacker’s post containing cross-site scripting (XSS) commands, resulting in the leakage of personal information of approximately 95,000 employees and members, the Personal Information Protection Commission imposed a penalty surcharge on Company A for failing to perform its obligation to take safety measures under Article 29 of the Personal Information Protection Act. Company A was found to have failed to properly implement the safety measures prescribed by the Personal Information Protection Act, and since the period of violation corresponds to the period during which the personal information controller violated the obligation to take safety measures, the penalty surcharge calculated accordingly was found to be lawful.

Prev	Supreme Court Decision 2022Do16512 Decided September 4, 2025 【Violation of the Act on Real Name Financial Transactions and Confidentiality; Violation of the Personal Information Protection Act】
Next	Supreme Court Decision 2025Da212297 Decided August 14, 2025 【Unjust Enrichment】

list