On December 12, 2024, the Personal Information Protection Commission (PIPC) published its decision, as issued on the same date, in which it imposed a fine of KRW 2.715 billion (approx. $1.89 million) on AXA General Insurance Co., Ltd. for violations of the Personal Information Protection Act (PIPA).

Background to the decision

The PIPC highlighted that it initiated an investigation into AXA for the unnecessary or excessive use of customer personal information in August 2023. The PIPC noted that AXA, in providing services to sell automotive insurance, collected user data including resident registration numbers and mobile phone numbers, among others.

Findings of the PIPC

Following its investigation, the PIPC found that AXA used pop-up windows to induce users to change their consent settings. Notably, the PIPC found that although consent was validly obtained in the pop-up window, the notice failed to mention the processing of personal information, such that users were unaware that their personal information was being processed for marketing purposes.

The PIPC noted that there were 548 spam reports stemming from AXA's use of customer personal data for marketing purposes.

In addition, the PIPC found that AXA failed to consult the data protection officer (DPO) before implementing the pop-up windows. The PIPC further detailed that AXA failed to destroy user data even one year after users had stopped using the insurance service or entered into insurance contracts.

Accordingly, the PIPC found AXA to have violated Articles 15, 21, and 31 of the PIPA.

Outcomes

In light of the above violations, the PIPC imposed a fine of KRW 2.715 billion (approx. $1.89 million) on AXA.

You can read the press release and the decision, both only available in Korean, here.