South Korea - Data Protection Overview
Under the Constitution of South Korea ('the Constitution'), the rights to privacy, privacy of communications and freedom of expression are recognised as fundamental rights. In addition, the Constitutional Court of South Korea ('Constitutional Court') and Supreme Court of South Korea ('Supreme Court') have established through subsequent court decisions that the right to informational self-determination should be viewed as a separate fundamental right, despite not being stipulated in the Constitution.
The main law and regulations related to data protection are the Personal Information Protection Act 2011 (as amended in 2020) ('the PIPA') and its implementing regulations, which regulate the collection, usage, disclosure, and other processing of personal information by governmental or private entities as well as individuals. The data protection laws in South Korea provide very prescriptive specific requirements throughout the lifecycle of the handling of personal data. Under these laws, the data subject's consent is almost always required, in principle, to process his/her personal data.
1. GOVERNING TEXTS
Generally speaking, the data protection laws in South Korea provide very prescriptive specific requirements throughout the lifecycle of the handling of personal data, and, due to the requirements of prior notification and opt-in consent and relatively heavy sanctions prescribed by law, they are known as one of the strictest sets of data protection laws in the world. The data protection laws consist of a general law and several special laws pertaining to certain specific industry sectors.
General data protection law
The collection and processing of personal data is governed by the PIPA, the comprehensive general data protection law.
On 4 February 2020, the National Assembly passed several amendments to the PIPA (only available to download in Korean here) ('the 2020 Amendments'), which entered into effect on 5 August 2020. In particular, the 2020 Amendments include, among other things, revised definitions for pseudonymous and anonymous processing, as well as associated requirements, restrictions, and penalties, and measures for centralising personal information protection services within the Personal Information Protection Commission ('PIPC').
Meanwhile, on 6 January 2021, an additional amendment to the PIPA was published by the PIPC for public comment (only available to download in Korean here). Among others, the proposed amendment introduces the right to data portability and the right to be excluded from automated decision-making, diversifies the methods of transferring personal data overseas and includes pseudonymised data in the scope of information that a data handler is required to destroy.
There are special laws regulating the handling of personal data in certain specific industries, most notably, the Use and Protection of Credit Information Act 2009 (English version without 2020 Amendments available here; up-to-date version only available in Korean here) ('UPCIA').
Meanwhile, the processing of personal data by information and communications service providers and recipients of such information ('ICSPs'), which was previously governed by the Act on Promotion of Information and Communication Network Utilization and Information Protection 2001 (English version with 2020 Amendments available here) ('ICNA'), is now governed by the PIPA following the deletion of the relevant provisions from ICNA and their transfer to the PIPA on 5 August 2020. These provisions are now included in the PIPA as a new chapter ('the Special Provisions for ICSPs').
Data protection authorities have also issued various guidelines related to the protection of personal data, including:
- A guide to the Interpretation of Data Protection Laws and Regulations, issued by the PIPC (only available in Korean here);
- Guidelines for the De-Identification of Personal Data, issued by a pan-government announcement made under the joint leadership of the Office for Government Policy Coordination, the MOIS, the Korea Communications Commission ('KCC'), the Financial Services Commission ('FSC'), the Ministry of Science and ICT, and the Ministry of Health and Welfare;
- Guidelines for the Pseudonymization of Personal Data, issued by the PIPC (only available in Korean here);
- Draft Guidelines for the Pseudonymization of Personal Data (Volume: Combination and Export of Pseudonymized Personal Data), issued by the PIPC (only available in Korean here); and
- Handbook on the Psedonymization and Anonymization of Personal Data in the Financial Sector (only available in Korean here).
Although such guidelines lack binding legal effect, they may, nevertheless, serve as useful reference materials on how laws and regulations are likely to be interpreted in practice.
1.3. Case law
Being a civil law jurisdiction, South Korea's principal source of legal authority is legislation, as opposed to case law in common law jurisdictions, and in particular, codifications in the Constitution and statutes enacted by the Government of the Republic of Korea or the National Assembly. However, several important court decisions have been issued recently which may serve as useful references for how data protection laws and regulations may be interpreted in practice.
In the Supreme Court Decision 2016Do13263, decided on 7 April 2017, the Supreme Court of Korea invalidated the consent obtained from data subjects because the defendant had collected personal information under circumstances that made it difficult for data subjects to clearly understand what they had consented to, even though the consent they had provided satisfied formalities prescribed by law, i.e. the notice was provided in font size of 1mm.
Furthermore, in the Seoul High Court ('the High Court') Decision 2017Na2074963/2017Na2074970 (Consolidated), decided on 3 May 2019, the High Court ruled that the Korea Pharmaceutical Information Center's provision of sensitive personal information, i.e. prescription data of patients to third parties, without consent constituted a violation of the PIPA. At the same time, the High Court noted that if the personal information has undergone appropriate de-identification measures, such as encryption, which makes it impossible to identify specific individuals, then the provision of such de-identified data to third parties without the consent of data subjects should not be considered a violation of the PIPA.
2. SCOPE OF APPLICATION
General data protection law
The PIPA is applicable to a data handler, which is a person, whether a public agency, juridical person, organisation or individual, that, by itself or through a third party, handles personal data to make use of, or carry out, any operation on a personal data file in the course of, or in relation to, its business activities. The personal data file means a collection of personal data in which personal data is systematically organised pursuant to certain rules for easy search or use of such personal data.
Although most of the ICNA's personal information-related provisions have been transferred to the PIPA as the Special Provisions for ICSPs, the ICNA still applies to certain data processing matters by ICSPs, which include:
- commercial providers of information services, including those provided through the use of a telecommunications service, i.e. internet service and online service providers, including content providers and application providers; and
- telecommunications service providers.
The UPCIA applies specifically to:
- credit information companies (i.e. credit bureaus for individuals, credit bureaus for sole proprietorships, credit bureaus for corporations, credit investigation companies);
- credit information self-management companies (i.e. MyData service providers) that are engaged in the business of providing credit information to credit information subjects by combining statutorily prescribed information relevant to the credit information subject through certain methods;
- credit information collection agencies that manage/utilise credit information they have collected;
- debt collection agencies; and
- credit information users and providers, meaning persons providing a third party with credit information obtained or generated in connection with its commercial transactions, such as financial transactions, with customers, or persons being provided by a third party with such credit information to be used for their business, e.g. a bank or a credit card company.
The PIPA, as a general law, would apply unless any applicable special laws exist. Thus, if a provision of a special law is found to be applicable to an entity, it must comply with the provision of the special law (e.g. the UPCIA) ahead of the PIPA. For ICSPs, even in cases where the PIPA applies, the Special Provisions for ICSPs will apply with priority.
While it is understood that the PIPA applies to all data handlers and outsourced processors within South Korea, the PIPA does not explicitly specify its territorial scope. Furthermore, the PIPA does not reference its extraterritorial scope, however in practice several factors are considered when deciding whether a foreign entity is subject to the PIPA (e.g. whether the company provide services targeted at Koreans, whether the company generates revenue from doing business in South Korea).
The PIPA is applicable to the 'handling of personal data,' defined as the 'collection, generation, recording, storage, retention, processing, editing, search, outputting, rectification, restoration, use, provision, disclosure, or destruction of personal data or any other action similar to any of the foregoing.'
3.1. Main regulator for data protection
The main data protection authorities are:
- the PIPC;
- the KCC;
- the Korea Internet & Security Agency ('KISA') and;
- the FSC.
3.2. Main powers, duties and responsibilities
The main powers of the PIPC are:
- enforcing the PIPA;
- addressing issues regarding formal interpretations;
- imposing administrative fines, penalty surcharges, corrective orders, and other administrative sanctions;
- shaping data protection policy; and
- assessing the enactment/amendment of laws and administrative measures relating to the protection of personal information.
The main functions of the KCC are:
- enforcing the ICNA;
- addressing issues regarding formal interpretations; and
- imposing administrative fines, penalty surcharges, corrective orders, and other administrative sanctions.
The main duty of KISA is to:
- perform tasks delegated to it by the KCC and PIPC.
The main duties of the FSC are:
- enforcing the UPCIA; and
- addressing issues regarding formal interpretations.
4. KEY DEFINITIONS
Data controller: The concept of data handler, or personal information controller, under the PIPA is similar to the concept of data controller under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Specifically, the PIPA defines a data handler as 'a public institution, corporate body, organisation, individual, who, by itself or through a third party, processes, i.e., collects, generates, connects, interlocks, records, stores, retains, processes, edits, searches, outputs, corrects, restores, uses, provides, discloses, destroys, or otherwise handles personal data to administer personal data files for official or business purposes.'
Data processor: Data handlers may outsource the processing of personal data and personal information to third parties, i.e. data processors. Under the PIPA, the concept of data handler is defined quite broadly, and therefore includes data protection authorities that process data.
- identifies a particular individual by his or her full name, resident registration number ('RRN'), image, or the like;
- even if it by itself does not identify a particular individual, may be easily combined with other information to identify a particular individual (in such cases, whether or not the information may be 'easily combined' shall be determined by reasonably considering the time, cost, and technology used to identify the individual such as the likelihood that the other information can be procured); or
- is information under items 1 or 2 above which is pseudonymised and thereby becomes incapable of identifying a particular individual without the use or combination of additional information for restoration to its original state.
Sensitive data: Sensitive data is defined as 'personal information regarding an individual's ideology, faith, trade union or political party membership, political views, health, sexual orientation and other personal information that may cause a material breach of privacy,' and further includes genetic information, criminal records, information on an individual's physical, physiological, and behavioural characteristics generated through certain technical means for the purpose of identifying a specific individual and racial/ethnic data as stated in Article 18 of the Enforcement Decree of the Personal Information Protection Act 2011 (English version without 2020 Amendments available here; up-to-date version only available in Korean here) ('the PIPA Enforcement Decree').
Health data: The PIPA only stipulates that health data is deemed sensitive data without providing a direct definition of 'health data.' According to the PIPC guidelines, health data is data about an individual's current and past medical history and physical/mental disabilities (e.g., disability rating).
Biometric data: The PIPA does not specifically define biometric data, but items of sensitive data that are 'information on an individual's physical, physiological, and behavioural characteristics generated through certain technical means for the purpose of identifying a specific individual' would likely be considered similar in concept. According to the PIPC guidelines, the data described above is data that is manufactured using technology that extracts unique characteristics of an individual such as his/her face, fingerprint, iris and handwriting sample in order to confirm or verify the individual's identity.
Pseudonymisation: The PIPA defines pseudonymised data as 'data from which the specific individual cannot be identified without the use or combination of additional information for restoring to the original state.' Furthermore, the PIPA defines 'pseudonymisation' as 'the processing of personal information to the extent where the specific individual cannot be identified anymore from that information without additional information, by deleting or replacing in whole or in part the personal information, or by any other means.'
Data Collection: 'Handling' of personal data is defined to mean the 'collection, generation, recording, storage, retention, processing, editing, search, outputting, rectification, restoration, use, provision, disclosure or destruction of personal data or any other action similar to any of the foregoing.'
Data Subject: Referred to as being an individual who is a subject of the handled data by which that individual can be identifiable.
Anonymised information: Is defined as any information which cannot be used to identify a specific individual even if the information is combined with other information, after reasonably considering factors such as time, cost, technology, is not subject to the PIPA.
5. LEGAL BASES
Data handlers must provide notice when processing personal data. Explicit consent is generally required prior to the collection, use, and provision to third parties of personal information, subject to certain exceptions.
For your reference, the PIPC guidelines provide that data handlers should:
- provide notice, in a clear and easily understandable manner, of information on the items of personal data collected and the reasons for such collection when obtaining consent from users; and
- obtain 'explicit consent' because they are required to obtain consent in accordance with Article 22 of the PIPA (which, among other things, prohibits data handlers from obtaining blanket consent for all types of processing, requires data controllers to provide notice of material information and the scope of consent, and requires data handlers to differentiate between required/optional consent (e.g. for marketing/promotional purposes).
In addition, the PIPC guidelines provide that consent for the collection and use of personal data which is required by the PIPA should be voluntary opt-in (via written signature, oral confirmation, or an online checkbox) consent and be clearly verifiable.
The PIPA stipulates that data handlers may collect and use personal data without the data subject's consent in order to enter into and perform a contract with the data subject. However, please note that this legal basis is not valid for the provision of personal data to a third party.
The PIPA stipulates that when required to comply with the data handler's obligations under other applicable laws, or it is specifically required or permissible under other applicable laws and regulations, data handlers may collect, use, and/or provide personal data without the data subject's consent. As such, this legal basis may only be relied on if applicable laws specifically require or permit the collection or use of personal data, or it is impossible for the data handler to comply with its obligations under another applicable law without collecting the personal data, or it would be extremely difficult to use another method to comply with their obligation.
The PIPA stipulates that where there is a clear and urgent need to protect the life, physical, or economic interest of the data subject or a third party, and the consent to the processing of personal information cannot be obtained in an ordinary manner because either the data subject or their legal representative cannot express intent or the data subject's address is unknown, the data handler may collect, use, and/or provide the data subject's personal data without his/her consent.
The PIPA does not recognise public interest as a legitimate basis for processing personal data without the data subject's consent. Please note that pseudonymised data may be processed without consent for the purpose of preserving records for public interest, and/or for public institutions that cannot perform their work as prescribed by other laws without processing the personal information in question, they may collect, use, and/or provide the personal data without the data subject's consent.
The PIPA exceptionally provides that personal data may be collected and used without consent in cases where the collection and use is necessary to achieve a legitimate interest of the data handler and where such legitimate interest clearly overrides the rights of the data subject (provided that the collection and use is substantially relevant to the legitimate interest of the data handler and that the collection and use is only done to a reasonable extent). The PIPC guidelines provide that 'the preparation/procurement of supporting materials for the collection/calculation of service fees, collection of debts, and commencement/continuation of legal action' may be examples of what may constitute a 'legitimate interest.'
Please note that the 'legitimate interest' ground is only recognised in very limited instances, given the specific language of the PIPA and the PIPC's guidelines. Also, 'legitimate interest' cannot be used as a basis for providing personal data to third parties without the data subject's consent.
Under the ICNA, the transmission of for-profit advertisements through an electronic medium (e.g. telephone, mobile phone, fax, email, etc.) requires the express prior consent of the recipients. Additionally, the ICNA provides a list of certain information which must be included in the for-profit advertisements and certain acts that are prohibited from being performed by the sender.
Validity periods for the retention of personal data
If the special provisions for ICSPs apply, in order to protect personal data of the users who do not use information and communications services for a period of one year, ICSPs must either destroy the inactive user's personal data immediately after the aforementioned time period, or separate the inactive user's personal data from other users' personal data for separate storage and administration.
ICSPs, including but not limited to app developers, wishing to access stored data or functions within a user's mobile device, including smartphones and tablets, will be required to obtain the user's prior informed consent to gain such access.
ICSPs must notify the following to the users:
- the items of data;
- the reason why the access authority is necessary; and
- the fact that the user may refuse to grant the access authority, if such granting is not indispensable to provide the service in question.
The PIPA sets out eight key principles that apply to data handlers:
- the data handler shall explicitly specify the purposes for which personal information is processed, and shall collect personal data lawfully and fairly to the minimum extent necessary for such purposes;
- the data handler shall process personal data in an appropriate manner necessary for the purposes for which the personal data is processed, and shall not use it beyond such purposes;
- the data handler shall ensure personal data is accurate, complete, and up to date to the extent necessary in relation to the purposes for which the personal data is processed;
- the data handler shall manage personal data safely according to the processing methods, types, etc. of personal data, taking into account the possibility of infringement on the data subject's rights and the severity of the relevant risks;
- the data handler shall process personal data in a manner to minimise the possibility of infringing the privacy of a data subject;
- if it is still possible to fulfil the purposes of collecting personal data by processing anonymised or pseudonymised personal data, the data handler shall process personal data through anonymisation, where anonymisation is possible, or through pseudonymisation, if it is impossible to fulfil the purposes of collecting personal data through anonymisation; and
- the data handler shall endeavour to obtain the trust of data subjects by observing and performing such duties and responsibilities as provided for in the PIPA and other related statutes.
7. CONTROLLER AND PROCESSOR OBLIGATIONS
Data handlers have various other obligations under the PIPA, including handling personal data in a way which minimises any possible infringement upon the privacy of data subjects, and, where possible, anonymising personal data, and if anonymisation is not possible, pseudonymising the data before processing. Specifically, data handlers must maintain the security of personal data, taking into account the likelihood and risk of infringement of data subjects' privacy. This likelihood and level of risk may vary depending on various factors such as the types and methods of the handling of personal data. In particular, data handlers are required to take the technical, administrative, and physical measures necessary to ensure the security of personal data. These measures include, among other things, the establishment of internal rules for adequate administration of personal data, and the keeping of access logs to prevent personal data from being lost, stolen, leaked, fabricated, or destroyed. The PIPA has a prescriptive list of the minimal measures to be taken in this regard.
Data handlers must also provide notice when processing personal data. Express consent is generally required prior to the collection, use, and provision of personal data, subject to certain exceptions. The consent for a provision must be obtained separately from the consent for the collection and use of personal data. Moreover, consent for the processing of particular identification data, i.e. RRNs, passport numbers, driver's license numbers, and alien registration numbers, and sensitive data must be obtained separately from each other, and from any other consent. Personal data must not be used beyond consented purposes unless the separate consent of data subjects has been obtained.
Only a few limited exceptions to this consent requirement are recognised under South Korean law. However, pursuant to the 2020 Amendments, personal data may be used and provided without the data subject's consent within the scope reasonably related to the original purpose of the collection after considering whether the contemplated use and provision is related to the original purpose of the collection, such use and provision of the personal information could have been predicted in light of the circumstances surrounding the collection and customary handling practices, the use and provision will not result in any disadvantage to the data subject, and/or the data handler has implemented the necessary safeguards to ensure the security of the personal information (e.g. encryption).
As data processors are likely to be treated as data handlers, data processors will, in general, be subject to the same legal obligations as those applicable to data handlers. In the case of a violation of the PIPA by a data processor, i.e. an outsourced service provider, the data processor will be deemed as an employee of the data handler and the data handler will have vicarious liability.
There are no legal obligations for data controllers and/or data processors to notify any regulatory authority of their data processing activities.
There are separate requirements for provision and outsourcing to data processors.
Specifically, a provision refers to cases where a data transfer is conducted for the benefit and business purpose of the transferee, whereas outsourcing refers to cases where a data transfer is conducted for the benefit and business purpose of the transferor.
The prior consent of data subjects is required in order to conduct a provision, whereas in the case of an outsourcing, the PIPA does not require the prior consent of data subjects.
Data handlers may not enter into data transfer agreements which violate relevant laws and regulations. In particular, the PIPA requires data handlers to obtain the prior consent of data subjects when conducting a provision to a third party overseas. For ICSPs and recipients of personal data provided by ICSPs, the prior consent of data subjects will be required for all cross-border transfers, irrespective of whether such transfer constitutes a provision or outsourcing, unless an exception is applicable.
The European Commission issued, on the 16 June 2021, its statement on the launch of the adequacy decision adoption process, publishing its Draft Decision on the adequate protection of personal data by the Republic of Korea, which awaits the opinion of the European Data Protection Board and the approval of member states.
The PIPA does not require organisations to maintain a record of processing activities. However, the PIPA does require data handlers to manage and store log-in records which document the access to a data processing system by 'personal data handlers' (i.e. officers, employees, workers, etc. who process personal data under the direction and supervision of the data handler) for at least one year. Such log-in records shall contain the facts of access, including ID, date and time of access, information to identify the person of access, and tasks performed by the personal data handler while connected to the processing system.
Under the PIPA, only public institutions are obligated to conduct a Data Protection Impact Assessment ('DPIA'). Specifically, in cases where there is a risk of an infringement with respect to the personal data of data subjects due to the operation of personal data files meeting certain criteria, the head of a public institution shall conduct an assessment to analyse risk factors and improve them, and submit the results thereof to the PIPC.
Under the PIPA, all data handlers must appoint qualified officials as privacy officers to take charge of all aspects of their handling of personal data. Specifically, data handlers, excluding public institutions, must appoint a person satisfying any one of the following conditions as their privacy officer:
- the owner or representative director of a business; or
- an executive officer, however if there are no executive officers, then the head of the department responsible for processing personal data.
However, data handlers who qualify as small business owners are deemed to have appointed their owner or representative as their privacy officer unless they specifically appoint someone else.
In the case of public institutions, the privacy officer must be a public official who meets certain requirements prescribed by law.
A data handler must provide notice to affected data subjects without delay when he/she becomes aware of a breach of personal data, pursuant to the PIPA. Further, where there is a data breach involving 1,000 data subjects or more, the data handler must, in addition to individual notices to data subjects, report the data breach to the PIPC or a specialist institution designated under the PIPA, and also disclose the prescribed information on its internet homepage, or at noticeable places in its business place if it does not operate an internet homepage, for at least seven days.
Both ICSPs and recipients of personal data provided by ICSPs are subject to the Special Provisions on ICSPs, so notice must be provided to data subjects and the PIPC or the specialist institution mentioned above without delay within 24 hours upon the occurrence of a data breach, unless there is a justifiable reason otherwise. Information that must be included when providing notification is identical to cases in which the Special Provisions on ICSPs do not apply.
The basic principles applicable to data retention include:
- the principle of fair and legitimate collection of the minimum necessary personal data to the extent necessary for the explicitly stated and consented purposes; and
- the principle that such personal data must be handled only to the extent necessary for the explicitly stated and consented purposes.
If the retention of personal data is required by South Korean law or regulations beyond the retention period notified to, and consented by, data subjects, such personal data will need to be kept separate from any other personal data.
Validity periods for the retention of personal data
If the Special Provisions for ICSPs apply, in order to protect personal data of the users who do not use information and communications services for a period of one year, ICSPs must either destroy the inactive user's personal data immediately after the aforementioned time period, or separate the inactive user's personal data from other users' personal data for separate storage and administration.
The PIPA provides that when consent is required under the PIPA to process the personal information of a child under the age of 14, the data handler must obtain the consent of the data subject's legal representative. The PIPA also provides that when obtaining the consent of the child's legal representative, the data handler may, without the legal representative's consent, collect data directly from the child that is necessary to seek consent from the child's legal representative. In such case, the data to be collected directly from the child must be minimised to only what is necessary to seek consent of the legal representative.
Also, data handlers that are ICSPs are required to:
- communicate in an easily understandable form and use clear and plain language when notifying children of matters relating to the processing of personal information; and
- obtain the legal representative's consent if the ICSP wishes to obtain consent in order to collect, use, or provide the personal data of a child under 14 and confirm whether the legal representative has granted consent to process the child's personal information in a statutorily-prescribed manner.
Sensitive data is considered a special category of personal data under the PIPA. Criminal records are included in the scope of sensitive data. In addition, the PIPA defines another special category of personal data, which is 'particular identification data,' that includes RRNs, passport numbers, drivers' license numbers, and alien registration numbers.
In principle, the handling of sensitive data/particular identification data is prohibited without express consent by the data subject, specifically express opt-in consent from the data subject, unless an exception applies. Consent to the processing of particular identification data or sensitive data must be obtained separately from each other, and from any other consent. In particular, with respect to RRNs, data handlers may not collect or use RRNs unless an exception applies under the PIPA, and no ICSPs may collect or use RRNs unless an exception applies under the ICNA.
Obtaining an individual's criminal records and investigation records is, in principle, prohibited, unless one of the exceptions under the Act on the Lapse of Criminal Sentences applies. Therefore, even with the data subject's consent, data handlers may not directly acquire a data subject's criminal records and investigation records.
Outsourcing the processing of personal data to a third-party data processor requires a written agreement that must include:
- the terms prohibiting a data processor from processing personal data for any purpose other than for the performance of outsourced tasks;
- the technical and administrative safeguards implemented for the protection of personal data; and
- any other matters prescribed by the PIPA Enforcement Decree for the safe administration of personal data.
8. DATA SUBJECT RIGHTS
The data handler must ensure that personal data is accurate, complete, and up to date to the extent necessary for achieving the purposes of its handling, and data subjects may exercise their rights of access, correction, suspension of use, and removal of their personal data. To this end, the PIPA also has prescriptive procedural rules to ensure data subjects' exercise of such rights.
Meanwhile, under the amended UPCIA, credit information subjects have the right to data portability, i.e. the right to request credit information providers/users to transmit the subject's personal credit information in their possession to the credit information subjects themselves or others designated by the credit information subject.
Notification when obtaining consent from data subjects
Under the PIPA, data handlers and ICSPs are required to provide notice of the following matters when obtaining consent from data subjects for the collection and use of personal data:
- the purpose of the collection and use of personal data;
- the items of personal data to be collected/used;
- the period for retaining and using the personal data; and
- the data subject's right to refuse his/her consent and outline any disadvantages, if any, which may follow from such refusal.
In addition, data handlers and ICSPs are required to provide notice of the following matters when obtaining consent from data subjects for the provision of personal data to third parties:
- the specific name of the third-party recipient;
- items of personal information to be shared;
- third party recipients' purposes of use;
- period of retention and use by the third-party recipient; and
- the data subject's right to refuse his/her consent and outline any disadvantages, if any, which may follow from such refusal.
Under the PIPA, a data subject may request access to his/her personal data processed by the data handler. The PIPA establishes that the right of access may only be limited or denied in circumstances where:
- such access is prohibited or restricted by law; or
- it may possibly cause damage to the life or body of a third party, or improperly violate the property, and other interests of a third party.
Additional grounds for limiting or denying the right of access are available for public institutions.
The PIPA Enforcement Decree specifies that the data subject may request access to any of the following information from the data handler:
- the items of personal data concerned;
- the purpose for collecting/using the personal data;
- the retention and use period of the personal data;
- the status of any provision of personal data to third parties; and
- the fact that the data subject consented to the data handler's processing of personal data.
The PIPA provides that a request must be made in accordance with the procedures determined by the data handler. Such procedure should meet the following requirements:
- the methods available to the data subject in making the request need to be data subject-friendly, such as in writing, by telephone or electronic mail, or via the internet;
- data subjects must be able to request access at least through the same window or in the same manner that the data handler uses to collect such personal information, unless a justifiable reason exists (e.g. difficulty in continuously operating such window); and
- details regarding the manner and procedure for exercising the right to request access is to be posted on the website operated by the data handler (if such website exists).
Data handlers must confirm that the request is made by the data subject whose personal data is to be accessed, or his/her appropriate legal representative. In addition, data handlers must respond to the data subject who requests access within ten days of receiving the request. The response should either be the granting of access (if the request was accepted), or the fact that access has been put on hold, in which case the grounds for the delay must be explained. Once the reason for delay no longer exists or is cured, access must be granted without delay.
The PIPA provides data subjects that have accessed their personal information with a right to request the rectification of such information from the relevant data handler. Since only data subjects who have accessed their personal data may request rectification of such information, data subjects who were denied access to their personal data may not exercise their right to request rectification.
Meanwhile, the PIPA stipulates the right to rectification in parallel with the right to erasure in the same provision, so the data subject's method of exercising the right to rectification, the data handler's timeline for responding to such request and the data handler's rights regarding the right to rectification are the same as those for the right to erasure. Therefore, please see section 8.4 below for more details.
The PIPA provides data subjects that have accessed their personal information with a right to request the erasure of such information from the relevant data handler. However, the erasure is not permitted when the collection of the personal information is required by other laws or the data subject's right to access has been denied by the data handler.
The PIPA does not specifically address how requests should be made. However, the PIPA Enforcement Decree provides that a request must be made in accordance with the procedure determined by the data handler. Such procedure should meet the following requirements:
- the methods available to the data subject in making the request need to be data subject-friendly, such as in writing, by telephone or electronic mail, or via the Internet;
- data subjects must be able to request erasure of their own personal information at least through the same window or in the same manner that the data handler uses to collect such personal information, unless a justifiable reason exists, such as difficulty in continuously operating such window; and
- the manner and procedure for the manner and procedure for exercising the right to request erasure is to be posted on a website if the handler operates the website.
The data handler must respond to the data subject who requests erasure within ten days of receiving the request. The response should either be confirmation that the data subject's personal information has been deleted (if the request was granted), or the fact that the request has been denied and the reasons for such denial and method of objecting to such denial. The PIPA also provides that data handlers, where necessary, have the ability to request relevant evidence necessary to confirm the erasure of personal information. In addition, the PIPA Enforcement Decree provides that the data handler must confirm that the request is actually made by the data subject whose personal information is to be deleted, or his/her appropriate legal representative.
Data handlers who are ICSPs must allow data subjects to withdraw their consent to the processing (e.g. collection, use, and provision) of their personal information at any time. Also, data handlers must respond to a data subject's request to suspend the processing of his/her personal information.
Data handlers must comply with a data subject's request to suspend processing of his/her personal information unless one of the following exceptions applies:
- where special provisions exist in law or it is inevitable to observe the data handler's legal obligations;
- where access may possibly cause damage to the life or body of a third party, or unfairly infringe upon a third party's property or other interest; or
- where the data handler would not be able to perform the terms of a contract entered into with the data subject if it does not process the personal information and the data subject did not clearly indicate his/her intention to terminate the contract.
The request must be made in accordance with the procedure determined by the data handler. Such procedure should meet the following requirements:
- the methods available to the data subject in making the request need to be data subject-friendly, such as in writing, by telephone or electronic mail, or via the Internet;
- data subjects must be able to request suspension of their own personal information or withdrawal of consent at least through the same window or in the same manner that the data handler uses to collect such personal information, unless a justifiable reason exists (e.g. difficulty in continuously operating such window); and
- details regarding the manner and procedure for exercising the right to request suspension/withdrawal or consent is to be posted on the website operated by the data handler (if such website exists).
The data handler must respond to the data subject who requests suspension within ten days of receiving the request. The response should either be confirmation that the processing of data subject's personal information has been suspended (if the request was granted), or the fact that the request has been denied and the reasons for such denial and method of objecting to such denial.
The current PIPA does not recognise the right to data portability. However, proposed amendments to the PIPA published by the PIPC for public comment on 6 January 2021 expressly provide for data subjects' rights to their data portability.
To enable the exercise of this right, the amendments also introduce the concept of a professional data management institution which will be responsible for:
- providing support to data subjects for their exercise of their rights as data subjects (e.g. right to data portability, right of request perusal, right to request rectification/erasure, right to suspend processing); and
- the integration/management of their personal information.
The PIPA does not recognise the right not to be subject to automated decision-making. However, proposed amendments to the PIPA mentioned above expressly provide for a data subject's right not to be subject to automated decision-making.
Regulators such as the PIPC, the KCC, and the FSC may impose various administrative sanctions such as corrective orders, administrative fines, and penalty surcharges for violations of respective laws and regulations.
Public prosecutors may also investigate any violations which are also subject to criminal punishment. Additionally, data handlers may become civilly liable to any data subjects who suffer damages as a result of such violations.
In addition, as discussed below, there have been several cases where the KCC and, following recent amendments to the PIPA, the PIPC have imposed large amounts of penalty surcharges for related violations.
On 15 July 2020 (before the amendments took effect), the KCC issued a corrective order and imposed a penalty surcharge of KRW 180 million (approx. €130,600) on an international media platform operator for its collection of personal information of minors under the age of 14 without the consent of their legal representatives.
On 25 November 2020, the PIPC imposed a penalty surcharge of KRW 6.7 billion (approx. €4.9 million) on an international social media corporation for the provision of personal information to a third-party business operator without the consent of the data subjects, and referred the case to an investigative authority for a violation of the PIPA.