1. Introduction
South Korea has elaborate laws and regulations related to personal data protection. The Personal Information Protection Act ("PIPA") was first enacted on September 30, 2011. The Act sets strict rules that govern the collection, usage, disclosure, and other processing of personal information by government bodies, private entities, and individuals. The recent amendments to the Act and the amended Enforcement Decree came into force on September 15, 2023.
Under the PIPA, South Korea has laid out specific requirements for handling personal information and taking the data subject's consent as an integral part of almost every step.
2. Who Needs to Comply with PIPA
A. Personal Scope
The PIPA applies to any personal information controller. A personal information controller could be an individual, a public agency, a juridical person, or an organization that handles the data subject's personal information either themselves or through a third party. If PIPA applies to an entity, it must comply with the law.
The PIPA applies to the processing of personal information. ‘Processing’ under the law is defined as the ‘collection, generation, recording, storage, retention, processing, editing, search, outputting, rectification, restoration, use, provision, disclosure, or destruction of personal information or any other action similar to any of the preceding.’
B. Territorial Scope
The PIPA does not explicitly define its territorial or extraterritorial scope. Nonetheless, it considers several factors when determining whether a foreign entity is subject to the PIPA (for instance, whether the entity provides services targeted at Koreans or whether the company generates revenue from doing business in South Korea).
3. Definitions of Key Terms
A. Personal Information
The PIPA gives ‘personal information’ a broad meaning. Put simply, personal information under the PIPA is information relating to a living natural person, such as the person's:
- Name
- Resident registration number (RRN)
- Image
B. Sensitive Data
Under the PIPA, sensitive data is regarded as the personal information of an individual's:
- Ideology
- Faith
- Trade union
- Political party membership
- Political views
- Health
- Sexual orientation
- Genetic information
- Criminal records
- Physical information
- Physiological information
- Behavioral characteristics
- Any other personal information that may cause a material threat to the privacy of the data subject
C. Biometric Data
While the PIPA does not explicitly define biometric data, it treats an individual's physical, physiological, and behavioral characteristics, listed above under ‘sensitive data’, as sensitive when they are used as a means to identify the person.
D. Personal Information Controller
The PIPA takes inspiration from the EU’s GDPR regarding the concept of a personal information controller. It includes natural and legal persons that process personal information.
Under the PIPA, the concept of personal information controller is defined extensively. Data processing entities must therefore regularly provide the personal information handlers working for them with the training necessary to ensure appropriate handling of personal information.
To ensure the safe administration of personal information, personal information controllers must perform proper control and supervision against those who process personal information under their command and supervision, such as officers or employees, temporary agency workers, and part-time workers.
4. Obligations for Organizations Under PIPA
A. Consent Requirements
Under the PIPA, personal information controllers must give notice when processing personal information. Generally, explicit consent is required before collecting and using personal information or providing it to third parties, subject to certain exceptions.
Personal information controllers and Information and Communications Service Providers (ICSPs) are required to specify the following matters when seeking consent from data subjects for the collection and use of their personal information:
- the purpose of the collection and use of personal information;
- the items of personal information to be collected/used;
- the period for retaining and using personal information; and
- the data subject's right to refuse his/her consent, and any disadvantages that may follow from such refusal.
Additionally, personal information controllers and ICSPs are required to explicitly state the following matters when seeking consent from data subjects for the provision of personal information to third parties:
- the specific name of the third-party recipient;
- items of personal information to be shared;
- third-party recipients' purposes of use;
- period of retention and use by the third-party recipient; and
- the data subject's right to refuse his/her consent, and any disadvantages that may follow from such refusal.
According to the recent amendments, additional flexibility is allowed in data processing activities if the cases involve processing personal information to protect people from physical threats or property loss, emergency rescue operations, or mitigating public health crises such as COVID-19.
Moreover, the Personal Information Protection Commission (PIPC) has clarified certain principles for using personal information without consent. They have stated that as per the PIPA Enforcement Decree:
- Personal information necessary for fulfilling a service contract can be processed without requiring explicit consent from the data subject. However, to ensure transparency and compliance, it must be separated from other information requiring consent.
- If sensitive information or unique identifiers are needed for the service, separate explicit consent must be obtained unless otherwise provided by PIPA.
B. Security Requirements
The PIPA requires personal information controllers to keep the personal information in their possession secure. They must take the technical, administrative, and physical measures necessary to ensure its security and to prevent infringement of data subjects' privacy.
C. Data Breach Requirements
The PIPA requires a personal information controller to notify any data subject whose data has been affected by a breach. When a personal information controller becomes aware that the personal information of data subjects has been breached, it must promptly notify the data subjects of the following:
- Specifics of the disclosed personal information;
- When and how the personal information was disclosed;
- Any information on how data subjects can reduce the risk of harm from the disclosure;
- The personal information controller's countermeasures and remediation procedure;
- The help desk and other contact points set up for data subjects to report damage.
PIPA requires a personal information controller to plan for and implement countermeasures to reduce the risk of harm in the event that personal information is disclosed.
D. Chief Privacy Officer (CPO) Requirement
The PIPA requires all personal information controllers to designate officials as privacy officers. These privacy officers are responsible for how personal information is handled.
The CPO's responsibilities under the PIPA are:
- Creating and implementing personal information protection plans,
- Conducting periodic investigations and updating the status and procedures of personal information processing,
- Resolving complaints and repairing damage caused by the processing of personal information,
- Developing internal control measures to avoid personal information loss, misuse, and abuse,
- Designing and implementing personal information protection training sessions,
- Monitoring, managing, and protecting personal information files,
- Developing, updating, and putting into effect a personal information processing policy,
- Managing items relating to the security of personal information, and
- Discarding personal information after the processing goal has been met or the retention time has passed.
The CPO does not have to be a citizen, and if a CPO is not designated, a maximum administrative fine of KRW 10 million may be imposed on the entity engaging in personal information processing.
E. Privacy Policy Requirements
The PIPA outlines a series of personal information processing policies that must be included in a privacy policy, including, but not limited to:
- the purposes of processing,
- retention period,
- information on provision and outsourcing,
- disposal of personal information.
The PIPA instructs personal information controllers to publicly disclose their privacy policies in a way that allows data subjects to thoroughly examine the stated terms of these privacy policies, including any revisions made to them, at any time.
F. Data Protection Impact Assessment
Under the PIPA, only public institutions are required to conduct a Data Protection Impact Assessment (DPIA). A DPIA is undertaken where there is a noticeable risk of infringement of data subjects' personal information.
The head of the respective public institution conducts the impact assessment to analyze risk factors (if any) and ways to mitigate them, and submits the findings to the PIPC.
G. Record of Processing Activities
Even though the PIPA does not require organizations to maintain a record of processing activities, it does require personal information controllers to keep and maintain log-in records documenting the access that the controller grants to a data processing system.
Such access may be granted to officers, employees, workers, or anyone else who processes personal information under the direction and supervision of the personal information controller, and the records must be retained for at least one year. In addition, the PIPA requires that the log-in records contain the reason for access, an ID number, the date and time of entry, information identifying the person who accessed the system, and the number or types of tasks performed on the processing system.
H. Overseas Transfer of Personal Information
Personal information controllers are advised not to enter into information transfer agreements with vendors that do not comply with privacy laws and regulations. The Personal Information Protection Commission has released Regulations on the Overseas Transfer of Personal Information.
The PIPC delineates the operations of the Overseas Transfer Expert Committee, specifying procedures for recognizing the level of personal information protection in the destination country and addressing matters related to the cancellation and modification of such recognition.
This committee evaluates overseas data transfers and has the authority to issue certifications or order the suspension of transfers based on its assessments. Regarding information transfer to a third party overseas, the PIPA requires personal information controllers to obtain data subjects' prior consent.
I. Preliminary Adequacy Review System
The Personal Information Protection Commission (PIPC) also initiated the 'Preliminary Adequacy Review System’ on October 13, 2023. This initiative is designed to ensure secure personal information use in emerging technologies, such as artificial intelligence.
The system allows business operators uncertain about compliance with the PIPA to apply for a prior adequacy review by the PIPC. This review process determines a compliance plan. A pilot operation will assess effectiveness, with full-scale implementation anticipated by January 2024, contingent upon successful outcomes.
1. Exceptions to the General Rule
The following situations are exceptions to the general rule:
- Whenever any Act contains special provisions, or it is required to comply with an obligation imposed by or under any Act or subordinate Act,
- When it is necessary for a public institution to carry out its responsibilities as set out in any Act or subordinate statute, and
- Where it is evident that it is necessary for a data subject's physical safety and property interests or the data subject is unable to give consent for whatever reason.
A personal information controller must acquire consent after notifying the data subject of:
- The individual or entity to whom personal information is transferred,
- The intended use of the personal information by the person or the entity,
- Categories of personal information transferred,
- The timeframe for which the person or the entity will possess the personal information, and
- The data subject's right to refuse consent.
In an event where personal information is transferred to a third party, PIPA makes it imperative that data subjects be notified of the following:
- The third-party source (transferor) from which the personal information was acquired,
- The intended purpose and use of obtaining the personal information, and
- The data subject's right to request suspension of the use of their personal information.
According to the recent amendments, the transfer of personal information to third-party destinations abroad has been broadened to allow it to countries with the same level of data protection as South Korea, or to certain certified companies. While the personal information controller is not subject to any additional obligations beyond the general standards for third-party transfer outlined above, there is a special provision for cross-border transfer of users' personal information. Users are defined as all individuals who use the telecommunications services provided by Online Service Providers.
If a user's personal information is transferred to an entity located outside of the country, Online Service Providers must inform the user and acquire their consent for the following:
- The exact information to be sent to a foreign country;
- The destination country;
- The date, time, and method of transmission;
- The name of the third party and the contact details for the third party's person in control of personal information; and
- The aim of the third party's use of the personal information and the retention and usage period.
Additionally, the recent amendment introduces the possibility of ordering the suspension of cross-border data transfers in case of violation of the law. The maximum penalty amount is to be calculated based on the total revenue generated, minus the amount of revenue incurred from activities unrelated to the violation.
5. Data Subject Rights
The PIPA grants data subjects the following rights:
A. Right to Be Informed
Under the PIPA, data subjects have the right to be informed of the storage, processing, and sharing of their personal information. Personal information controllers and ICSPs are responsible for informing the data subjects.
B. Right to Access
The PIPA enables a data subject to request access to his/her personal information processed by a personal information controller, including information on with whom it is shared.
C. Right to Rectification
The PIPA grants data subjects the right to request rectification of their information by the relevant personal information controller if they have previously accessed their personal information. Data subjects who have been denied access to their personal information may not exercise the right to request rectification.
D. Right to Erasure
Under the PIPA, data subjects who have previously accessed their personal information have the right to request the erasure of their personal information from the relevant personal information controller.
E. Right to Object/Opt-Out
Under the PIPA, personal information controllers that are ICSPs must allow data subjects to withdraw their consent to the processing of their personal information at any time. In addition, personal information controllers must respond to a data subject's request to suspend the processing of his/her personal information.
F. Consent
The data subjects have the right to choose whether or not to consent to the processing of their personal information, as well as the scope of that consent.
G. Right to Redressal
Data subjects have the right to swift and reasonable remedies for any harm caused by the processing of their personal information. The recent amendments state that a more prompt remedy is to be provided through a privacy-related dispute resolution procedure and that both public institutions and private companies are mandated to participate in dispute resolution proceedings.
H. Right to Data Portability
The Amended PIPA contains provisions relating to the right to data portability that will take effect at a to-be-announced date between 12 and 24 months after its promulgation date, i.e., 14 March 2023. This would grant data subjects the right to request that their personal information be transmitted to either themselves or eligible third parties.
6. Regulatory Authority
The main data protection authorities for PIPA are:
- PIPC;
- Korea Communications Commission (KCC);
- Korea Internet & Security Agency (KISA); and
- Financial Services Commission (FSC).
7. Penalties for Non-Compliance
Data regulators such as the PIPC, the KCC, and the FSC have the power to impose numerous administrative penalties such as:
- corrective orders,
- administrative fines, and
- penalty surcharges for violations of respective laws and regulations.
The PIPC has recently issued comprehensive guidelines in accordance with Article 65(2) of the PIPA and Article 58 of the PIPA Enforcement Decree. These guidelines outline specific standards for disciplinary action concerning violations of personal information protection laws and regulations. Effective September 15, 2023, these guidelines empower the PIPC to recommend disciplinary actions in certain cases.
In addition, public prosecutors may also conduct examinations on any violations which may lead to criminal punishment. Simultaneously, under the PIPA, personal information controllers may become civilly liable to any data subjects who may suffer damages due to such violations.
Under the PIPA, the PIPC may impose a penalty not exceeding 100 million won, and violations may carry imprisonment of no more than 10 years. Breach of PIPA provisions can lead to an administrative fine of up to 3% of the data controller’s sales revenue related to the activity violating the PIPA.
8. How an Organization Can Operationalize the PIPA
To comply with PIPA, organizations must:
- Conduct a thorough data mapping exercise to understand the types of data the organization uses, the purposes of that use, and how well the data is protected.
- Identify the personal information that they consider “sensitive.”
- Keep the data mapping exercise current, and eliminate the collection of ‘additional personal information’ that is not required by the organization or the law.
- Update the organization’s processes, policies, procedures, and systems to comply with the PIPA requirements.
- Conduct a data protection impact assessment.
- Possibly engage a third party to conduct a cybersecurity audit of the organization’s processes, especially if they might pose a risk to consumers’ privacy or security.
- Adopt Privacy by Design principles when developing new products and services.
9. How Securiti Can Help
The worldwide dynamics of accessing and sharing personal data are rapidly evolving, pushing businesses to become more privacy-conscious in their processes and responsible guardians of their customers' data, all while automating privacy and security operations for quick response.
With an ever-growing database of users and potential users, businesses must embrace robotic automation to operationalize compliance and avoid falling behind. While multiple vendors offer software that enables companies to comply with global privacy regulations, those solutions go only so far, with various restrictions or only elementary data-driven functions.
Securiti binds reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you comply with South Korea’s PIPA and other privacy and security regulations worldwide.
See how it works. Request a demo today.
Frequently Asked Questions (FAQs)