Photo courtesy of Yonhap News
[Alpha Biz= Kim Jisun] Regulator cites unauthorized processing of children’s data and improper marketing consent as key violations
South Korea’s Personal Information Protection Commission (PIPC) has imposed sanctions on 10 food and beverage franchise operators and remote reservation/waiting platforms, with the bulk of monetary penalties concentrated on Burger King Korea and MegaMGC Coffee.
At its third plenary session held on Feb. 11, the PIPC decided to levy a total of KRW 1.566 billion in administrative fines and KRW 111.3 million in penalty surcharges for violations of the Personal Information Protection Act. Corrective and public disclosure orders were also issued.
Of the total fines, Burger King Korea (BKR), the local operator of Burger King, was fined KRW 924 million, while MGC Global, the operator of MegaMGC Coffee, was fined KRW 642 million. The remaining eight companies, including Starbucks and McDonald’s, were subject only to penalty surcharges and corrective measures without administrative fines.
While most companies were cited for inadequate management practices—such as failure to delete personal data or insufficient security safeguards—the two heavily fined firms were found to have committed more serious violations, including processing personal data without proper consent and using information beyond its stated purpose.
According to the PIPC, BKR processed the personal data of children under the age of 14 without obtaining consent from their legal guardians, in violation of Article 22-2 of the Act. In addition to the KRW 924 million fine, the company was also penalized for failing to notify users of data usage and provision history, not deleting data after achieving the intended purpose, and not retaining access logs. It was fined an additional KRW 15.3 million and ordered to implement corrective measures and publicly disclose the sanctions. Burger King stated that the penalties stemmed from past system and management shortcomings.
MGC Global was found to have automatically marked marketing consent as agreed during the membership registration process, resulting in marketing messages being sent to users who had not consented. The PIPC deemed this a violation of Article 18 of the Act for using personal information beyond its intended purpose without consent. The company was fined KRW 642 million, along with an additional KRW 15.3 million in penalties, and was subject to corrective and public disclosure orders.
Alphabiz Reporter Kim Jisun (stockmk2020@alphabiz.co.kr)