South Korea - Data Protection Overview

June 2024

1. Governing Texts

Under the Constitution of South Korea (the Constitution), the rights to privacy, the privacy of communications, and freedom of expression are recognized as fundamental rights. In addition, the Constitutional Court of South Korea (Constitutional Court) and the Supreme Court of South Korea (Supreme Court) have established through subsequent court decisions that the right to informational self-determination should be viewed as a separate fundamental right, despite not being stipulated in the Constitution.

The main law and regulations related to data protection are the Personal Information Protection Act of Korea as amended in 2023 (available in English here and available in Korean here) (PIPA) and its implementing regulations, which regulate the collection, usage, disclosure, and other processing of personal data by governmental or private entities as well as individuals. The data protection laws in South Korea provide very prescriptive specific requirements throughout the lifecycle of the handling of personal data. Under these laws, the data subject's consent is almost always required, in principle, to process their personal data.

1.1. Key acts, regulations, directives, bills

Generally speaking, the data protection laws in South Korea provide very prescriptive specific requirements throughout the lifecycle of the handling of personal data, and, due to the requirements of prior notification and opt-in consent and relatively heavy sanctions prescribed by law, they are known as one of the strictest sets of data protection laws in the world. The data protection laws consist of a general law and several special laws pertaining to certain specific industry sectors.

General data protection law

The collection and processing of personal data is governed by the PIPA, the comprehensive general data protection law. PIPA was first enacted in 2011 and has undergone two major amendments in 2020 and 2023. Furthermore, to provide more specific provisions related to the PIPA, the Enforcement Decree of the PIPA has also been enacted and amended (available in English here and available in Korean here) (the PIPA Enforcement Decree).

Special laws

There are special laws regulating the handling of personal data in certain specific industries, most notably, the Use and Protection of Credit Information Act 2009 (available in English here and available in Korean here) (UPCIA).

Meanwhile, the processing of personal data by information and communications service providers and recipients of such information (ICSPs), which was previously governed by the Act on Promotion of Information and Communication Network Utilization and Information Protection 2001 (available in English here and available in Korean here) (ICNA), is now governed by the PIPA.

1.2. Guidelines

Data protection authorities have also issued various guidelines related to the protection of personal data, including:

  • A Guide to the Interpretation of Data Protection Laws and Regulations, issued by the Personal Information Protection Commission (the PIPC) (only available in Korean here) (PIPC Guidelines);
  • A Guide to the PIPA and Amended PIPA Enforcement Decree, issued by the PIPC (only available in Korean here);
  • Guidelines for the Pseudonymization of Personal Data, issued by the PIPC (only available in Korean here);
  • A Handbook on the Pseudonymization and Anonymization of Personal Data in the Financial Sector, issued by the Financial Services Commission (FSC) (only available in Korean here);
  • Biometric Protection Guidelines, issued by the PIPC (only available in Korean here); and
  • A Guide to the Application of the Personal Information Protection Act for Overseas Business Operators, issued by the PIPC (only available in Korean here).

Although such guidelines lack binding legal effect, they may, nevertheless, serve as useful reference materials on how laws and regulations are likely to be interpreted in practice.

1.3. Case law

South Korea is a civil law jurisdiction, so its principal source of legal authority is legislation, in particular the Constitution and statutes enacted by the Government of the Republic of Korea or the National Assembly, rather than case law as in common law jurisdictions. However, several important court decisions have been issued recently which may serve as useful references for how data protection laws and regulations may be interpreted in practice.

In the Supreme Court Decision 2016Do13263, decided on April 7, 2017, the Supreme Court invalidated the consent obtained from data subjects because the defendant had collected personal data under circumstances that made it difficult for data subjects to clearly understand what they had consented to, even though the consent they had provided satisfied the formalities prescribed by law, i.e. the notice had been provided in a font size of 1 mm.

Furthermore, in the Seoul High Court (the High Court) Decision 2017Na2074963/ 2017Na2074970 (Consolidated), decided on May 3, 2019, the High Court ruled that the Korea Pharmaceutical Information Center's provision of sensitive personal data, i.e. prescription data of patients to third parties, without consent constituted a violation of the PIPA. At the same time, the High Court noted that if the personal data has undergone appropriate de-identification measures, such as encryption, which makes it impossible to identify specific individuals, then the provision of such de-identified data to third parties without the consent of data subjects should not be considered a violation of the PIPA.

In the Seoul Administrative Court Decision 2021Guhap57117, decided on October 26, 2023, the court ruled that when a user utilizes a third-party app through a social media company's login method, not only the user's personal data but also the personal data of approximately 3.3 million individuals who are friends with the user on the social media platform is provided to the third-party app, constituting a 'provision of personal data to a third party.' The court found that the regulatory authority's sanctions against the act of providing personal data to a third party without the consent of the data subjects, who are the friends of the user, were lawful.

2. Scope of Application

2.1. Personal scope

General data protection law

PIPA is applicable to a data handler, which is a person, whether a public agency, juridical person, organization, or individual, that, by itself or through a third party, handles personal data to make use of, or carry out, any operation on a personal data file in the course of, or in relation to, its business activities. The personal data file is a collection of personal data in which personal data is systematically organized pursuant to certain rules for easy search or use of such personal data.

Special laws

Although most of the ICNA's personal data-related provisions have been deleted, the ICNA still applies to certain data processing matters by ICSPs, which include:

  • commercial providers of information services, including those provided through the use of a telecommunications service, i.e. internet service and online service providers, including content providers and application providers; and
  • telecommunications service providers.

The UPCIA applies specifically to:

  • credit information companies (i.e. credit bureaus for individuals, credit bureaus for sole proprietorships, credit bureaus for corporations, and credit investigation companies);
  • credit information self-management companies (i.e. MyData service providers) that are engaged in the business of providing credit information to credit information subjects by combining statutorily prescribed information relevant to the credit information subject through certain methods;
  • credit information collection agencies that manage/utilize credit information they have collected;
  • debt collection agencies; and
  • credit information users and providers, meaning persons providing a third party with credit information obtained or generated in connection with its commercial transactions, such as financial transactions, with customers, or persons being provided by a third party with such credit information to be used for their business, e.g. a bank or a credit card company.

PIPA, as a general law, would apply unless any applicable special laws exist. Thus, if a provision of a special law is found to be applicable to an entity, it must comply with the provision of the special law (e.g. the UPCIA) ahead of the PIPA.

2.2. Territorial scope

While it is understood that the PIPA applies to all data handlers and outsourced processors within South Korea, the PIPA does not explicitly specify its territorial scope. Furthermore, the PIPA does not reference its extraterritorial scope; however, in practice, several factors are considered when deciding whether a foreign entity is subject to the PIPA (e.g. whether the company provides services targeted at Koreans, or whether the company generates revenue from doing business in South Korea). In particular, the PIPC recently issued a guideline titled 'A Guide to the Application of the Personal Information Protection Act for Overseas Business Operators,' which specifies that 'if an overseas business operator provides goods or services targeting Korean data subjects, if the personal data processing of an overseas business operator affects Korean data subjects, or if an overseas business operator's place of business exists within the territory of Korea, the PIPA may be applied.'

2.3. Material scope

The PIPA is applicable to the 'handling of personal data,' defined as the 'collection, generation, recording, storage, retention, processing, editing, search, outputting, rectification, restoration, use, provision, disclosure, or destruction of personal data or any other action similar to any of the foregoing.'

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The main data protection authorities are:

  • the Personal Information Protection Commission (PIPC);
  • the Korea Communications Commission (KCC);
  • the Korea Internet & Security Agency (KISA); and
  • the Financial Services Commission (FSC).

3.2. Main powers, duties and responsibilities

The main powers of the PIPC are:

  • enforcing the PIPA;
  • addressing issues regarding formal interpretations;
  • imposing administrative fines, penalty surcharges, corrective orders, and other administrative sanctions;
  • shaping data protection policy; and
  • assessing the enactment/amendment of laws and administrative measures relating to the protection of personal data.

The main functions of the KCC are:

  • enforcing the ICNA;
  • addressing issues regarding formal interpretations; and
  • imposing administrative fines, penalty surcharges, corrective orders, and other administrative sanctions.

The main duty of KISA is to perform tasks delegated to it by the KCC and PIPC.

The main duties of the FSC are:

  • enforcing the UPCIA; and
  • addressing issues regarding formal interpretations.

4. Key Definitions

Data controller: The concept of data handler, or personal information controller, under the PIPA, is similar to the concept of data controller under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). Specifically, the PIPA defines a data handler as 'a public institution, corporate body, organization, individual, who, by itself or through a third party, processes, i.e., collects, generates, connects, interlocks, records, stores, retains, processes, edits, searches, outputs, corrects, restores, uses, provides, discloses, destroys, or otherwise handles personal data to administer personal data files for official or business purposes.'

Data processor: Data handlers may outsource the processing of personal data to third parties, i.e. data processors. Under the PIPA, the concept of data handler is defined quite broadly and therefore includes data protection authorities that process data.

Personal data: The PIPA has a broad definition of personal data, which is any data relating to a living natural person that:

  1. identifies a particular individual by their full name, resident registration number (RRN), image, or the like;
  2. even if it by itself does not identify a particular individual, may be easily combined with other information to identify a particular individual (in such cases, whether or not the information may be 'easily combined' shall be determined by reasonably considering the time, cost, and technology used to identify the individual such as the likelihood that the other information can be procured); or
  3. is information under items 1 or 2 above which is pseudonymized and thereby becomes incapable of identifying a particular individual without the use or combination of additional information for restoration to its original state.

Sensitive data: Sensitive data is defined as 'personal data regarding an individual's ideology, faith, trade union or political party membership, political views, health, information on sexual activities and other personal data that may cause a material breach of privacy,' and further includes genetic information, criminal records, information on an individual's physical, physiological, and behavioral characteristics generated through certain technical means for the purpose of identifying a specific individual and racial/ethnic data as stated in Article 18 of the PIPA Enforcement Decree.

Health data: The PIPA only stipulates that health data is deemed sensitive data without providing a direct definition of 'health data.' According to the PIPC guidelines, health data is data about an individual's current and past medical history and physical/mental disabilities (e.g., disability rating).

Biometric data: The PIPA does not specifically define biometric data, but items of sensitive data that are 'information on an individual's physical, physiological, and behavioral characteristics generated through certain technical means for the purpose of identifying a specific individual' would likely be considered similar in concept. According to the PIPC guidelines, the data described above is data that is manufactured using technology that extracts unique characteristics of an individual such as their face, fingerprint, iris, and handwriting sample in order to confirm or verify the individual's identity.

Pseudonymization: The PIPA defines pseudonymized data as 'data from which the specific individual cannot be identified without the use or combination of additional information for restoring to the original state.' Furthermore, the PIPA defines 'pseudonymization' as 'the processing of personal data to the extent where the specific individual cannot be identified anymore from that information without additional information, by deleting or replacing in whole or in part the personal data, or by any other means.'

Data Collection: 'Handling' of personal data is defined to mean the 'collection, generation, recording, storage, retention, processing, editing, search, outputting, rectification, restoration, use, provision, disclosure or destruction of personal data or any other action similar to any of the foregoing.'

Data Subject: An individual who is the subject of the handled personal data and who is identifiable by that data.

Anonymized information: Defined as any information that cannot be used to identify a specific individual even when combined with other information, after reasonably considering factors such as time, cost, and technology; such information is not subject to the PIPA.

Data protection officer: There is no definition of 'data protection officer' under PIPA. However, Article 31 of the PIPA refers to a 'privacy officer' (DPO) as the individual who comprehensively takes charge of personal data processing.

Privacy Impact Assessment | Data Protection Impact Assessment: There is no definition of 'PIA' under the PIPA. However, the PIPA establishes PIAs as the assessment for the analysis and improvement of risk factors relating to the operations of personal data (Article 33 of the PIPA).

5. Legal Bases

5.1. Consent

Data handlers must provide notice when processing personal data. Explicit consent is generally required before the collection, use, and provision to third parties of personal data, subject to certain exceptions.

For your reference, the PIPC guidelines provide that data handlers should:

  • provide notice, in a clear and easily understandable manner, of information on the items of personal data collected and the reasons for such collection when obtaining consent from users; and
  • obtain 'explicit consent,' since Article 22 of the PIPA (which, among other things, prohibits data handlers from obtaining blanket consent for all types of processing) requires data handlers to provide notice of material information and the scope of consent, and to differentiate between required and optional consent (e.g. for marketing/promotional purposes).

However, under Article 17(1) of the PIPA Enforcement Decree, which will take effect on September 15, 2024, when a data handler obtains consent from a data subject, all of the following conditions must be met:

  • the data subject shall be able to decide whether to give their consent based on free will;
  • details requiring the consent of the data subject shall be specific and clear;
  • the data handler shall use phrases that are easily readable and understandable for the relevant details; and
  • the data handler shall provide the data subject with the methods of clearly indicating whether to give consent.

Among these conditions, the PIPC has recently been emphasizing that in accordance with the principle of 'consent should be based on their free will,' data handlers should refrain from obtaining mandatory consent and only seek consent for matters that were previously subject to 'optional' consent. Therefore, it is advised to closely monitor the guidelines and other materials that will be released by the regulatory authorities in the future.

In addition, the PIPC guidelines provide that consent for the collection and use of personal data which is required by the PIPA should be voluntary opt-in consent (via written signature, oral confirmation, or an online checkbox) and be clearly verifiable.

5.2. Contract with the data subject

The PIPA stipulates that data handlers may collect and use personal data without the data subject's consent when it is necessary to perform a contract concluded with the data subject or take measures at the request of the data subject in the course of concluding a contract. However, please note that this legal basis is not valid for the provision of personal data to a third party.

5.3. Legal obligations

The PIPA stipulates that when required to comply with the data handler's obligations under other applicable laws, or if it is specifically required or permissible under other applicable laws and regulations, data handlers may collect, use, and/or provide personal data without the data subject's consent. As such, this legal basis may only be relied on if applicable laws specifically require or permit the collection or use of personal data, it is impossible for the data handler to comply with its obligations under another applicable law without collecting the personal data, or it would be extremely difficult to use another method to comply with their obligation.

5.4. Interests of the data subject

The PIPA stipulates that where there is a clear and urgent need to protect the life, physical, or economic interest of the data subject or a third party, the data handler may collect, use, and/or provide the data subject's personal data without their consent.

5.5. Public interest

The PIPA allows the collection and use of personal data without consent if it is necessary to ensure public safety such as public health and well-being - for instance, the prevention of the spread of COVID-19 and other infectious diseases.

Please note that pseudonymized data may be processed without consent for the purpose of preserving records for the public interest. In addition, public institutions that cannot perform their work as prescribed by other laws without processing the personal data in question may collect, use, and/or provide that personal data without the data subject's consent.

5.6. Legitimate interests of the data controller

The PIPA exceptionally provides that personal data may be collected and used without consent in cases where the collection and use are necessary to achieve a legitimate interest of the data handler and where such legitimate interest clearly overrides the rights of the data subject (provided that the collection and use is substantially relevant to the legitimate interest of the data handler and that the collection and use is only done to a reasonable extent). The PIPC guidelines provide that 'the preparation/procurement of supporting materials for the collection/calculation of service fees, collection of debts, and commencement/continuation of legal action' may be examples of what may constitute a 'legitimate interest.'

Please note that the 'legitimate interest' ground is only recognized in very limited instances, given the specific language of the PIPA and the PIPC's guidelines.

5.7. Legal bases in other instances

Direct marketing

Under the ICNA, the transmission of for-profit advertisements through an electronic medium (e.g. telephone, mobile phone, fax, email, etc.) requires the express prior consent of the recipients. Additionally, the ICNA provides a list of certain information that must be included in the for-profit advertisements and certain acts that are prohibited from being performed by the sender.

Smartphone storage

ICSPs, including but not limited to app developers, wishing to access stored data or functions within a user's mobile device, including smartphones and tablets, will be required to obtain the user's prior informed consent to gain such access.

ICSPs must notify users of the following:

  • the items of data;
  • the reason why the access authority is necessary; and
  • the fact that the user may refuse to grant the access authority if such granting is not indispensable to provide the service in question.

6. Principles

The PIPA sets out eight key principles that apply to data handlers:

  • the data handler shall explicitly specify the purposes for which personal data is processed, and shall collect personal data lawfully and fairly to the minimum extent necessary for such purposes;
  • the data handler shall process personal data in an appropriate manner necessary for the purposes for which the personal data is processed, and shall not use it beyond such purposes;
  • the data handler shall ensure personal data is accurate, complete, and up to date to the extent necessary in relation to the purposes for which the personal data is processed;
  • the data handler shall manage personal data safely according to the processing methods, types, etc. of personal data, taking into account the possibility of infringement on the data subject's rights and the severity of the relevant risks;
  • the data handler shall disclose its privacy policy and other matters related to personal data processing, and shall guarantee the data subject's rights, such as the right to access their personal data;
  • the data handler shall process personal data in a manner to minimize the possibility of infringing the privacy of a data subject;
  • if it is still possible to fulfill the purposes of collecting personal data by processing anonymized or pseudonymized personal data, the data handler shall process personal data through anonymization, where anonymization is possible, or through pseudonymization, if it is impossible to fulfill the purposes of collecting personal data through anonymization; and
  • the data handler shall endeavor to obtain the trust of data subjects by observing and performing such duties and responsibilities as provided for in the PIPA and other related statutes.

7. Controller and Processor Obligations

Data handlers have various other obligations under the PIPA, including handling personal data in a way that minimizes any possible infringement upon the privacy of data subjects, and, where possible, anonymizing personal data, and if anonymization is not possible, pseudonymizing the data before processing. Specifically, data handlers must maintain the security of personal data, taking into account the likelihood and risk of infringement of data subjects' privacy. This likelihood and level of risk may vary depending on various factors such as the types and methods of the handling of personal data. In particular, data handlers are required to take the technical, administrative, and physical measures necessary to ensure the security of personal data. These measures include, among other things, the establishment of internal rules for adequate administration of personal data, and the keeping of access logs to prevent personal data from being lost, stolen, leaked, fabricated, or destroyed. The PIPA has a prescriptive list of the minimal measures to be taken in this regard.

Data handlers must also provide notice when processing personal data. Express consent is generally required prior to the collection, use, and provision of personal data, subject to certain exceptions (however, as explained earlier, it should be noted that the regulatory authorities' stance on consent is understood to be changing, so close monitoring of regulatory developments is advisable). The consent for a provision must be obtained separately from the consent for the collection and use of personal data. Moreover, consent for the processing of certain particular identification data (i.e. passport numbers, driver's license numbers, alien registration numbers) and sensitive data must be obtained separately from each other, and from any other consent. Personal data must not be used beyond consented purposes unless the separate consent of data subjects has been obtained.

Under the PIPA, personal data may be used and provided without the data subject's consent within the scope reasonably related to the original purpose of the collection after considering whether the contemplated use and provision is related to the original purpose of the collection, such use and provision of the personal data could have been predicted in light of the circumstances surrounding the collection and customary handling practices, the use and provision will not result in any disadvantage to the data subject, and/or the data handler has implemented the necessary safeguards to ensure the security of the personal data (e.g. encryption). Where additional use or provision of personal data takes place on a continuous basis, the data handler must disclose the criteria for assessing the matters referred to above in its privacy policy, and the privacy officer shall check whether the data handler is using or providing additional personal data in accordance with the relevant criteria.

Data processor

As data processors are likely to be treated as data handlers, data processors will, in general, be subject to the same legal obligations as those applicable to data handlers. In the case of a violation of the PIPA by a data processor, i.e. an outsourced service provider, the data processor will be deemed as an employee of the data handler and the data handler will have vicarious liability.

7.1. Data processing notification

There are no legal obligations for data handlers and/or data processors to notify any regulatory authority of their data processing activities.

The head of a public institution is required to notify the processing of personal data to the PIPC (Article 32(1) of the PIPA).

7.2. Data transfers

There are separate requirements for provision and outsourcing to data processors.

Specifically, a provision refers to cases where a data transfer is conducted for the benefit and business purpose of the transferee, whereas outsourcing refers to cases where a data transfer is conducted for the benefit and business purpose of the transferor. The prior consent of data subjects is required in order to conduct a provision, whereas, in the case of outsourcing, the PIPA does not require the prior consent of data subjects.

Data handlers may not enter into data transfer agreements that violate relevant laws and regulations. Under the PIPA, cross-border data transfer is exceptionally permitted only in one of the following cases (Article 28-8(1) of the PIPA):

  • where separate consent is obtained from the data subject;
  • where there are special provisions regarding the cross-border transfer of personal data in a statute, a treaty to which the Republic of Korea is a party, or other international conventions;
  • in any of the following cases where it is necessary to outsource the processing of personal data or store personal data in order to conclude and perform a contract with the data subject:
    • where certain statutorily prescribed matters are disclosed in the privacy policy; or
    • where certain statutorily prescribed matters are communicated to the data subject by means prescribed by the PIPA Enforcement Decree, such as e-mail;
  • where the recipient of personal data obtains certification determined and publicly notified by the PIPC (such as the certification of personal data protection under Article 32-2 of the PIPA) and takes all of the following measures:
    • safety measures necessary for protecting personal data and measures necessary for guaranteeing the rights of data subjects; and
    • measures necessary for implementing certified matters in the country to which personal data is to be transferred; or
  • where the PIPC recognizes that the personal data protection system of the country or international organization to which the personal data is to be transferred, the scope of guarantee of the rights of the data subject, and the procedures for damage relief, etc. are substantially equal to the level of personal data protection under the PIPA.

Where a data handler conducts a cross-border transfer of personal data, it must take the following protective measures (Article 29-10 of the PIPA Enforcement Decree):

  • measures to ensure safety for protecting personal data;
  • measures to handle grievances and resolve disputes with respect to personal data breaches; and
  • other measures necessary to protect the personal data of data subjects.

Where a data handler conducts a cross-border transfer of personal data, it shall have a prior consultation with the recipient of the personal data regarding each of the matters listed above and shall reflect the results of such consultation in the details of a contract, etc.

Further, the PIPA grants the PIPC powers similar to those of data protection authorities under the GDPR, such as the power to order a data handler to suspend a cross-border data transfer if the transfer violates or is expected to violate the PIPA or if the recipient does not adequately protect data in accordance with the PIPA.

The European Commission published, on December 17, 2021, its decision on the adequate protection of personal data by the Republic of Korea, allowing the transfer of personal data from the EU Member States to Korea without having to complete any additional process or certification such as entering into Standard Contractual Clauses (SCCs) for data transfers. This decision will be subject to a first review by the European Commission within three years after entering into force, and thereafter at least once every four years. Also, on December 19, 2022, the UK granted data adequacy status to South Korea.

In order to establish clear interpretation standards and to address any discrepancies between the EU and South Korea's data protection regimes, the PIPC issued the Supplementary Regulations for Interpretation and Application of the Personal Information Protection Act with respect to the Processing of Personal Information Transferred to Korea (only available in Korean here), which entered into force as of the effective date of the European Commission's adequacy decision.

For your information, companies that are supervised by the FSC in processing personal data pursuant to the UPCIA are explicitly exempt from the application of the above decision. Accordingly, such companies should have a separate legal basis (e.g., SCCs for data transfers as stipulated in Article 5 of the GDPR).

7.3. Data processing records

The PIPA does not require organizations to maintain a record of processing activities. However, the PIPA does require data handlers to manage and store log-in records which document the access to a data processing system by 'personal data managers' (i.e. officers, employees, workers, etc. who process personal data under the direction and supervision of the data handler) for at least one year. Such log-in records shall contain the facts of access, including ID, date and time of access, information to identify the person of access, and tasks performed by the personal data manager while connected to the processing system.

    7.4. Data protection impact assessment

    Under the PIPA, only public institutions are obligated to conduct a Data Protection Impact Assessment (DPIA) (Article 33(11) of the PIPA). Specifically, in cases where there is a risk of an infringement to the personal data of data subjects due to the operation of personal data files meeting certain criteria, the head of a public institution shall conduct an assessment to analyze risk factors and improve them and submit the results thereof to the PIPC.

The head of the public institution must, where there is a probable infringement of data subjects' personal data owing to the operation of personal data files that meet the criteria specified by the PIPA Enforcement Decree, conduct a DPIA to analyze and improve such risk factors (Article 33(1) of the PIPA).

An institution or organization that is defined as a public institution of South Korea must undertake a DPIA when there is a probable breach of data subjects' personal data arising out of a processing activity (Article 33(11) of the PIPA).

    A DPIA must cover (Article 33(3) of the PIPA):

• the volume of personal data to be processed;
    • whether such data has been provided by a third party or not;
    • the probability of violating the rights of data subjects and the degree of such risks by such processing; and
    • any other matters prescribed by the PIPA Enforcement Decree.

    The PIPC may provide its opinions on a DPIA conducted by any public institution (Article 33(4) of the PIPA).

    Exceptions

A DPIA conducted by the Supreme Court and the National Election Commission (including their affiliated entities) (the Executive Bodies of South Korea) must be carried out in accordance with the respective rules of the Executive Bodies of South Korea (Article 33(10) of the PIPA).

    7.5. Data protection officer appointment

    Under the PIPA, all data handlers must appoint qualified officials as privacy officers to take charge of all aspects of their handling of personal data (Article 31(1) of the PIPA). Specifically, data handlers, excluding public institutions, must appoint a person satisfying any one of the following conditions as their privacy officer (Article 32(3) of the PIPA Enforcement Decree):

    • the owner or representative director of a business; or
• an executive officer or, if there are no executive officers, the head of the department responsible for processing personal data.

    However, data handlers who qualify as small business owners are deemed to have appointed their owner or representative as their privacy officer unless they specifically appoint someone else.

    In the case of public institutions, the privacy officer must be a public official who meets certain requirements prescribed by law.

    Also, data handlers who meet certain criteria under the PIPA are obligated to appoint a privacy officer who meets certain qualifications prescribed by the PIPA Enforcement Decree.

    The DPO's primary role is listed under the PIPA as seven distinct requirements (Article 31(3) of the PIPA):

    • establishing and implementing a data protection plan;
    • completing regular surveys of the actual state and practices of personal data processing, and improving shortcomings;
    • treating grievances and remedial compensation in relation to personal data processing;
• setting up the internal control system to prevent the leak, abuse, and misuse of personal data;
    • preparing and implementing the data protection education program;
    • protecting, controlling, and managing the personal data files; and
    • undertaking any other functions for the appropriate processing of personal data, as prescribed by the PIPA Enforcement Decree.

    Additional functions under the PIPA are further defined as any of the following (Article 32(2) of the PIPA Enforcement Decree):

    • assisting with the establishment, modification, and implementation of the privacy policy referred to in Article 30 of the PIPA;
    • management of human and physical resources and information related to personal data processing; and
    • destroying personal data after the retention period has expired or after it has been used for the purpose for which it was obtained.

    The DPO must, when they become aware of any violation of the PIPA or any other relevant laws or regulations relating to data protection, take immediate corrective measures, and, if necessary, report such corrective measures to the head of the institution itself or the relevant organizations (Article 31(5) of the PIPA).

Data handlers shall not subject the privacy officer to any disadvantage without good cause for performing their duties, and must comply with the following to ensure the independence of the privacy officer (Article 31(6) of the PIPA, Article 32(6) of the PIPA Enforcement Decree):

• guaranteeing the privacy officer's access to information related to personal data processing;
    • establishment of a system in which a privacy officer may directly report the establishment and implementation of a personal data protection plan and the results thereof to the representative or the board of directors on a regular basis; and
• preparation of an organizational system suitable for the privacy officer to perform their duties and provision of human and material resources.

    7.6. Data breach notification

    A data handler must provide notice to affected data subjects without delay within 72 hours when they become aware of a breach of personal data, pursuant to the PIPA. However, if there are justifiable grounds, such as when the contact information of the data subjects is unknown, the data handler may instead disclose the prescribed information on its internet homepage, or at noticeable places in its business place if it does not operate an internet homepage, for at least 30 days.

    Additionally, if the data handler becomes aware that personal data has been breached in any of the following cases, it must report the incident to the PIPC or the KISA within 72 hours:

• where there has been a breach, etc. of personal data of 1,000 or more data subjects;
    • where there has been a breach, etc. of sensitive data or particular identification data; and
    • where there has been a breach, etc. of personal data due to illegal external access to personal data processing systems or information technology equipment used by personal data handlers for processing personal data.

However, where it is impracticable to file a report within 72 hours due to a natural disaster or any other unavoidable cause, a report may be filed without delay after the relevant cause ceases to exist. Further, where the possibility of infringing on the rights and interests of data subjects is substantially reduced after the path of the breach, etc. of personal data is confirmed and measures are taken, such as the recovery and deletion of the relevant personal data, the data handler need not file a report thereon.

    7.7. Data retention

    The basic principles applicable to data retention include:

    • the principle of fair and legitimate collection of the minimum necessary personal data to the extent necessary for the explicitly stated and consented purposes; and
    • the principle that such personal data must be handled only to the extent necessary for explicitly stated and consented purposes.

    If the retention of personal data is required by South Korean law or regulations beyond the retention period notified to, and consented to by, data subjects, such personal data will need to be kept separate from any other personal data.

    7.8. Children's data

    The PIPA provides that when consent is required under the PIPA to process the personal data of a child under the age of 14, the data handler must obtain the consent of the data subject's legal representative. The PIPA also provides that when obtaining the consent of the child's legal representative, the data handler may, without the legal representative's consent, collect data directly from the child that is necessary to seek consent from the child's legal representative. In such cases, the data to be collected directly from the child must be minimized to only what is necessary to seek the consent of the legal representative.

    Also, data handlers are required to:

    • communicate in an easily understandable form and use clear and plain language when notifying children of matters relating to the processing of personal data; and
    • obtain the legal representative's consent if the ICSP wishes to obtain consent in order to collect, use, or provide the personal data of a child under 14 and confirm whether the legal representative has granted consent to process the child's personal data in a statutorily prescribed manner.

    7.9. Special categories of personal data

    Sensitive data is considered a special category of personal data under the PIPA. Criminal records are included in the scope of sensitive data. In addition, the PIPA defines another special category of personal data, which is 'particular identification data', that includes RRNs, passport numbers, driver's license numbers, and alien registration numbers.

In principle, the handling of sensitive data/particular identification data is prohibited without the data subject's express opt-in consent, unless an exception applies. Consent to the processing of particular identification data or sensitive data must be obtained separately from each other, and from any other consent. In particular, with respect to RRNs, data handlers may not collect or use RRNs unless an exception applies under applicable laws.

    Obtaining an individual's criminal records and investigation records is, in principle, prohibited, unless one of the exceptions under the Act on the Lapse of Criminal Sentences applies. Therefore, even with the data subject's consent, data handlers may not directly acquire a data subject's criminal records and investigation records.

    7.10. Controller and processor contracts

    Outsourcing the processing of personal data to a third-party data processor requires a written agreement that must include:

    • the terms prohibiting a data processor from processing personal data for any purpose other than for the performance of outsourced tasks;
    • the technical and administrative safeguards implemented for the protection of personal data; and
    • any other matters prescribed by the PIPA Enforcement Decree for the safe administration of personal data.

    8. Data Subject Rights

The data handler must ensure that personal data is accurate, complete, and up to date to the extent necessary for achieving the purposes of its handling, and data subjects may exercise their rights of access, correction, suspension of use, and removal of their personal data. In addition, the PIPA provides for data subjects' right to data portability (i.e., the right to request data handlers to transmit the data subject's personal data in their possession to the data subjects themselves or others designated by the data subject) and the right to contest automated decision-making. Further, the PIPA provides explicit provisions on the data subject's right to withdraw consent in the general provision section. To this end, the PIPA also has prescriptive procedural rules to ensure data subjects' exercise of such rights.

    Meanwhile, under the amended UPCIA, credit information subjects have the right to data portability, i.e. the right to request credit information providers/users to transmit the subject's personal credit information in their possession to the credit information subjects themselves or others designated by the credit information subject.

    8.1. Right to be informed

    Notification when obtaining consent from data subjects

    Under the PIPA, data handlers are required to provide notice of the following matters when obtaining consent from data subjects for the collection and use of personal data:

    • the purpose of the collection and use of personal data;
    • the items of personal data to be collected/used;
    • the period for retaining and using the personal data; and
• the data subject's right to refuse consent and any disadvantages which may follow from such refusal.

    In addition, data handlers are required to provide notice of the following matters when obtaining consent from data subjects for the provision of personal data to third parties:

    • the specific name of the third-party recipient;
    • items of personal data to be shared;
    • third-party recipients' purposes of use;
    • period of retention and use by the third-party recipient; and
• the data subject's right to refuse consent and any disadvantages which may follow from such refusal.

    Notification through a privacy policy

    The PIPA has a prescriptive list of information that must be contained in a privacy policy, including, but not limited to, the purposes of use, retention period, information on provision and outsourcing, and disposal of personal data. Data handlers must publicly disclose their privacy policies in a manner that enables data subjects to examine the terms of these privacy policies, including any revisions made to them, at any time.

Furthermore, these privacy policies may be subject to evaluation and recommendations for improvement by the PIPC. The targets for the evaluation of privacy policies are comprehensively selected based on various factors, such as the type and revenue scale of the data handler, the type and scale of personal data processed (including sensitive information and particular identification data), the legal basis and method of processing personal data, whether any violations of the law have occurred, and the characteristics of data subjects, such as children and adolescents.

    8.2. Right to access

    Under the PIPA, a data subject may request access to their personal data processed by the data handler. The PIPA establishes that the right of access may only be limited or denied in circumstances where:

    • such access is prohibited or restricted by law; or
    • it may cause damage to the life or body of a third party, or improperly violate the property, and other interests of a third party.

    The PIPA Enforcement Decree specifies that the data subject may request access to any of the following information from the data handler:

    • the items of personal data concerned;
    • the purpose for collecting/using the personal data;
    • the retention and use period of the personal data;
    • the status of any provision of personal data to third parties; and
    • the fact that the data subject consented to the data handler's processing of personal data.

    The PIPA provides that a request must be made in accordance with the procedures determined by the data handler. Such procedure should meet the following requirements:

    • the methods available to the data subject in making the request need to be data subject-friendly, such as in writing, by telephone or electronic mail, or via the Internet;
    • data subjects must be able to request access at least through the same window or in the same manner that the data handler uses to collect such personal data unless a justifiable reason exists (e.g. difficulty in continuously operating such window); and
    • details regarding the manner and procedure for exercising the right to request access are to be posted on the website operated by the data handler (if such a website exists).

    Data handlers must confirm that the request is made by the data subject whose personal data is to be accessed or their appropriate legal representative. In addition, data handlers must respond to the data subject who requests access within ten days of receiving the request. The response should either be the granting of access (if the request was accepted) or the fact that access has been put on hold, in which case the grounds for the delay must be explained. Once the reason for the delay no longer exists or is cured, access must be granted without delay.

    8.3. Right to rectification

    The PIPA provides data subjects who have accessed their personal data with a right to request the rectification of such information from the relevant data handler. Since only data subjects who have accessed their personal data may request rectification of such information, data subjects who were denied access to their personal data may not exercise their right to request rectification.

    Meanwhile, the PIPA stipulates the right to rectification in parallel with the right to erasure in the same provision, so the data subject's method of exercising the right to rectification, the data handler's timeline for responding to such request, and the data handler's rights regarding the right to rectification are the same as those for the right to erasure. Therefore, please see the section on the right to erasure below for more details.

    8.4. Right to erasure

    The PIPA provides data subjects who have accessed their personal data with a right to request the erasure of such information from the relevant data handler. However, the erasure is not permitted when the collection of personal data is required by other laws or the data subject's right to access has been denied by the data handler.

    The PIPA does not specifically address how requests should be made. However, the PIPA Enforcement Decree provides that a request must be made in accordance with the procedure determined by the data handler. Such procedure should meet the following requirements:

    • the methods available to the data subject in making the request need to be data subject-friendly, such as in writing, by telephone or electronic mail, or via the Internet;
    • data subjects must be able to request the erasure of their own personal data at least through the same window or in the same manner that the data handler uses to collect such personal data, unless a justifiable reason exists, such as difficulty in continuously operating such window; and
• details regarding the manner and procedure for exercising the right to request erasure are to be posted on the website operated by the data handler (if such a website exists).

    The data handler must respond to the data subject who requests erasure within ten days of receiving the request. The response should either be confirmation that the data subject's personal data has been deleted (if the request was granted), or the fact that the request has been denied and the reasons for such denial and the method of objecting to such denial. The PIPA also provides that data handlers, where necessary, can request relevant evidence necessary to confirm the erasure of personal data. In addition, the PIPA Enforcement Decree provides that the data handler must confirm that the request is actually made by the data subject whose personal data is to be deleted or their appropriate legal representative.

    8.5. Right to object/opt-out

    Data handlers must allow data subjects to withdraw their consent to the processing (e.g. collection, use, and provision) of their personal data at any time.

    Also, data handlers must respond to a data subject's request to suspend the processing of their personal data.

    Data handlers must comply with a data subject's request to suspend processing of their personal data or to withdraw consent unless one of the following exceptions applies:

    • where special provisions exist in law or it is inevitable to observe the data handler's legal obligations;
    • where suspension may possibly cause damage to the life or body of a third party, or unfairly infringe upon a third party's property or other interest;
    • where such suspension causes grave difficulties for the public institution in its performance of any one of the certain duties described in applicable laws; or
    • where the data handler would not be able to perform the terms of a contract entered into with the data subject if it does not process the personal data and the data subject did not clearly indicate his/her intention to terminate the contract.

    The request must be made in accordance with the procedure determined by the data handler. Such procedure should meet the following requirements:

    • the methods available to the data subject in making the request need to be data subject-friendly, such as in writing, by telephone or electronic mail, or via the Internet;
    • data subjects must be able to request suspension of their own personal data or withdrawal of consent at least through the same window or in the same manner that the data handler uses to collect such personal data unless a justifiable reason exists (e.g. difficulty in continuously operating such window); and
• details regarding the manner and procedure for exercising the right to request suspension or withdrawal of consent are to be posted on the website operated by the data handler (if such a website exists).

    The data handler must respond to the data subject who requests suspension within ten days of receiving the request. The response should either be confirmation that the processing of a data subject's personal data has been suspended (if the request was granted) or the fact that the request has been denied and the reasons for such denial and the method of objecting to such denial.

    8.6. Right to data portability

    The PIPA expressly provides for data subjects' rights to their data portability (the provisions on the right to data portability were expected to take effect sometime after March 15, 2024, but the exact effective date has not been determined yet).

    Under the PIPA, the right to portability refers to the right of the data subject to request the data handler, which meets certain standards set out in the PIPA Enforcement Decree, to transmit their personal data to either the data subject themselves or a third party. This right applies as long as the personal data is not generated from the analysis/processing of the same collected data by the data handler and meets the following criteria:

    • the personal data must have been:
      • processed based on the data subject’s consent;
      • processed to perform a contract executed with the data subject or to implement measures requested by the data subject in the course of executing the contract; or
      • designated by the PIPC pursuant to a request from a central administrative agency for the data subject's or public interest in cases where the transmission thereof is permitted by or unavoidably necessary for compliance with the law, is unavoidably necessary for a public institution to conduct its statutorily prescribed tasks, or concerns sensitive data or unique identification data and its processing is permitted or required by law; and
    • the personal data must have been processed by an information processing device such as a computer.

    In cases of requests for transmission to a third party, the third party must be a professional institution specialized in personal data management (the Specialized Institution) or another data handler that has implemented the requisite technical, managerial, and physical security measures and has satisfied relevant standards for facilities/equipment prescribed by the PIPA and PIPA Enforcement Decree. The Specialized Institution must be designated by the PIPC or relevant central administrative agency.

    Upon request from the data subject, the data handler must transmit the personal data in a format that can be processed through a data processing device such as a computer, to the extent technically feasible and reasonable in terms of time and cost.

    Furthermore, the PIPA states that the right to portability must not infringe on the rights or legitimate interests of others. Also, the data handler will be able to reject the data subject's request for data portability in cases where the identity of the data subject cannot be verified, or in other cases as prescribed by the PIPA Enforcement Decree.

    Specifics such as the criteria for personal data which may be the subject of a transmission request and standards for determining which data handlers would be subject to the data subjects' right to data portability are expected to be determined in the PIPA Enforcement Decree that will be amended when the provisions on the right to data portability take effect. As explained above, to enable the exercise of this right, the Specialized Institution will be responsible for (Article 35-3 of the PIPA):

• providing support to data subjects in exercising their rights as data subjects (e.g. the right to data portability, the right to request access, the right to request rectification/erasure, and the right to request suspension of processing); and
    • the transmission/management of their personal data.

    8.7. Right not to be subject to automated decision-making

    The PIPA expressly provides for a data subject's right to contest automated decision-making (i.e., decisions made solely by automated means without any human involvement, such as artificial intelligence (AI)-driven systems).

    The right to contest automated decision-making allows data subjects to refuse automated decisions (with an exception for certain administrative dispositions made by administrative agencies) that significantly affect their rights or obligations.

    Where a data subject contests an automated decision, a data handler shall take any of the following measures and notify the data subject of the results thereof unless there is a compelling reason not to do so:

    • measures not to apply automated decisions; and
    • reprocessing by personal intervention.

    However, a data handler can reject the data subject's request as follows:

    • where the automated decision-making process has taken place with the data subject's consent;
    • where there is a specific provision in the law or when compliance with legal obligations makes the automated decision-making process necessary; or
    • where the automated decision-making process is required for the execution and performance of a contract with the data subject.

    In addition, data subjects may request the following explanation from data handlers regarding automated decisions:

    • explaining the standards for the relevant automated decision and the processing process, etc. of the relevant automated decision; and
    • reviewing whether the data subject can submit opinions, such as additional personal data, etc., so that the data handler can consider reflecting the relevant opinions in the automated decision.

    Where a data subject requests an explanation for an automated decision, the data handler shall provide the data subject with a concise and meaningful explanation, including the following matters, unless there is good cause:

    • the result of the relevant automated decision;
    • the types of major personal data used for the relevant automated decision;
    • major criteria for automated decisions, such as the impact of the types of personal data described directly above on automated decisions; and
    • procedures in which automated decisions are made, such as the process of major personal data used for the relevant automated decisions.

    If a data handler establishes methods and procedures for a data subject to refuse automated decisions, request explanations, and request reviews, the following methods and procedures must be followed:

    • the methods available to the data subject in making the request need to be data subject-friendly, such as in writing, by telephone or electronic mail, or via the Internet;
    • data subjects must be able to request refusal or explanation of automated decisions at least through the same window or in the same manner that the data handler uses to collect such personal data unless a justifiable reason exists (e.g. difficulty in continuously operating such window); and
• details regarding the manner and procedure for exercising the right to request refusal/explanation are to be posted on the website operated by the data handler (if such a website exists).

    8.8. Other rights

    Not applicable.

    9. Penalties

    Regulators such as the PIPC, the KCC, and the FSC may impose various administrative sanctions such as corrective orders, administrative fines, and penalty surcharges for violations of respective laws and regulations.

    Public prosecutors may also investigate any violations which are also subject to criminal punishment. Additionally, data handlers may become civilly liable to any data subjects who suffer damages as a result of such violations.

9.1. Enforcement decisions

    As discussed below, there have been several cases where the PIPC has imposed large amounts of penalty surcharges for related violations.

    On November 25, 2020, the PIPC imposed a penalty surcharge of KRW 6.7 billion (approx. $4.8 million) on an international social media corporation for the provision of personal data to a third-party business operator without the consent of the data subjects and referred the case to an investigative authority for a violation of the PIPA.

    On August 25, 2021, the PIPC issued a corrective order and imposed a penalty surcharge of KRW 6.44 billion (approx. $4.67 million) on an international social media platform operator for generating and using personally recognizable facial images without the consent of the data subjects. On the same day, the PIPC issued a corrective order and imposed a penalty surcharge of KRW 220 million (approx. $159,759) on an international over-the-top (OTT) service provider for collecting personal data without the consent of the data subjects before the completion of their membership application process.

On September 14, 2022, the PIPC imposed on two online platform operators that provided customized advertisements penalty surcharges of KRW 69.2 billion (approx. $50.4 million) and KRW 30.8 billion (approx. $22.4 million), respectively, together with corrective orders, for the collection and use of behavioral data without obtaining proper consent from the relevant data subjects.

On February 8, 2023, the PIPC imposed on a global social media company an administrative fine of KRW 6.6 million (approx. $47,927) and a corrective order on the ground that the company prevented users from subscribing for membership to the company's SNS service unless they consented to the collection and use of behavioral data. This was considered unlawful conduct that unreasonably restricted users' right to choose whether or not to consent, given that the behavioral data collected and used by the company to create customized advertisements was not the minimum level of personal data necessary for the company to provide its SNS service.

    On July 12, 2023, in the aftermath of a data breach occurrence that resulted in the leakage of nearly 300,000 items of personal data, the PIPC imposed an administrative penalty of KRW 6.8 billion (approx. $4.9 million), an administrative fine of KRW 27 million (approx. $19,605), and a corrective order on a major mobile network operator for its failure to implement or adequately implement various security measures (e.g., restriction of access to systems processing personal data, establishment/implementation of password policy, maintenance/management of access records, etc.) for the protection of personal data as well as its failures to properly destroy personal data after it became no longer necessary and timely report the data breach incident to the relevant authorities.

On October 25, 2023, the PIPC imposed an administrative penalty of KRW 906 million (approx. $659,365) and an administrative fine of KRW 16.2 million (approx. $11,789) on an overseas online easy payment service provider. This was based on the fact that the company neglected its duty to take security measures, such as operating an intrusion prevention and detection system for its personal data processing system, in violation of the PIPA, resulting in the leakage of personal data. Furthermore, the company delayed providing notification and reporting of the data breach.