Definition of retained personal data
Certain provisions of the APPI, notably Articles 27 to 30 relating to individual rights, apply only to a specific category of personal data, namely "retained personal data". Those are defined under Article 2(7) of the APPI as personal data other than those which are either (i) "prescribed by cabinet order as likely to harm the public or other interests if their presence or absence is made known"; or (ii) "set to be deleted within a period of no longer than one year that is prescribed by cabinet order".
As regards the first of those two categories, it is explained in Article 4 of the Cabinet Order and covers four types of exemptions (20). These exemptions pursue similar objectives as those listed in Article 23(1) of Regulation (EU) 2016/679, notably protection of the data subject ("principal" in the terminology of the APPI) and the freedom of others, national security, public security, criminal law enforcement or other important objectives of general public interest. In addition, it results from the wording of Article 4(1)(i)-(iv) of the Cabinet Order that their application always presupposes a specific risk for one of the protected important interests (21).
The second category has been further specified in Article 5 of the Cabinet Order. Read in conjunction with Article 2(7) of the APPI, it exempts from the scope of the notion of retained personal data, and thus from the individual rights under the APPI, those personal data that are "set to be deleted" within a period of six months. The PPC has explained that this exemption aims at incentivising business operators to retain and process data for the shortest period possible. However, this would mean that EU data subjects would not be able to benefit from important rights for no other reason than the duration of the retention of their data by the concerned business operator.
In order to address this situation, Supplementary Rule (2) requires that personal data transferred from the European Union "be handled as retained personal data within the meaning of Article 2, paragraph 7 of the Act, irrespective of the period within which it is set to be deleted". Hence, the retention period will have no bearing on the rights afforded to EU data subjects.