｢개인정보 보호법｣에 대한 행정조직법적 일고찰

This study analyzes the structure of the Personal Information Protection Act (PIPA) from the perspective of administrative organization law, focusing on its application to the public sector. Under the current legal framework, the protection of personal information is premised on the illegality of processing without statutory authorization, with the Act narrowly defining the conditions for lawful processing. Since personal data processing by public authorities affects individual rights, the principle of legality in administration requires a clear legal basis for such activities. Accordingly, this paper examines the legal status of data controllers in the categories of the State, central administrative agencies, subordinate agencies, and institutions under the President or the Prime Minister. The study finds that PIPA does not recognize the “State” itself as a data controller but instead treats each central administrative agency and its subordinate bodies as independent units. As a result, information transfer between agencies constitutes a “third-party provision,” and the legal effects of data processing are fragmented among institutions. The reliance of subordinate agencies on administrative regulations for their legal basis raises concerns regarding the principle of legality and the stability of data protection. Furthermore, although institutions under the President or the Prime Minister are granted the same status as central administrative agencies, the ambiguity of their statutory foundation may undermine the principle of accountability in administrative organization. the study suggests that the PIPA’s framework should be reconsidered for its consistency with administrative organizational principles. Clarifying the legal units and scope of public-sector data controllers would promote a balanced relationship between personal information protection and administrative stability.