Yes.
The Act on the Protection of Personal Information (Act No. 57 of 2003 as amended) ("APPI") is the local law relevant to the data privacy/security area, and the Personal Information Protection Commission ("PPC") is the relevant governmental authority.
The APPI imposes a general obligation on a business entity that outsources the processing of personal data to a third party to exercise necessary and appropriate supervision over the processing activities of the processor (e.g., an IT vendor), with a view to controlling the security of the entrusted personal data. The APPI does not specify what measures would be needed to satisfy this requirement; what constitutes necessary and appropriate supervision would depend on the situation and would need case-by-case review. That said, the relevant guidelines on the APPI issued by the PPC require a business to take necessary and appropriate measures regarding matters such as selection of an appropriate processor, execution of a proper data processing agreement, and monitoring of the data processing activities by the processor. The guidelines issued by the PPC also recommend imposing a reporting obligation on the IT vendor and/or obtaining audit rights to ensure that sufficient security controls are in place.