Data Protected - Republic of Korea
Last updated August 2022
General | Data Protection Laws
National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement
ePrivacy | Marketing and cookies
National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone
_____________________________________________________________________
General | Data Protection Laws
____________________________________________________________
National Legislation
General data protection laws
The Personal Information Protection Act (“PIPA”).
The Credit Information Use and Protection Act (the “Credit Information Act”) also contains provisions relevant to the processing of personal information.
This summary is mainly based on the PIPA requirements. Some aspects of the other applicable laws are also set out below, though they are not generally described in this summary.
Entry into force
The PIPA entered into force on 30 September 2011, and the most recent amendments to the PIPA took effect on 5 August 2020.
_____________________________________________________________________
National Supervisory Authority
Details of the competent national supervisory authority
The Personal Information Protection Commission (“PIPC”)
209 Sejongdae-ro Jongno-gu
Seoul
Korea 03171
www.pipc.go.kr
Notification or registration scheme and timing
Public agencies that manage personal information files must notify the PIPC of a range of information, including the name of the file, its legal basis and purpose, and the retention period. The PIPC must disclose the registration status to the public. There are no registration fees.
This notification obligation only applies to public agencies and not private sector companies.
Exemptions to notification
Public agencies are not obliged to notify personal information files dealing with matters such as national security, crime investigation, tax evasion or internal work processing.
_____________________________________________________________________
Scope of Application
What is the territorial scope of application?
The PIPA does not clearly address extra-territoriality. However, there is a consensus that it applies to both Korean companies and companies established abroad that process personal information in Korea.
Is there a concept of a controller and a processor?
The PIPA uses the term “personal information managers” to mean a public institution, corporate body, organisation or individual who manages personal information directly or via another person.
The PIPA also has the concept of a “data consignee”, who is a person who is delegated with the responsibility to process personal information, and is only responsible for compliance with more limited aspects of the PIPA.
Are both manual and electronic records subject to data protection legislation?
Yes. Both manual and electronic records are subject to the data protection laws.
Are there any national derogations?
Most of the requirements under the PIPA do not apply to the following types of personal information: (i) personal information collected pursuant to the Statistics Act for processing by public institutions; (ii) personal information collected or requested to be provided for the analysis of information related to national security; (iii) personal information processed temporarily where it is urgently necessary for public safety and security, public health, etc.; and (iv) personal information collected or used for its own purposes of reporting by the press, missionary activities by religious organisations, and nomination of candidates by political parties, respectively.
In addition, the PIPA’s requirements on the collection and use of personal information, the establishment of a privacy policy, and the designation of a chief privacy officer will not apply to personal information that is processed by a personal information manager to operate a group or association for friendship, such as an alumni association and a hobby club.
_____________________________________________________________________
Personal Data
What is personal data?
Under the PIPA, “personal information” is broadly defined as information pertaining to a living individual which identifies a specific person by name, address, image or similar identifier.
It includes information that does not, by itself, make it possible to identify a specific person, but that enables such a person to be identified easily when combined with other information. Whether a piece of information can be easily combined with other information must be determined by reasonably considering the time, cost, and technology needed to identify the data subject, including to obtain the other information that must be combined in order to identify the individual.
The PIPA defines “pseudonymized information” as a subset of personal information. Pseudonymized information is personal information which has been partially deleted or partially/wholly substituted so that the information can no longer identify an individual without utilization of, or combination with, additional information to restore the information to its original state.
Is information about legal entities personal data?
Information about a corporate entity is not considered to be personal information. However, information regarding employees of a corporate entity is considered to be personal information.
What are the rules for processing personal data?
The PIPA contains eight Personal Information Protection Principles. They require personal information to be collected for specific and lawful purposes and not used for further incompatible purposes. The principles also require personal information managers to ensure personal information is accurate and held securely, to publicise their privacy policy and to make personal information anonymous wherever possible.
The PIPA contains separate rules for the initial collection and use of personal information and any subsequent use for new purposes or new transfers to third parties.
A personal information manager may initially collect and use personal information: (i) with the consent of a data subject; (ii) where there exist special provisions in an Act or it is inevitable to fulfil an obligation imposed by or under an Act or subordinate statute; (iii) where it is inevitable for a public institution to perform its affairs provided for in an Act or subordinate statute; (iv) where it is necessary for entering into and performing a contract with a data subject; (v) where it is necessary for physical safety and property interests of a data subject or a third person and it is not possible to obtain consent; and (vi) where it is necessary for the personal information manager’s legitimate interests and takes precedence over the rights of a data subject (though this condition is limited to cases where the information is substantially relevant to a personal information manager’s legitimate interests and reasonable scope is not exceeded). The personal information manager must collect the minimum amount of personal information necessary and cannot refuse to provide goods or services where additional personal information is not supplied.
A personal information manager may use personal information for a new purpose or provide personal information to a new third person if doing so does not infringe the interests of a data subject or a third person and one of the following conditions is satisfied. The conditions for further processing are: (i) the data subject consents; (ii) special provisions exist in any other Act; or (iii) where it is obviously necessary for the physical safety and property interests of a data subject or a third person and it is not possible to obtain consent. Additional conditions apply where the processing is by a public agency.
Furthermore, even without obtaining additional consent from the data subject, a personal information manager may use, or provide personal information in its possession to a third party, within the scope reasonably related to the original purpose of collection and use, considering the following conditions prescribed in the Enforcement Decree to the PIPA: (i) whether the additional use or provision is related to the original purpose; (ii) whether the data subject may expect the additional use or provision in the light of the background of collection of personal information or the practice of processing personal information; (iii) whether the additional use or provision unjustifiably infringes upon the data subject’s interest; and (iv) whether there are measures to secure the personal information (such as pseudonymization and encryption).
The PIPA also allows a personal information manager to process pseudonymized information for such purposes as statistical analysis, scientific research and preservation of public records, without the data subject's consent, provided that where such pseudonymized information is provided to a third party without the data subject's consent, such pseudonymized information cannot be provided together with information that can be used to identify a specific living individual.
The PIPA also has specific rules applicable to business transfers and other corporate transactions.
Are there any formalities to obtain consent to process personal data?
In general, consent can be obtained by means other than writing, such as telephone, internet click-through or email. However, certain laws such as the Credit Information Act limit methods of consent.
When obtaining consent, the personal information manager must first notify the data subject of certain information about the processing of their personal information. For instance, where a personal information manager intends to provide a data subject’s personal information to a third party, the personal information manager must notify the data subject of: (i) the person receiving the personal information; (ii) the purpose of processing the personal information; (iii) the items of personal information provided; (iv) the retention period; and (v) the fact that the data subject may refuse to give consent, and the consequences of refusal.
Are there any special rules when processing personal data about children?
If the data subject is under the age of 14, the consents required under PIPA for processing the data subject’s personal information must be obtained from his/her legal guardian. However, in such a case, the minimal amount of information needed to obtain consent from the data subject’s legal guardian can be directly collected from the data subject without the legal guardian’s consent.
Are there any special rules when processing personal data about employees?
There are no special rules pertaining to the processing of personal data about employees. There are some provisions in the labour laws that are relevant to the processing of employee data, such as statutory bases for processing resident registration numbers and other specific types of personal data, and a requirement to retain certain data for three years after the employee stops working for the company.
_____________________________________________________________________
Sensitive Personal Data
What is sensitive personal data?
Sensitive personal information is defined as the beliefs, joining or withdrawal from a labour union or political party, political opinions, health, sexual life and other personal information prescribed by Presidential Decree which could substantially infringe on the privacy of a data subject.
The PIPA also contains specific rules on the processing of national identification numbers and the use of CCTV.
Are there additional rules for processing sensitive personal data?
There is a general prohibition on the processing of sensitive personal information. However, it can be processed: (i) to the extent a law requires it or permits it; or (ii) if separate consent has been obtained from the data subject.
Are there additional rules for processing information about criminal offences?
The Presidential Decree of PIPA prescribes that information pertaining to criminal history records under the Act on the Lapse of Criminal Sentences (“Criminal Information”) is a type of sensitive personal information under the PIPA. Therefore, the rules for processing sensitive personal data apply to the processing of Criminal Information.
Are there any formalities to obtain consent to process sensitive personal data?
Separate consent must be obtained to process sensitive personal information.
_____________________________________________________________________
Data Protection Officers
When must a data protection officer be appointed?
All personal information managers must appoint a chief privacy officer.
What are the duties of a data protection officer?
The chief privacy officer has extensive statutory duties. He/she must: (i) establish and implement a personal information protection plan; (ii) regularly survey personal information processing and make improvements; (iii) process complaints and implement relief relating to personal information processing; (iv) establish internal control systems for preventing the leakage, abuse and misuse of personal information; (v) establish and implement training on personal information protection; (vi) supervise, manage and protect personal information files; and (vii) undertake such other matters as prescribed by Presidential Decree.
_____________________________________________________________________
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
A personal information manager must issue a privacy policy containing details of: (i) the purpose of collection; (ii) the retention period; (iii) any provision of personal information to third parties (if any); (iv) any use of data consignees (if any); (v) the rights of data subjects; (vi) the name of the chief privacy officer or the department which handles complaints related to personal information, and contact information such as a telephone number; (vii) matters related to the operation of any mechanism for automatically collecting personal information, such as cookies, and the methods for disabling such a mechanism (if any); and (viii) other matters specified by Presidential Decree. The PIPA also requires the establishment of an internal management plan which sets forth the required managerial, technical and physical measures which a personal information manager must undertake to safeguard the personal information.
A personal information manager should regularly provide training to its employees and data consignees who process the personal information on behalf of the personal information manager to guarantee the appropriate handling of the personal information.
Are privacy impact assessments mandatory?
The head of public agencies must conduct an assessment to analyse privacy risk factors (“Privacy Impact Assessment”) and submit the results to the PIPC in the case of a probable breach of data subjects’ personal information arising out of the operation of personal information files, which meet the criteria prescribed by the Presidential Decree of the PIPA.
This obligation only applies to public agencies and not private sector companies.
_____________________________________________________________________
Rights of Data Subjects
Privacy notices
The personal information manager must issue a privacy policy, as set out above.
The personal information manager must also provide certain information before obtaining consent, as set out above.
Rights to access information
The data subject may request that he or she review or copy the personal information held by the personal information manager.
Rights to data portability
There is no right to data portability in the PIPA. However, according to the Credit Information Act, a data subject has the right of data portability with respect to their personal credit information, in that they can demand credit information providers/users (e.g., financial companies) to transfer their personal credit information to certain third parties, such as credit rating agencies or credit information providers/users specified in the Presidential Decree.
Right to be forgotten
A data subject who has reviewed his or her personal information held by the personal information manager may request that his or her personal information be corrected or deleted. However, there are certain instances which limit such rights, such as when retention of personal information is required by law.
Objection to direct marketing
To conduct direct marketing, explicit consent must be obtained from the data subject and the data subject may revoke his consent at any time.
Other rights
A data subject may request that his or her personal information be no longer processed and in such case, the personal information manager must cease to process his or her personal information.
_____________________________________________________________________
Security
Security requirements in order to protect personal data
The personal information manager must implement technical, managerial and physical measures to ensure data security.
This may include establishing an internal management plan to prevent the loss, theft, leakage and falsification of personal information. It may also include implementing access limitations and controls, storing access records, applying encryption technology, installing and renewing security programs, and other measures required by Presidential Decree. The PIPC’s notification also contains details of the required security measures.
Specific rules governing processing by third party agents (processors)
In cases where a personal information manager delegates personal information processing to a third party data consignee, such delegation must be documented in writing. The delegated work scope and the data consignee’s name must be disclosed in such a way that data subjects can easily access and review this information.
The personal information manager must also supervise and train the data consignee in such a way as to prevent the loss, theft, leakage, falsification and damage of personal information as required by Presidential Decree. Should the data consignee use personal information to promote or sell goods or services, the delegated work scope must be clearly communicated to the data subject. If the data consignee violates the law and this leads to liability, then the data consignee is treated as an employee of the personal information manager.
Notice of breach laws
In the event of a personal information leakage, the fact of such leakage must be communicated to the data subjects immediately. Should more than 1,000 data subjects be involved, the leakage incident must also be reported to the PIPC or the Korea Internet & Security Agency (“KISA”) immediately. For information and communications service providers, any personal information leakage (even one involving a single user) must be reported to the PIPC or KISA within 24 hours.
_____________________________________________________________________
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
The PIPA requires that any transfer of personal information abroad by an information communications service provider must be preceded by not only consent but also certain technical, managerial and physical protection measures.
Notification and approval of national regulator (including notification of use of Model Contracts)
There are no separate notification or approval procedures. However, for personal credit information processed by financial institutions, prior approval by a relevant authority may be necessary in certain instances.
Use of binding corporate rules
Binding corporate rules have not been recognised by Korean regulators as a sufficient basis for transferring personal information abroad.
_____________________________________________________________________
Enforcement
Fines
The sanctions for a particular breach of the PIPA will depend on the type and seriousness of the violation and include criminal fines, surcharges and penalties. For example, breach of the rules on the use of sensitive personal information can lead to a criminal fine of up to 50 million won (approximately EUR 38,000). Breach of the rules on the initial collection of personal information can lead to a fine of up to 50 million won (approximately EUR 38,000) but not imprisonment. In addition, if resident registration numbers processed by the personal information manager are lost, stolen, leaked, fabricated, altered or damaged, the personal information manager may be subject to a surcharge of up to KRW 500 million (approximately EUR 380,000).
Also, no person may process pseudonymized information in order to identify a specific living individual, and violators may be subject to a surcharge of up to 3% of the violator’s total turnover.
Imprisonment
The sanctions for a particular breach of the PIPA will depend on the type and seriousness of the violation and include imprisonment. For example, breach of the rules on the use of sensitive personal information can lead to imprisonment of up to five years and a fine.
Also, no person may process pseudonymized information in order to identify a specific living individual, and violators may be subject to criminal penalties of up to 5 years’ imprisonment or a criminal fine of up to KRW 50 million, as well as a surcharge.
Compensation
A data subject suffering from psychological or economic loss may commence a civil action by filing a claim for compensation from the personal information manager. The personal information manager will be liable in such cases unless he or she can prove that there was no wilful conduct or negligence on his or her part.
The PIPA provides statutory damages and treble damages. For the former, the PIPA provides that if the personal information manager cannot refute that their wilful misconduct or negligence caused the loss, theft, leakage, forgery, modification or damage of personal information, data subjects may claim up to KRW 3 million (approximately EUR 2,300) in damages without having to prove the actual damages amount. For treble damages, if the personal information manager cannot refute that the same loss, theft, leakage, etc. of personal information was caused by their wilful misconduct or gross negligence, a court may award damages up to three times the amount of actual damages after conducting an analysis of the totality of the circumstances.
To facilitate quicker resolution, alternative dispute resolution (personal information dispute mediation) and collective action options are available. However, collective actions are limited to obtaining injunctions against a personal information manager who violates the law and cannot be used for compensatory purposes.
Other powers
Corrective orders can also be issued, such as an injunction, suspension or protective measures. The PIPC may, upon finding a significant violation of law with respect to protection of personal information, recommend to the head of an authority or agency that the responsible person be reprimanded.
Practice
Fines: The Korean data protection authorities actively enforce the data protection regulations. The authorities conduct audits (including on-site investigations) of companies, on both a periodic and an ad hoc basis, and impose administrative fines or surcharges upon discovering violations. The specific assessment standards for administrative fines and surcharges are set forth in the Enforcement Decree of the PIPA.
Other enforcement action: There is a range of enforcement activity. Major issues typically involve failing to obtain consent, security and delegation of personal information processing.
_____________________________________________________________________
ePrivacy | Marketing and cookies
_____________________________________________________________
National Legislation
ePrivacy laws
Cookies and direct marketing are governed by the PIPA.
Additional ePrivacy matters are set out in the Protection of Use of Location Information Act, the Communications Secrecy Protection Act and the Act on Promotion of Cloud Computing and Protection of Users.
_____________________________________________________________________
Cookies
Conditions for use of cookies
Under the PIPA, in principle, consent must be obtained if the cookie contains personal information.
A personal information manager must disclose its privacy policy with respect to its configuration and management of internet access information files and other devices which automatically collect personal information.
Regulatory guidance on the use of cookies
None.
_____________________________________________________________________
Marketing by E-mail
Conditions for direct marketing by e-mail to individual subscribers
Explicit consent should be obtained from data subjects prior to sending e-mails or other electronic messages for marketing purposes. Commercial information may, however, be sent without consent by electronic message to addresses obtained from a prior sale of goods or services within 6 months of the sale.
Conditions for direct marketing by e-mail to corporate subscribers
The same rules above apply to corporate subscribers.
Exemptions and other issues
In order to send commercial information by e-mail: (i) the title of the e-mail message must start with the header “Gwango” (which means “advertisement” in Korean); and (ii) the contents of the e-mail message must include the sender’s name, e-mail address, telephone number and address, as well as instructions on how recipients can easily express their intent to refuse receipt of commercial information by e-mail. Additionally, the sender must take technical measures to enable recipients to easily select the option of refusing receipt of commercial information by e-mail.
_____________________________________________________________________
Marketing by Telephone
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
Explicit consent is needed to send commercial information to a person by telephone. However, if the telephone number was obtained from a prior sale of goods or services, then commercial information may be sent within 6 months from the sale without consent.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
The same rules above apply to corporate subscribers.
Exemptions and other issues
The Korea Fair Trade Commission has established a “do-not-call” registry under the Door-to-Door Sales Act to protect consumers from illicit telephone marketing practices. A telephone marketer must confirm whether a consumer has listed its telephone number with the “do-not-call” registry and may not call consumers with numbers listed in the registry. However, due to the public’s unfamiliarity with the registry and aversion toward registering telephone numbers, the “do-not-call” registry is not popular among consumers. Data subjects’ consent to receive direct marketing by telephone should be reconfirmed at least every two years from the date of the initial consent.
_____________________________________________________________________