South Korean Data Privacy Law: A Comprehensive Guide

In South Korea, the Personal Information Protection Act (PIPA) came into effect on September 30, 2011. Amendments were made in 2021, in 2023, and most recently in 2024. The main amendments became effective on September 15, 2023. They expanded the rights of data subjects, adding the right to data portability and the right to be excluded from automated decision-making. They also set new requirements for overseas transfers of personal data and replaced criminal sanctions with fines, among other changes.

On 15 March 2024, an amended Enforcement Decree for South Korea’s Personal Information Protection Act came into effect.

What Is the South Korean Personal Information Protection Act (PIPA)?

The Personal Information Protection Act (PIPA) is a data privacy law that governs the collection, use, and processing of personal data of data subjects, i.e., residents of South Korea.

The PIPA applies to a data handler: any individual, public agency, juridical person, organization, business, or governmental body that, by itself or through a third party, handles personal data in the course of its business activities.

Handling of personal data is defined in the PIPA as “processing, storage, retention, search, outputting, restoration, rectification, use, collection, generation, recording, provision, disclosure or destruction of personal data or any other action similar to any of the foregoing”.

Personal data is defined as “data that is systematically organized in accordance with certain rules for easy search or use of such personal data”.

Note that the territorial scope is not specified in the law. In practice, however, the PIPA is enforced with a reach similar to that of the EU’s GDPR. This means that South Korean companies and organizations are subject to the law, and foreign companies that provide services to South Korean users are likely to be affected by it as well. Several factors are considered when deciding whether a foreign company is subject to the PIPA, for example whether the company provides services or products to South Korean users, or whether it generates revenue from doing business in South Korea.


The 2020 PIPA amendment

The first amendment took effect on 5 August 2020. It introduced the concepts of pseudonymized and anonymized data and excluded the processing of such data from the restrictions that apply to personal data processing. It also introduced new requirements, restrictions, and penalties.

An important feature of the 2020 PIPA amendment is that it integrated into the PIPA parts of the Network Act, a separate act that regulated the processing of users’ personal information by online service providers, and parts of the National Credit Information Act.

The 2023 PIPA amendment

The amendments were passed into law on 27 February 2023 and entered into force on 15 September 2023.

The 2023 PIPA amendment makes the following changes to the law:

  • Introduces the right to data portability. Data subjects can now request a copy of their sensitive personal information.
  • Introduces the right to be excluded from automated decision-making. Data subjects can object to or reject decisions made by automated tools, including AI, that have processed their personal information.
  • Replaces criminal sanctions with administrative penalties, including fines. The amendment also introduces new violations of the law, in particular obstruction of investigations.
  • Introduces new requirements for transferring sensitive personal information outside of the country.
  • Levels the compliance requirements for Online Service Providers (OSPs) and Ordinary Data Controllers (ODCs). Now, OSPs and ODCs are regulated uniformly by the PIPA.

The Adequacy Decision

The amendments align the Personal Information Protection Act of South Korea with GDPR standards on personal data protection, supporting the EU adequacy decision (pursuant to Article 45 of the GDPR) dated 17 December 2021.

The adequacy decision means that the EU considers South Korea to provide adequate personal data protection. This allows the personal data of EU residents to flow between the EU and South Korea without additional restrictions.

The 2024 PIPA amendment

The amended Enforcement Decree for South Korea’s Personal Information Protection Act came into effect on 15 March 2024. It introduced specific rules, including:

  • Rules concerning automated decisions facilitated by artificial intelligence (AI) and similar technologies;
  • Qualification requirements for Chief Privacy Officers (CPOs); and
  • Insurance requirements.

South Korean individuals have the right to refuse automated decisions that affect their rights or obligations and are made through the processing of personal information by automated systems such as AI, operating without substantive human intervention. Upon request, the data controller must provide a concise and meaningful explanation of the criteria and processing procedures that led to the decision. This explanation does not need to include highly technical details.

Data subjects can refuse automated decisions if these significantly affect their rights and obligations. However, if data subjects have been clearly informed in advance that automated decisions will be made, they cannot refuse the decision; they can only request an explanation or a review of it.

Key Principles of South Korean Data Privacy Law

According to the Personal Information Protection Act of South Korea, all data handlers must follow the following principles while handling the personal data of South Korean users:

  1. Transparency. The PIPA imposes extensive transparency and disclosure requirements, including disclosure of the types of personal data collected and processed, the purposes of such processing, data transfers, retention periods, and the timing and method of data deletion once the data is no longer needed.
  2. Lawful basis for data processing. The main basis for processing is the data subject's consent. Data controllers must obtain explicit consent from individuals before collecting their personal information. This consent must be informed and freely given, as a response to a clearly written and understandable privacy notice regarding how individuals’ data will be used.
    Under the PIPA, it is not enough to have a single checkbox to affirm consent in general for processing all personal data. Rather, an additional specific consent is required for data processing of several classes, including: controller–controller data transfers, offshore data transfers, processing of sensitive personal information, use of personal data for marketing purposes, and other cases.
  3. Purpose limitation. To handle personal data, companies must have specific and legitimate purposes disclosed to the individuals. Any other use of data, not necessary for the performance of business activities, is prohibited.
  4. Data minimization. Companies should collect and keep only the minimum amount of personal data necessary for the business activities for which the data was collected. This requirement reduces the possibility of data breaches and misuse.
  5. Data retention. Personal data must be retained only for so long as necessary to fulfil the purposes of the collection of the data. The PIPA requires businesses to disclose specific information regarding data use and retention periods in their Privacy Policy.
  6. Data Protection Officers (DPOs). Public administrations are required to appoint Data Protection Officers responsible for ensuring compliance with the PIPA. The DPO may be an internal staff member or may be contracted externally, and can be an individual or an organization. Courts acting in their judicial capacity are exempt from this principle.
  7. International data transfer. To transfer personal data internationally, data handlers must ensure that the data is transferred only to countries having adequate data protection laws. An example could be countries covered by the GDPR. This ensures that personal information remains protected when transferred to other countries.

To sum up, the PIPA sets out detailed obligations and very strict requirements for personal data processing, such as prior notification, opt-in consent, purpose limitation, data minimization and retention limits, the need for Data Protection Officers, and heavy sanctions prescribed by the law. This makes it one of the strictest data protection laws in the world.

Use CookieScript Consent Management Platform, which can help you comply with all major privacy laws, including the Personal Information Protection Act of South Korea.

User Rights under the PIPA

Under the South Korean data privacy law, individuals have the following rights:

  • Right of access to data: A data subject has the right to access or view the data collected by the data controller. Upon request by a data subject, the data controller must provide such data within 10 days.
  • Right to deletion: A data subject has the right to require the data controller to destroy all the personal data possessed by the data controller.
  • Right to stop data processing: A data subject may at any time require a data controller to stop processing their personal data, or withdraw consent to the processing, which likewise obliges the controller to stop processing that data. Upon such a request, the data controller must stop data processing and destroy the relevant data “without delay,” i.e., within 10 days.
  • Right to data portability: A data subject has the right to require a data controller to transfer personal data to one of the specialized personal data management agencies or to another data controller that meets related standards. This limited right allows data subjects to ask for transfers of credit-related records from one bank or other financial institution to another, under the Credit Information Protection Act.
  • Right to object to marketing: If data controllers want to use personal data for marketing purposes, they must obtain explicit user consent. The consent should be separate, not part of a broader consent.
  • Right to protect against automated decision-making and profiling: A data subject has the right to refuse an automated decision where this would have a serious impact on their rights or obligations. For example, this right could cover automated employment-related decisions. A data subject also has the right to ask for an explanation of any automated decision. Data controllers must disclose related standards and methods for automated decision-making and profiling in their Privacy Policy.

Business obligations under the PIPA

Companies are required to maintain the following guidelines for complying with the law:

  1. Data governance. Companies and organizations must establish a strong data management system to manage personal data in accordance with the law.
  2. Consent management. Companies and organizations must provide a clear and unambiguous privacy notice regarding personal data management and get explicit consent to use the data of individuals. The consent must be received before any collection or processing of data takes place.
  3. Data security. Companies and organizations must implement strong cybersecurity measures to protect personal data from breaches or unauthorized access. They must train staff who work with personal data in the principles of the data privacy law and ensure those principles are followed.
  4. International data transfers. Companies and organizations must ensure that data is transferred only to countries that have adequate data protection laws. No data may be sent to countries lacking an adequate level of personal data protection.
  5. Compliance reporting. Companies and organizations must maintain detailed records of data processing activities and produce these records when asked by the relevant authorities. In the case of a data breach, they should be prepared to report it to the relevant authorities immediately. Companies must also inform data subjects about the leakage “without delay,” before notifying the relevant authorities.

Enforcement and Penalties

The Personal Information Protection Commission (PIPC) is South Korea's national data protection authority (DPA), responsible for enforcing data protection laws and regulations within the country.

Formed in 2011, the PIPC initially had only advisory status. In 2020, it became an independent regulatory agency with the power to investigate personal data privacy breaches and impose administrative fines.

There are different penalties for breaching the PIPA. These include administrative sanctions such as fines, penalty surcharges, or corrective orders.

The PIPA can impose fines up to KRW 3 billion (approximately €2.1 million) or 3% of the company’s annual revenue, whichever is higher.

For example, in September 2022, the PIPC fined Google $50 million and Meta $22 million for violating the PIPA.

Guidelines on Applying the PIPA to Foreign Business Operators

Compliance with the South Korean Personal Information Protection Act is not a recommendation but a legal requirement. When a foreign company processes South Korean citizens’ data or carries out personal data processing on South Korean territory, it is subject to the PIPA.

In 2024, the PIPC released the “Guidelines on Applying the PIPA to Foreign Business Operators”.

The guidelines aim to encourage foreign companies to adopt robust data protection practices that protect South Korean citizens. They present illustrative scenarios and case law in the field of personal data protection to clarify the applicable legislation for foreign companies already operating in South Korea.

The Differences between Europe's GDPR and South Korea's PIPA

South Korea’s Personal Information Protection Act (PIPA) and the EU’s General Data Protection Regulation (GDPR) share many similarities, including the scope of the law, personal data protection principles, user consent requirements, etc.

However, there are some differences:

  • Definition of Personal Data: The PIPA defines personal data slightly more narrowly. For example, the PIPA does not consider pseudonymized data to be personal information if the data cannot be used to identify an individual.
  • Data subject rights: Both privacy laws guarantee the basic data subject rights, including the right of access, correction, and deletion. However, the GDPR includes further rights, like the right to transfer personal information to other organizations, the right to limit personal information processing, the right to refuse profiling, and the right to be forgotten.
  • Data breach procedure: Where a data breach occurs, the GDPR requires companies to notify the relevant authority first and then notify data subjects. The PIPA requires companies to inform data subjects about the leakage “without delay” before notifying the relevant authority.
  • Territorial scope: The GDPR applies to the personal information processing of data subjects within the EU, regardless of where the personal information processing takes place. The PIPA applies to the personal information processing of data subjects based in South Korea, regardless of the nationality or residence of the individuals.
  • Overseas transfer of personal data: The GDPR allows international personal data transfer without the data subject's approval once an adequacy decision or safeguard mechanism exists. The PIPA requires companies to obtain the data subject's consent to transfer personal information overseas, regardless of safeguard measures.
  • Appointment of Data Protection Officer (DPO): The PIPA requires companies to appoint a CPO (Chief Privacy Officer), who must be in-house. The CPO can be an authorized employee, an executive, or a company representative. In contrast, the EU’s GDPR allows for external or joint DPOs.
  • Fines: Europe’s GDPR imposes higher fines for non-compliance, up to 4% of an organization's annual global revenue or €20 million, whichever is higher. The PIPA imposes fines up to KRW 3 billion (approximately €2.8 million) or 3% of the company’s annual revenue, whichever is higher.
  • Impact assessments: The PIPA requires only public institutions to conduct data privacy impact assessments (DPIAs), while the GDPR requires both public institutions and private companies that process large volumes of personal data to conduct DPIAs.

How to Ensure Compliance with South Korea’s PIPA?

To be compliant with the PIPA, companies and organizations are advised to consider the following actions:

  • Update your Privacy Policy.
  • Provide additional rights to data subjects, particularly regarding rights to data portability and rights against automated decision-making.
  • Establish a robust data management system.
  • Implement a consent management system.
  • Implement strong cybersecurity measures to protect personal data from breaches or unauthorized access.
  • Use data encryption.
  • Set rules for international data transfers.

How Can CookieScript Help with the PIPA Compliance?

CookieScript Consent Management System is an optimal solution for compliance with the South Korean Personal Information Protection Act. It’s a user-friendly plugin, so you can be fully compliant without a complicated technical implementation.

The CookieScript CMP Privacy Policy Generator helps you create a PIPA-compliant Privacy Policy for your company or website.

Our Cookie Scanner scans your website for cookies and other tracking technologies and provides a detailed scan report including details about your website’s cookies with their provider, duration, and third parties if any.

CookieScript CMP allows you to create a fully customizable and configurable Cookie Banner. You can personalize colors, fonts, text, and style, and adjust the banner to your website's design. You can create the Cookie Banner in 30+ languages or even add any custom language.

If you are an international company and have users from different countries, CookieScript CMP allows you to display multiple cookie banners using geo-targeting. Different cookie banners will be delivered to website users based on their geographic locations.

You can easily integrate your Cookie Banner with the most popular CMS platforms like WordPress, Shopify, Wix, Kajabi, Joomla, and others.

Finally, you can maintain a full history of user consent for proof of compliance.

Frequently Asked Questions

What is the South Korean Personal Information Protection Act (PIPA)?

The Personal Information Protection Act (PIPA) is a data privacy law of South Korea that governs the collection, use, and processing of personal data of individuals in South Korea. It provides individuals with the rights regarding their personal data and sets obligations for businesses to protect that data. Use CookieScript to comply with the PIPA and other privacy laws.

How to comply with South Korea’s PIPA?

To comply with the PIPA, companies should update their Privacy Policy, inform South Korean users about how their personal data will be handled before processing it and obtain their consent, establish a robust data management system, implement a consent management system, implement strong cybersecurity measures to protect personal data from breaches or unauthorized access, use data encryption, and set rules for international data transfers. CookieScript CMP can help you comply with the PIPA and other privacy laws.

What are the key principles of South Korean data privacy law (PIPA)?

According to the Personal Information Protection Act (PIPA) of South Korea, all data handlers must follow the following principles: obtain explicit consent from individuals, have specific and legitimate purposes for the processing of data, collect and keep only the minimum amount of personal data, appoint Data Protection Officers, and ensure that the data is transferred internationally only to the countries having adequate data protection laws. CookieScript CMP can help you to comply with the PIPA and other privacy laws.

Who does South Korea’s PIPA apply to?

The PIPA applies to a data handler, which is a person, either an individual, a public agency, juridical person, organization, business, or governmental organization, that, by itself or through a third party, handles personal data to perform its business activities. Use CookieScript CMP, and we will take care of your company’s compliance with the law on your behalf.

What is the penalty for breaching the South Korean PIPA?

There are different penalties for breaching the PIPA. These include administrative sanctions such as fines, penalty surcharges, or corrective orders. The PIPA can impose fines up to KRW 3 billion (approximately €2.1 million) or 3% of the company’s annual revenue, whichever is higher. Use CookieScript CMP to comply with the South Korean data privacy law and avoid penalties.

How can I know which cookies and trackers my website uses?

Our Cookie Scanner is a free tool that scans your website for cookies and other trackers and then provides a detailed scan report, including details about your website’s cookies with their provider, duration, and third parties, if any.
