Skip to Main Content
Main Menu

Personal Information Protection Act (PIPA)

The purpose of South Korea’s PIPA aims to protect the rights, freedoms and dignity of individuals through the protection of their personal data.

Are you subject to South Korea’s PIPA?

While the PIPA does not include an article explicitly describing its applicability and territorial scope, it is understood that it applies to any personal information controller and personal information managers (e.g. public institutions) who:
  • Process personal information within South Korea.

  • Are established domestically and/or internationally.

Key obligations of the PIPA

Consent for processing

Personal information controllers may process personal information based on (among other conditions) consent, and the following shall be disclosed to data subjects at the time of obtaining consent:

  • The purpose of collection and use of personal information;
  • Categories of personal information that will be collected and processed; and
  • The period for retaining and using personal information.

Processing children’s personal information

Personal information controllers and managers must obtain consent from the legal representative of a child to process personal information of a child under the age of 14, and verify the validity of the representative’s consent.

Notice to children and/or their legal representative about the processing of the child’s personal information must be provided in a clear and comprehensible manner.

Processing unique identifiers

Personal information controllers may process individuals’ resident registration numbers under specified conditions, including where:

  • Prescribed Acts and/or Regulations permit or require such processing; and
  • It is necessary for the protection of life, bodily and property interest of a data subject or third-party.
  • Personal information controllers shall safeguard resident registration numbers via encryption methods to prevent unauthorized access and tampering.

Installation of fixed visual data processing devices (e.g., video cameras)

Personal information controllers and managers may install such devices:

  • Where specifically permitted by prescribed statues;
  • A legitimate authority is authorized to operate such devices for prevention and criminal investigations, facility safety, fire management, and traffic control; and
  • When appropriate signage is also posted to inform data subjects of the occurrence, activities and activeness of such devices within an vicinity.

Designation of domestic representative

A representative shall be assigned and live within the territory of South Korea if an international personal information controller and/or manager does not have an established address or business office in South Korea. The contact information, duties and responsibilities of the representative shall be provided to the Personal Information Protection Commission.


CBPR – Navigating Cross-Border Data Privacy Compliance

In this highly anticipated webinar, we explore the background the future direction and assess the potential business case for companies considering certification under the new Global CBPR System.


  • Will personal information controllers and/or managers receive a certificate for demonstrating compliance with PIPA?

    Yes. The Minister for Interior and Safety may issue a certificate to those whose data processing activities exhibit compliance with PIPA. The effectiveness of the certificate is valid for three years.

  • Does the PIPA provide data subjects with a right of action?

    Yes. PIPA provides data subjects with a private right of action to seek compensation for damages suffered under PIPA. The most severe penalty for violations includes a fine not exceeding 100,000,000 Won (USD 75,000) and/or labor imprisonment not exceeding 10 years.

  • Is pseudonymized information permitted to be processed under PIPA?

    Yes. Personal information controllers may process pseudonymized information without obtaining consent from data subjects for statistical and scientific research purposes, and for record preservation in the public interest. However:

    • Pseudonymized information shall not be processed to identify a certain data subject;
    • Additional information may not be combined with pseudonymized information, that may be used to identify a certain data subject, when disclosing pseudonymized information to a third-party; and
    • When information, that may be used to identify a certain data subject, is generated as a byproduct from processing pseudonymized information, the personal information controller shall cease the processing, and retrieve and destroy the information immediately.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top