South Korea PIPA: Data Protection Compliance Guide
Part of the ECOSIRE Compliance & Regulation series
South Korea's Personal Information Protection Act (PIPA — 개인정보 보호법) is widely considered one of the strictest data protection laws in the world. Comprehensive in scope, detailed in technical requirements, and aggressively enforced by the Personal Information Protection Commission (PIPC — 개인정보보호위원회), PIPA has significant implications for any business operating in or serving South Korea's highly digitised market.
Enacted in 2011 and substantially amended in 2020 and again in 2023, PIPA now aligns more closely with international standards, including the EU's GDPR, while keeping distinctive Korean features: mandatory safety measures with prescribed encryption and access-control requirements, a near-total ban on collecting resident registration numbers, and a single enforcement body. Since the 2020 amendment the PIPC has been that central authority, absorbing the privacy enforcement role formerly held by the Korea Communications Commission (KCC) under the Network Act, with the Korea Internet & Security Agency (KISA) supporting it on breach reporting and technical guidance.
Key Takeaways
- PIPA applies to all public and private entities that process personal information for business purposes in South Korea, and the PIPC applies it to overseas operators serving South Korean data subjects
- Sensitive information (ideology, health, sexual life, criminal history, genetic and biometric data, race or ethnicity) requires separate explicit consent or a specific legal basis; unique identification information (resident registration, passport, driver's licence and alien registration numbers) is a distinct, separately restricted category
- The privacy policy must be publicly posted with prescribed contents; since 2023 the PIPC evaluates published policies and issues improvement recommendations
- Breach notification to the PIPC within 72 hours for qualifying incidents (1,000 or more data subjects, sensitive or unique identification information, or unlawful external access), plus notification to the affected individuals
- Cross-border transfers require a statutory ground: consent, a law or treaty, entrustment or storage necessary for a contract and disclosed in the privacy policy, a PIPC-recognised certification held by the recipient, or a PIPC adequacy determination
- PIPC can impose penalty surcharges of up to 3% of total sales; criminal penalties reach 10 years' imprisonment for the gravest offences and 5 years for most consent and third-party provision violations
- Mandatory safety measures: one-way hashing of passwords, encryption of unique identification and biometric information with approved algorithms, prescribed access-control and access-log requirements, and pseudonymisation rules
- Overseas operators above statutory size thresholds must designate a domestic representative in South Korea
PIPA Framework and Scope
Coverage
PIPA applies to:
- Personal information processors: Any public institution, corporation, organisation, or individual that processes personal information for business purposes
- Both public sector (government agencies) and private sector entities
- Overseas operators: Entities with no establishment in South Korea that provide goods or services to South Korean data subjects. PIPA has no dedicated territorial-scope clause comparable to GDPR Article 3(2); the PIPC nonetheless applies the Act to foreign operators that process Koreans' personal information, as its enforcement actions against Google, Meta and others show
Overseas operators above thresholds set in the Enforcement Decree (based on revenue or number of Korean users) must designate a domestic representative (Article 31-2, which in 2023 replaced the former Article 39-11 carried over from the Network Act) to handle PIPO duties, breach notification and PIPC enquiries on their behalf.
Personal Information Definition
Personal information (개인정보) under PIPA means information about a living individual that allows identification of that individual (including combination with other information), including:
- Name, resident registration number (주민등록번호), image
- Information that does not identify a person on its own but can easily be combined with other information to do so ("easily" being judged by the time, cost and technology reasonably available)
Pseudonymous information (가명정보): Personal information processed in a way that makes identification impossible without additional information. Can be used for statistical compilation, research, and archiving without consent, subject to specific restrictions.
Anonymised information: Information that can no longer identify an individual even when combined with other information, taking into account the time, cost and technology reasonably available. It is no longer personal information and falls outside PIPA's scope.
Sensitive Information
PIPA (Article 23) defines sensitive information (민감정보) as requiring separate explicit consent for collection and use, or a specific statutory authorisation, with limited exceptions. Categories (Article 23 and Enforcement Decree Article 18) include:
- Ideology, belief
- Joining or leaving labour unions or political parties
- Political opinions
- Health and medical information, including genetic information obtained from genetic testing
- Sexual life and sexual orientation
- Criminal history records (crimes and punishments)
- Biometric information generated by technical means for the purpose of identifying an individual (facial, fingerprint, iris and similar feature data)
- Racial or ethnic origin
Unique identification information (고유식별정보) is a separate category under Article 24 and Enforcement Decree Article 19: resident registration numbers, passport numbers, driver's licence numbers and alien registration numbers. It may be processed only with separate consent or explicit legal authorisation and must be encrypted at rest. Bank account and card numbers are not unique identification information under PIPA; they are personal information (and credit information under the Credit Information Act) and should be encrypted at rest as a matter of good practice.
Resident registration numbers (주민등록번호 — the Korean national ID number) receive the highest protection (Article 24-2): collection is prohibited unless a law or regulation expressly requires or permits it, consent alone is not a valid basis, and stored numbers must be encrypted. This is one of the strictest national ID number regimes anywhere.
Legal Bases for Processing Personal Information
Article 15(1) of PIPA provides seven legal grounds for collecting and using personal information:
- Prior consent of the data subject
- Special provisions of a law, or necessity to comply with a legal obligation
- Necessity for a public institution to perform tasks conferred by law or regulation
- Necessity to conclude or perform a contract with the data subject (the 2023 amendment removed the former "unavoidably necessary" qualifier)
- Urgent necessity to protect the life, body or property of the data subject or a third party
- Legitimate interests of the personal information processor: the processing must be necessary to achieve an interest that clearly overrides the data subject's rights, be substantially related to that interest, and stay within a reasonable scope
- Urgent necessity for public safety, public health or a similar public interest (added in 2023)
Consent requirements:
- Informed: data subject must be told the items collected, purpose, retention period, and right to withhold consent with consequences
- Voluntary: cannot condition the provision of goods/services on consent to optional processing
- Specific: separate consent for each purpose
- Written proof: retain evidence of consent
Privacy Policy Requirements
Article 30 requires personal information processors to create and publicly post a privacy policy (개인정보 처리방침). Required contents:
- Items of personal information processed
- Purpose of processing
- Retention period (destruction period)
- If provided to third parties, the details of the third parties, items provided, purpose, and retention period
- Matters concerning entrustment of processing (processors)
- Rights and obligations of data subjects and how to exercise them
- Measures taken to ensure the safety of personal information
- Name and contact information of the Personal Information Protection Officer (PIPO — 개인정보 보호책임자)
- Department handling data subject rights requests
- Any overseas transfer information
- Automatic collection devices (cookies)
Privacy policy update: Changes must be notified in advance, and the policy must be posted where data subjects can find it easily. The 2023 amendment added a privacy policy evaluation scheme (Article 30-2): the PIPC reviews published policies against its model guidelines and issues improvement recommendations to processors whose policies fall short.
Personal Information Protection Officer (PIPO)
Article 31 requires all personal information processors to designate a Personal Information Protection Officer (개인정보 보호책임자). The PIPO must:
- Be a senior executive with authority and responsibility for privacy
- Receive complaints about personal information handling and process them
- Monitor compliance
- Manage training and awareness
- Conduct privacy risk assessments
Criteria for PIPO: Must have substantial authority in the organisation — not merely a nominal designation. The PIPO must have authority to direct technical measures, access all personal information systems, and communicate directly with leadership.
Overseas operators: Must designate a domestic representative in South Korea responsible for PIPO functions.
Technical and Security Requirements
PIPA and its implementing regulations (Personal Information Safety Measures Standards — 개인정보의 안전성 확보조치 기준) specify detailed technical requirements — among the most prescriptive globally:
Encryption requirements:
- Passwords: must be stored using a salted one-way (hash) function; plain text and reversible encryption are prohibited. KISA guidance lists SHA-2 family hashes and the password-stretching functions PBKDF2, bcrypt and scrypt as safe, and Argon2 is accepted in practice
- Unique identification information (resident registration, passport, driver's licence and alien registration numbers), biometric information and, where stored, bank account and card numbers: must be encrypted with an approved algorithm. The Standards require a "secure encryption algorithm" rather than naming one; KISA's encryption guide accepts AES with 128-bit or longer keys, ARIA and SEED, and AES-256 is the usual choice
- Transmission encryption: personal information sent over a network must be protected with TLS or equivalent (SSL and TLS 1.0/1.1 are obsolete and should be disabled)
- Mobile device storage: personal information held on laptops, phones and removable media must be encrypted
Access control requirements:
- Unique user IDs for everyone who handles personal information (개인정보취급자); shared accounts prohibited
- Access rights granted on the basis of task necessity (least privilege), changed or revoked without delay on role change or departure, with a record of every grant, change and revocation kept for at least 3 years
- Automatic disconnection of a handler's session on a personal information processing system after a period of inactivity (KISA guidance: 30 minutes at most)
- Access restricted after repeated failed logins (KISA guidance: 5 attempts), with a documented unlock procedure
- A secure authentication means (for example two-factor authentication, or a VPN with client certificates) required when a handler connects to a personal information processing system from outside the organisation's network
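The password and access-control points above, as an added example in Python's standard library (not code from the page, from KISA or from any regulator): salted one-way hashing with scrypt, constant-time verification, lockout after 5 consecutive failures, and an idle-session cut-off at 30 minutes. The `AuthService` class, its method names and the scrypt cost parameters are assumptions for illustration; `now` is passed in as a Unix timestamp so the timeout logic can be exercised without waiting.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Policy values from the access-control requirements above.
MAX_FAILED_ATTEMPTS = 5
SESSION_IDLE_LIMIT_SECONDS = 30 * 60
# scrypt cost parameters: an assumption for this example (16 MiB of memory, tens of ms per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Salted one-way hash. The stored string carries its own parameters so they can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the record and compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash verified for unknown user IDs so a failed login takes the same time either way.
DUMMY_HASH = hash_password(secrets.token_hex(16))


@dataclass
class Account:
    user_id: str            # one ID per handler; shared accounts are prohibited
    password_hash: str
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    user_id: str
    last_activity: float    # Unix time of the last request


class AuthService:
    def __init__(self) -> None:
        self.accounts: dict = {}
        self.sessions: dict = {}

    def register(self, user_id: str, password: str) -> None:
        if user_id in self.accounts:
            raise ValueError("user IDs must be unique")
        self.accounts[user_id] = Account(user_id, hash_password(password))

    def login(self, user_id: str, password: str, now: float):
        """Return a session token, or None. Five consecutive failures lock the account
        until an administrator unlocks it."""
        acct = self.accounts.get(user_id)
        if acct is None:
            verify_password(password, DUMMY_HASH)   # equalise timing; result discarded
            return None
        if acct.locked or not verify_password(password, acct.password_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
            return None
        acct.failed_attempts = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user_id, now)
        return token

    def touch(self, token: str, now: float):
        """Call on every request. Returns the user ID, or None if the session is unknown
        or has been idle longer than the limit (in which case it is dropped)."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_activity > SESSION_IDLE_LIMIT_SECONDS:
            del self.sessions[token]
            return None
        sess.last_activity = now
        return sess.user_id

    def unlock(self, user_id: str) -> None:
        """Administrative unlock; the Standards expect this to be a documented procedure."""
        acct = self.accounts[user_id]
        acct.locked, acct.failed_attempts = False, 0


if __name__ == "__main__":
    svc = AuthService()
    svc.register("handler01", "correct horse battery staple")
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("handler01", "wrong", now=0.0)
    print("locked after 5 failures:", svc.accounts["handler01"].locked)
    svc.unlock("handler01")
    token = svc.login("handler01", "correct horse battery staple", now=0.0)
    print("valid at 29 min:", svc.touch(token, now=29 * 60))
    print("expired after a further 31 min idle:", svc.touch(token, now=60 * 60))
```

Two design points worth noting: the stored hash string records its own cost parameters, so the cost can be raised on the next login without a migration, and the idle timer is refreshed only by a successful `touch`, so an expired token is discarded rather than silently extended.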
Access log management:
- Every access to a personal information processing system must be logged
- Logs must include: the handler's ID, the date and time, the source address (IP), the data subject whose information was handled, and the operation performed (create, read, update, delete, download)
- Logs must be retained for at least 1 year; 2 years for processors holding personal information on 50,000 or more data subjects or processing unique identification or sensitive information
- Logs must be kept where they cannot be altered, stolen or lost (write-once storage, a separate log server, signed or hash-chained records) and reviewed at least monthly for misuse such as bulk downloads, with the business reason for each download confirmed
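An added example (not from the page or any regulator) of an access-log record that carries the fields listed above and is tamper-evident: each record holds an HMAC under a key the handlers do not have, and the previous record's MAC, so editing, deleting or reordering entries is detected by `verify()`. The `AccessLog` class, the `reason` field for downloads and the monthly-review helper `bulk_readers()` are assumptions for illustration; retention-based purging anchors the chain at the last purged MAC so older records can be destroyed without breaking verification of the rest.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

OPERATIONS = {"create", "read", "update", "delete", "download"}
# Retention from the access-log requirements above.
RETENTION = {"standard": timedelta(days=365), "extended": timedelta(days=730)}
GENESIS = "0" * 64


def _canonical(record: dict) -> bytes:
    """Deterministic serialisation so the MAC covers the same bytes on write and on verify."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


class AccessLog:
    """Append-only, hash-chained, MAC'd access log. The MAC key must live outside the
    handlers' reach (e.g. a KMS); here it is simply passed in."""

    def __init__(self, mac_key: bytes, extended_retention: bool = False) -> None:
        self._key = mac_key
        self._retention = RETENTION["extended" if extended_retention else "standard"]
        self.records: list = []
        self._start = GENESIS   # link value the first retained record must point at
        self._prev = GENESIS

    def append(self, handler_id: str, source_ip: str, subject_id: str,
               operation: str, at: datetime, reason: str = "") -> dict:
        if operation not in OPERATIONS:
            raise ValueError("unknown operation: %s" % operation)
        if operation == "download" and not reason:
            raise ValueError("downloads must record a business reason")
        record = {
            "handler_id": handler_id, "at": at.astimezone(timezone.utc).isoformat(),
            "source_ip": source_ip, "subject_id": subject_id, "operation": operation,
            "reason": reason, "prev": self._prev,
        }
        record["mac"] = hmac.new(self._key, _canonical(record), hashlib.sha256).hexdigest()
        self._prev = record["mac"]
        self.records.append(record)
        return record

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first record that fails."""
        prev = self._start
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body.get("prev") != prev:
                return i
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec.get("mac", "")):
                return i
            prev = rec["mac"]
        return -1

    def purge_expired(self, now: datetime) -> int:
        """Destroy records older than the retention period (they form a prefix, since records
        are appended in time order) and re-anchor the chain at the last purged MAC."""
        cutoff = now.astimezone(timezone.utc) - self._retention
        purged = 0
        while self.records and datetime.fromisoformat(self.records[0]["at"]) < cutoff:
            self._start = self.records.pop(0)["mac"]
            purged += 1
        return purged

    def bulk_readers(self, max_subjects_per_day: int) -> dict:
        """Monthly-review helper: (handler, day) pairs that touched more distinct data
        subjects than the threshold, a common signature of mass export."""
        seen = {}
        for r in self.records:
            seen.setdefault((r["handler_id"], r["at"][:10]), set()).add(r["subject_id"])
        return {k: len(v) for k, v in seen.items() if len(v) > max_subjects_per_day}


if __name__ == "__main__":
    # Constructed sample entries; addresses and IDs are fictitious.
    log = AccessLog(mac_key=b"\x07" * 32, extended_retention=True)
    t0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    log.append("h01", "10.0.0.5", "subj-001", "read", t0)
    log.append("h01", "10.0.0.5", "subj-002", "read", t0 + timedelta(minutes=1))
    log.append("h02", "10.0.0.9", "subj-001", "download", t0 + timedelta(days=1), reason="audit ticket 2025-17")
    print("intact:", log.verify() == -1)
    log.records[1]["subject_id"] = "subj-999"      # forge an entry
    print("first bad record after forgery:", log.verify())
```

Verification reports the first failing index, so an operator can tell a single edited record (that index fails, the rest chain correctly from its original MAC) from a truncated or reordered file (the mismatch shows up in `prev`).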
Network separation:
- Large processors (a daily average of 1,000,000 or more users whose personal information is stored over the previous three months, or information and communications service revenue of ₩10 billion or more in the previous year) must block internet access from the workstations of handlers who can download or destroy personal information, or assign access rights, on a personal information processing system (망분리, network separation)
- Intrusion prevention and detection (firewall, IPS or equivalent) must protect personal information processing systems, and the configuration must be documented
Vulnerability management:
- Security patches applied within 6 months of vendor release for operating systems and major software
- Security vulnerability assessments at least annually
Data Subject Rights
PIPA grants data subjects rights that must be fulfilled within a specified period:
| Right | Response Timeline | Notes |
|---|---|---|
| Right to access (Art. 35) | Within 10 days | Can charge a reasonable fee for copying; refusal must be explained in writing |
| Right to correction or deletion (Art. 36) | Within 10 days | Suspend use and provision while the request is reviewed; deletion can be refused only where another law requires retention |
| Right to suspension of processing (Art. 37) | Within 10 days | Can refuse if a legal ground exists, with written reasons |
| Right to withdraw consent (Art. 37) | Without delay | Cannot penalise the data subject for withdrawal |
| Right to data portability (Art. 35-2, added 2023) | Period set by the Enforcement Decree | Phased in from 2024; electronic, machine-readable format; applies to processors above size thresholds |
| Rights regarding automated decisions (Art. 37-2, added 2023) | Within 30 days (extendable) | Data subject may demand an explanation or, where the decision materially affects rights or obligations, refuse it |
Cross-Border Data Transfer
Article 28-8 (2023 amendment) governs transfers of personal information abroad. A transfer is permitted only on one of these grounds:
- Consent: separate, prior consent after disclosure of the items transferred, the destination country, the time and method of transfer, the recipient's name and contact details, the recipient's purpose and retention period, and the right to refuse and its consequences
- Law or treaty: special provisions in a statute, treaty or international agreement
- Contractual necessity: entrustment or storage abroad that is necessary to conclude or perform a contract with the data subject, where the disclosures above are made in the privacy policy or notified to the data subject
- Certification: the recipient holds a certification designated by the PIPC and has put contractual safeguards in place
- Adequacy determination: the destination country or international organisation is recognised by the PIPC as providing protection substantially equivalent to PIPA
Standard contractual clauses and binding corporate rules, familiar from GDPR, are not transfer mechanisms under PIPA; contractual safeguards are instead a condition attached to the certification and contract-necessity routes. Article 28-9 additionally lets the PIPC order a transfer suspended where the recipient country's protection is inadequate or the transfer violates the Act.
PIPC adequacy list: The PIPC has not yet issued adequacy determinations of its own under Article 28-8. In the other direction, the European Commission adopted an adequacy decision for South Korea in December 2021, so transfers from the EU to PIPA-covered Korean organisations need no additional GDPR safeguards; talks on mutual arrangements with other jurisdictions, including Japan, have been reported.
Disclosures for consent-based transfers: the items listed under "Consent" above must be given to the data subject before consent is obtained, and consent to a transfer must be obtained separately from consent to the underlying collection.
Breach Notification
Article 34 requires action upon discovering that personal information has been lost, stolen or leaked (유출 등):
Notification to the PIPC (Article 34(3), Enforcement Decree Article 40): within 72 hours of becoming aware, via the PIPC/KISA reporting portal, when the incident involves:
- 1,000 or more data subjects
- Sensitive information or unique identification information, in any quantity
- Personal information taken through unlawful access from outside (hacking) to a personal information processing system or a handler's device, in any quantity
Where full details are not yet known, the initial report is filed within the 72 hours and supplemented as facts are confirmed. Incidents outside these categories do not trigger a report to the PIPC, but the individual notification below still applies.
Individual notification (Article 34(1)): required without delay, and within the same 72-hour outer limit from becoming aware, to each affected data subject. Must include:
- Items of personal information that were lost, stolen or leaked
- Time and circumstances of the incident (if known)
- Actions data subjects can take to minimise damage
- Countermeasures the processor has taken and its remediation plan
- The department and contact details for reporting damage and asking questions
If contact details for a data subject are unavailable, notification may be made by posting on the processor's website for at least 30 days. Reports to the PIPC go through the PIPC/KISA incident report portal (privacy.go.kr).
PIPC Enforcement and Penalties
The Personal Information Protection Commission (PIPC) was strengthened as an independent commission in 2020 and further empowered in the 2023 amendments.
Administrative penalties:
- Fines up to 3% of total sales/revenue for violations involving personal information collected without legitimate basis, or unauthorized provision to third parties
- Fines up to 3% of total sales for serious violations of technical protection measures
- Corrective orders: PIPC can order operational changes, data destruction, public notices
Criminal penalties (Articles 70–73):
- Collecting or using personal information without a legal basis, processing sensitive or unique identification information without consent or legal authorisation, or providing personal information to third parties without consent (Article 71): up to 5 years' imprisonment or a fine of up to ₩50 million
- Knowingly receiving personal information that was provided without consent, for profit or an improper purpose (Article 71): the same penalty
- Unlawful processing of resident registration numbers in breach of Article 24-2: a separate criminal penalty under Article 73, in addition to administrative fines
- Obtaining personal information held by a public institution by fraud or other improper means, or altering, damaging or deleting it, for profit or an improper purpose (Article 70): up to 10 years' imprisonment or a fine of up to ₩100 million
Recent enforcement: In September 2022 the PIPC fined Google ₩69.2 billion and Meta ₩30.8 billion for collecting and using behavioural data for targeted advertising without valid consent, and in 2024 it fined Meta a further ₩21.6 billion for collecting sensitive information (religious and political views, sexual orientation) without consent. Kakao was fined in 2024 over a leak of open-chat user data, and Samsung Electronics has received corrective recommendations. Enforcement against both domestic and foreign companies is active and expanding.
PIPA Compliance Checklist
- PIPA applicability confirmed including overseas operator status
- South Korean representative designated (overseas operators)
- Personal information inventory completed including sensitive information identification
- Resident registration numbers usage assessed — collection eliminated unless legally required
- Legal basis documented for every processing activity
- Consent forms reviewed: specific, informed, voluntary, each purpose separate
- Privacy policy published on website with all required elements
- PIPO designated: senior executive with appropriate authority
- Access controls implemented: unique handler IDs, least-privilege rights with a 3-year change log, idle session cut-off (30 min), lockout after repeated failures (5), secure authentication for external access
- Encryption implemented: approved algorithm (AES-256 in practice) for unique identification, biometric and other sensitive data at rest; TLS for transmission; salted one-way hashing for passwords; key management procedure documented
- Access logs enabled with the required fields (handler ID, timestamp, source address, data subject, operation), tamper-protected, retained at least 1 year (2 years for 50,000+ data subjects or sensitive/unique identification information), reviewed monthly
- Internet cut-off (network separation) for download, destroy and rights-administration workstations if above the large-processor thresholds
- Data subject rights procedures: 10-day response for access, correction/deletion and suspension; 30 days for automated-decision requests
- Cross-border transfer mechanisms in place for overseas transfers
- 72-hour breach notification procedure to the PIPC for qualifying incidents (1,000+ data subjects, sensitive/unique identification information, external hacking)
- Individual breach notification procedure documented
- Employee training on PIPA obligations completed
- Annual vulnerability assessment scheduled
Frequently Asked Questions
Why is PIPA considered one of the strictest data protection laws globally?
PIPA combines comprehensive scope (applying to all entities including small businesses), strict consent requirements (explicit, purpose-specific, voluntary), prescriptive technical standards (mandatory encryption algorithms, specific access log requirements, network separation), strong enforcement (criminal penalties up to 10 years, administrative fines of 3% of revenue), and the prohibition on using national resident registration numbers — one of the strictest national ID protections in the world. The PIPC has demonstrated willingness to fine major domestic and foreign companies. Additionally, PIPA's detailed implementing regulations leave less room for alternative compliance approaches than GDPR's principle-based framework.
What are the specific encryption requirements under PIPA?
The Personal Information Safety Measures Standards require: (1) Passwords stored with a salted one-way function; plain text and reversible encryption are prohibited, and PBKDF2, bcrypt, scrypt and Argon2 are the accepted choices for password storage; (2) Unique identification information (resident registration, passport, driver's licence and alien registration numbers), biometric information and similar sensitive data encrypted at rest with an approved algorithm. The Standards say "secure encryption algorithm", and KISA's guide lists AES with 128-bit or longer keys, ARIA and SEED; AES-256 in an authenticated mode such as GCM is the normal engineering choice; (3) Personal information in transit protected with TLS, with TLS 1.2 or higher as the working minimum; (4) Personal information on mobile devices and removable media encrypted; (5) Encryption keys managed separately from the data they protect, with key generation, use, storage, distribution and destruction procedures documented. For cloud systems this usually means a KMS or HSM under the processor's control rather than relying on the provider's default disk encryption alone.
What is pseudonymous information under PIPA?
Pseudonymous information (가명정보) was introduced by the 2020 amendment (in force since August 2020) as a category between personal information and anonymised information. It is personal information processed so that a specific individual cannot be identified without the use or combination of additional information, where that additional information (the key or mapping table that reverses the pseudonymisation) is kept separately under its own security measures. Pseudonymous information can be processed without consent for statistical purposes, scientific research and public-interest archiving (Article 28-2), which enables analytics while reducing privacy risk. Processors must: keep the additional information separate from the pseudonymised data and restrict access to it; never process pseudonymous information for the purpose of re-identifying anyone, and stop processing and destroy any re-identifying information that emerges; apply technical, administrative and physical safety measures; and keep records of what was pseudonymised, for what purpose, and to whom it was provided (Article 28-4).
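The separation described here, and in the Personal Information Definition section earlier, as an added Python example (not the page's own code or any regulator's): direct identifiers are dropped, the resident registration number is replaced by a keyed HMAC token so the same person links consistently across datasets, the exact birth date is coarsened to a decade, and the key and token-to-RRN mapping live in a separate `AdditionalInformation` object that the released dataset never references. The sample records are constructed and fictitious, and the class and function names are assumptions for illustration; `residual_identifiers()` is the pre-release check that no direct identifier or RRN-shaped value survived.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample records for this example; the people and numbers are fictitious.
# RRN format YYMMDD-GNNNNNN: the first digit after the hyphen encodes century and sex.
SAMPLE_RECORDS = [
    {"name": "홍길동", "rrn": "900101-1234567", "phone": "010-1234-5678", "diagnosis": "J45", "city": "Seoul"},
    {"name": "김영희", "rrn": "851231-2345678", "phone": "010-2345-6789", "diagnosis": "E11", "city": "Busan"},
    {"name": "홍길동", "rrn": "900101-1234567", "phone": "010-1234-5678", "diagnosis": "J45", "city": "Seoul"},
]
DIRECT_IDENTIFIERS = ("name", "rrn", "phone")
RRN_PATTERN = re.compile(r"\b\d{6}-?[1-8]\d{6}\b")


class AdditionalInformation:
    """The 'additional information' PIPA requires be kept separately: the keyed-pseudonym
    secret and the token-to-RRN mapping. In production this is a separate system with its own
    access control and audit trail; here it is a separate object the dataset never references."""

    def __init__(self, key: bytes = None) -> None:
        self._key = key or secrets.token_bytes(32)
        self._mapping: dict = {}

    def token_for(self, rrn: str) -> str:
        # Keyed HMAC rather than a bare hash: without the key nobody can rebuild a token from a
        # guessed RRN, while the same person always maps to the same token (linkable for research).
        token = hmac.new(self._key, rrn.encode("utf-8"), hashlib.sha256).hexdigest()[:24]
        self._mapping[token] = rrn
        return token

    def reidentify(self, token: str) -> str:
        """Only the holder of the additional information can reverse a token."""
        return self._mapping[token]


def birth_decade(rrn: str) -> int:
    """Generalise the exact birth date carried in the RRN to a decade, a coarser quasi-identifier."""
    yy, century_code = int(rrn[:2]), rrn[7]
    century = 1900 if century_code in "1256" else 2000
    return (century + yy) // 10 * 10


def pseudonymise(records, vault: AdditionalInformation):
    """Drop direct identifiers, replace the RRN with a keyed token, coarsen the birth date."""
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["pid"] = vault.token_for(rec["rrn"])
        pseudo["birth_decade"] = birth_decade(rec["rrn"])
        out.append(pseudo)
    return out


def residual_identifiers(records):
    """Release check: (row, field) pairs that still hold a direct identifier or an RRN-shaped value."""
    hits = []
    for i, rec in enumerate(records):
        for k, v in rec.items():
            if k in DIRECT_IDENTIFIERS or (isinstance(v, str) and RRN_PATTERN.search(v)):
                hits.append((i, k))
    return hits


if __name__ == "__main__":
    vault = AdditionalInformation()
    dataset = pseudonymise(SAMPLE_RECORDS, vault)
    print(dataset)
    print("residual identifiers:", residual_identifiers(dataset))
    print("same person, same token:", dataset[0]["pid"] == dataset[2]["pid"])
```

The dataset alone cannot be reversed: a recipient who guesses an RRN cannot confirm it without the key, and rotating the key in the vault produces an entirely new token space, which is the practical way to retire a pseudonymised release. The regex check is a coarse safety net, not a substitute for a re-identification risk review of the remaining quasi-identifiers.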
How does PIPA's "legitimate interests" basis work?
The legitimate interests basis (Article 15(1)6) has been part of PIPA since enactment; the 2023 amendment did not introduce it. It permits processing that is necessary to achieve a legitimate interest of the processor where that interest clearly overrides the data subject's rights, the processing is substantially related to the interest, and it stays within a reasonable scope. This is narrower than GDPR Article 6(1)(f): the interest must "clearly" override, and the Act's legislative history and PIPC guidance treat the ground as one for incidental, supplementary processing rather than a general substitute for consent. The processor should document the interest, record the balancing assessment, and apply safeguards. Sensitive information cannot be processed on this basis; Article 23 requires separate consent or a specific legal authorisation.
What constitutes a data breach requiring 72-hour notification to PIPC?
The 72-hour report to the PIPC is required when: (1) 1,000 or more data subjects are affected by loss, theft or leakage; (2) sensitive information or unique identification information (resident registration numbers, passport numbers, driver's licence numbers, alien registration numbers) is involved, in any quantity; or (3) the personal information was taken through unlawful external access (hacking) to a personal information processing system or a handler's device, in any quantity. Incidents outside these categories need no report to the PIPC. The report is filed through the PIPC/KISA reporting portal (privacy.go.kr), with an initial report within 72 hours even if details are still being confirmed. Notification to the affected individuals is required regardless of scale, without delay and within 72 hours of becoming aware of the incident.
Next Steps
South Korea's PIPA is a demanding compliance framework that requires investment in both organisational processes and technical infrastructure. For businesses entering the South Korean market or expanding existing Korea operations, building PIPA compliance into your system architecture from the start — particularly the encryption requirements and access logging — is significantly more efficient than retrofitting.
ECOSIRE's technology implementation team can help design PIPA-compliant architectures, implement the specific technical standards required, and build privacy management processes suitable for the South Korean market.
Learn more: ECOSIRE Services
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. PIPA has been significantly amended and continues to evolve. Consult qualified Korean legal counsel for advice specific to your organisation.
Written by: ECOSIRE Team (Technical Writing)
The ECOSIRE technical writing team covers Odoo ERP, Shopify eCommerce, AI agents, Power BI analytics, GoHighLevel automation, and enterprise software best practices. Our guides help businesses make informed technology decisions.