<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

    South Korea PIPA

    South Korea’s data privacy law.

    Book a Demo

    What is South Korea's PIPA?

    South Korea’s Personal Information Protection Act, or PIPA, is the country’s data privacy law that came into effect in September 2011. 

    It is considered to be one of the world’s strictest and most comprehensive privacy laws, its penalties being enforced enthusiastically and it stands out through the fact that it applies to most organization types, including government entities.

    In order to keep up with ever-changing technology, PIPA mandates that the regulating body, the Personal Information Protection Commission, has to periodically release “a Master Plan to protect personal information every three years in consultation with the heads of relevant central administrative agencies to ensure the protection of personal information and the rights and interests of data subjects.” The Personal Information Protection Commission released the last Personal Information Master Plan on November 24, 2020.

    On September 15, 2023, a revision of PIPA entered into force. The revised version was approved and announced to the State Council on September 5, 2023, by the Personal Information Protection Committee (PIPC), after months of its being analyzed. 

    Key changes included the following: 

    • Changes have been made so that the protection of the rights and interests of the people could be more practically achieved. In cases where it is necessary to protect the individuals’ urgent life, body, and property, such as emergency rescue, or if it is necessary to collect, use, and provide personal information for public safety, priority measures can be taken, but personal information safety measures apply.
    • The dispute mediation procedure is changed and data processors now have an obligation to participate in mediations in order to speed up the remediation process in cases of infringement on personal data.
    • For cases where video is recorded for work purposes via mobile image information processing devices, i.e., drones, etc., if the recording is sufficiently announced through information boards, for example, the recording is allowed unless the data subject expressly denies consent. 
    • The different standards for online and offline data processing have been unified so that all personal information processors are subject to the same standards in accordance with the principle of equal regulation of the same behavior.
    • Data breaches have to be reported within the first 72 hours, as opposed to the previous version of the law where controllers had to report breaches within 5 days and information and communication service providers had only 24 hours for this.
    • Measures to ensure safety have been strengthened so that personal information can be safely processed in the public sector. 
    • In line with global standards, the requirements for the transfer of personal information abroad were diversified and the penalty system was reorganized. The requirements now allow overseas transfer to a country that protects personal information at the same level as Korea or to a company that has obtained personal information protection certification, etc., and if there are reasons such as violation of the law, an order to suspend overseas transfer is now made possible. 
    • The upper limit calculation for the penalty surcharge is now modified to ensure that the penalty surcharge was not excessively calculated outside the scope of responsibility. In addition, in consideration for small and medium-sized business operators, the deadline for paying penalties can now be postponed by two years or penalties can be paid in installments.

    What is Personal Information and what are other key definitions?

    South Korea’s PIPA offers a fairly broad definition for ‘personal information’ as “information relating to a living individual that makes it possible to identify the individual by his/her full name, resident registration number, image, etc. (including information which, if not by itself, makes it possible to identify any specific individual if combined with other information).”

    In the case of ‘sensitive personal information,’ the law states that this is any information “including ideology, belief, admission to or withdrawal from a trade union or political party, political opinions, health, sexual life, and other personal information that is likely to threat the privacy of any data subject” and includes here also criminal records or genetic information related to the individual’s physical, physiological or behavioral traits that are generated through various technical means with the purpose of identifying a specific individual or ethnic/racial data. 

    PIPA defines ‘processing’ as “the collection, generation, connecting, interlocking, recording, storage, retention, value-added processing, editing, retrieval, output, correction, recovery, use, provision, and disclosure, destruction of personal information and other similar activities,” and the ‘data subject’ as “an individual who is identifiable by the information processed” in such a way that they become recognizable by it.

    Under the law, the general term for organizations covered is ‘personal information controller,’ which means both data processor and data controller, defined as “a public institution, legal person, organization, individual, etc. that processes personal information directly or indirectly to operate the personal information files for official or business purposes.”

    Because it also applies to government entities, the law defines what it sees as a ‘public institution,’ namely, “the administrative bodies of the National Assembly, the Courts, the Constitutional Court, and the National Election Commission; the central administrative agencies (including agencies under the Presidential Office and the Prime Minister’s Office) and their affiliated entities; and local governments; or other national agencies and public entities prescribed by Presidential Decree.”

     

    Who has to comply with South Korea's PIPA?

    South Korea’s law applies to any public institution or corporate body that handles personal information, whether directly or via a third party. 

    This means that if you are a data handler, whether a person or a public agency, a juridical person or you manage an organization that, in the course of or in relation to its business activities, handles personal information directly or through a third party, you have an obligation to comply with the law. 

    Territorially, PIPA is not specifically outlined however, the enforcement standard is similar to that of the GDPR, which means that if your organization is established in South Korea, you are subject to the law and if you target users that are residents of South Korea you are likely to have to be compliant.

    Who is excluded from compliance with South Korea's PIPA? 

    There are a few categories of personal information that the privacy law in South Korea excludes, such as: 

    • “personal information collected pursuant to the Statistics Act for processing by public institutions;
    • personal information collected or requested to be provided for the analysis of information related to national security;
    • personal information processed temporarily where it is urgently necessary for the public safety and security, public health, etc.;
    • personal information collected or used for its own purposes of reporting by the press, missionary activities by religious organizations, and nomination of candidates by political parties, respectively;
    • any personal information that is processed by means of the visual data processing devices installed and operated at open places;
    • any personal information that is processed by a personal information controller to operate a group or association for friendship, such as an alumni association and a hobby club;
    • information that no longer identifies a certain individual when combined with other information, reasonably considering time, cost, technology, etc.”

    How can I facilitate my organization’s compliance  with PIPA?

    South Korea’s privacy law outlines eighth principles that organizations should follow to facilitate compliance, including that they should:

    • “specify and be explicit about the purposes for which personal information is processed; and collect personal information lawfully and fairly to the minimum extent necessary for such purposes;
    • process personal information in a manner compatible with the purposes for which the personal information is processed, and do not use it beyond such purposes;
    • ensure personal information is accurate, complete, and up to date to the extent necessary in relation to the purposes for which the personal information is processed;
    • manage personal information safely according to the processing methods, types, etc. of personal information, taking into account the possibility of infringement on the data subject rights and the severity of the relevant risks;
    • make public your privacy policy and other matters related to personal information processing; and guarantee the data subject rights, such as the right to access their personal information;
    • process personal information in a manner to minimize the possibility to infringe on the privacy of a data subject;
    • endeavor to process personal information in anonymity, if possible; and
    • endeavor to obtain trust of data subjects by observing and performing such duties and responsibilities as provided for in this Act and other related statutes.”

    Additionally, you have to follow several other guidelines: 

    • In the case of consent for processing the personal information of a child, which is any individual under the age of 14 years, you are obliged to obtain the consent of their legal representative. For this purpose, a minimal amount of personal information may be collected directly from the child in question, without the consent of their legal representative.
    • You are required to “take such technical, managerial, and physical measures as establishing an internal management plan and preserving log- on records, etc. that are necessary to ensure safety as prescribed by Presidential Decree so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged,” and to have a Privacy Policy that outlines the following details:
      • The purposes for which personal information is processed;
      • The period for processing and retaining personal information;
      • Provision of personal information to a third party (if applicable);
      • Outsourcing of personal information processing (if applicable);
      • The rights and obligations of data subjects and legal representatives, and how to exercise the rights;
      • Contact information, such as the name of the privacy officer designated under Article 31 or the name, telephone number, etc. of the department which performs the duties related to personal information protection and handles related grievances;
      • Installation and operation of an automatic collection tool of personal information, including Internet access data files, and the denial thereof (if applicable);
      • Other matters prescribed by Presidential Decree in relation to the processing of personal information.
    • You must designate “a privacy officer who comprehensively takes charge of personal information processing,” whose duties are listed in Article 32 of the text of the law. 
    • Conduct Privacy Impact Assessments (PIAs) and submit these to the Minister of the Interior, in the event of a probable breach. These should be requested from a PIA institution, which has been designated as such by the Minister.
    • In the event of a data breach you have to notify the regulatory authority and the affected individual(s) within 72 hours of the following: 
      • Particulars of the personal information divulged;
      • When and how personal information has been divulged;
      • Any information about how the data subjects can do to minimize the risk of damage from divulgence;
      • Countermeasures of the personal information controller and remedial procedure;
      • Help desk and contact points for the data subjects to report damage.

    What data access rights does South Korea's PIPA grant? 

    According to PIPA, “a data subject has the following rights in relation to the processing of his or her own personal information:

    • The right to be informed of the processing of such personal information;
    • The right to determine whether or not to consent and the scope of consent regarding the processing of such personal information;
    • The right to confirm whether or not personal information is being processed and to request access (including the provision of copies; hereinafter the same applies) to such personal information;
    • The right to suspend the processing of, and to request correction, deletion, and destruction of such personal information;
    • The right to appropriate redress for any damage arising out of the processing of such personal information through a prompt and fair procedure.

    Basically, individuals have the following rights granted to them by the law: 

    • Right to access data
    • Right to correct inaccurate data
    • Right to the portability of data
    • Right to delete personal data
    • Right to information about how entities are sharing your data
    • Right to restrict processing
    • Right to object to processing
    • Right to object to automated processing

    PIPA South Korea compliant website with Clym

    Book a Demo

    How to address data subject access requests under South Korea's PIPA?

    Although the text of the law itself does not go into the particular requirements for addressing data subject access requests, you can find these outlined in the Enforcement Decree. In combination with the text of the law, the decree mandates the following steps for addressing data subject access requests: 

    • an individual can request access directly from the organization or via the Protection Commision;
    • when submitting a request, the individual must do so “stating the information that he/she intends to access among the following information, in the manner and following the procedure determined by the personal information controller”
    • once you receive such a request, you are required to grant them access to the information “within the period prescribed by Presidential Decree” which is, according to the Enforcement Decree, ten days. 
    • in order to determine the manner and procedure for requesting access you have to take the following steps to ensure that the procedure is not more difficult than the way in which you collect personal information: 
      • provide the requested personal information in a data subject-friendly manner, such as in writing, by telephone or electronic mail, or via the Internet;
      • allow individuals to request access to their own personal information at least through the same window or in the same manner that you use to collect such personal information, unless just cause exists, such as difficulty in continuously operating such window;
      • post on a website the manner and procedure for requesting access if you operate the website.
    • you may demand a fee and postage in the case of a request to mail copies of the data.
    • in the event that your organization postpones replying to an access request, or even refuses to respond, the individual has to be notified of this as well as the means through which he can submit a complaint.

    Enforcement and penalties

    The Personal Information Protection Commission (PIPC) is the regulating body for PIPA in South Korea, its main powers including: 

    • “enforcing the PIPA;
    • addressing issues regarding formal interpretations;
    • imposing administrative fines, penalty surcharges, corrective orders, and other administrative sanctions;
    • shaping data protection policy; and
    • assessing the enactment/amendment of laws and administrative measures relating to the protection of personal information.”

    Penalties under PIPA vary depending on the part of the law that was violated as well as several factors that have to be considered when determining the amount to be imposed, as outlined in the Enforcement Decree. These may vary based on the following levels: 

    • for online service providers there is an administrative charge of 3% of total revenue, or if this cannot be calculated, up to KRW 400 million (approx. $282,000); 
    • for pseudonymised information that was processed in order to identify a certain individual, 3% of total sales generated from the violation, or where this cannot be calculated, up to KRW 400 million (approx. $282,000) or 3% of the capital amount, whichever is higher;
    • where the violation relates to resident registration numbers, up to KRW 500 million (approx. $353,000); and
    • for other administrative offenses, between KRW10 million to KRW 50 million (approx. $7,000 to $36,000).

    Data Subject Rights - GDPR vs. POPIA South Korea 

     

    How can Clym help?

    Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

    • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
    • Seamless integration into your website;
    • Adaptability to your users’ location and applicable regulation;
    • Customizable branding;
    • ReadyCompliance™: Covering 30+ data privacy regulations;
    • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

    You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.

    Table of contents
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596