Global Data Privacy Guide

Korea, Republic of

(Asia Pacific) Firm: Lee & Ko

Contributors: Kwang Bae Park

Updated 01 Mar 2022

What is the key legislation?

The Personal Information Protection Act is the comprehensive general data protection law, and there exist several sector-specific laws that regulate the handling of personal data in certain industries.

Note: In South Korea, the collection and processing of personal data are governed by the Personal Information Protection Act ("PIPA"), the comprehensive general data protection law.

In addition, there are a number of sector-specific laws that regulate the handling of personal data in certain industries including:

  • Act on the Promotion of Information and Communications Network Utilization and Information Protection ("Network Act");
  • Utilization and Protection of Credit Information Act ("Credit Information Act");
  • Act on the Protection and Use of Location Information; and
  • Electronic Financial Transactions Act.

Meanwhile, the processing of personal data by data handlers which are information and communications service providers and third parties which receive personal data therefrom on the basis of consent (collectively “ICSPs”), which was previously governed by the Network Act, is now governed by the PIPA following the deletion of the relevant provisions from the Network Act and their transfer to the PIPA on August 5, 2020. These provisions are now included in the PIPA as a new chapter (the “Special Rules for ICSPs”). However, the rules regarding direct marketing via electronic means still remain in the Network Act.

As the range of applicability of the PIPA was widely expanded by the aforementioned legislative amendments, we will focus our description on the PIPA.

What data is protected?

The PIPA protects personal data – i.e., information relating to a living natural person from which a specific individual can be identified.

Note: The PIPA defines personal data as “any information relating to a living natural person that: (i) identifies a particular individual by his/her name, resident registration number, visual image, or the like; (ii) if not by itself, can be easily combined with other information to identify a particular individual (in such cases, factors such as time, cost, and technology required for identifying an individual, including the likelihood of obtaining additional information to be combined with the subject information, shall be reasonably considered when determining whether certain information can be “easily combined with any other information” to identify a particular individual); or (iii) is information under items (i) or (ii) above which is pseudonymized and thereby becomes incapable of identifying a particular individual without the use or combination of additional information for restoration to its original state”.

Also, special categories of personal data such as (i) Particular Identification Data (i.e. resident registration numbers, passport numbers, driver’s license numbers and alien registration numbers) and (ii) Sensitive Data (i.e., any information which, if divulged, may considerably infringe upon the data subject’s privacy including information related to an individual’s ideology, faith, trade union or political party membership, political views, health, sexual orientation, genetic information, criminal records, biometrics, race, or ethnicity) require stronger protection.

Who is subject to privacy obligations?

Data handlers are subject to privacy obligations.

Note: The PIPA applies to data handlers – i.e., a public institution, corporate body, organization or individual that processes data directly or via another person/entity to administer personal data files (defined as “a collection of personal data in which personal data is systematically organized pursuant to certain rules for easy search/use”) as part of its duties.

What are the principles applicable to personal data processing?

In principle, prior opt-in consent of the data subject is required.

How is the processing of personal data regulated?

In principle, prior opt-in consent of the data subject is required.

Note: Data handlers must obtain the data subject’s prior opt-in consent in order to use the data subject’s personal data. Also, separate consent must be obtained for transferring personal data to a third party, unless such transfer qualifies as outsourcing. When seeking consent from a data subject regarding the transfer of personal data, the data handler must inform the data subject of the following:

  • the identity of the third-party recipient of the personal data;
  • the third-party recipient’s purpose of use of the personal data;
  • items of personal data to be provided to the third-party recipient;
  • duration of retention/use of personal data by the third-party recipient; and
  • the fact that the data subject has the right to refuse to give consent to the contemplated transfer, and disadvantages, if any, to the data subject which may result due to such refusal.

However, personal data may be transferred without the data subject’s consent in the following cases:

  • If the transfer is specifically required or permissible under other applicable laws and regulations, or necessary to comply with the data handler's obligations under other applicable laws and regulations; or
  • If there exists a clear and urgent need to protect the life, physical or economic interest of the data subject or a third party and the consent to the transfer of personal data cannot be obtained in an ordinary manner because the data subject (or his/her legal guardian) cannot express his/her intent or because his/her address is unknown.

After collection of personal data based on consent, data handlers are permitted to further provide such personal data to third parties without additional consent if such provision is within the scope reasonably related to the original purpose of the collection after considering, among other factors, (i) whether such further provision is related to the original purpose of the collection, (ii) whether such further provision may unfairly impair the interests of the data subject, (iii) whether such further provision was foreseeable in light of the circumstances surrounding the collection of the personal data or the customary practice of processing the personal data, and (iv) whether the data handler has implemented the necessary safeguards (e.g., encryption) to ensure the security of the personal data.

Methods for Obtaining Consent

Data handlers must comply with the following requirements when obtaining consent from data subjects under the PIPA.

  • Separate consent must be obtained for each form of processing (collection/use, third-party provision, etc.) after providing notice thereof in a manner clearly understandable by data subjects.
  • When obtaining consent in writing, clearly indicate matters related to subsequent communications for promotion or solicitation purposes, Sensitive Data, passport numbers, driver’s license numbers, alien registration numbers, periods of retention/use for personal data in large font sizes and other methods easily noticeable by data subjects.
  • Distinguish between personal data that may or may not be processed without the data subject’s consent.
  • When obtaining consent for the processing of personal data for the promotion or solicitation of goods or services, provide notice thereof in a manner clearly understandable by data subjects. 
  • Refrain from denying the provision of goods or services to any data subjects who have refused their consent for optional consent categories or use/provision of their personal data beyond consented purposes. 
  • Obtain consent from legal guardians in cases where data subjects are children under the age of 14.
How are storage, security and retention of personal data regulated?

Personal data may only be stored after obtaining the data subject’s consent or pursuant to a statutorily permitted purpose and data handlers are legally required to implement detailed security measures when storing personal data.

Note:

The duration of the data retention period must be set out in (i) the data handler's notice for the data subject’s informed consent to collection/use of personal data; and (ii) the data handler's privacy policy. If the personal data are no longer necessary upon (i) the passage of the duration of retention; or (ii) the achievement of the professed purposes of the processing of personal data, or for other reasons, the data handler must without delay destroy the personal data unless any other law or regulation requires it to keep them.

The PIPA sets forth very specific security requirements with respect to the security of personal data. For instance, the PIPA requires data handlers to implement the following safeguards:

  • Establish and implement an internal administrative plan for the safe processing of personal data;
  • Implement measures to place restrictions on the access to personal data and the access authority;
  • Apply encryption technology to personal data or take other equivalent measures to ensure the secure storage and transmission of personal data;
  • Maintain access logs/records and take measures to prevent the forgery or falsification of such records, in order to be able to effectively respond to an intrusion incident; and
  • Install and update security programs for the protection of personal data and implement physical measures, such as setting up separate storage facilities for storing personal data securely or installing security locks.

The implementing regulations of the PIPA (e.g., the Enforcement Decree, Official Notices, etc.) set forth such measures in greater detail.

What are the data subjects' rights?

Data subjects are guaranteed the right of access, the right to request rectification/erasure, and the right to request suspension of processing.

Note: The data subject is entitled to the following rights against the data handler:

  • Right of access: the data subject has the right to request access to his/her personal data that is being processed by the data handler;
  • Right to request rectification, erasure: once the data subject accesses his/her personal data, the data subject has the right to request rectification or erasure of his/her personal data; and
  • Right to request suspension of processing: the data subject has the right to request suspension of the processing of his/her personal data.

Please note, however, that pursuant to the Special Rules for ICSPs, data subjects which are users of ICSPs are additionally entitled to withdraw consent for the collection, use, and provision of their personal data.

Are there restrictions on cross-border data transfers?

The consent of the data subject may be required.

Note: The PIPA regulates cross-border transfers of personal data involving the transfer of personal data to third parties located overseas. Specifically, a data handler must obtain the data subject's consent in order to transfer personal data to third parties. However, the outsourcing of processing of personal data to an outsourced processor located overseas is treated in the same way as domestic outsourcing and thus consent is not required. 

Please note, however, that pursuant to the Special Rules for ICSPs, data handlers who are ICSPs are required to obtain consent for overseas storage of personal data and cross-border transfers, irrespective of whether such transfer constitutes a provision or outsourcing, unless an exception is applicable. In the case of cross-border transfers constituting outsourcing or storage, such consent may be omitted so long as the following information is disclosed in the ICSP’s privacy policy or is notified to the data subjects via email, document, or other similar methods: (i) items of the personal data to be transferred, (ii) countries where the personal data is to be transferred and the date/time/methods of transfer, (iii) recipients (if the recipient is a corporation, then the name of the corporation and the contact information of the person in charge of the management of personal data) to whom the personal data is to be transferred, and (iv) the purposes of use and the periods of retention of such recipients of personal data.

Consent of data subjects will be required for onward transfers of personal data to third countries after initial cross-border transfers from Korea.

Are there any notification requirements for data breaches?

In the event of a data security breach, the data handler must notify the relevant data subjects and report the breach to the competent regulatory authority.

Note: The data handler must notify data subjects of the following without delay:

  • the items of personal data that were the subject of the breach;
  • the time of the breach and the reasons for the breach;
  • information concerning measures that can be taken by the data subject to minimize damages resulting from the breach;
  • countermeasures taken by the data handler and procedures for providing redress to the data subject; and
  • the contact information of its pertinent department for reporting damages incurred by the data subject.

Also, whenever there is a data breach involving the personal data of 1,000 or more data subjects, the data handler must:

  • report to the relevant authority (i.e., the Personal Information Protection Commission (“PIPC”) or the Korea Internet and Security Agency (“KISA”)) without delay
    • the fact that it informed its data subjects of the breach, and
    • the measures it took to minimize damages to the data subjects; and
  • disclose certain statutorily-prescribed information on its internet homepage for at least seven days.

Please note, however, that pursuant to the Special Rules for ICSPs, ICSPs must, unless there is a justifiable reason for a delay, promptly (i.e., within 24 hours) report to the relevant authority upon becoming aware of a data breach which has affected 1 or more of their users. The information that must be included when ICSPs are reporting to the relevant authority is almost identical to that of an ordinary data handler.

ICSPs must also notify affected data subjects in the event of a data breach. Information that must be included when providing such notification is identical to the information that must be included when reporting to the relevant authority.

Who is the privacy regulator?

The PIPC is the government agency responsible for enforcing the PIPA.

Note: As explained above in our response to "What is the key legislation?", South Korea’s data protection laws are divided into one general comprehensive law (i.e., the PIPA) and several sector-specific laws. Each of these sector-specific laws is enforced by a different regulatory agency.

In the case of the PIPA, the PIPC is the government agency responsible for its enforcement.

What are the consequences of a privacy breach?

Criminal, administrative penalties and/or civil liabilities.

Note: The PIPA sets forth detailed penalties for each type of violation. A data handler that commits a material violation of the PIPA may be subject to imprisonment of up to ten years or a fine of up to KRW 100 million. Further, a data handler may be subject to a penalty surcharge of up to KRW 500 million for the loss, theft, leakage, falsification, alteration, or damage of any resident registration numbers.

For other minor violations, the data handler may simply be ordered to take corrective measures or be subject to an administrative fine of up to KRW 50 million.

Data subjects who suffer damages from the data breach are entitled to seek compensation from the data handler. Data handlers may not avoid liability in such cases unless they are able to establish that they were neither intentionally nor negligently at fault for the data breach. 

If the Network Act is applicable, material violations related to the processing of personal data may be subject to imprisonment of up to five years or a criminal fine of up to KRW 50 million, and a penalty surcharge of up to three percent of the revenue generated from the ICSP’s relevant service(s).

In addition, ICSPs may also face a corrective order or an administrative fine of up to KRW 30 million. Provisions related to the civil liability of ICSPs under the Network Act are identical to those for data handlers under the PIPA.

Additionally, if the relevant data handler is an ICSP and it has failed to implement certain security measures required by the PIPA, such ICSP may be subject to a penalty surcharge of up to three percent of the revenue generated from the ICSP’s relevant service(s).

How is electronic marketing regulated?

In principle, the consent of the recipient is required.

Note: In general, electronic marketing is regulated by the Network Act. Under the Network Act, in principle, direct marketing (i.e., the transmission of for-profit advertisements) is only allowed if the recipient’s explicit consent was obtained in advance. (Only a few limited exceptions are recognized.)

Additionally, the Network Act provides for certain information that must be included in the for-profit advertisements (e.g., the name and contact details of the sender), and specifies certain acts that the sender is prohibited from engaging in (e.g., finding methods to prevent the recipient’s refusal to receive marketing communications).

Are there any recent developments or expected reforms?

In addition to the aforementioned amendments to the PIPA which took effect on August 5, 2020, a legislative bill proposing to amend the PIPA (“Proposed Amendments”) was recently introduced in the National Assembly by the PIPC on September 28, 2021.

Note: The Proposed Amendments contain provisions that, among other things, (i) introduce the right to data portability and rights regarding automated decision-making, (ii) create new rules regarding mobile visual information processing devices, (iii) create new rules for cross-border transfers which are more in line with those in other jurisdictions, and (iv) increase (from a percentage of related revenue to a percentage of total revenue) the potential amount of administrative penalty surcharges for violations.