Data Protected - Republic of Korea

Contributed by Kim & Chang

Last updated February 2024

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

The Personal Information Protection Act (“PIPA”).

The Credit Information Use and Protection Act (the “Credit Information Act”) also contains provisions relevant to the processing of personal information.

This summary is mainly based on the PIPA requirements. Some aspects of the other applicable laws are also noted below, although they are not described comprehensively in this summary.

Entry into force

The PIPA entered into force on 30 September 2011, and the most recent amendments passed the National Assembly on 27 February 2023. Some of the amended provisions took effect on 15 September 2023, while others are scheduled to take effect on 15 March 2024. Provisions on the right to data portability have been announced, but their enforcement date has not yet been determined.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

The Personal Information Protection Commission (“PIPC”)
209 Sejongdae-ro Jongno-gu
Seoul  
Korea 03171

www.pipc.go.kr

Notification or registration scheme and timing

Public agencies that manage personal information files must notify PIPC of a range of information including the name of the file, its legal basis and purpose and the retention period. The PIPC must disclose the registration status to the public. There are no registration fees.

This notification obligation only applies to public agencies and not private sector companies.

Exemptions to notification

Public agencies are not obliged to notify personal information files dealing with matters such as national security, crime investigation, tax evasion or internal work processing.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The PIPA does not clearly address extra-territoriality. However, there is a consensus that it applies to both Korean companies and companies established abroad that process personal information in Korea.

Is there a concept of a controller and a processor?

The PIPA uses the term “personal information manager” to mean a public institution, corporate body, organisation or individual who manages personal information directly or via another person.

The PIPA also has the concept of a “data consignee”, who is a person who is delegated with the responsibility to process personal information, and is only responsible for compliance with more limited aspects of the PIPA.

Are both manual and electronic records subject to data protection legislation?

Yes. Both manual and electronic records are subject to the data protection laws.

Are there any national derogations?

Most of the requirements under the PIPA do not apply to (i) personal information collected or requested for the analysis of information related to national security; and (ii) personal information collected or used by the press for its own reporting purposes, by religious organisations for missionary activities, or by political parties for the nomination of candidates.

In addition, the PIPA’s requirements on the collection and use of personal information, the establishment of a privacy policy, and the designation of a chief privacy officer will not apply to personal information that is processed by a personal information manager to operate a group or association for friendship, such as an alumni association and a hobby club.

_____________________________________________________________________

Personal Data

What is personal data?

Under the PIPA, “personal information” is broadly defined as information pertaining to a living individual which identifies a specific person by name, address, image or similar identifier.

It includes information that does not, by itself, make it possible to identify a specific person, but that enables such a person to be identified easily when combined with other information. Whether a piece of information can be easily combined with other information must be determined by reasonably considering the time, cost, and technology needed to identify the data subject, including to obtain the other information that must be combined in order to identify the individual.

The PIPA defines “pseudonymized information” as a subset of personal information. Pseudonymized information is personal information which has been partially deleted or partially/wholly substituted so that the information can no longer identify an individual without utilization of, or combination with, additional information to restore the information to its original state.

Is information about legal entities personal data?

Information about a corporate entity is not considered to be personal information. However, information regarding employees of a corporate entity is considered to be personal information.

What are the rules for processing personal data?

The PIPA contains eight Personal Information Protection Principles. They require personal information to be collected for specific and lawful purposes and not used for further incompatible purposes. The principles also require personal information managers to ensure personal information is accurate and held securely, to publicise their privacy policy and to make personal information anonymous wherever possible.

The PIPA contains separate rules for the initial collection and use of personal information and any subsequent use for new purposes or new transfers to third parties. 

A personal information manager may initially collect and use personal information: (i) with the consent of a data subject; (ii) where there exist special provisions in an Act or it is inevitable to fulfil an obligation imposed by or under an Act or subordinate statute; (iii) where it is inevitable for a public institution to perform its affairs provided for in an Act or subordinate statute; (iv) where it is necessary to perform an agreement entered into with a data subject or to take measures as requested by a data subject in the course of performing such agreement; (v) where it is clearly necessary for the physical safety and property interests of a data subject or a third person; (vi) where it is necessary for the personal information manager’s legitimate interests and those interests clearly take precedence over the rights of the data subject (this condition is limited to cases where the information is substantially relevant to the personal information manager’s legitimate interests and a reasonable scope is not exceeded); and (vii) where it is urgently necessary for public health, safety and welfare. The personal information manager must collect the minimum amount of personal information necessary and may not refuse to provide goods or services on the ground that the data subject declines to supply personal information beyond that minimum.

A personal information manager may use personal information for a new purpose or provide personal information to a new third person if doing so does not infringe the interests of a data subject or a third person and one of the following conditions is satisfied. The conditions for further processing are: (i) the data subject consents; (ii) special provisions exist in any other Act; (iii) it is obviously necessary for the physical safety and property interests of a data subject or a third person; or (iv) it is urgently necessary for public health, safety and welfare. Additional conditions apply where the processing is by a public agency.

Furthermore, even without obtaining additional consent from the data subject, a personal information manager may use, or provide personal information in its possession to a third party, within the scope reasonably related to the original purpose of collection and use, considering the following conditions prescribed in the Enforcement Decree to the PIPA: (i) whether the additional use or provision is related to the original purpose; (ii) whether the data subject may expect the additional use or provision in the light of the background of collection of personal information or the practice of processing personal information; (iii) whether the additional use or provision unjustifiably infringes upon the data subject’s interest; and (iv) whether there are measures to secure the personal information (such as pseudonymization and encryption).

The PIPA also allows a personal information manager to process pseudonymized information for such purposes as statistical analysis, scientific research and preservation of public records, without the data subject's consent, provided that where such pseudonymized information is provided to a third party without the data subject's consent, such pseudonymized information cannot be provided together with information that can be used to identify a specific living individual.

The PIPA also has specific rules applicable to business transfers and other corporate transactions.

Are there any formalities to obtain consent to process personal data?

In general, consent can be obtained by means other than writing, such as telephone, internet click-through or email. However, certain laws such as the Credit Information Act limit methods of consent. 

When obtaining consent, the personal information manager must first notify the data subject of certain information about the processing of their personal information. For instance, where a personal information manager intends to provide a data subject’s personal information to a third party, the personal information manager must notify the data subject of: (i) the person receiving the personal information; (ii) the purpose of processing the personal information; (iii) the items of personal information provided; (iv) the retention period; and (v) the fact that the data subject may refuse to give consent, and the consequences of refusal.

Are there any special rules when processing personal data about children?

If the data subject is under the age of 14, the consents required under PIPA for processing the data subject’s personal information must be obtained from his/her legal guardian. However, in such a case, the minimal amount of information needed to obtain consent from the data subject’s legal guardian can be directly collected from the data subject without the legal guardian’s consent. In addition, personal information managers must use easy-to-understand forms and languages when notifying children under the age of 14 of matters related to personal information processing.

Are there any special rules when processing personal data about employees?

There are no special rules pertaining to the processing of personal data about employees. There are some provisions in the labour laws that are relevant to the processing of employee data, such as statutory bases for processing resident registration numbers and other specific types of personal data, and a requirement to retain certain data for three years after the employee stops working for the company.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal information is defined as information on beliefs, joining or withdrawal from a labour union or political party, political opinions, health, sexual life, and other personal information prescribed by Presidential Decree which could substantially infringe on the privacy of a data subject.

The PIPA also contains specific rules on the processing of national identification numbers and the use of CCTV.

Are there additional rules for processing sensitive personal data?

There is a general prohibition on the processing of sensitive personal information. However, it can be processed: (i) to the extent a law requires it or permits it; or (ii) if separate consent has been obtained from the data subject.

Are there additional rules for processing information about criminal offences?

The Presidential Decree of PIPA prescribes that information pertaining to criminal history records under the Act on the Lapse of Criminal Sentences (“Criminal Information”) is a type of sensitive personal information under the PIPA. Therefore, the rules for processing sensitive personal data apply to the processing of Criminal Information.

Are there any formalities to obtain consent to process sensitive personal data?

Separate consent must be obtained to process sensitive personal information.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

All personal information managers must appoint a chief privacy officer. Personal information managers below certain thresholds (concerning the number of employees, the volume of sales and other criteria) are exempt from designating a separate officer; in that case the business owner or representative of the personal information manager is deemed to be the chief privacy officer.

What are the duties of a data protection officer?

The chief privacy officer has extensive statutory duties. He/she must: (i) establish and implement a personal information protection plan; (ii) regularly survey personal information processing and make improvements; (iii) process complaints and implement relief relating to personal information processing; (iv) establish internal control systems for preventing leakage, abuse, misuse of personal information; (v) establish and implement training on personal information protection; (vi) supervise, manage and protect personal information files; and (vii) undertake such other matters as prescribed by Presidential Decree.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

A personal information manager must issue a privacy policy containing details of: (i) the purpose of collection; (ii) the retention period; (iii) any provision of personal information to third parties (if any); (iv) any use of data consignees (if any); (v) the rights of data subjects; (vi) the name of the chief privacy officer or the department which handles complaints related to personal information, and contact information such as a telephone number; (vii) matters related to the operation of mechanisms for automatically collecting personal information, such as cookies, and methods for disabling such mechanisms (if any); and (viii) other matters specified by Presidential Decree. The PIPA also requires the establishment of an internal management plan which sets forth the required managerial, technical and physical measures which a personal information manager must undertake to safeguard the personal information.

A personal information manager should regularly provide training to its employees and data consignees who process the personal information on behalf of the personal information manager to guarantee the appropriate handling of the personal information.

Are privacy impact assessments mandatory?

The head of a public agency must conduct an assessment to analyse privacy risk factors (a “Privacy Impact Assessment”) and submit the results to the PIPC where the operation of personal information files that meet the criteria prescribed by the Presidential Decree of the PIPA is likely to infringe data subjects’ personal information.

This obligation only applies to public agencies and not private sector companies.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

The personal information manager must issue a privacy policy, as set out above.

The personal information manager must also provide certain information before obtaining consent, as set out above.

Rights to access information

The data subject may request that he or she review or copy the personal information held by the personal information manager.

Rights to data portability

A recent amendment to the PIPA introduced the data subject’s right to data portability, though its enforcement date has not yet been determined. A data subject may request a personal information manager that satisfies the criteria prescribed by Presidential Decree to transfer the personal information to the data subject or to certain third parties, such as institutions specialising in managing personal information. Upon receipt of such a request, the personal information manager must transmit the relevant information in a form that can be processed by an information processing device (e.g. a computer), to the extent reasonable in consideration of time, expense and technology.

Right to be forgotten

A data subject who has reviewed his or her personal information held by the personal information manager may request that the personal information be corrected or deleted. However, there are certain instances which limit such rights, such as when retention of the personal information is required by law.

Objection to direct marketing

To conduct direct marketing, explicit consent must be obtained from the data subject, and the data subject may revoke his or her consent at any time.

Other rights

A data subject may request that his or her personal information be no longer processed and in such case, the personal information manager must cease to process his or her personal information.

The PIPA contains new rules on automated decision making. In particular, a data subject may request an explanation from the personal information manager with respect to decisions made by processing personal information through a fully automated system, including systems using artificial intelligence, and if such decisions materially affect the data subject’s rights or obligations, the data subject has the right to refuse such decisions. If a data subject refuses an automated decision or requests an explanation, then, unless there is a justifiable reason to the contrary, the personal information manager must not apply the automated decision or must take necessary measures, such as notifying and explaining the result after re-processing with human intervention. The foregoing does not apply where the automated decision was made with the consent of the data subject, where there is a special provision in the law or it is inevitable to comply with statutory obligations, or where it is necessary to perform an agreement entered into with the data subject or to take measures requested by the data subject in the course of performing such agreement.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

The personal information manager must implement technical, managerial and physical measures to ensure data security.

These measures include establishing an internal management plan to prevent the loss, theft, leakage and falsification of personal information; restricting and controlling access; storing access records; applying encryption technology; installing and updating security programs; and other measures required by Presidential Decree. The PIPC’s notification on safety measures sets out the details of the required security measures.

Specific rules governing processing by third party agents (processors)

In cases where a personal information manager delegates personal information processing to a third party data consignee, such delegation must be documented in writing. The delegated work scope and the data consignee’s name must be disclosed in such a way that data subjects can easily access and review this information. 

The personal information manager must also supervise and train the data consignee so as to prevent the loss, theft, leakage, falsification and damage of personal information, as required by Presidential Decree. Should the data consignee use personal information to promote or sell goods or services, the delegated work scope must be clearly communicated to the data subject. For the purpose of liability for damages arising from the data consignee’s violation of the law, the data consignee is treated as an employee of the personal information manager.

Notice of breach laws

In the event of the loss, theft or leakage of personal information (“leakage etc.”), the fact of such leakage etc. must be communicated to the affected data subjects within 72 hours of the personal information manager becoming aware of it. The leakage etc. must also be reported to the PIPC or the Korea Internet & Security Agency (“KISA”) within the same 72 hours if (i) 1,000 or more data subjects are involved; (ii) sensitive information or unique identification information has been leaked; or (iii) the leakage etc. has occurred due to illegal external access to personal information processing systems or devices used for personal information processing.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

The PIPA prohibits any transfer of personal information overseas by a personal information manager unless one of the following applies: (i) separate consent to the overseas transfer has been obtained from the data subject; (ii) there exist special provisions in a statute, a treaty or another international convention to which the Republic of Korea is a party; (iii) it is necessary to delegate the processing of, or to retain, personal information in order to execute and perform a contract with the data subject, and the matters that would have to be notified to the data subject when obtaining consent to the overseas transfer have been notified to the data subject or disclosed in the personal information manager’s privacy policy; (iv) the recipient of the personal information has obtained a certification determined and publicly notified by the PIPC and has implemented certain measures to protect the personal information; or (v) the PIPC has recognised that the country or international organisation to which the personal information is transferred has a personal information protection system that is substantially equivalent to the level of protection under the PIPA. The personal information manager must also take certain technical, managerial and physical protection measures.

Notification and approval of national regulator (including notification of use of Model Contracts)

There are no separate notification or approval procedures. However, for personal credit information processed by financial institutions, prior approval by a relevant authority may be necessary in certain instances.

Use of binding corporate rules

Binding corporate rules have not been recognised by Korean regulators as a sufficient basis for transferring personal information abroad.

_____________________________________________________________________

Enforcement

Fines

The sanctions for a particular breach of the PIPA will depend on the type and seriousness of the violation and include criminal fines, surcharges and penalties. For example, breach of the rules on the use of sensitive personal information can lead to a criminal fine of up to 50 million won (approximately EUR 35,000).

Recent amendments added grounds for imposing administrative fines and improved the standards for calculating them. The main grounds for imposing administrative fines are as follows: (i) collecting, using, or providing to a third party personal data without legitimate grounds; (ii) processing sensitive information, unique identification information or resident registration numbers without legitimate grounds; (iii) neglecting to manage, supervise or train a data consignee, with the result that the data consignee violates the provisions of the PIPA; (iv) overseas transfer of personal data without legitimate grounds; and (v) loss, theft, leakage, forgery, modification or damage of personal data (except where all necessary measures to ensure the safety of the personal data have been taken).

In such a case, the PIPC may impose an administrative fine not exceeding 3% of the total revenue of the relevant personal information manager. Revenue unrelated to the violation is excluded from the total revenue for calculation purposes.

Imprisonment

The sanctions for a particular breach of the PIPA will depend on the type and seriousness of the violation and include imprisonment. For example, breach of the rules on the use of sensitive personal information can lead to imprisonment of up to five years or a criminal fine of up to KRW 50 million (approximately EUR 35,000).

Also, no person may process pseudonymized information in order to identify a specific living individual, and violators may be subject to criminal penalties of up to 5 years’ imprisonment or a criminal fine of up to KRW 50 million (approximately EUR 35,000), as well as a surcharge.

Compensation

A data subject who suffers psychological or economic loss may commence a civil action by filing a claim for compensation against the personal information manager. The personal information manager will be liable in such cases unless it can prove that there was no wilful conduct or negligence on its part.

The PIPA provides statutory damages and treble damages. For the former, the PIPA provides that if the personal information manager cannot refute that their wilful misconduct or negligence caused the loss, theft, leakage, forgery, modification or damage of personal information, data subjects may claim up to KRW 3 million (approximately EUR 2,100) in damages without having to prove the actual damages amount. For treble damages, if the personal information manager cannot refute that the same loss, theft, leakage, etc. of personal information was caused by their wilful misconduct or gross negligence, a court may award damages up to three times the amount of actual damages after conducting an analysis of the totality of the circumstances.

To facilitate quicker resolution, alternative dispute resolution (personal information dispute mediation) and collective action options are available. However, collective actions are limited to obtaining injunctions against a personal information manager who violates the law and cannot be used for compensatory purposes.

Other powers

Corrective orders can also be issued, such as an injunction, suspension or protective measures. The PIPC may, upon finding a significant violation of law with respect to protection of personal information, recommend to the head of an authority or agency that the responsible person be reprimanded.

Practice

Fines: The Korean data protection authorities actively enforce the data protection regulations. The authorities conduct audits (including on-site investigations) of companies, on a both periodic and ad hoc basis, and impose administrative fines or surcharges upon discovering violations. The specific assessment standards for administrative fines and surcharges are set forth in the Enforcement Decree of PIPA.

Other enforcement action: There is a range of enforcement activity. Major issues typically involve failing to obtain consent, security and delegation of personal information processing.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

Cookies and the processing of personal information for direct marketing are governed by the PIPA. The specific rules on sending commercial electronic messages and making marketing telephone calls summarised below are set out in the Act on Promotion of Information and Communications Network Utilization and Information Protection (the “Network Act”).

Additional ePrivacy matters are set out in the Protection of Use of Location Information Act, the Communications Secrecy Protection Act and the Act on Promotion of Cloud Computing and Protection of Users.

_____________________________________________________________________

Cookies

Conditions for use of cookies

Under the PIPA, in principle, consent must be obtained if the cookie contains personal information.

A personal information manager must disclose its privacy policy with respect to its configuration and management of internet access information files and other devices which automatically collect personal information.

Regulatory guidance on the use of cookies

None.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

Explicit consent should be obtained from data subjects prior to sending e-mails or other electronic messages for marketing purposes. Commercial information may, however, be sent without consent by electronic message to addresses obtained from a prior sale of goods or services within 6 months of the sale.

Conditions for direct marketing by e-mail to corporate subscribers

The same rules above apply to corporate subscribers.

Exemptions and other issues

In order to send commercial information by e-mail: (i) the title of the e-mail message must start with the header “(광고)” (“Gwango”, which means “advertisement” in Korean); and (ii) the contents of the e-mail message must include the sender’s name, e-mail address, telephone number and address, as well as instructions on how recipients can easily express their intent to refuse receipt of commercial information by e-mail. Additionally, the sender must take technical measures to enable recipients to easily select the option of refusing receipt of commercial information by e-mail.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Explicit consent is needed to send commercial information to a person by telephone. However, if the telephone number was obtained from a prior sale of goods or services, then commercial information may be sent within 6 months from the sale without consent.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

The same rules above apply to corporate subscribers.

Exemptions and other issues

The Korea Fair Trade Commission has established a “do-not-call” registry under the Door-to-Door Sales Act to protect consumers from illicit telephone marketing practices. A telephone marketer must confirm whether a consumer has listed his or her telephone number with the “do-not-call” registry and may not call consumers whose numbers are listed in the registry. However, due to the public’s unfamiliarity with the registry and aversion toward registering telephone numbers, the “do-not-call” registry is not popular among consumers. Data subjects’ consent to receive direct marketing by telephone must be reconfirmed at least every two years from the date of the initial consent.

_____________________________________________________________________