🇰🇷 South Korea

PIPA

Personal Information Protection Act (South Korea)

South Korea's comprehensive privacy law, considered one of the strictest in Asia, governing the collection and processing of personal information by all sectors.

Overview

South Korea's Personal Information Protection Act (PIPA) is widely regarded as one of the world's most stringent privacy laws. First enacted in 2011, it was substantially amended in 2020 (when the privacy provisions for online service providers were folded into PIPA and the PIPC became the single enforcement body) and again in 2023. PIPA applies to all personal information processors in South Korea, public and private, and the PIPC enforces it against foreign entities that process the personal information of Korean data subjects. The 2023 amendments broadened the lawful routes for overseas transfers while giving the PIPC power to order a transfer suspended, added a right to refuse significant automated decisions and a right to have one's data transmitted (portability), and moved the penalty regime towards administrative fines calculated as a percentage of the processor's revenue.

In practice consent is the default lawful basis under PIPA, and where it is relied on it must be explicit and granular: separate consent is required for each specific purpose, for providing data to third parties, and for optional items beyond those necessary for the service, and a service may not be refused for declining an optional item. The 2023 amendments widened the non-consent bases somewhat (for example, processing that is necessary to perform a contract with the data subject no longer needs consent), but the consent rules remain stricter than those of most other regimes. They are matched by strong data subject rights, including the right to refuse automated decision-making. The PIPC, reorganised in 2020 as an independent central administrative agency, actively investigates violations and has issued substantial fines against domestic and foreign companies, including Google and Meta in 2022 for behavioural advertising without valid consent.

A notable feature of PIPA is its treatment of unique identification information. Processing of resident registration numbers (RRNs, Korea's national ID numbers) is prohibited unless a statute or regulation specifically requires or permits it, and stored RRNs must be encrypted. This makes PIPA compliance particularly challenging for organisations that have historically used the RRN as a customer key or an authentication factor: such systems generally have to be redesigned around an alternative identifier such as a connecting information (CI) token or an internally generated ID.

Scope & Applicability

PIPA applies to all personal information processors in South Korea, meaning any public institution, legal entity, organisation, or individual that processes personal information for business purposes. The Act contains no explicit territorial-scope clause, but the PIPC applies it to foreign entities that process the personal information of Korean data subjects, typically because they provide services to users in Korea, and large foreign processors must designate a domestic representative in Korea to handle PIPC requests and data subject complaints. Personal information means any information relating to a living individual that identifies that individual or that can easily be combined with other information to do so; pseudonymised information remains personal information under the Act.

Key Principles

  1. Minimum Collection: only personal information necessary for the processing purpose may be collected
  2. Purpose Specification: purposes must be specified and communicated at collection, and data cannot be used for other purposes
  3. Informed and Voluntary Consent: consent must be separate for each purpose, explicit, and not bundled with terms of service
  4. Accuracy and Completeness: personal information must be accurate, complete, and current
  5. Security: technical and managerial safeguards must protect personal information from loss, theft, leakage, alteration, or damage
  6. Transparency: individuals must be informed of all relevant details of processing before or at collection
  7. Individual Rights: data subjects have the right to access, correct, delete, suspend processing, and refuse automated decisions

Data Subject Rights

Right of Access

Data subjects can request access to their personal information, the purposes of processing, third parties receiving the data, and the source of collection.

Right to Correction and Deletion

Data subjects can request correction of inaccurate information, or deletion when the retention period has expired, the information is no longer necessary for its purpose, or consent is withdrawn. A processor may refuse deletion only where another law requires the information to be retained.

Right to Suspend Processing

Data subjects can request suspension of processing of their personal information in certain circumstances, such as where processing is unlawful or consent is withdrawn.

Right to Refuse Automated Decision-Making

Data subjects can refuse a decision made solely by automated processing (including AI systems) that significantly affects their rights or obligations, such as credit scoring or employment screening, or request an explanation of it. Where the decision is made under a statute, is necessary to perform a contract with the data subject, or was made with the data subject's consent, the right to refuse does not apply, but the data subject can still demand an explanation.

Right to Data Portability

Under the 2023 amendments, data subjects can request that their personal information be transmitted to themselves or to a designated third party in a structured, machine-readable format. The right covers information the data subject provided directly or that was generated in the course of a contract, and it is being phased in by processor type and sector rather than applying to every processor at once.

Right to Withdraw Consent

Data subjects can withdraw consent at any time; withdrawing consent must be no harder than giving it, and withdrawal of one consent must not be tied to withdrawal of another.

Business Obligations

Appoint a Chief Privacy Officer (CPO)

All personal information processors must designate a CPO responsible for PIPA compliance and publish the CPO's name and contact details in the privacy policy. Large processors must appoint a CPO who meets statutory qualification requirements, including privacy or security experience, and must guarantee the CPO's independence in carrying out the role.

Obtain Separate, Granular Consent

PIPA requires separate consent, obtained and recorded independently, for each processing purpose, for third-party disclosures, for overseas transfers, for sensitive information and unique identifiers, and for marketing; a single omnibus consent bundled into the terms of service is not permitted. Retention periods are not a separate consent item but must be disclosed at collection.

Maintain Internal Management Plan

A documented internal management plan covering all aspects of personal information processing — roles, security measures, breach response, and staff training — must be maintained.

Conduct Privacy Impact Assessment (PIA)

PIAs are mandatory for public institutions processing sensitive data or large volumes of data, and strongly recommended for private sector organisations.

Breach Notification within 72 Hours

A breach must be reported to the PIPC (or to KISA, which receives reports on the PIPC's behalf) within 72 hours of the processor becoming aware of it where it involves the personal information of 1,000 or more individuals, where sensitive information or unique identifiers are involved, or where it resulted from unauthorised external access such as hacking. Affected individuals must be notified without delay, and in any case within 72 hours, unless contact details are unavailable.

Overseas Transfer Requirements

Transfer of personal information overseas requires either consent from the data subject or compliance with PIPC-prescribed cross-border transfer standards, including contractual safeguards.

Cross-Border Transfer Rules

Overseas transfers under PIPA require informed, separate consent from the data subject (disclosing the recipient, the purpose, the items transferred, the retention period, and the right to refuse consent), or one of the alternative bases introduced by the 2023 amendments: a specific provision in a statute or treaty; transfer to an overseas processor for outsourcing or storage that is disclosed in the privacy policy or notified to the data subject; transfer to a recipient that holds a PIPC-recognised privacy certification and has the prescribed safeguards in place; or transfer to a country or international organisation that the PIPC has recognised as providing protection equivalent to PIPA. The PIPC can order a transfer suspended where these conditions are not met. For transfers to processors (rather than independent controllers), the outsourcing contract must also contain the minimum terms prescribed by the Act, including the purpose and scope of processing, security measures, restrictions on sub-outsourcing, and the processor's obligations on termination.

Breach Notification Requirements

Notification Timeline

Without delay, and within 72 hours, to data subjects; within 72 hours to the PIPC for breaches involving 1,000 or more individuals, sensitive information or unique identifiers, or unauthorised external access

Notify Authority

Personal Information Protection Commission (PIPC), or the Korea Internet & Security Agency (KISA), which receives breach reports on the PIPC's behalf

Notify Individuals

All affected data subjects must be individually notified without delay, disclosing the items breached, when and how the breach occurred, what the data subject can do to limit harm, the countermeasures and remedies the processor has taken, and a contact point (normally the CPO) for reporting damage

How TruePrivacy Helps

Purpose-built tools for every PIPA obligation.

PIPA Consent Management

TruePrivacy's consent platform captures PIPA-compliant separate, granular consent for each purpose and third-party disclosure, with full consent lifecycle management.

72-Hour Breach Notification Automation

Automated breach triage and PIPC notification workflows ensure the 72-hour deadline is met, with data subject notification templates in Korean.

Privacy Impact Assessment Workflows

Guided PIA templates aligned with PIPC methodology support mandatory public sector assessments and voluntary private sector assessments.

Overseas Transfer Management

A comprehensive cross-border transfer registry with PIPC-approved contract templates and consent records for every international data flow.

CPO Support Dashboard

A dedicated CPO workspace consolidates data inventory, consent records, breach log, PIA tracker, and PIPC correspondence for efficient compliance management.

Ready to achieve PIPA compliance?

TruePrivacy automates your compliance workflows so your team can focus on what matters.