🇰🇷 South Korea
Information
Extracts :
Extract :
No mention of the subject right related to Citizens outside their jurisdiction
2021
Reference :
South Korea Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
There is not a definition of data subject
2022
Reference :
Data protection appointment officer | DataGuidance
Information on data protection appointment office - KOR
Extracts :
Extract :
No mention of the subject right related to Persons within their jurisdiction
2021
Reference :
South Korea Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
There is not a definition of data subject
2022
Reference :
Data protection appointment officer | DataGuidance
Information on data protection appointment office - KOR
Extracts :
Extract :
No mention of the subject right related to Legal entities
2021
Reference :
South Korea Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
There is not a definition of data subject
2022
Reference :
Data protection appointment officer | DataGuidance
Information on data protection appointment office - KOR
Extracts :
Extract :
"While it is understood that the PIPA applies to all data handlers and outsourced processors within South Korea, the PIPA does not explicitly specify its territorial scope. Furthermore, the PIPA does not reference its extraterritorial scope, however, in practice, several factors are considered when deciding whether a foreign entity is subject to the PIPA (e.g. whether the company provides services targeted at Koreans, or whether the company generates revenue from doing business in South Korea)."
2023
Reference :
South Korea Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"While it is understood that the PIPA applies to all data handlers and outsourced processors within South
Korea, the PIPA does not explicitly specify its territorial scope. Furthermore, the PIPA does not reference
its extraterritorial scope, however in practice several factors are considered when deciding whether a
foreign entity is subject to the PIPA (e.g. whether the company provides services targeted at Koreans"
2021
Reference :
South Korea Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"Data controller: The concept of data handler, or personal information controller, under the PIPA is similar
to the concept of data controller under the General Data Protection Regulation (Regulation (EU)
2016/679) ('GDPR'). Specifically, the PIPA defines a data handler as 'a public institution, corporate body,
organisation, individual, who, by itself or through a third party, processes, i.e., collects, generates, connects,
interlocks, records, stores, retains, processes, edits, searches, outputs, corrects, restores, uses,
provides, discloses, destroys, or otherwise handles personal data to administer personal data files for
official or business purposes.'
Data processor: Data handlers may outsource the processing of personal data and personal information
to third parties, i.e. data processors. Under the PIPA, the concept of data handler is defined quite
broadly, and therefore includes data protection authorities that process data."
2021
Reference :
South Korea Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
While it is understood that the PIPA applies to all data handlers and outsourced processors within South Korea, the PIPA does not explicitly specify its territorial scope. Furthermore, the PIPA does not reference its extraterritorial scope, however, in practice, several factors are considered when deciding whether a foreign entity is subject to the PIPA (e.g. whether the company provides services targeted at Koreans, or whether the company generates revenue from doing business in South Korea).
2023
Reference :
South Korea Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference
Extracts :
Extract :
"PIPA provides the possibility of administrative fines and penalty surcharges to be issued by regulators"
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
"Depending on the violation occurred the penalty may be up to either (i) KRW 500 million (approx. €377,500) (which is only imposed if the personal information affected includes RRNs), (ii) 3/100 of the total revenue, or (iii) 3/100 of the revenue generated from the act constituting the violation."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
"PIPA establishes provisions for imprisonment."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
Data entered based on reference.
2020
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference
Extracts :
Extract :
"Alternative dispute resolution (mediation for personal data disputes) and class actions are available to facilitate faster resolution of disputes. However, class actions are limited to obtaining injunctive relief against a responsible party who violates the law and cannot be used for compensation purposes."
2022
Reference :
South Korea's Personal Information Protection Act (PIPA)
Information on South Korea | ActiveMind Legal
Link to reference
Extracts :
Extract :
"Under PIPA, data subjects may seek compensation against data handlers for any damages they suffer due to violations committed by such data handlers. In such cases, data handlers will be held liable for the damages suffered by data subjects unless they can prove that they were neither intentionally nor negligently at fault for such damages."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
"PIPA establishes provisions for imprisonment."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference
Extracts :
Extract :
"Under PIPA, only public institutions are obligated to conduct a PIA."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
"The Enforcement Decree provides a list of measures data handlers can take to ensure the safety of personal information, including:
establishing and implementing an internal management plan for handling personal information;
measures to control access to personal information;
application of encryption technology to safely store and transmit personal information; and prevent forgery and alteration in response to personal information infringement incidents;
installation and update of security programs for personal information; and
physical measures such as provision of storage facilities for safe storage of personal information or installation of locking devices."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
"The Enforcement Decree provides that a data handler must notify data subjects without delay upon becoming aware of a breach of personal information. In practice, without delay is construed to mean within five days of becoming aware of the breach, unless there is a justifiable reason for the delay. However, if the data handler is an ICSP, the notice must be made within 24 hours, unless there is a justifiable reason for the delay."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
"Under PIPA, if the personal information above the scale prescribed by the Enforcement Decree of 1,000 or more individuals is leaked, a report must be made to the regulator in writing without delay. In practice, this is construed to mean within five days of becoming aware of the breach. However, if the data handler is an ICSP, such report must be made irrespective of the number of data subjects affected within 24 hours of becoming aware of the breach."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
There is no comment by DataGuidance.
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference
Extracts :
Extract :
"The current PIPA does not recognize the right to data portability. However, the 2023 Amendments expressly provide for data subjects' rights to their data portability (the provisions on the right to data portability are expected to take effect sometime after March 15, 2024)."
2023
Reference :
South Korea Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"The current PIPA does not recognize the right not to be subject to automated decision-making (i.e., decisions made solely by automated means without any human involvement, such as artificial intelligence ('AI')-driven systems). However, the 2023 Amendments to the PIPA expressly provide for a data subject's right to contest automated decision-making (the relevant provisions of the 2023 Amendments concerning the right to contest automated decision-making will take effect on March 15, 2024)."
2023
Reference :
South Korea Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"8.1. Right to be informed
Notification when obtaining consent from data subjects
Under the PIPA, data handlers and ICSPs are required to provide notice of the following matters when
obtaining consent from data subjects for the collection and use of personal data:
• the purpose of the collection and use of personal data;
• the items of personal data to be collected/used;
• the period for retaining and using the personal data; and
• the data subject's right to refuse his/her consent and outline any disadvantages, if any, which
may follow from such refusal."
2021
Reference :
South Korea Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference
Extracts :
Extract :
"8.2. Right to access
Under the PIPA, a data subject may request access to his/her personal data processed by the data handler.
The PIPA establishes that the right of access may only be limited or denied in circumstances where:
• such access is prohibited or restricted by law; or
• it may possibly cause damage to the life or body of a third party, or improperly violate the
property, and other interests of a third party."
2021
Reference :
South Korea Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.3. Right to rectification
The PIPA provides data subjects that have accessed their personal information with a right to request
the rectification of such information from the relevant data handler. Since only data subjects who have
accessed their personal data may request rectification of such information, data subjects who were denied
access to their personal data may not exercise their right to request rectification."
2021
Reference :
South Korea Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.4. Right to erasure
The PIPA provides data subjects that have accessed their personal information with a right to request
the erasure of such information from the relevant data handler. However, the erasure is not permitted
when the collection of the personal information is required by other laws or the data subject's right to
access has been denied by the data handler."
2021
Reference :
South Korea Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference
Extracts :
Extract :
"Further, the 2023 Amendments grant the PIPC powers similar to those of data protection authorities under the GDPR, such as the power to order a data handler to suspend a cross-border data transfer if the transfer violates or is expected to violate the PIPA or if the recipient does not adequately protect data in accordance with the PIPA."
2023
Reference :
South Korea Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference
Extracts :
Extract :
"Under PIPA, only public institutions are obligated to conduct a PIA."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
"Under PIPA, data handlers must appoint a privacy officer who will be responsible for overseeing
all data processing-related matters."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
"Under the PIPA, all data handlers must appoint qualified officials as privacy officers to take charge of all aspects of their handling of personal data (Article 31(1) of PIPA)."
2022
Reference :
South Korea Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"The privacy officer shall perform a list of tasks including:
to establish and execute a plan to protect personal information;
to carry out routine check-ups and improve actual conditions and practices concerning the processing of personal information;
to respond to complaints relating to the processing of personal information, and provide remedies for damages incurred by data subjects;
to establish an internal control system to prevent leaks, misuse, and abuse of personal information;
to plan and implement education programmes about the protection of personal information;
to protect, manage, and supervise personal data files;
to take corrective measures immediately upon discovering any violation of laws, and report such corrective measures to the head of the organisation;
to establish, modify, and implement the privacy policy pursuant to Article 30 of the PIPA;
to maintain materials related with personal information protection; and
to destroy personal information whose purpose of processing is attained or retention period expires."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
PIPA provides that each data handler must appoint their own privacy officer, therefore a group of data handlers cannot appoint a single privacy officer.
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference
Extracts :
Extract :
"PIPA does not explicitly state whether data subjects may contact the privacy officer in relation to the processing of their personal data or the exercising of their rights. However, the contact details of the privacy officer must be included in the data handler's privacy policy."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
"PIPA does not explicitly outline any exemptions in relation to notifying data subjects of a data breach. However, if emergency measures (e.g. blocking of access channels, inspection/remedy of external and internal system vulnerabilities in the network or firewall, deletion of leaked personal data, retention of external access records for use in the investigation) are required to prevent the further spread or additional leakage of personal information, the data handler may implement such measures first and notify the data subject without delay after such measures have been taken. In practice, without delay is construed to mean within five days"
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference
Extracts :
Extract :
"PIPA does not require organisations to maintain a record of processing activities. However, PIPA does require data handlers to manage and store log-in records which document the access to a data processing system by 'personal information handlers' (i.e. officers, employees, workers, etc. who process personal information under the direction and supervision of the data handler) for at least one year. Such log-in records shall contain the facts of access, including ID, date and time of access, information to identify the person of access, and tasks performed by the personal information handler while connected to the processing system."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference

| Name | Short name | Classification | Jurisdiction | Year of creation |
|---|---|---|---|---|
| Fair Trade Commission (FTC) | | Regulator | Under the government authority | 1981 |
| Ministry of Science and ICT (MSIT) | | Regulator | Ministry | 2017 |
| Ministry of Trade, Industry, and Energy (MOTIE) | | Regulator | Ministry | 2013 |
| Personal Information Protection Commission (PIPC) | PIPC | Regulator | Independent agency | 2011 |
| Financial Services Commission (FSC) | | Regulator | Under the government authority | 1998 |
| Korea Communications Commission (KCC) | | Regulator | Under the government authority | 2008 |
| Korean Internet and Security Agency (KISA) | | Regulator | Under the government authority | 2009 |

| Legal text name | Original text name | Legislation type | Year signed | Regulation status | In effect since | Latest update initiated | Latest update areas | Latest update signed year |
|---|---|---|---|---|---|---|---|---|
| Personal Information Protection Act | Personal Information Protection Act (PIPA) | General privacy/data protection law | 2011 | Active | 2011 | 2023 | Rights, penalties, definitions | 2023 |