PPC’s Q&A Q8-9 (translated by me) states as follows, but since there is no exception corresponding to Article 27(5)(i) of the APPI regarding outsourcing for third-party provision of personally referable information. So, in the case of personal data, a return of data from the contractor to the consignor would fall outside the scope of regulation as “return provision.” However, in the case of personally referable information, if the consignor obtains it as personal data, Article 31(1) of the Act applies.
For example, consider a situation where a contractor is entrusted with obtaining personally referable information and returns it to the consignor. (If what had been entrusted was the acquisition of personal data, it would have been excluded from regulation as “return provision.”)
At first glance, this might appear to be an unfair conclusion. However, in the case of the “return provision” of personal data, identification of individuals has already been performed at the contractor’s end at the time of processing. By contrast, in the case of the “return provision” of personally referable information, no identification is performed at the contractor’s end; rather, it is first carried out by the consignor. This means that a new personal data handling entity, which the data subject is unaware of, could emerge. In this sense, there seems to be a substantive rationale behind this difference in legal treatment.
Q8-9
When personal data is provided to a contractor in connection with outsourcing, and that data does not constitute personal data for the contractor but instead constitutes personally referable information, does the act of the contractor returning the data to the consignor fall under Article 31(1) of the Act?
A8-9
Where personal data provided by the consignor in connection with outsourcing does not constitute personal data for the contractor but constitutes personally referable information, the act of the contractor returning the data to the consignor within the scope of the entrusted work does not fall under Article 31(1) of the Act.
However, if the contractor appends personally referable information independently obtained by the contractor to such data and then returns the resulting data to the consignor, Article 31(1) of the Act applies.