
Overview of South Korea’s Personal Information Protection Act (PIPA)

1. Introduction

The Republic of Korea (South Korea) recognizes privacy-related rights, such as the privacy of communications and freedom of expression, as fundamental rights under its Constitution.

South Korea has elaborate laws and regulations related to data protection. The country's Personal Information Protection Act (PIPA), amended in 2020, sets out strict rules governing the collection, use, disclosure, and other processing of personal information by government bodies, private entities, and individuals.

Under the PIPA, South Korea has laid out specific requirements for handling personal data, with the data subject's consent forming an integral part of almost every step.

2. Who Needs to Comply with the Law

A. Personal Scope

The PIPA applies to any personal information controller. A personal information controller can be an individual, a public agency, a juridical person, or an organization that handles a data subject's personal data, either itself or through a third party. Any entity to which the PIPA applies must comply with the law. The PIPA governs the handling of personal data, and handling is defined as the 'collection, generation, recording, storage, retention, processing, editing, search, outputting, rectification, restoration, use, provision, disclosure, or destruction of personal data or any other action similar to any of the preceding.'

B. Territorial Scope

The PIPA does not explicitly define its territorial or extraterritorial scope. Nonetheless, several factors are considered when determining whether a foreign entity is subject to the PIPA, for instance whether the entity provides services targeted at Koreans or whether the company generates revenue from doing business in South Korea.

3. Definitions of Key Terms

A. Personal Data

The PIPA defines 'personal data' broadly. In simplified terms, personal data under the PIPA is information relating to a living natural person, such as the person's:

  • Name
  • Resident registration number (RRN)
  • Image.

B. Sensitive Data

Under the PIPA, sensitive data is regarded as the personal information of an individual's:

  • Ideology
  • Faith
  • Trade union
  • Political party membership
  • Political views
  • Health
  • Sexual orientation
  • Genetic information
  • Criminal records
  • Physical information
  • Physiological information
  • Behavioral characteristics
  • Any other personal information that may cause a material breach of privacy

C. Biometric Data

While the PIPA does not explicitly define biometric data, the physical, physiological, and behavioral characteristics listed under 'sensitive data' cover information used as a means to identify a person.

D. Personal Information Controller

The PIPA takes inspiration from the EU's GDPR when it comes to the concept of a personal information controller.

E. Personal Information Handler

Under the PIPA, the concept of a personal information controller is defined extensively. Controllers are therefore required to provide personal information handlers with the necessary educational programs on a regular basis in order to ensure the appropriate handling of personal information.

To ensure the safe administration of personal information, personal information handlers must exercise proper control and supervision over those who process personal information under their command and supervision, such as officers or employees, temporary agency workers, and part-time workers.

4. Obligations for Organizations Under PIPA

A. Consent Requirements

Under the PIPA, personal information controllers are required to issue a notice when processing any personal data. Generally, explicit consent is required before collecting, using, or providing personal information to third parties, subject to certain exceptions.

Personal information controllers and Information and Communications Service Providers (ICSPs) are required to specify the following matters when seeking consent from data subjects for the collection and use of their personal data:

  • The purpose of the collection and use of personal data;
  • The items of personal data to be collected/used;
  • The period for retaining and using the personal data; and
  • The data subject's right to refuse consent, and any disadvantages that may follow from such refusal.

Additionally, personal information controllers and ICSPs are required to explicitly state the following matters when seeking consent from data subjects for the provision of personal data to third parties:

  • The specific name of the third-party recipient;
  • Items of personal information to be shared;
  • Third party recipients' purposes of use;
  • Period of retention and use by the third-party recipient; and
  • The data subject's right to refuse consent, and any disadvantages that may follow from such refusal.

B. Security Requirements

The PIPA requires personal information controllers to maintain the security of the personal data in their possession. Personal information controllers must diligently guard against risks of infringement of data subjects' privacy by taking the technical, administrative, and physical measures necessary to ensure the security of that personal data.

C. Data Breach Requirements

The PIPA requires a personal information controller to notify any data subject whose data has been affected by a breach. When a personal information controller becomes aware that the personal information of data subjects has been breached, it must promptly notify the data subjects of the following:

  • Specifics of the disclosed personal information;
  • When and how the personal information was disclosed;
  • Any information on how data subjects can reduce the risk of harm from the disclosure;
  • The personal information controller's countermeasures and remediation procedure;
  • The help desk and other contact points set up for data subjects to report damage.

PIPA requires a personal information controller to plan for and implement countermeasures to reduce the risk of harm in the event that personal information is disclosed.

D. Chief Privacy Officer Requirement

The PIPA has all personal information controllers designate certified officials as privacy officers. These privacy officers take overall responsibility for how personal data is handled.

The CPO's responsibilities under the PIPA are:

  • Creating and implementing personal information protection plans,
  • Conducting periodic investigations and updating the status and procedures of personal information processing,
  • Resolving complaints and repairing damage caused by the processing of personal information,
  • Developing internal control measures to avoid personal data loss, misuse, and abuse,
  • Designing and implementing personal information protection training sessions,
  • Monitoring, managing, and protecting personal information files,
  • Developing, updating, and putting into effect a personal information processing policy,
  • Managing items relating to the security of personal information, and
  • Discarding personal information after the processing goal has been met or the retention time has passed.

The CPO does not have to be a citizen. If a CPO is not designated, a maximum administrative fine of KRW 10 million may be imposed on the entity engaging in personal information processing.

E. Privacy Policy Requirements

The PIPA outlines a series of information that must be included in a privacy policy, including, but not limited to:

  • The purposes of use,
  • Retention period,
  • Information on provision and outsourcing,
  • Disposal of personal data.

The PIPA instructs personal information controllers to publicly disclose their privacy policies in a way that allows data subjects to thoroughly examine the stated terms of these privacy policies, including any revisions made to them, at any time.

F. Data Protection Impact Assessment

Under the PIPA, only public institutions are required to conduct a Data Protection Impact Assessment (DPIA). A DPIA is undertaken where there is a noticeable risk of infringement of the personal data of data subjects.

The head of the respective public institution conducts the impact assessment to analyze any risk factors and ways to mitigate them, and submits the findings to the Personal Information Protection Commission (PIPC).

G. Record of Processing Activities

Even though the PIPA does not require organizations to maintain a record of processing activities, it does require personal information controllers to keep and maintain access log records that document access to a personal data processing system by the controller's personnel.

Such access may be given to officers, employees, workers, or anyone else who processes personal data under the direction and supervision of the personal information controller, and the log records must be retained for at least one year. In addition, the PIPA requires that the log records contain the reason for access, an ID, the date and time of access, information identifying the person who accessed the system, and the number or types of tasks performed on the processing system.
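The following is an added example, not code from the page or from Securiti, showing what an access-log record for a personal data processing system might look like when it carries the items the text lists (reason for access, an ID, date and time, identification of the accessor, and the number and types of tasks) and when log retention refuses to purge anything younger than one year. The field names, the `AccessLog` class and the sample entries are assumptions constructed for the illustration.

```python
"""Access-log records for a personal data processing system (constructed example).

Not Securiti's code and not an official PIPA artefact: the field names and
sample entries below are assumptions chosen to mirror the items the text lists.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
import json

# Minimum retention the text describes: log records kept for at least one year.
RETENTION_MIN = timedelta(days=365)


@dataclass(frozen=True)
class AccessRecord:
    timestamp: datetime      # date and time of access (must be timezone-aware)
    user_id: str             # ID of the account that accessed the system
    accessor: str            # information identifying the person (name, department)
    reason: str              # reason for the access
    tasks: tuple             # types of tasks performed on the processing system

    def validate(self) -> None:
        """Reject records that lack any of the required items."""
        if self.timestamp.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        for name in ("user_id", "accessor", "reason"):
            if not getattr(self, name).strip():
                raise ValueError(f"{name} is required")
        if not self.tasks:
            raise ValueError("at least one task must be recorded")

    def to_json(self) -> str:
        """Serialize as one JSON line, adding the task count alongside the task types."""
        d = asdict(self)
        d["timestamp"] = self.timestamp.isoformat()
        d["tasks"] = list(self.tasks)
        d["task_count"] = len(self.tasks)
        return json.dumps(d, sort_keys=True)


class AccessLog:
    """Append-only in-memory log; a real deployment would write to durable storage."""

    def __init__(self) -> None:
        self._lines: list = []

    def append(self, rec: AccessRecord) -> int:
        rec.validate()                 # never store an incomplete record
        self._lines.append(rec.to_json())
        return len(self._lines)

    def purge_expired(self, now: datetime, retention: timedelta = RETENTION_MIN) -> int:
        """Remove only records older than the retention floor; return how many were removed."""
        cutoff = now - retention
        kept, removed = [], 0
        for line in self._lines:
            ts = datetime.fromisoformat(json.loads(line)["timestamp"])
            if ts < cutoff:
                removed += 1
            else:
                kept.append(line)     # younger than one year: must be retained
        self._lines = kept
        return removed

    def __len__(self) -> int:
        return len(self._lines)


# Constructed sample data: a fixed "now" and three accesses of different ages.
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)


def demo():
    """Append three records and purge; returns (removed_count, remaining_count)."""
    log = AccessLog()
    ages = (400, 365, 30)              # days before NOW; only the 400-day record expires
    for i, age in enumerate(ages):
        log.append(AccessRecord(
            timestamp=NOW - timedelta(days=age),
            user_id=f"emp-{i:03d}",
            accessor=f"Staff member {i}, Customer Support",
            reason="customer inquiry follow-up",
            tasks=("lookup", "export") if i == 0 else ("lookup",),
        ))
    removed = log.purge_expired(NOW)
    return removed, len(log)


def rejects_missing_reason() -> bool:
    """An access with no stated reason must not be written to the log."""
    try:
        AccessLog().append(AccessRecord(NOW, "emp-999", "Contractor", "   ", ("lookup",)))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), rejects_missing_reason())
```

The boundary case is deliberate: the record that is exactly 365 days old is kept, because the text describes one year as a minimum, so retention logic should only purge records that are strictly older than the floor.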

H. Cross-Border Data Transfer Requirements

Personal information controllers are advised not to enter into data transfer agreements with vendors that do not comply with privacy laws and regulations. When personal data is transferred to a third party overseas, the PIPA requires personal information controllers to obtain the data subjects' prior consent.

The following situations are exceptions to the general rule:

  • Whenever any Act contains special provisions or it is required to comply with an obligation imposed by or under any Act or subordinate act,
  • When it is necessary for a public institution to carry out its responsibilities as set out in any Act or subordinate statute, and
  • Where it is evident that it is necessary for a data subject's physical safety and property interests or the data subject is unable to give consent for whatever reason.

A personal information controller must acquire consent after notifying the data subject of:

  • The individual or entity to whom personal information is transferred,
  • The intended use of the personal information by the person or the entity,
  • Categories of personal information transferred,
  • The timeframe for which the person or the entity will possess the personal information, and
  • The data subject's right to refuse consent.

Where personal data is transferred from a third party, the PIPA requires that data subjects be notified of:

  • The third-party source (transferor) from which the personal information was acquired,
  • The intended purpose and use of obtaining the personal information, and
  • The data subject's right to suspend the use of their personal information.

While the personal information controller is not subject to any additional obligations beyond the general standards for third-party transfer outlined above, there is a special provision for cross-border transfer of users' personal information. Users are defined as all individuals who use the telecommunications services provided by Online Service Providers.

If a user's personal information is transferred to an entity located outside of the country, Online Service Providers must inform the user and acquire their consent for the following:

  • The exact information to be sent to a foreign country;
  • The destination country;
  • The date, time, and method of transmission;
  • The name of the third party and the contact details for the third party's person in control of personal information, and
  • The aim of the third party's use of the personal information, as well as the retention and usage period.

5. Data Subject Rights

The PIPA grants data subjects the following rights:

A. Right to be informed

Under the PIPA, data subjects have the right to be informed of the storage, processing, and sharing of their personal data. Personal information controllers and ICSPs are responsible for informing the data subjects.

B. Right to access

The PIPA enables a data subject to request access to his/her personal data processed by the personal information controller and to learn with whom it is shared.

C. Right to rectification

The PIPA gives data subjects the right to request the rectification of their information by the relevant personal information controller if they have previously accessed their personal information. Data subjects who have been denied access to their personal data may not exercise the right to request rectification.

D. Right to erasure

Under the PIPA, data subjects that have previously accessed their personal information have the right to request the erasure of their personal information from the relevant personal information controller.

E. Right to object/opt-out

Under the PIPA, personal information controllers that are ICSPs are required to allow data subjects to withdraw their consent to the processing of their personal information at any time. In addition, personal information controllers must respond to a data subject's request to suspend the processing of his/her personal information.

F. Consent

The data subjects have the right to choose whether or not to consent to the processing of their personal data, as well as the scope of that consent.

G. Right to Redress

Data subjects have the right to swift and reasonable remedies for any harm caused by the processing of their personal data.

6. Regulatory authority

The main data protection authorities for PIPA are:

  1. Personal Information Protection Commission (PIPC);
  2. Korea Communications Commission (KCC);
  3. Korea Internet & Security Agency (KISA); and
  4. Financial Services Commission (FSC).

7. Penalties for Non-compliance

Data regulators such as the PIPC, the KCC, and the FSC have the power to impose a range of administrative penalties, such as:

  • Corrective orders,
  • Administrative fines, and
  • Penalty surcharges for violations of respective laws and regulations.

In addition, public prosecutors may investigate violations, which may lead to criminal punishment. At the same time, under the PIPA, personal information controllers may become civilly liable to any data subjects who suffer damages as a result of such violations.

Under the PIPA, penalties of up to 100 million won and imprisonment of up to 10 years may apply; these fall under the oversight of the Personal Information Protection Commission (PIPC).

8. How an Organization Can Operationalize the Law

To comply with PIPA, organizations must:

  • Carry out a thorough data mapping exercise to better understand the types of data the organization uses, the purposes of that use, and how well the data stores are protected.
  • Identify the personal information that they consider 'sensitive.'
  • Keep the data map current, and eliminate the collection of additional personal information that is not required by the organization or the law.
  • Update the organization's processes, policies, procedures, and systems to comply with the PIPA requirements.
  • Conduct a data protection impact assessment.
  • Possibly engage a third party to conduct a cybersecurity audit of the organization's processes, especially if they might pose a risk to consumers' privacy or security.
  • Adopt Privacy by Design principles when developing new products and services.

9. How can Securiti Help

The worldwide dynamics of accessing and sharing personal data are rapidly evolving, pushing businesses to become more privacy-conscious in their processes and responsible guardians of their customers' data, all while automating privacy and security operations for quick response.

With an ever-growing database of users and potential users, businesses must embrace robotic automation to operationalize compliance and avoid falling behind. While multiple services offer software that enables companies to comply with global privacy regulations, those solutions only go as far as possible with various restrictions or elementary data-driven functions.

Securiti binds reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with South Korea's PIPA and other privacy and security regulations worldwide. See how it works. Request a demo today.
