Skip to main content

Personal Information Protection Act (South Korea)

South Korea's Personal Information Protection Act is a comprehensive, consent-centric data protection law covering public and private sectors and foreign processors of Korean data. It grants broad data subject rights and carries turnover-based fines and criminal penalties, enforced by the PIPC.

Jurisdiction
South Korea

Personal Information Protection Act (South Korea)

The Personal Information Protection Act (PIPA) is South Korea's comprehensive data protection law. It took effect on September 30, 2011 and has been substantially strengthened over time, most notably by a major 2020 reform that consolidated oversight and a 2023 amendment that broadened data subject rights and modernized cross-border and automated-decision rules. PIPA is widely regarded as one of the strictest privacy regimes in the world, with a strong emphasis on consent.

Who It Applies To

PIPA applies to any personal information controller, defined as a public institution, legal entity, organization, or individual that processes personal information to operate personal information files as part of its activities. It covers both the public and private sectors and applies to foreign businesses that process the personal information of Korean data subjects. The Personal Information Protection Commission (PIPC) is the independent supervisory authority.

Key Requirements

Processing generally requires the data subject's consent, which must be specific and informed; separate consent is required for sensitive information and unique identifiers. Controllers must limit collection to the minimum necessary and use data only for notified purposes. Data subjects have rights to access, correct, delete, suspend processing, and, under recent amendments, to data portability and to contest fully automated decisions. Cross-border transfers require a lawful basis such as consent or adequacy-style mechanisms. Controllers must notify affected subjects and the PIPC of certain data breaches, and many must appoint a privacy officer.

Penalties for Non-Compliance

The PIPC can impose administrative fines and, since the 2023 reform, turnover-based penalty surcharges of up to 3 percent of total relevant revenue for serious violations. PIPA also carries criminal liability, including imprisonment and fines for certain offenses, making it one of the more punitive regimes globally.

How to Comply

Map data flows and build granular consent mechanisms, with separate consent for sensitive data. Minimize collection and honor data subject rights, including the newer portability and automated-decision rights. Establish lawful cross-border transfer mechanisms, implement breach notification procedures, and appoint a qualified privacy officer where required.

How to Comply

Beyond consent, organizations should align their programs with PIPC guidance, maintain detailed records of processing and consent, and prepare for the strengthened automated-decision and portability rights introduced in the 2023 reform. Because PIPA combines turnover-based administrative surcharges with criminal liability, executive accountability and documented internal controls are essential, and global firms should not assume that GDPR compliance alone satisfies Korea's stricter, consent-first expectations.

Building a Durable Program

Organizations operating across borders should treat this regime as one input into a unified, principles-based privacy program rather than a standalone checklist. Practical foundations include maintaining a current record of processing activities that documents purposes, lawful bases, data categories, recipients, retention periods, and any cross-border transfers; classifying data so that sensitive categories receive heightened safeguards by default; and embedding privacy-by-design reviews into product and engineering workflows so that new features are assessed before launch. Robust consent and preference management, demonstrable through audit logs, is essential where the law is consent-centric, since the burden of proving a valid lawful basis typically rests on the controller. Incident-response runbooks should encode the applicable breach-notification timelines and decision criteria so that the organization can act within tight windows. Vendor management should ensure processors are bound by contracts that flow down core obligations, and periodic audits should verify that controls remain effective. Aligning to recognized frameworks such as ISO 27701 and privacy-by-design principles helps satisfy overlapping obligations across jurisdictions while reducing duplicated effort and the risk of gaps.