Data Protected - Republic of Korea

Contributed by Kim & Chang

Last updated December 2017

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

The Personal Information Protection Act (“PIPA”).

The Act on Promotion of Information and Communications Network Utilization (the “Network Act”) and the Credit Information Act also contain provisions relevant to the processing of personal information. Some aspects of these laws have been set out below though they are not generally described in this summary.

Entry into force

The PIPA entered into force on 30 September 2011 and was most recently amended on 26 July 2017.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

The Personal Information Protection Commission (“PIPC”)
209 Sejongdae-ro Jongno-gu
Seoul
Korea 03171

www.pipc.go.kr

The Ministry of the Interior and Safety (“MOIS”)
209 Sejongdae-ro Jongno-gu
Seoul
Korea 03171

www.mois.go.kr

Notification or registration scheme and timing

Public agencies that manage personal information files must notify the MOIS Minister of a range of information including the name of the file, its legal basis and purpose and the retention period. The MOIS Minister must disclose the registration status to the public. There are no registration fees.

This notification obligation only applies to public agencies and not private sector companies.

Exemptions to notification

Public agencies are not obliged to notify personal information files dealing with matters such as national security, crime investigation, tax evasion or internal work processing.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The PIPA does not clearly address extra-territoriality. However, there is a consensus that it applies to both Korean companies and companies established abroad that process personal information in Korea.

Is there a concept of a controller and a processor?

The PIPA uses the term “personal information managers” to mean a public institution, corporate body, organisation or individual who manages personal information directly or via another person.

The PIPA also has the concept of a “data consignee”, who is a person who is delegated with the responsibility to process personal information, and is only responsible for compliance with more limited aspects of the PIPA.

Are both manual and electronic records subject to data protection legislation?

Yes. Both manual and electronic records are subject to the data protection laws.

Are there any national derogations?

Most of the requirements under PIPA do not apply for the following types of personal information: (i) personal information collected pursuant to the Statistics Act for processing by public institutions; (ii) personal information collected or requested to be provided for the analysis of information related to national security; (iii) personal information processed temporarily where it is urgently necessary for public safety and security, public health, etc.; and (iv) personal information collected or used for its own purposes of reporting by the press, missionary activities by religious organisations, and nomination of candidates by political parties, respectively.

In addition, the PIPA’s requirements on the collection and use of personal information, the establishment of a privacy policy, and the designation of a chief privacy officer will not apply to personal information that is processed by a personal information manager to operate a group or association for friendship, such as an alumni association and a hobby club.

_____________________________________________________________________

Personal Data

What is personal data?

Under the PIPA, “personal information” is broadly defined as information pertaining to a living individual which identifies a specific person by name, address, image or similar identifier.

It includes information that does not, by itself, make it possible to identify a specific person, but that enables such a person to be identified easily when combined with other information.

Is information about legal entities personal data?

Information about a corporate entity is not considered to be personal information. However, information regarding employees of a corporate entity is considered to be personal information.

What are the rules for processing personal data?

The PIPA contains eight Personal Information Protection Principles. They require personal information to be collected for specific and lawful purposes and not used for further incompatible purposes. The principles also require personal information managers to ensure personal information is accurate and held securely, to publicise their privacy policy and to make personal information anonymous wherever possible.

The PIPA contains separate rules for the initial collection and use of personal information and any subsequent use for new purposes or new transfers to third parties. 

A personal information manager may initially collect and use personal information: (i) with the consent of an information subject; (ii) where there exist special provisions in an Act or it is inevitable to fulfil an obligation imposed by or under an Act or subordinate statute; (iii) where it is inevitable for a public institution to perform its affairs provided for in an Act or subordinate statute; (iv) where it is necessary for entering into and performing a contract with an information subject; (v) where it is necessary for the physical safety and property interests of an information subject or a third person and it is not possible to obtain consent; and (vi) where it is necessary for the personal information manager’s legitimate interests and these take precedence over the rights of an information subject (though this condition is limited to cases where the information is substantially relevant to the personal information manager’s legitimate interests and a reasonable scope is not exceeded). The personal information manager must collect only the minimum amount of personal information necessary and cannot refuse to provide goods or services on the ground that the information subject has not supplied personal information beyond that minimum.

A personal information manager may use personal information for a new purpose or provide it to a new third person only if doing so does not infringe the interests of an information subject or a third person and one of the following conditions is satisfied: (i) the information subject consents; (ii) special provisions exist in any other Act; (iii) it is obviously necessary for the physical safety and property interests of an information subject or a third person and it is not possible to obtain consent; or (iv) the personal information is necessary for the compiling of statistics or for scientific research purposes and is provided in a form by which a specific individual cannot be identified. Additional conditions apply where the processing is by a public agency.

The PIPA also has specific rules applicable to business transfers and other corporate transactions.

Are there any formalities to obtain consent to process personal data?

In general, consent can be obtained by means other than writing, such as telephone, internet click-through or email. However, certain laws such as the Credit Information Act limit methods of consent. 

When obtaining consent, the information subject must be first notified: (i) of the person receiving the personal information; (ii) of the purpose of processing personal information; (iii) of the items of personal information provided; (iv) of the retention period; and (v) that the information subject may refuse to give consent and the consequences of refusal.

Are there any special rules when processing personal data about children?

If the information subject is under the age of 14, the consents required under PIPA for processing the information subject’s personal information must be obtained from his/her legal guardian. However, in such a case, the minimal amount of information needed to obtain consent from the information subject’s legal guardian can be directly collected from the information subject without the legal guardian’s consent.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal information is defined as the beliefs, joining or withdrawal from a labour union or political party, political opinions, health, sexual life and other personal information prescribed by Presidential Decree which could substantially infringe on the privacy of an information subject. 

The PIPA also contains specific rules on the processing of national identification numbers and the use of CCTV.

Are there additional rules for processing sensitive personal data?

There is a general prohibition on the processing of sensitive personal information. However, it can be processed: (i) to the extent a law requires it or permits it; or (ii) if separate consent has been obtained from the data subject.

Are there additional rules for processing information about criminal offences?

The Presidential Decree of PIPA prescribes that information pertaining to criminal history records under the Act on the Lapse of Criminal Sentences (“Criminal Information”) is a type of sensitive personal information under the PIPA. Therefore, the rules for processing sensitive personal data apply to the processing of Criminal Information.

Are there any formalities to obtain consent to process sensitive personal data?

Separate consent must be obtained to process sensitive personal information.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

All personal information managers must appoint a chief privacy officer.

What are the duties of a data protection officer?

The chief privacy officer has extensive statutory duties. He/she must: (i) establish and implement a personal information protection plan; (ii) regularly survey personal information processing and make improvements; (iii) process complaints and implement relief relating to personal information processing; (iv) establish internal control systems for preventing leakage, abuse, misuse of personal information; (v) establish and implement training on personal information protection; (vi) supervise, manage and protect personal information files; and (vii) undertake such other matters as prescribed by Presidential Decree.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

A personal information manager must issue a privacy policy containing details of: (i) the purpose of collection; (ii) the retention period; (iii) any provision of personal information to third parties; (iv) any use of data consignees; (v) the rights of information subjects; and (vi) other matters specified by Presidential Decree. The PIPA also requires the establishment of an internal management plan which sets forth the required managerial, technical and physical measures which a personal information manager must undertake to safeguard the personal information.

A personal information manager should regularly provide training to its employees and data consignees who process the personal information on behalf of the personal information manager to guarantee the appropriate handling of the personal information.

Are privacy impact assessments mandatory?

The head of public agencies must conduct an assessment to analyse privacy risk factors (“Privacy Impact Assessment”) and submit the results to the MOIS Minister in the case of a probable breach of information subjects’ personal information arising out of the operation of personal information files, which meet the criteria prescribed by the Presidential Decree of the PIPA.

This obligation only applies to public agencies and not private sector companies.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

The personal information manager must issue a privacy policy, as set out above.

The personal information manager must also provide certain information before obtaining consent, as set out above.

Rights to access information

The information subject may request that he or she review or copy the personal information held by the personal information manager.

Rights to data portability

There is no right to data portability in Korea.

Right to be forgotten

An information subject who has reviewed his personal information held by the personal information manager may request that his or her personal information be corrected or deleted. However, there are certain instances which limit such rights, such as when retention of personal information is required by law.

Objection to direct marketing and profiling

To conduct direct marketing, explicit consent must be obtained from the information subject and the information subject may revoke his consent at any time.

Other rights

An information subject may request that his or her personal information be no longer processed and in such case, the personal information manager must cease to process his or her personal information.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

The personal information manager must implement technical, managerial and physical measures to ensure data security.

This may include establishing an internal management plan to prevent the loss, theft, leakage and falsification of personal information. It may also include implementing access limitations and controls, storing access records, applying encryption technology, installing and updating security programs, and taking other measures required by Presidential Decree. The MOIS Minister’s notification also contains details of the required security measures.

Specific rules governing processing by third party agents (processors)

In cases where a personal information manager delegates personal information processing to a third party data consignee, such delegation must be documented in writing. The delegated work scope and the data consignee’s name must be disclosed in such a way that information subjects can easily access and review this information. 

The personal information manager must also supervise and train the data consignee in such a way as to prevent the loss, theft, leakage, falsification and damage of personal information as required by Presidential Decree. Should the data consignee use personal information to promote or sell goods or services, the delegated work scope must be clearly communicated to the information subject. If the data consignee violates the law and this leads to liability, then the data consignee is treated as an employee of the personal information manager.

Notice of breach laws

In the event of personal information leakage, the fact of such leakage must be communicated to information subjects immediately. Should there be more than 1,000 information subjects involved, the leakage accident must be reported to MOIS immediately. 

Other laws, such as the Network Act, also contain rules with respect to responding to personal information leakage accidents.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

The PIPA does not separately address the transfer of personal information abroad. However, the transfer of personal information abroad requires consent from the information subject under the provisions requiring consent prior to any transfer of personal information to a third party (see above). 

The Network Act requires that any transfer of personal information abroad must be preceded by not only consent but also certain technical, managerial and physical protection measures.

Notification and approval of national regulator (including notification of use of Model Contracts)

There are no separate notification or approval procedures. However, for personal credit information processed by financial institutions, prior approval by a relevant authority may be necessary in certain instances.

Use of binding corporate rules

Binding corporate rules have not been recognised by Korean regulators as a sufficient basis for transferring personal information abroad.

_____________________________________________________________________

Enforcement

Fines

The sanctions for a particular breach of the PIPA will depend on the type and seriousness of the violation and include criminal fines, surcharges and penalties. For example, breach of the rules on the use of sensitive personal information can lead to a fine of up to 50 million won (approximately EUR 38,000). Breach of the rules on the initial collection and use of personal information can lead to a fine of up to 50 million won (approximately EUR 38,000) but not imprisonment.

Imprisonment

The sanctions for a particular breach of the PIPA will depend on the type and seriousness of the violation and include imprisonment. For example, breach of the rules on the use of sensitive personal information can lead to imprisonment of up to five years and a fine. 

Compensation

An information subject suffering from psychological or economic loss may commence a civil action by filing a claim for compensation from the personal information manager. The personal information manager will be liable in such cases unless he or she can prove that there was no wilful conduct or negligence on his or her part. 

The PIPA was recently amended to provide statutory damages and treble damages. For the former, the PIPA provides that if the personal information manager cannot refute that their wilful misconduct or negligence caused the loss, theft, leakage, forgery, modification or damage of personal information, information subjects may claim up to KRW 3 million (approximately EUR 2,300) in damages without having to prove the actual damages amount. For treble damages, if the personal information manager cannot refute that the same loss, theft, leakage, etc. of personal information was caused by their gross negligence, a court may award damages up to three times the amount of actual damages after conducting an analysis of the totality of the circumstances.

To facilitate quicker resolution, alternative dispute resolution (personal information dispute mediation) and collective action options are available. However, collective actions are limited to obtaining injunctions against a personal information manager who violates the law and cannot be used for compensatory purposes.

Other powers

Corrective orders can also be issued, such as an injunction, suspension or protective measures. The MOIS Minister may, upon finding a significant violation of law with respect to protection of personal information, recommend to the head of an authority or agency that the responsible person be reprimanded.

Practice

There is a range of enforcement activity. Major issues typically involve failing to obtain consent, security and delegation of personal information processing.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

Cookies and direct marketing are governed by the Network Act. The Network Act also applies to online processing of personal information.

Additional ePrivacy matters are set out in the Protection of Use of Location Information Act, the Communications Secrecy Protection Act and the Act on Promotion of Cloud Computing and Protection of Users.

_____________________________________________________________________

Cookies

Conditions for use of cookies

Under the Network Act, in principle, consent must be obtained if the cookie contains personal information.

An information communications service provider must disclose its privacy policy with respect to its configuration and management of internet access information files and other devices which automatically collect personal information.

Regulatory guidance on the use of cookies

None.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

Explicit consent should be obtained from information subjects prior to sending e-mails or other electronic messages for marketing purposes. Commercial information may, however, be sent without consent by electronic message to addresses obtained from a prior sale of goods or services within 6 months of the sale.

Conditions for direct marketing by e-mail to corporate subscribers

The same rules above apply to corporate subscribers.

Exemptions and other issues

In order to send commercial information by e-mail: (i) the title of the e-mail message must start with the header “Gwango” (which means “advertisement” in Korean); and (ii) the contents of the e-mail message must include the sender’s name, e-mail address, telephone number and address, as well as instructions on how recipients can easily express their intent to refuse receipt of commercial information by e-mail. Additionally, the sender must take technical measures to enable recipients to easily select the option of refusing receipt of commercial information by e-mail.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Explicit consent is needed to send commercial information to a person by telephone. However, if the telephone number was obtained from a prior sale of goods or services, then commercial information may be sent within 6 months from the sale without consent.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

The same rules above apply to corporate subscribers.

Exemptions and other issues

The Korea Fair Trade Commission has established a “do-not-call” registry under the Door-to-Door Sales Act to protect consumers from illicit telephone marketing practices. A telephone marketer must confirm whether a consumer has listed its telephone number with the “do-not-call” registry and may not call consumers with numbers listed in the registry. However, due to the public’s unfamiliarity with the registry and aversion toward registering telephone numbers, the “do-not-call” registry is not popular among consumers. Information subjects’ consent to receive direct marketing by telephone should be reconfirmed at least every two years from the date of the initial consent.

_____________________________________________________________________