The Republic of Korea (South Korea) recognizes privacy rights, such as the privacy of communications and freedom of expression, as fundamental rights under its Constitution.
South Korea has elaborate laws and regulations related to data protection. The country's Personal Information Protection Act (PIPA), amended in 2020, sets out strict rules governing the collection, use, disclosure, and other processing of personal information by government bodies, private entities, and individuals.
Under the PIPA, South Korea has laid out specific requirements for handling personal data and makes the data subject's consent an integral part of almost every step.
The PIPA applies to any personal information controller. A personal information controller can be an individual, a public agency, a juridical person, or an organization that handles data subjects' personal data, either itself or through a third party. Any entity to which the PIPA applies must comply with the law. The PIPA applies to the handling of personal data, which the law defines as the 'collection, generation, recording, storage, retention, processing, editing, search, outputting, rectification, restoration, use, provision, disclosure, or destruction of personal data or any other action similar to any of the preceding.'
The PIPA does not explicitly define its territorial or extraterritorial scope. Nonetheless, PIPA does consider several factors when determining if a foreign entity is subject to the PIPA (for instance, whether the entity provides services targeted at Koreans or whether the company generates revenue from doing business in South Korea).
The PIPA gives 'personal data' a broad meaning. In simplified terms, personal data under the PIPA relates to a living natural person and includes a:
Under the PIPA, sensitive data is regarded as the personal information of an individual's:
While the PIPA does not explicitly define biometric data, it treats information on an individual's physical, physiological, and behavioral characteristics that is used to identify the person as 'sensitive data.'
The PIPA takes inspiration from the EU's GDPR when it comes to the concept of a personal information controller.
Under the PIPA, the concept of a personal information controller is defined broadly, and the law therefore requires data processing entities to provide personal information handlers with the necessary educational programs on a regular basis to ensure the appropriate handling of personal information.
To ensure the safe administration of personal information, personal information handlers must exercise proper control and supervision over those who process personal information under their command and supervision, such as officers or employees, temporary agency workers, and part-time workers.
Under the PIPA, personal information controllers are required to issue a notice when processing any personal data. Generally, explicit consent is required before collecting or using personal information, or providing it to third parties, subject to certain exceptions.
Personal information controllers and Information and Communications Service Providers (ICSPs) are required to specify the following matters when seeking consent from data subjects for the collection and use of their personal data:
Additionally, personal information controllers and ICSPs are required to explicitly state the following matters when seeking consent from data subjects for the provision of personal data to third parties:
The PIPA requires personal information controllers to maintain the security of the personal data in their possession. Personal information controllers must diligently avoid the risk of infringing data subjects' privacy by taking the technical, administrative, and physical measures necessary to ensure the security of that personal data.
The PIPA requires a personal information controller to notify any data subject whose data has been affected by a breach. When a personal information controller becomes aware that the personal information of data subjects has been breached, it must promptly notify the data subjects of the following:
PIPA requires a personal information controller to plan for and implement countermeasures to reduce the risk of harm in the event that personal information is disclosed.
The PIPA requires personal information controllers to designate a privacy officer, the Chief Privacy Officer (CPO), who takes charge of how personal data is handled.
The CPO's responsibilities under the PIPA are:
The CPO does not have to be a citizen. If no CPO is designated, an administrative fine of up to KRW 10 million may be imposed on the entity processing personal information.
The PIPA instructs personal information controllers to publicly disclose their privacy policies in a way that allows data subjects to thoroughly examine the stated terms of these privacy policies, including any revisions made to them, at any time.
Under the PIPA, the obligation to conduct a Data Protection Impact Assessment (DPIA) applies only to public institutions. A DPIA is undertaken where there is a noticeable risk of infringement of data subjects' personal data.
The head of the respective public institution conducts the impact assessment to analyze any risk factors and ways to address them, and submits the findings to the Personal Information Protection Commission (PIPC).
Although the PIPA does not require organizations to maintain a record of processing activities, it does require personal information controllers to maintain access log records documenting the access granted to a data processing system.
These records cover access by officers, employees, workers, or anyone else who processes personal data under the direction and supervision of the personal information controller, and they must be retained for at least one year. In addition, the PIPA requires the log records to contain the reason for access, an ID number, the date and time of entry, information identifying the person who accessed the system, and the number or types of tasks performed on the processing system.
Personal information controllers are advised not to enter into data transfer agreements with vendors that do not comply with privacy laws and regulations. For transfers of data to a third party overseas, the PIPA requires personal information controllers to obtain the data subjects' prior consent.
The following situations are exceptions to the general rule:
A personal information controller must acquire consent after notifying the data subject of:
In an event where the personal data is transferred to a third party, PIPA makes it imperative that data subjects be notified of:
While a personal information controller is not subject to any obligations beyond the general standards for third-party transfer outlined above, there is a special provision for the cross-border transfer of users' personal information. Users are defined as all individuals who use the telecommunications services provided by Online Service Providers.
If a user's personal information is transferred to an entity located outside the country, the Online Service Provider must inform the user of, and obtain their consent to, the following:
The PIPA grants data subjects the following rights:
Under the PIPA, data subjects have the right to be informed of the storage, processing, and sharing of their personal data. Personal information controllers and ICSPs are responsible for informing the data subjects.
The PIPA allows a data subject to request access to his/her personal data processed by the personal information controller and to learn with whom it is shared.
The PIPA grants data subjects the right to request that the relevant personal information controller rectify their information, provided they have previously accessed it. Data subjects who have been denied access to their personal data may not exercise the right to request rectification of that data.
Under the PIPA, data subjects that have previously accessed their personal information have the right to request the erasure of their personal information from the relevant personal information controller.
Under the PIPA, personal information controllers that are ICSPs must allow data subjects to withdraw their consent to the processing of their personal information at any time. In addition, personal information controllers must respond to a data subject's request to suspend the processing of his/her personal information.
The data subjects have the right to choose whether or not to consent to the processing of their personal data, as well as the scope of that consent.
Data subjects have the right to swift and reasonable remedies for any harm caused by the processing of their personal data.
The main data protection authorities for PIPA are:
Data regulators such as the PIPC, the KCC, and the FSC have the power to impose numerous administrative penalties such as:
In addition, public prosecutors may investigate violations, which may lead to criminal punishment. At the same time, under the PIPA, personal information controllers may be civilly liable to any data subjects who suffer damages as a result of such violations.
Under the PIPA, fines of up to 100 million won and imprisonment of up to 10 years may be imposed; enforcement is overseen by the Personal Information Protection Commission (PIPC).
To comply with PIPA, organizations must:
The worldwide dynamics of accessing and sharing personal data are rapidly evolving, pushing businesses to become more privacy-conscious in their processes and responsible guardians of their customers' data, all while automating privacy and security operations for quick response.
With an ever-growing database of users and potential users, businesses must embrace robotic automation to operationalize compliance and avoid falling behind. While multiple vendors offer software that helps companies comply with global privacy regulations, those solutions are often limited by various restrictions or offer only elementary data-driven functions.
Securiti combines reliability, intelligence, and simplicity, building on the PrivacyOps framework to enable end-to-end automation for organizations. Securiti can help you stay compliant with South Korea's PIPA and other privacy and security regulations worldwide. See how it works. Request a demo today.