The Personal Information Protection Act (PIPA), enacted in 2011, is the primary legislation governing the processing of personal information in South Korea. The Personal Information Protection Commission (PIPC) serves as the main regulatory body enforcing the PIPA and developing related policies. In addition to the PIPA, sector-specific laws regulate specific categories of personal information, such as location data and credit information. This article outlines key considerations for foreign entities operating in Korea, focusing on the extraterritorial scope of the PIPA, enforcement trends, cross-border data transfers and obligations in responding to data breaches.
Extraterritorial application

Partner
Lee & Ko
Seoul
Tel: +82 2 2191 3057
Email: khk@leeko.com
While the PIPA does not explicitly define its extraterritorial applicability, it is generally understood to apply when: (1) a foreign entity, regardless of its location, processes the personal information of Korean nationals or residents; or (2) the personal information is processed in South Korea by a Korean or foreign entity.
To clarify its application, the PIPC released the Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators on 4 April 2024, stating that the PIPA applies when: (1) goods or services are provided to Korean data subjects; (2) personal information is processed in a manner that directly or significantly affects Korean data subjects; or (3) the operator maintains a place of business within South Korean territory.
The broad interpretation of the extraterritorial scope of the PIPA demonstrates the critical need for foreign entities to comply with South Korea’s data protection regulations.
Strengthened enforcement

Partner
Lee & Ko
Seoul
Tel: +82 2 6386 6622
Email: sunghee.chae@leeko.com
In 2023, the PIPA underwent a comprehensive revision, which partially removed criminal penalties applicable to the leakage and collection of personal information, while significantly increasing administrative sanctions. Notably, the basis for calculating administrative penalties was revised from “revenue related to the violation” to “total revenue of the entity”.
For instance, the PIPC may impose an administrative penalty of up to 3% of the total revenue – excluding any revenue unrelated to the violation – if the data controller fails to take appropriate security measures (article 64-2(1)(ix) and (2) of the PIPA). The scope of revenue unrelated to the violation has become a significant factor in both the imposition and calculation of administrative penalties.
Under the amended PIPA, the PIPC imposed a KRW7.5 billion (USD5.2 million) administrative penalty on Golfzon on 8 May 2024, following a data breach, marking the largest penalty imposed on a domestic company. This highlights the necessity of a strategic legal approach to ensure the proper exclusion of unrelated revenue in the penalty calculation.
Foreign entities must also navigate Korea’s increasingly assertive regulatory enforcement environment. In January 2025, the PIPC imposed one of its largest administrative sanctions to date in connection with cross-border data transfer: administrative penalties of KRW5.9 billion on KakaoPay and KRW2.4 billion (plus a KRW2.2 million administrative fine) on Apple Distribution International Limited.
These sanctions were based on findings that KakaoPay and Apple had failed to notify users of the cross-border processing of their personal information via their service relationship with Alipay. The legality of these sanctions is currently being contested in court.
Recent enforcement actions, including the above, highlight not only the financial magnitude of recent administrative penalties, but also the PIPC’s sharpened focus on cross-border data compliance by foreign entities.
Meanwhile, recent amendments to the PIPA, effective from 2 October 2025, have further strengthened the obligation of foreign entities to designate a domestic representative. Initially introduced in 2020 for information and communication service providers, this requirement was extended in 2023 to apply to any foreign entity that: (1) has total annual revenue exceeding KRW1 trillion; (2) processes the personal data of more than one million Korean data subjects per day on average during the last three months of the previous year; or (3) has been requested to submit documents under article 63(1) of the PIPA and the PIPC determines that an appointment is necessary.
The representative must be designated from: (1) a domestic entity established by the foreign entity; or (2) a domestic entity over which the foreign entity exercises dominant influence. The foreign entity must properly manage and supervise the designated representative and ensure that the representative’s name, address and telephone number are disclosed in the privacy policy. Failure to comply with the above requirements may result in administrative fines.
Responding to data breaches

Partner
Lee & Ko
Seoul
Tel: +82 2 772 4918
Email: kyungmin.son@leeko.com
When a data controller becomes aware of any loss, theft or unauthorised disclosure of personal information (data breach), it must notify the affected data subjects within 72 hours (article 34(1) of the PIPA; article 39(1) of its Enforcement Decree). The notification must include:
- The types of personal information involved in the breach;
- The time and circumstances under which the breach occurred;
- Measures that data subjects may take to mitigate potential harm resulting from the breach;
- Countermeasures taken by the data controller and procedures for remedy; and
- Contact details of the department responsible for handling reports or claims.
The data controller is also required to file a report with the PIPC or the Korea Internet and Security Agency (KISA) within 72 hours if the data breach involves: (1) personal information of 1,000 or more data subjects; (2) sensitive information or unique identification information; or (3) illegal external access to the data controller’s data systems or data processing devices (article 34(3) of the PIPA; article 40(1) of its Enforcement Decree).
Failure to notify the data subjects or to report to the PIPC or KISA within 72 hours of becoming aware of a data breach may result in an administrative fine of up to KRW30 million.
Data subjects may claim compensation of up to KRW3 million for breaches caused by the data controller’s negligence or wilful misconduct. In such cases, the data controller must prove the absence of intent or negligence (article 39-2 of the PIPA).
On receiving a report of a data breach or becoming aware of such an incident through its own monitoring, the PIPC may require the data controller to submit relevant material.
If a data controller fails to do so or is found to have violated the PIPA, the PIPC may also enter and inspect the business premises of the relevant parties (article 63 of the PIPA). Co-operation during investigations may serve as a mitigating factor in the calculation of administrative fines.
Cross-border data transfers
For a data controller to provide, outsource or store personal information abroad (cross-border transfer), it must comply with the legal requirements stipulated in article 28-8(1) of the PIPA, as violations often result in administrative penalties.
In addition to the data subject’s consent, which was previously the sole basis, the amended PIPA of 2023 outlines other grounds for cross-border transfers:
- When there are specific provisions regarding the cross-border transfer in laws, treaties to which South Korea is a party, or other international agreements;
- When it is necessary to outsource or store personal information for the execution of a contract with the data subject, and the data subject is notified through the privacy policy or other methods prescribed by the Enforcement Decree;
- When the data recipient has obtained a personal information protection certification or other certifications recognised by the PIPC; or
- When the personal information is transferred to a country or international organisation recognised by the PIPC as offering an adequate level of protection.
The amended PIPA also grants the PIPC the authority to order the suspension of cross-border transfers (article 28-9 of the PIPA).
When obtaining consent for the cross-border transfer of personal information, the data controller must provide the data subject with prior notice of the transfer details (article 28-8(2) of the PIPA). These details must also be incorporated into the privacy policy (article 30(1)(viii) of the PIPA; article 31(1)(ii) of its Enforcement Decree).
When entering into a contract related to such a transfer, the data controller must also ensure that the terms of the agreement do not contravene the provisions of the PIPA (article 28-8(5) of the PIPA).
The evolving Korean data privacy landscape requires foreign entities to plan carefully. With the PIPC tightening enforcement against cross-border data transfers, failures in consent, notice and contract now carry steep penalties. A Korea-specific compliance strategy is essential for regulatory success and consumer trust.
Lee & Ko
Hanjin Building, 63 Namdaemun-ro
Jung-gu, Seoul, 04532, Korea
Tel: +82 2 772 4000
Email: mail@leeko.com