South Korea - Data Protection Overview
1. Governing Texts
Under the Constitution of South Korea ('the Constitution'), the rights to privacy, privacy of communications, and freedom of expression are recognized as fundamental rights. In addition, the Constitutional Court of South Korea ('Constitutional Court') and Supreme Court of South Korea ('Supreme Court') have established through subsequent court decisions that the right to informational self-determination should be viewed as a separate fundamental right, despite not being stipulated in the Constitution.
The main law and regulations related to data protection are the Personal Information Protection Act 2011 (as amended in 2023) ('the PIPA') and its implementing regulations, which govern the collection, use, disclosure, and other processing of personal data by governmental or private entities as well as individuals. Under these laws, the data subject's consent is, in principle, almost always required to process their personal data.
Generally speaking, the data protection laws in South Korea impose very prescriptive, specific requirements throughout the lifecycle of personal data handling, and, due to the requirements of prior notification and opt-in consent and the relatively heavy sanctions prescribed by law, they are known as one of the strictest sets of data protection laws in the world. The data protection laws consist of a general law and several special laws pertaining to specific industry sectors.
General data protection law
The collection and processing of personal data is governed by the PIPA, the comprehensive general data protection law.
On February 4, 2020, the National Assembly passed several amendments to the PIPA ('the 2020 Amendments'), which entered into effect on August 5, 2020. In particular, the 2020 Amendments include, among other things, revised definitions for pseudonymous and anonymous processing, as well as associated requirements, restrictions, penalties, and measures for centralizing personal information protection services within the Personal Information Protection Commission ('PIPC').
On March 14, 2023, the National Assembly passed additional amendments to the PIPA ('the 2023 Amendments'). Among other things, the 2023 Amendments introduce the data subject's right to data portability and the right to contest automated decision-making, the unification of the Special Provisions for ICSPs (as defined in the special laws section below) with the general provisions for data handlers, the relaxation of certain consent requirements for the processing of personal data, diversified legal bases for transferring personal data overseas, the PIPC's power to suspend overseas personal data transfers, and data handlers' obligation to destroy pseudonymized data. Since further details will be included in the forthcoming amendments to the Enforcement Decree of the PIPA, companies should closely monitor the amendments to both the PIPA and its Enforcement Decree to ensure compliance with any additional data protection requirements to which they may be subject.
There are special laws regulating the handling of personal data in certain specific industries, most notably the Use and Protection of Credit Information Act 2009 (an English version is available without the 2020 Amendments; the up-to-date version is available only in Korean) ('UPCIA').
Meanwhile, the processing of personal data by information and communications service providers and recipients of such information ('ICSPs'), which was previously governed by the Act on Promotion of Information and Communication Network Utilization and Information Protection 2001 (an English version including the 2020 Amendments is available; the up-to-date version is available only in Korean) ('ICNA'), is now governed by the PIPA following the deletion of the relevant provisions from the ICNA and their transfer to the PIPA on August 5, 2020. These provisions were included in the PIPA as a new chapter ('the Special Provisions for ICSPs'). However, under the 2023 Amendments, the Special Provisions for ICSPs that overlapped with or were similar to the general provisions have been incorporated into the general provisions, and rules that existed only within the Special Provisions for ICSPs have been either deleted or incorporated into the general provisions.
Data protection authorities have also issued various guidelines related to the protection of personal data, including:
- the Guide to the Interpretation of Data Protection Laws and Regulations, issued by the PIPC (available only in Korean) ('the PIPC Guidelines');
- the Guidelines for the Pseudonymization of Personal Data, issued by the PIPC (available only in Korean);
- the Handbook on the Pseudonymization and Anonymization of Personal Data in the Financial Sector (available only in Korean); and
- the Biometric Protection Guidelines (available only in Korean).
Although such guidelines lack binding legal effect, they may, nevertheless, serve as useful reference materials on how laws and regulations are likely to be interpreted in practice.
1.3. Case law
Being a civil law jurisdiction, South Korea's principal source of legal authority is legislation, as opposed to case law in common law jurisdictions, and in particular, codifications in the Constitution and statutes enacted by the Government of the Republic of Korea or the National Assembly. However, several important court decisions have been issued recently which may serve as useful references for how data protection laws and regulations may be interpreted in practice.
In Supreme Court Decision 2016Do13263, decided on April 7, 2017, the Supreme Court invalidated the consent obtained from data subjects because the defendant had collected personal data under circumstances that made it difficult for data subjects to clearly understand what they had consented to, even though the consent they had provided satisfied the formalities prescribed by law, i.e. the notice was provided in a font size of 1 mm.
Furthermore, in Seoul High Court ('the High Court') Decision 2017Na2074963/2017Na2074970 (Consolidated), decided on May 3, 2019, the High Court ruled that the Korea Pharmaceutical Information Center's provision of sensitive personal data, i.e. patients' prescription data, to third parties without consent constituted a violation of the PIPA. At the same time, the High Court noted that if the personal data has undergone appropriate de-identification measures, such as encryption, which make it impossible to identify specific individuals, then the provision of such de-identified data to third parties without the consent of data subjects should not be considered a violation of the PIPA.
2. Scope of Application
General data protection law
The PIPA is applicable to a data handler, which is a person, whether a public agency, juridical person, organization, or individual, that, by itself or through a third party, handles personal data to make use of, or carries out, any operation on a personal data file in the course of, or in relation to, its business activities. A personal data file means a collection of personal data in which personal data is systematically organized pursuant to certain rules for easy search or use of such personal data.
Although most of the ICNA's personal data-related provisions have been transferred to the PIPA as the Special Provisions for ICSPs in the 2020 Amendments, and Special Provisions for ICSPs have been deleted and/or incorporated into the general provisions in the 2023 Amendments, the ICNA still applies to certain data processing matters by ICSPs, which include:
- commercial providers of information services, including those provided through the use of a telecommunications service, i.e. internet service and online service providers, including content providers and application providers; and
- telecommunications service providers.
The UPCIA applies specifically to:
- credit information companies (i.e. credit bureaus for individuals, credit bureaus for sole proprietorships, credit bureaus for corporations, and credit investigation companies);
- credit information self-management companies (i.e. MyData service providers) that are engaged in the business of providing credit information to credit information subjects by combining statutorily prescribed information relevant to the credit information subject through certain methods;
- credit information collection agencies that manage/utilize credit information they have collected;
- debt collection agencies; and
- credit information users and providers, meaning persons providing a third party with credit information obtained or generated in connection with its commercial transactions, such as financial transactions, with customers, or persons being provided by a third party with such credit information to be used for their business, e.g. a bank or a credit card company.
The PIPA, as a general law, applies unless an applicable special law exists. Thus, if a provision of a special law is found to apply to an entity, the entity must comply with that provision (e.g. of the UPCIA) ahead of the PIPA. However, since the 2023 Amendments have deleted the Special Provisions for ICSPs and incorporated them into the general provisions, the same rules will apply to both ICSPs and offline data handlers once the 2023 Amendments take effect on September 15, 2023.
While it is understood that the PIPA applies to all data handlers and outsourced processors within South Korea, the PIPA does not explicitly specify its territorial scope. Nor does the PIPA address its extraterritorial scope; in practice, however, several factors are considered when deciding whether a foreign entity is subject to the PIPA (e.g. whether the company provides services targeted at Koreans, or whether the company generates revenue from doing business in South Korea).
The PIPA is applicable to the 'handling of personal data', defined as the 'collection, generation, recording, storage, retention, processing, editing, search, outputting, rectification, restoration, use, provision, disclosure, or destruction of personal data or any other action similar to any of the foregoing'.
3.1. Main regulator for data protection
The main data protection authorities are:
- the PIPC;
- the Korea Communications Commission ('KCC');
- the Korea Internet & Security Agency ('KISA'); and
- the Financial Services Commission ('FSC').
3.2. Main powers, duties and responsibilities
The main powers of the PIPC are:
- enforcing the PIPA;
- addressing issues regarding formal interpretations;
- imposing administrative fines, penalty surcharges, corrective orders, and other administrative sanctions;
- shaping data protection policy; and
- assessing the enactment/amendment of laws and administrative measures relating to the protection of personal data.
The main functions of the KCC are:
- enforcing the ICNA;
- addressing issues regarding formal interpretations; and
- imposing administrative fines, penalty surcharges, corrective orders, and other administrative sanctions.
The main duty of KISA is to perform tasks delegated to it by the KCC and PIPC.
The main duties of the FSC are:
- enforcing the UPCIA; and
- addressing issues regarding formal interpretations.
4. Key Definitions
Data controller: The concept of data handler, or personal information controller, under the PIPA is similar to the concept of data controller under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Specifically, the PIPA defines a data handler as 'a public institution, corporate body, organization, individual, who, by itself or through a third party, processes, i.e., collects, generates, connects, interlocks, records, stores, retains, processes, edits, searches, outputs, corrects, restores, uses, provides, discloses, destroys, or otherwise handles personal data to administer personal data files for official or business purposes'.
Data processor: Data handlers may outsource the processing of personal data to third parties, i.e. data processors. Under the PIPA, the concept of data handler is defined quite broadly, and therefore includes data protection authorities that process data.
Personal data: Information that:
- identifies a particular individual by their full name, resident registration number ('RRN'), image, or the like;
- even if it by itself does not identify a particular individual, may be easily combined with other information to identify a particular individual (in such cases, whether or not the information may be 'easily combined' shall be determined by reasonably considering the time, cost, and technology used to identify the individual, such as the likelihood that the other information can be procured); or
- is information under either of the first two items above which is pseudonymized and thereby becomes incapable of identifying a particular individual without the use or combination of additional information to restore it to its original state.
Sensitive data: Sensitive data is defined as 'personal data regarding an individual's ideology, faith, trade union or political party membership, political views, health, information on sexual activities and other personal data that may cause a material breach of privacy', and further includes genetic information, criminal records, information on an individual's physical, physiological, and behavioral characteristics generated through certain technical means for the purpose of identifying a specific individual, and racial/ethnic data, as stated in Article 18 of the Enforcement Decree of the Personal Information Protection Act 2011 (as amended in 2021 and 2022) (up-to-date version available only in Korean) ('the PIPA Enforcement Decree').
Health data: The PIPA only stipulates that health data is deemed sensitive data without providing a direct definition of 'health data'. According to the PIPC guidelines, health data is data about an individual's current and past medical history and physical/mental disabilities (e.g., disability rating).
Biometric data: The PIPA does not specifically define biometric data, but the category of sensitive data described as 'information on an individual's physical, physiological, and behavioral characteristics generated through certain technical means for the purpose of identifying a specific individual' would likely be considered similar in concept. According to the PIPC guidelines, the data described above is data produced using technology that extracts unique characteristics of an individual, such as their face, fingerprint, iris, or handwriting sample, in order to confirm or verify the individual's identity.
Pseudonymization: The PIPA defines pseudonymized data as 'data from which the specific individual cannot be identified without the use or combination of additional information for restoring to the original state.' Furthermore, the PIPA defines 'pseudonymization' as 'the processing of personal data to the extent where the specific individual cannot be identified anymore from that information without additional information, by deleting or replacing in whole or in part the personal data, or by any other means'.
Data Collection: 'Handling' of personal data is defined to mean the 'collection, generation, recording, storage, retention, processing, editing, search, outputting, rectification, restoration, use, provision, disclosure or destruction of personal data or any other action similar to any of the foregoing'.
Data Subject: An individual who is the subject of the handled data and who can be identified by that data.
Anonymized information: Any information which cannot be used to identify a specific individual even if it is combined with other information, after reasonably considering factors such as time, cost, and technology. Anonymized information is not subject to the PIPA.
Data protection officer: There is no definition of 'data protection officer' under PIPA. However, Article 31 of the PIPA refers to a 'privacy official' ('DPO') as the individual who comprehensively takes charge of personal data processing.
Privacy Impact Assessment | Data Protection Impact Assessment: There is no definition of 'PIA' under the PIPA. However, the PIPA establishes PIAs as the assessment for the analysis and improvement of risk factors relating to the operations of personal data (Article 33 of the PIPA).
5. Legal Bases
Data handlers must provide notice when processing personal data. Explicit consent is generally required prior to the collection, use, and provision to third parties of personal data, subject to certain exceptions.
For your reference, the PIPC guidelines provide that data handlers should:
- provide notice, in a clear and easily understandable manner, of information on the items of personal data collected and the reasons for such collection when obtaining consent from users; and
- obtain 'explicit consent' in accordance with Article 22 of the PIPA, which, among other things, prohibits data handlers from obtaining blanket consent for all types of processing, requires data handlers to provide notice of material information and the scope of consent, and requires data handlers to differentiate between required and optional consent (e.g. for marketing/promotional purposes).
In addition, the PIPC guidelines provide that consent for the collection and use of personal data which is required by the PIPA should be voluntary opt-in consent (via written signature, oral confirmation, or an online checkbox) and be clearly verifiable.
The PIPA stipulates that data handlers may collect and use personal data without the data subject's consent in order to enter into and perform a contract with the data subject. However, please note that this legal basis is not valid for the provision of personal data to a third party.
The pre-2023 Amendments version of the PIPA provides that the legal basis above applies if the collection or use of personal data is 'inevitably' necessary to enter into and perform a contract with the data subject. In the 2023 Amendments, the term 'inevitably' has been deleted from the relevant provision, so that the collection and use of personal data is permitted without the data subject's consent so long as such collection or use is necessary to enter into and perform a contract with the data subject. This amendment is viewed as an attempt to ease the unreasonably excessive consent requirement in the current PIPA.
The PIPA stipulates that when required to comply with the data handler's obligations under other applicable laws, or it is specifically required or permissible under other applicable laws and regulations, data handlers may collect, use, and/or provide personal data without the data subject's consent. As such, this legal basis may only be relied on if applicable laws specifically require or permit the collection or use of personal data, it is impossible for the data handler to comply with its obligations under another applicable law without collecting the personal data, or it would be extremely difficult to use another method to comply with their obligation.
The PIPA stipulates that where there is a clear and urgent need to protect the life, physical, or economic interest of the data subject or a third party, and the consent to the processing of personal data cannot be obtained in an ordinary manner because either the data subject or their legal representative cannot express intent or the data subject's address is unknown, the data handler may collect, use, and/or provide the data subject's personal data without their consent.
In the 2023 Amendments, however, the second prong (that consent for such use or provision cannot be obtained) has been deleted from the relevant provision, allowing the use or provision of personal data without consent under the prescribed circumstances even if it is possible to obtain consent from the data subject. This amendment is also viewed as an attempt to ease the unreasonably excessive consent requirement in the current PIPA.
The PIPA does not recognize public interest as a legitimate basis for processing personal data without the data subject's consent. Please note, however, that pseudonymized data may be processed without consent for the purpose of preserving records in the public interest, and that public institutions which cannot perform their work as prescribed by other laws without processing the personal data in question may collect, use, and/or provide that personal data without the data subject's consent.
The 2023 Amendments contain newly created provisions that will allow the collection and use of personal data without consent if it is necessary to ensure public safety, such as public health and well-being (for instance, the prevention of the spread of COVID-19 and other infectious diseases).
The PIPA exceptionally provides that personal data may be collected and used without consent in cases where the collection and use are necessary to achieve a legitimate interest of the data handler and where such legitimate interest clearly overrides the rights of the data subject (provided that the collection and use are substantially relevant to the legitimate interest of the data handler and that the collection and use are only done to a reasonable extent). The PIPC guidelines provide that 'the preparation/procurement of supporting materials for the collection/calculation of service fees, collection of debts, and commencement/continuation of legal action' may be examples of what may constitute a 'legitimate interest'.
Please note that the 'legitimate interest' ground is only recognized in very limited instances, given the specific language of the PIPA and the PIPC's guidelines. Also, 'legitimate interest' cannot be used as a basis for providing personal data to third parties without the data subject's consent.
Under the ICNA, the transmission of for-profit advertisements through an electronic medium (e.g. telephone, mobile phone, fax, email, etc.) requires the express prior consent of the recipients. Additionally, the ICNA provides a list of certain information which must be included in the for-profit advertisements and certain acts that are prohibited from being performed by the sender.
ICSPs, including but not limited to app developers, wishing to access stored data or functions within a user's mobile device, including smartphones and tablets, will be required to obtain the user's prior informed consent to gain such access.
ICSPs must notify the following to the users:
- the items of data;
- the reason why the access authority is necessary; and
- the fact that the user may refuse to grant the access authority, if such granting is not indispensable to provide the service in question.
The PIPA sets out eight key principles that apply to data handlers:
- the data handler shall explicitly specify the purposes for which personal data is processed, and shall collect personal data lawfully and fairly to the minimum extent necessary for such purposes;
- the data handler shall process personal data in an appropriate manner necessary for the purposes for which the personal data is processed, and shall not use it beyond such purposes;
- the data handler shall ensure personal data is accurate, complete, and up to date to the extent necessary in relation to the purposes for which the personal data is processed;
- the data handler shall manage personal data safely according to the processing methods, types, etc. of personal data, taking into account the possibility of infringement on the data subject's rights and the severity of the relevant risks;
- the data handler shall process personal data in a manner to minimize the possibility of infringing the privacy of a data subject;
- if it is still possible to fulfill the purposes of collecting personal data by processing anonymized or pseudonymized personal data, the data handler shall process personal data through anonymization, where anonymization is possible, or through pseudonymization, if it is impossible to fulfill the purposes of collecting personal data through anonymization; and
- the data handler shall endeavor to obtain the trust of data subjects by observing and performing such duties and responsibilities as provided for in the PIPA and other related statutes.
7. Controller and Processor Obligations
Data handlers have various other obligations under the PIPA, including handling personal data in a way that minimizes any possible infringement upon the privacy of data subjects, and, where possible, anonymizing personal data, and if anonymization is not possible, pseudonymizing the data before processing. Specifically, data handlers must maintain the security of personal data, taking into account the likelihood and risk of infringement of data subjects' privacy. This likelihood and level of risk may vary depending on various factors such as the types and methods of the handling of personal data. In particular, data handlers are required to take the technical, administrative, and physical measures necessary to ensure the security of personal data. These measures include, among other things, the establishment of internal rules for adequate administration of personal data, and the keeping of access logs to prevent personal data from being lost, stolen, leaked, fabricated, or destroyed. The PIPA has a prescriptive list of the minimal measures to be taken in this regard.
Data handlers must also provide notice when processing personal data. Express consent is generally required prior to the collection, use, and provision of personal data, subject to certain exceptions. The consent for a provision must be obtained separately from the consent for the collection and use of personal data. Moreover, consent for the processing of certain particular identification data (i.e. passport numbers, driver's license numbers, alien registration numbers) and sensitive data must be obtained separately from each other, and from any other consent. Personal data must not be used beyond consented purposes unless the separate consent of data subjects has been obtained.
Only a few limited exceptions to this consent requirement are recognized under South Korean law. However, pursuant to the 2020 Amendments, personal data may be used and provided without the data subject's consent within the scope reasonably related to the original purpose of the collection after considering whether the contemplated use and provision are related to the original purpose of the collection, such use and provision of the personal data could have been predicted in light of the circumstances surrounding the collection and customary handling practices, the use and provision will not result in any disadvantage to the data subject, and/or the data handler has implemented the necessary safeguards to ensure the security of the personal data (e.g. encryption).
As data processors are likely to be treated as data handlers, data processors will, in general, be subject to the same legal obligations as those applicable to data handlers. In the case of a violation of the PIPA by a data processor, i.e. an outsourced service provider, the data processor will be deemed as an employee of the data handler and the data handler will have vicarious liability.
There are no legal obligations for data handlers and/or data processors to notify any regulatory authority of their data processing activities.
The head of a public institution is required to notify the processing of personal data to the PIPC (Article 32(1) of the PIPA).
There are separate requirements for provision and outsourcing to data processors.
Specifically, a provision refers to cases where a data transfer is conducted for the benefit and business purpose of the transferee, whereas outsourcing refers to cases where a data transfer is conducted for the benefit and business purpose of the transferor. The prior consent of data subjects is required in order to conduct a provision, whereas in the case of outsourcing, the PIPA does not require the prior consent of data subjects.
Data handlers may not enter into data transfer agreements that violate relevant laws and regulations. In particular, the 2020 Amendments require data handlers to obtain the prior consent of data subjects when conducting a provision to a third party overseas. For ICSPs and recipients of personal data provided by ICSPs, the prior consent of data subjects is required for all cross-border transfers, irrespective of whether such transfer constitutes a provision or outsourcing unless an exception is applicable.
In addition to the existing legal bases for cross-border transfers under the current PIPA, the 2023 Amendments have expanded the legal bases to include cases where (i) the applicable laws, treaties, or international agreements contain a special provision allowing cross-border transfers without consent, (ii) the overseas recipient has obtained a data protection certification designated by the PIPC and has taken the necessary data protection measures, or (iii) the overseas recipient is in a country, or is an international organization, recognized by the PIPC as having an essentially equivalent level of personal data protection.
Further, the 2023 Amendments grant the PIPC powers similar to those of data protection authorities under the GDPR, such as the power to order a data handler to suspend a cross-border data transfer if the transfer violates or is expected to violate the PIPA or if the recipient does not adequately protect data in accordance with the PIPA.
The European Commission published, on December 17, 2021, its decision on the adequate protection of personal data by the Republic of Korea, allowing the transfer of personal data from the EU Member States to Korea without having to complete any additional process or certification such as entering into Standard Contractual Clauses ('SCCs') for data transfers. This decision will be subject to a first review by the European Commission within three years after its entry into force, and thereafter, at least once every four years. Also, on December 19, 2022, the UK granted data adequacy status to Korea.
In order to establish clear interpretation standards and to address any discrepancies between the EU and Korean data protection regimes, the PIPC issued the Supplementary Regulations for Interpretation and Application of the Personal Information Protection Act with respect to the Processing of Personal Information Transferred to Korea (up-to-date version available only in Korean), which entered into force as of the effective date of the European Commission's adequacy decision.
For your information, companies that are supervised by the FSC in processing personal data pursuant to the UPCIA are explicitly exempt from the application of the above decision. Accordingly, such companies should have a separate legal basis (e.g., SCCs for data transfers as stipulated in Article 5 of the GDPR).
The PIPA does not require organizations to maintain a record of processing activities. However, the PIPA does require data handlers to manage and store log-in records which document the access to a data processing system by 'personal data handlers' (i.e. officers, employees, workers, etc. who process personal data under the direction and supervision of the data handler) for at least one year. Such log-in records shall contain the facts of access, including ID, date and time of access, information to identify the person of access, and tasks performed by the personal data handler while connected to the processing system.
Under the PIPA, only public institutions are obligated to conduct a Data Protection Impact Assessment ('DPIA') (Article 33(8) of the PIPA, Article 33(11) of the PIPA with the 2023 Amendments). Specifically, in cases where there is a risk of an infringement with respect to the personal data of data subjects due to the operation of personal data files meeting certain criteria, the head of a public institution shall conduct an assessment to analyze risk factors and improve them and submit the results thereof to the PIPC.
The head of a public institution must conduct a DPIA to analyze and improve risk factors where the operation of personal data files that meet the criteria specified by the PIPA Enforcement Decree is likely to infringe data subjects' personal data (Article 33(1) of the PIPA).
An institution or organization that is defined as a public institution of South Korea must undertake a DPIA when there is a probable breach of data subjects' personal data arising out of a processing activity (Article 33(8) of the PIPA, Article 33(11) of the PIPA with the 2023 Amendments).
A DPIA must cover (Article 33(2) of the PIPA, Article 33(3) of the PIPA with the 2023 Amendments):
- the number of personal data items to be processed;
- whether such data has been provided by a third party or not;
- the probability of violating the rights of data subjects and the degree of such risks by such processing; and
- any other matters prescribed by the PIPA Enforcement Decree.
The PIPC may provide its opinions on a DPIA conducted by any public institution (Article 33(3) of the PIPA, Article 33(4) of the PIPA with the 2023 Amendments).
A DPIA conducted by the National Assembly, the Court, the Constitutional Court, and the National Election Commission (including their affiliated entities) ('the Executive Bodies of South Korea') is to be prescribed by the respective rules of the Executive Bodies of South Korea (Article 33(7) of the PIPA, Article 33(10) of the PIPA with the 2023 Amendments).
Under the PIPA, all data handlers must appoint qualified officials as privacy officers to take charge of all aspects of their handling of personal data (Article 31(1) of the PIPA). Specifically, data handlers, excluding public institutions, must appoint a person satisfying any one of the following conditions as their privacy officer (Article 32(2) of the PIPA Enforcement Decree):
- the owner or representative director of a business; or
- an executive officer or, if there are no executive officers, the head of the department responsible for processing personal data.
However, data handlers who qualify as small business owners are deemed to have appointed their owner or representative as their privacy officer unless they specifically appoint someone else.
In the case of public institutions, the privacy officer must be a public official who meets certain requirements prescribed by law.
The PIPA lists the DPO's primary role as seven distinct functions (Article 31(2) of the PIPA, Article 31(3) of the PIPA with the 2023 Amendments):
- establishing and implementing a data protection plan;
- completing regular surveys of the actual state and practices of personal data processing, and improving shortcomings;
- handling grievances and remedial compensation in relation to personal data processing;
- setting up the internal control system to prevent the leak, abuse, and misuse of personal data;
- preparing and implementing the data protection education program;
- protecting, controlling, and managing the personal data files; and
- undertaking any other functions for the appropriate processing of personal data, as prescribed by the PIPA Enforcement Decree.
Additional functions under the PIPA are further defined as any of the following (Article 32(1) of the PIPA Enforcement Decree):
- maintaining the materials related to personal data protection; and
- destroying personal data after the retention period has expired or after it has been used for the purpose for which it was obtained.
The DPO must, when he/she becomes aware of any violation of the PIPA or any other relevant laws or regulations relating to data protection, take immediate corrective measures, and, if necessary, report such corrective measures to the head of the institution itself or the relevant organizations (Article 31(4) of the PIPA, Article 31(5) of the PIPA with the 2023 Amendments).
A data handler must provide notice to affected data subjects without delay when it becomes aware of a breach of personal data, pursuant to the PIPA. Further, where a data breach involves 1,000 data subjects or more, the data handler must, in addition to individual notices to data subjects, report the data breach to the PIPC or a specialist institution designated under the PIPA, and also disclose the prescribed information on its internet homepage, or at noticeable places in its business premises if it does not operate an internet homepage, for at least seven days.
Both ICSPs and recipients of personal data provided by ICSPs are subject to the Special Provisions on ICSPs, so notice must be provided to data subjects and to the PIPC or the specialist institution mentioned above without delay, and in any event within 24 hours of the occurrence of a data breach, unless there is a justifiable reason otherwise. The information that must be included in the notification is identical to that required in cases where the Special Provisions on ICSPs do not apply.
Meanwhile, as a result of the 2023 Amendments' unification of the Special Provisions for ICSPs and general provisions, and because ICSPs' obligation to notify data breaches within 24 hours has been deleted, it is necessary to closely monitor the forthcoming amendments to the Enforcement Decree of the PIPA with respect to the data breach notification period and the PIPC's interpretation and enforcement of such amended provisions of the Enforcement Decree.
The basic principles applicable to data retention include:
- the principle of fair and legitimate collection of the minimum necessary personal data to the extent necessary for the explicitly stated and consented purposes; and
- the principle that such personal data must be handled only to the extent necessary for explicitly stated and consented purposes.
If the retention of personal data is required by South Korean law or regulations beyond the retention period notified to, and consented to by, data subjects, such personal data will need to be kept separate from any other personal data.
Validity periods for the retention of personal data
If the Special Provisions for ICSPs apply, in order to protect personal data of the users who do not use information and communications services for a period of one year, ICSPs must either destroy the inactive user's personal data immediately after the aforementioned time period or separate the inactive user's personal data from other users' personal data for separate storage and administration. Please note, however, that the Special Provisions above have been deleted in the 2023 Amendments, and will no longer apply to ICSPs as of September 15, 2023.
The PIPA provides that when consent is required under the PIPA to process the personal data of a child under the age of 14, the data handler must obtain the consent of the data subject's legal representative. The PIPA also provides that when obtaining the consent of the child's legal representative, the data handler may, without the legal representative's consent, collect data directly from the child that is necessary to seek consent from the child's legal representative. In such cases, the data to be collected directly from the child must be minimized to only what is necessary to seek the consent of the legal representative.
Also, data handlers that are ICSPs are required to:
- communicate in an easily understandable form and use clear and plain language when notifying children of matters relating to the processing of personal data; and
- obtain the legal representative's consent if the ICSP wishes to obtain consent in order to collect, use, or provide the personal data of a child under 14 and confirm whether the legal representative has granted consent to process the child's personal data in a statutorily prescribed manner.
As a result of the 2023 Amendments' unification of the Special Provisions for ICSPs and general provisions, ICSPs' obligations with respect to children's data above will apply to all data handlers as of September 15, 2023.
Sensitive data is considered a special category of personal data under the PIPA. Criminal records are included in the scope of sensitive data. In addition, the PIPA defines another special category of personal data, which is 'particular identification data', that includes RRNs, passport numbers, drivers' license numbers, and alien registration numbers.
In principle, the handling of sensitive data/particular identification data is prohibited without express opt-in consent from the data subject, unless an exception applies. Consent to the processing of particular identification data and consent to the processing of sensitive data must each be obtained separately from each other and from any other consent. In particular, with respect to RRNs, data handlers may not collect or use RRNs unless an exception applies under applicable laws.
Obtaining an individual's criminal records and investigation records is, in principle, prohibited, unless one of the exceptions under the Act on the Lapse of Criminal Sentences applies. Therefore, even with the data subject's consent, data handlers may not directly acquire a data subject's criminal records and investigation records.
Outsourcing the processing of personal data to a third-party data processor requires a written agreement that must include:
- the terms prohibiting a data processor from processing personal data for any purpose other than for the performance of outsourced tasks;
- the technical and administrative safeguards implemented for the protection of personal data; and
- any other matters prescribed by the PIPA Enforcement Decree for the safe administration of personal data.
8. Data Subject Rights
The data handler must ensure that personal data is accurate, complete, and up to date to the extent necessary for achieving the purposes of its handling, and data subjects may exercise their rights of access, correction, suspension of use, and removal of their personal data. In addition, the 2023 Amendments provide for data subjects' right to data portability (i.e., the right to request data handlers to transmit the data subject's personal data in their possession to the data subjects themselves or to others designated by the data subject) and the right to contest automated decision-making. Further, the 2023 Amendments have adopted explicit provisions on data subjects' right to withdraw consent into the general provisions, a right which previously applied only in circumstances where ICSPs were involved. The PIPA also prescribes detailed procedural rules to ensure that data subjects can exercise these rights.
Meanwhile, under the amended UPCIA, credit information subjects have the right to data portability, i.e. the right to request credit information providers/users to transmit the subject's personal credit information in their possession to the credit information subjects themselves or others designated by the credit information subject.
Notification when obtaining consent from data subjects
Under the PIPA, data handlers and ICSPs (albeit the distinction between ICSPs and other offline data handlers will be removed by the 2023 Amendments as of September 15, 2023) are required to provide notice of the following matters when obtaining consent from data subjects for the collection and use of personal data:
- the purpose of the collection and use of personal data;
- the items of personal data to be collected/used;
- the period for retaining and using the personal data; and
- the data subject's right to refuse consent, and any disadvantages that may follow from such refusal.
In addition, data handlers and ICSPs (albeit the distinction between ICSPs and other offline data handlers will be removed by the 2023 Amendments as of September 15, 2023) are required to provide notice of the following matters when obtaining consent from data subjects for the provision of personal data to third parties:
- the specific name of the third-party recipient;
- items of personal data to be shared;
- third-party recipients' purposes of use;
- period of retention and use by the third-party recipient; and
- the data subject's right to refuse consent, and any disadvantages that may follow from such refusal.
Under the PIPA, a data subject may request access to their personal data processed by the data handler. The PIPA establishes that the right of access may only be limited or denied in circumstances where:
- such access is prohibited or restricted by law; or
- such access may cause harm to the life or body of a third party, or improperly infringe the property or other interests of a third party.
The PIPA Enforcement Decree specifies that the data subject may request access to any of the following information from the data handler:
- the items of personal data concerned;
- the purpose for collecting/using the personal data;
- the retention and use period of the personal data;
- the status of any provision of personal data to third parties; and
- the fact that the data subject consented to the data handler's processing of personal data.
The PIPA provides that a request must be made in accordance with the procedures determined by the data handler. Such procedure should meet the following requirements:
- the methods available to the data subject in making the request need to be data subject-friendly, such as in writing, by telephone or electronic mail, or via the Internet;
- data subjects must be able to request access at least through the same window or in the same manner that the data handler uses to collect such personal data, unless a justifiable reason exists (e.g. difficulty in continuously operating such window); and
- details regarding the manner and procedure for exercising the right to request access are to be posted on the website operated by the data handler (if such a website exists).
Data handlers must confirm that the request is made by the data subject whose personal data is to be accessed, or their appropriate legal representative. In addition, data handlers must respond to the data subject who requests access within ten days of receiving the request. The response should either be the granting of access (if the request was accepted), or the fact that access has been put on hold, in which case the grounds for the delay must be explained. Once the reason for the delay no longer exists or is cured, access must be granted without delay.
The PIPA provides data subjects that have accessed their personal data with a right to request the rectification of such information from the relevant data handler. Since only data subjects who have accessed their personal data may request rectification of such information, data subjects who were denied access to their personal data may not exercise their right to request rectification.
Meanwhile, the PIPA stipulates the right to rectification in parallel with the right to erasure in the same provision, so the data subject's method of exercising the right to rectification, the data handler's timeline for responding to such request, and the data handler's rights regarding the right to rectification are the same as those for the right to erasure. Therefore, please see the section on the right to erasure below for more details.
The PIPA provides data subjects that have accessed their personal data with a right to request the erasure of such information from the relevant data handler. However, the erasure is not permitted when the collection of personal data is required by other laws or the data subject's right to access has been denied by the data handler.
The PIPA does not specifically address how requests should be made. However, the PIPA Enforcement Decree provides that a request must be made in accordance with the procedure determined by the data handler. Such procedure should meet the following requirements:
- the methods available to the data subject in making the request need to be data subject-friendly, such as in writing, by telephone or electronic mail, or via the Internet;
- data subjects must be able to request the erasure of their own personal data at least through the same window or in the same manner that the data handler uses to collect such personal data, unless a justifiable reason exists, such as difficulty in continuously operating such window; and
- the manner and procedure for exercising the right to request erasure are to be posted on the website operated by the data handler (if such a website exists).
The data handler must respond to the data subject who requests erasure within ten days of receiving the request. The response should either be confirmation that the data subject's personal data has been deleted (if the request was granted), or the fact that the request has been denied and the reasons for such denial and the method of objecting to such denial. The PIPA also provides that data handlers, where necessary, have the ability to request relevant evidence necessary to confirm the erasure of personal data. In addition, the PIPA Enforcement Decree provides that the data handler must confirm that the request is actually made by the data subject whose personal data is to be deleted, or their appropriate legal representative.
Data handlers who are ICSPs must allow data subjects to withdraw their consent to the processing (e.g. collection, use, and provision) of their personal data at any time. Also, the 2023 Amendments provide for data handlers' obligation to ensure data subjects' right to withdraw consent.
Also, data handlers must respond to a data subject's request to suspend the processing of their personal data.
Data handlers must comply with a data subject's request to suspend processing of their personal data (or to withdraw consent, under the 2023 Amendments) unless one of the following exceptions applies:
- where special provisions exist in law, or where processing is unavoidable in order to comply with the data handler's legal obligations;
- where suspension may possibly cause damage to the life or body of a third party, or unfairly infringe upon a third party's property or other interest;
- where such suspension causes grave difficulties for the public institution in its performance of any one of the certain duties described in applicable laws; or
- where the data handler would not be able to perform the terms of a contract entered into with the data subject if it does not process the personal data and the data subject did not clearly indicate their intention to terminate the contract.
The request must be made in accordance with the procedure determined by the data handler. Such procedure should meet the following requirements:
- the methods available to the data subject in making the request need to be data subject-friendly, such as in writing, by telephone or electronic mail, or via the Internet;
- data subjects must be able to request suspension of their own personal data or withdrawal of consent at least through the same window or in the same manner that the data handler uses to collect such personal data, unless a justifiable reason exists (e.g. difficulty in continuously operating such window); and
- details regarding the manner and procedure for exercising the right to request suspension or withdrawal of consent are to be posted on the website operated by the data handler (if such a website exists).
The data handler must respond to the data subject who requests suspension within ten days of receiving the request. The response should either be confirmation that the processing of the data subject's personal data has been suspended (if the request was granted), or the fact that the request has been denied, together with the reasons for such denial and the method of objecting to such denial.
The current PIPA does not recognize the right to data portability. However, the 2023 Amendments expressly provide for data subjects' rights to their data portability (the provisions on the right to data portability are expected to take effect sometime after March 15, 2024).
Under the 2023 Amendments, the right to portability refers to the right of the data subject to request the data handler, which meets certain standards set out in the PIPA Enforcement Decree, to transmit their personal data to either the data subject themselves or a third party. This right applies as long as the personal data is not generated from the analysis/processing of the same collected data by the data handler and meets the following criteria:
- the personal data must have been:
- processed based on the data subject's consent;
- processed to perform a contract executed with the data subject or to implement measures requested by the data subject in the course of executing the contract; or
- designated by the PIPC pursuant to a request from a central administrative agency for the data subject's or public interest in cases where the transmission thereof is permitted by or unavoidably necessary for compliance with the law, is unavoidably necessary for a public institution to conduct its statutorily prescribed tasks, or concerns sensitive data or unique identification data and its processing is permitted or required by law; and
- the personal data must have been processed by an information processing device such as a computer.
In cases of requests for transmission to a third party, the third party must be a professional institution specialized in personal data management (the 'Specialized Institution') or another data handler that has implemented the requisite technical, managerial, and physical security measures and has satisfied relevant standards for facilities/equipment prescribed by the PIPA and the PIPA Enforcement Decree. The Specialized Institution must be designated by the PIPC or relevant central administrative agency.
Upon request from the data subject, the data handler must transmit the personal data in a format that can be processed through a data processing device such as a computer, to the extent technically feasible and reasonable in terms of time and cost.
Furthermore, the 2023 Amendments state that the right to portability must not infringe on the rights or legitimate interests of others. Also, the data handler will be able to reject the data subject's request for data portability in cases where the identity of the data subject cannot be verified, or in other cases as prescribed by the PIPA Enforcement Decree.
Specifics such as the criteria for personal data which may be the subject of a transmission request, and standards for determining which data handlers would be subject to the data subjects' right to data portability are expected to be determined in the PIPA Enforcement Decree that will be amended along with the 2023 Amendments. As explained above, to enable the exercise of this right, the Specialized Institution newly adopted by the 2023 Amendments will be responsible for (the relevant provisions of the 2023 Amendments concerning the Specialized Institutions will take effect on March 15, 2024):
- providing support to data subjects in exercising their rights as data subjects (e.g. the right to data portability, the right to request access (perusal), the right to request rectification/erasure, and the right to suspend processing); and
- the transmission/management of their personal data.
The current PIPA does not recognize the right not to be subject to automated decision-making (i.e., decisions made solely by automated means without any human involvement, such as artificial intelligence ('AI')-driven systems). However, the 2023 Amendments to the PIPA expressly provide for a data subject's right to contest automated decision-making (the relevant provisions of the 2023 Amendments concerning the right to contest automated decision-making will take effect on March 15, 2024).
The right to contest automated decision-making allows data subjects to refuse automated decisions (with an exception for certain administrative dispositions made by administrative agencies) that significantly affect their rights or obligations.
However, a data handler can reject the data subject's request in the following cases:
- where the automated decision-making process has taken place with the data subject's consent;
- where there is a specific provision in the law or when compliance with legal obligations makes the automated decision-making process necessary; or
- where the automated decision-making process is required for the execution and performance of a contract with the data subject.
In addition, data subjects may request an explanation from data handlers regarding automated decisions.
In response to such requests from data subjects, data handlers are required to take necessary measures, such as excluding the subjects from automated decisions, reprocessing the subjects' personal data by involving humans, or providing an explanation to the data subjects, unless there is a justifiable reason not to do so.
Data handlers must also disclose criteria and procedures of automated decision-making in a manner easily understandable by data subjects.
The specific requirements and details related to the right to contest automated decision-making are expected to be determined in the forthcoming amendments to the PIPA Enforcement Decree.
Regulators such as the PIPC, the KCC, and the FSC may impose various administrative sanctions such as corrective orders, administrative fines, and penalty surcharges for violations of respective laws and regulations.
Public prosecutors may also investigate any violations which are also subject to criminal punishment. Additionally, data handlers may become civilly liable to any data subjects who suffer damages as a result of such violations.
In addition, as discussed below, there have been several cases where the KCC and, following the 2020 Amendments, the PIPC have imposed large amounts of penalty surcharges for related violations.
On July 15, 2020 (before the 2020 Amendments took effect), the KCC issued a corrective order and imposed a penalty surcharge of KRW 180 million (approx. $140,550) on an international media platform operator for its collection of personal data of minors under the age of 14 without the consent of their legal representatives.
On November 25, 2020, the PIPC imposed a penalty surcharge of KRW 6.7 billion (approx. $5.2 million) on an international social media corporation for the provision of personal data to a third-party business operator without the consent of the data subjects, and referred the case to an investigative authority for a violation of the PIPA.
On August 25, 2021, the PIPC issued a corrective order and imposed a penalty surcharge of KRW 6.44 billion (approx. $5 million) on an international social media platform operator for generating and using personally recognizable facial images without the consent of the data subjects. On the same day, the PIPC issued a corrective order and imposed a penalty surcharge of KRW 220 million (approx. $171,800) on an international over-the-top ('OTT') service provider for collecting personal data without the consent of the data subjects prior to the completion of their membership application process.
On September 14, 2022, the PIPC imposed penalty surcharges of KRW 69.2 billion (approx. $54 million) and KRW 30.8 billion (approx. $24 million), respectively, together with corrective orders, on two online platform operators that provided customized advertisements, for the collection and use of behavioral data without obtaining proper consent from the relevant data subjects.
On February 8, 2023, the PIPC imposed an administrative fine of KRW 6.6 million (approx. $5,155) and a corrective order on a global social media company on the ground that the company prevented users from subscribing for membership to its SNS service unless they consented to the collection and use of behavioral data. This was considered unlawful conduct that unreasonably restricted users' right to choose whether or not to consent, given that the behavioral data collected and used by the company to create customized advertisements was not the minimum personal data necessary for the company to provide its SNS service.