Last modified 20 March 2026

Data Protection in South Korea

Breach notification in South Korea

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in South Korea

The main laws that apply to the handling of data about individuals are the Personal Information Protection Act (“PIPA”), the Act on the Use and Protection of Credit Information (“CIA”) and the Act on the Protection and Use of Location Information (“LIA”).

The PIPA was amended on March 10, 2026, with most provisions set to take effect on September 11, 2026. This landmark amendment significantly enhances the personal information protection regime through the following key changes:

Significant increase in administrative penalties: The maximum administrative penalty has been raised from 3% to 10% of total revenue in specific circumstances, including:
- repeated violations involving willful misconduct or gross negligence within a three-year period;
- violations affecting 10 million or more data subjects; or
- failure to comply with a corrective order issued by the PIPC.
Expanded scope of notification obligations: The definition of “breach, etc.” has been expanded to include not only loss, theft or leakage, but also the forgery, alteration or damage of personal information. Furthermore, notification to data subjects is now required upon becoming aware of a “possibility of a breach, etc.”, moving the notification trigger to an earlier stage of an incident.
Clarification of CEO accountability: The amended PIPA explicitly designates the business owner or representative of a personal data controller as the “ultimate person responsible for the processing and protection of personal information.” For certain personal data controllers meeting criteria to be specified in the Presidential Decree of the PIPA, the appointment and dismissal of the Chief Privacy Officer (CPO) must now be approved by the Board of Directors and the designation must be formally reported to the PIPC.
Mandatory ISMS-P certification: The Personal Information & Information Security Management System (ISMS-P) certification, previously voluntary, is now mandatory for private entities meeting specific criteria. While the general law takes effect in 2026, this mandatory certification requirement will be enforced starting July 1, 2027.

Related resources

Definitions

Definitions in South Korea

Definition of personal data

Under the PIPA, “personal information” means information relating to a living individual that constitutes any of the following:

Information that identifies a particular individual by his / her full name, resident registration number, image, etc.;
Information which, even if by itself does not identify a particular individual, may be easily combined with other information to identify a particular individual (in this case, whether or not there is ease of combination shall be determined by reasonably considering the time, cost, technology, etc. used to identify the individual such as likelihood that the other information can be procured);
Information under items (a) or (b) above that is pseudonymised in accordance with the relevant provisions and thereby becomes incapable of identifying a particular individual without the use or combination of information for restoration to the original state (referred to as “pseudonymised information”).

Definition of sensitive personal data

Under the PIPA, “sensitive information” is defined as personal information concerning an individual’s ideology, faith, labor union.

membership, political views or membership in a political party, health or medical treatment information, sexual orientation, genetic information, criminal records and biometric data for the purpose of uniquely identifying a natural person and race / ethnic information. Sensitive information can be processed if (a) such processing is required or permitted by a statute, or (b) the consent of the data subject is separately obtained.

Definition of unique identification personal data

Under the PIPA, “unique identification information” is defined to be Resident registration number (“RRN”), driver’s license number, passport number, and foreigner registration number. Other information, apart from RRNs, can be processed if (a) such processing is required or permitted by statute, or (b) the consent of the data subject is separately obtained. RRN can only be processed based on a legal basis, irrespective of whether consent to the processing is obtained from the data subject.

Related resources

Authority

National data protection authority in South Korea

The PIPC is in charge of the enforcement of the PIPA.

The PIPC shall perform the following work:

Matters concerning the improvement of law relating to personal information protection;
Matters concerning the establishment or execution of policies, systems or plans relating to personal information protection;
Matters concerning investigation into infringement upon the rights of data subjects and the ensuing dispositions;
Handling of complaints or remedial procedures relating to personal information processing and mediation of disputes over personal information;
Exchange and cooperation with international organizations and foreign personal information protection agencies to protect personal information;
Matters concerning the investigation and study, education and promotion of law, policies, systems and status relating to personal information protection;
Matters concerning the support of technological development and dissemination relating to personal information protection and nurturing of experts; and
Matters specified as the work of the PIPC by the PIPA or other statutes.

Related resources

Registration

Registration in South Korea

Under the PIPA, there is no general rule regarding the registration of personal data controller. However, a public institution (that is, in this context any government agency or institution) which manages a personal information file (i.e. collection of personal information) must register the following with the PIPC:

name of the personal information file;
basis and purpose of operation of the personal information file;
items of personal information which are recorded in the personal information file;
the method to process personal information;
period to retain personal information file;
person who receives personal information generally or repeatedly; and
other matters prescribed by the Presidential Decree.

The Presidential Decree of PIPA stipulates that the following also shall be registered with the PIPC:

the name of the institution which operates the personal information file;
the number of subjects of the personal information included in the personal information file;
the department of the institution in charge of personal information processing;
the department of the institution handling the data subjects’ request for inspection of personal information; and
the scope of personal information inspection of which can be restricted or rejected and the grounds.

Therefore, only “public institutions” are required to register with the PIPC.

Related resources

Data protection officers

Data protection officers in South Korea

Under PIPA, every personal data controller (which means any person, any government entity, company, individual or other person that, directly or through a third party, controls and / or processes personal information in order to operate personal information files as part of its activities) must designate a chief privacy officer (“CPO”). The CPO must be an employee or executive of the company.

In addition, personal data controllers that meet certain criteria are required to designate a CPO with:

at least three years of experience in personal information protection; and
a combined career of at least six years in personal information protection, data protection and information technology.

More specifically, the obligation to designate a CPO with the foregoing qualifications is applicable to an entity whose annual sales revenue or income amounts to at least KRW 150 billion, and:

processes sensitive information or unique identification information of at least 50,000 data subjects, or processes personal information of at least 1 million data subjects;
is a school under the Higher Education Act with at least 10,000 enrolled students as of December 31 of the immediately preceding year;
is a tertiary hospital under the Medical Service Act; or
is a public institution operating a personal information processing system which meets the standards set by the PIPC.

There are no nationality or residency requirements for the CPO.

If a CPO is not designated, the personal information processing entity may be subject to a maximum administrative fine of KRW 10 million under the PIPA.

The recently amended PIPA mandates that personal data controllers meeting certain thresholds – to be specified in the forthcoming Presidential Decree currently undergoing the legislative process – must obtain approval from the Board of Directors for the appointment, change or dismissal of a CPO, and formally report such designation to the PIPC.

Furthermore, to establish a continuous and robust personal information safety management system, the CPO’s role has been significantly strengthened. The CPO’s obligations under the amended PIPA are as follows:

establishing and implementing plans for the protection of personal information;
managing specialized personnel and securing necessary budgets for the protection of personal information;
reporting the current status and key matters of personal information protection to the business owner, representative and the Board of Directors;
performing periodic investigations and improving the status and practices of the processing of personal information;
handling complaints and dealing with damage pertaining to the processing of personal information;
establishing internal control systems for preventing leakage, misuse and abuse of personal information;
establishing and implementing training sessions for the protection of personal information;
protecting, managing, and monitoring personal information files;
establishing, amending, and implementing a privacy policy;
managing materials concerning the protection of personal information; and
destroying personal information for which the purpose of processing has been achieved or for which the retention period has expired.

Related resources

Collection and processing

Collection and processing in South Korea

Under the PIPA, there must be a specific legitimate basis for collection and use of personal information, with the most representative basis being the data subject's consent. As a result, in principle, the explicit consent of data subjects must be obtained before processing their personal information. However, the data subjects' consent is not required in cases where the processing of personal information is prescribed by a statute or where it is necessary for an entity to process personal information in order to comply with its legal obligations.

Exceptions to the general rule above which are applicable to personal data controllers are as follows:

where special provisions exist in other statutes or it is unavoidable due to obligations under statutes or regulations;
where it is unavoidable for a public institution’s performance of work under its jurisdiction as prescribed by statutes or regulations, etc.;
where it is necessary to perform an agreement entered into with a data subject or to take measures as requested by a data subject in the course of executing such agreement;
where it is deemed manifestly necessary for the protection, from imminent danger, of life, bodily and property interests of a data subject or a third party;
where it is necessary to attain the legitimate interests of a personal data controller, the interest of which is manifestly superior to the rights of the data subject. In such cases, processing shall be allowed only to the extent the processing is substantially related to the legitimate interests of the personal data controller and does not go beyond a reasonable scope; or
where it is urgently necessary for public safety and security, public health, etc.

While one consent form may be used, separate consents must be obtained respectively for each type of processing activity (e.g. collection and use, third party provision) and for different types of personal information (e.g. unique identification information and sensitive information).

Under the PIPA, data subjects must be informed of, and provide their consent to, the following matters before their personal information is collected and / or used:

the purpose of the collection and use;
the items of personal information that will be collected;
the duration of the possession and use of the personal information; and
the fact that the data subject has a right to refuse to give consent and the negative consequences or disadvantages that may result due to any such refusal.

The processing of the RRN (which is a type of unique identification information) is prohibited even with the consent of the data subject unless the processing is explicitly required or permitted under a statute.

If the data subject is under the age of 14, the consent of their legal guardian must be obtained.

Related resources

Transfer of personal data

Transfer of personal data in South Korea

As a general rule, a personal data controller may not provide personal information to a third party without obtaining the prior opt in consent of the data subject.

Exceptions to the general rule above apply in the following cases:

where there exist special provisions in any Act or it is necessary to fulfil an obligation imposed by or under any Act and subordinate statute;
where it is necessary for a public institution to perform its affairs provided for in any Act and subordinate statute, etc.;
where it is deemed manifestly necessary for the protection of life, bodily and property interests of a data subject or a third party where imminently endangered;
where it is necessary to attain the legitimate interests of a personal data controller, the interest of which is manifestly superior to the rights of the data subject. In such cases, processing shall be allowed only to the extent the processing is substantially related to the legitimate interests of the personal data controller and does not go beyond a reasonable scope; and
where it is urgently necessary for the public safety and security, public health, etc.

Under the PIPA, a personal data controller must obtain consent after it notifies the data subject of:

recipient of personal information;
purposes for which the recipient of personal information uses such information;
particulars of personal information to be provided;
period during which the recipient retains and uses personal information;
the fact that the data subject is entitled to deny consent, and disadvantages, if any, resulting from the denial of consent.

If a business transfer occurs, the personal data controller may transfer personal information without consent, provided that it must provide its data subjects a chance to opt out by providing a notice of:

expected personal information transfer;
contact information of the recipient of the personal information, including the name, address, telephone number and other contact details of the recipient; and
means and process by which the data subjects may refuse to consent to the transfer of personal information.

In addition to the restrictions set out above, consent must be received as a general rule for the cross-border transfer of personal information under the PIPA. That said, consent need not be received in the following cases:

where there are special provisions on cross-border transfers under laws, treaties or other international agreements;
where delegation of processing or storage is necessary for the execution and performance of agreements with data subjects, and such details are disclosed in the privacy policy or notified to the data subjects via email, etc.;
where the recipient of personal information has taken all necessary measures, such as authentication and safety measures required by the PIPC, such as ISMS-P; or
where the countries or international organizations that personal information is transferred to are recognized by the PIPC as having an adequate level of protection. Notably, on September 3, 2025, the PIPC formally recognized the EU’s data protection standards as equivalent to Korea’s. Consequently, personal data transfers from Korea to the EU are now permitted without prior consent, mirroring the EU’s adequacy decision and significantly facilitating bilateral data flows.

When obtaining consent for cross-border transfers, personal data controllers must notify the following:

specific information to be transferred overseas;
destination country;
date, time, and method of transmission;
name and the contact information of the third party;
third party's purpose of use of the personal information and the period of retention and usage; and
method and procedure for rejecting the cross-border transfer and the consequences thereof.

Related resources

Security

Security in South Korea

Under the PIPA, every personal data controller must, when it processes personal information of a data subject, take the following technical and administrative measures in accordance with the guidelines prescribed by the Presidential Decree to prevent loss, theft, leakage, alteration or destruction of personal information:

establishment and implementation of an internal control plan for handling personal information in a safe way;
installation and operation of an access control device, such as a system for blocking intrusion to cut off illegal access to personal information;
measures for preventing fabrication and alteration of access / log records;
measures for security including encryption technology and other methods for safe storage and transmission of personal information; and
measures for preventing intrusion of computer viruses, including installation and operation of vaccine software, and other protective measures necessary for securing the safety of personal information.

The PIPA provides detailed measures to be taken by the personal data controller in its subordinate regulations. On October 31, 2024, the PIPC released the updated Guidelines on Standards for Measures to Ensure Security of Personal Information (the “Guidelines”) (link).

Related resources

Breach notification

Breach notification in South Korea

In the event of a personal information leakage, the personal data controller must notify the affected data subjects within 72 hours of becoming aware of the leakage. The personal data controller must also report to the regulator within 72 hours if:

personal information of 1,000 or more data subjects has been leaked;
sensitive information or unique identification information has been leaked; or
personal information has been leaked through unauthorized access from the outside.

However, no regulatory reporting is needed if the personal data controller is able to take measures to significantly reduce the possibility of infringement of the rights and interests of the affected data subjects, such as retrieving or deleting the compromised personal information.

The 2026 PIPA amendment significantly broadens the scope and timing of these obligations:

Expanded definition of “breach, etc.”: The statutory definition of a reportable incident has been expanded beyond “loss, theft, or leakage” to now explicitly include “forgery, alteration, or damage” of personal information.
Lowered notification trigger: Crucially, while the previous law required notification only after a breach “has occurred,” the amended PIPA mandates notification upon becoming aware of a “possibility of a breach, etc.” The specific criteria for this “possibility” will be further defined in the Presidential Decree, taking into account the type of information, the level of risk, and the potential impact on data subjects.
Mandatory disclosure of remedies: When notifying data subjects and reporting to the regulator, personal data controllers must now include information on available remedial measures. This includes providing clear guidance on procedures for claiming damages or applying for dispute mediation, ensuring that both individuals and the regulator are informed of the necessary steps for post-incident relief.

Related resources

Enforcement

Enforcement in South Korea

Non-compliance with the PIPA may result in administrative surcharges, administrative fines, corrective orders, and/or criminal punishment. For example, PIPC, the supervising authority, can issue a corrective order in response to any breach of an obligation not to provide personal information to a third party. Breach of a corrective order leads to an administrative fine of not more than KRW 30 million. Prior to issuing a corrective order, PIPC may take an incremental approach and instruct, advise and make recommendations to the personal data controller. On the other hand, where personal information has been transferred to a third party without the consent of the data subject and in the absence of exceptional circumstances, both the transferor and the transferee (if it received the personal information knowing that the data subject had not given consent) can be subject to criminal sanctions (imprisonment of up to 5 years or a criminal fine of up to KRW 50 million).

Punitive damages

In instances of data breaches caused by the personal data controller's intentional act or negligence, the personal data controller may be liable for up to five times the damages suffered.

Administrative penalties

See also Law as regards the significant increase in administrative penalties introduced under amendment to the PIPA passed on March 10, 2026, with most provisions set to take effect on September 11, 2026.

Related resources

Electronic marketing

Electronic marketing in South Korea

Under the Act on the Promotion of Information and Communications Network (the “Network Act”), anyone who intends to transmit an advertisement by electronic transmission media must receive the explicit consent of the individual; but if the individual either withdraws consent or does not give consent, then an advertisement for profit may not be transmitted.

In addition, the transmitter of advertisement information for profit must disclose the following information specifically within the advertisement:

the identity and contact information of the transmitter; and
instructions on how to consent or withdraw consent for receipt of the advertisement information.

A person who transmits an advertisement must not take any of the following technical measures:

a measure to avoid or impede the addressee's denial of reception of the advertising information or the revocation of his consent to receive such information;
a measure to generate an addressee's contact information, such as telephone number and electronic mail address, automatically by combining figures, codes, or letters;
a measure to register electronic mail addresses automatically with intent to transmit advertising information for profit, and various measures to hide the identity of the sender of advertising information or the source of transmission of an advertisement.

Related resources

Online privacy

Online privacy in South Korea

Cookie, logs, IP information, etc. may also be regulated by the PIPA as personal information if, combined with other information, it may enable the identification of a specific individual person easily.

The protection of location information is governed by the LIA. Under the LIA, any person who intends to collect, use, or provide location information of a person or mobile object shall obtain the prior consent of the person or the owner of the object, unless:

there is a request for emergency relief or the issuance of a warning by an emergency rescue and relief agency;
there is a request by the police for the rescue of the person whose life or physical safety is in immediate danger, or there exist special provisions in any Act.

Any person (entity) who intends to provide services based on location information (“Location-based Service Provider”) shall report to the Korea Communications Commission (“KCC”). Further, any person (entity) who intends to collect location information and provide the collected location information to Location-based Service Providers (“Location Information Provider”) shall obtain a license from the KCC.

If a Location Information Provider intends to collect personal location information, it must specify the following information in its service agreement, and obtain the consent of the subjects of personal location information:

name, address, phone number and other contact information of the Location Information Provider;
rights held by the subjects of personal location information and their legal agents and methods of exercising the rights;
details of the services the Location Information Provider intends to provide to Location-based Service Providers;
grounds for and period of retaining data confirming the collection of location information; and
methods of collecting location information.

If a Location-based Service Provider intends to provide location-based services by utilizing personal location information provided by a Location Information Provider, it must specify the following information in its service agreement, and obtain the consent of the subjects of personal location information:

name, address, phone number and other contact information of the Location-based Service Provider;
rights held by the subjects of personal location information and their legal agents and methods of exercising the rights;
details of the location-based services;
grounds for and period of retaining data confirming the use and provision of location information; and
matters concerning notifying the personal location information subject of the provision of location information to a third party as below.

If a Location-based Service Provider intends to provide location information to a third party, in addition to the above, it must notify the subjects of personal location information of the third party who will receive the location information and the purpose of this provision.

Related resources

Key contacts

Data protection lawyers in South Korea

Michael Kim

Senior Foreign Attorney

Kim & Chang

Seoul

Email Full bio

Ari Yoon

Senior Korean Attorney

Kim & Chang

Seoul

Email Full bio

personal information of 1,000 or more data subjects has been leaked;
sensitive information or unique identification information has been leaked; or
personal information has been leaked through unauthorized access from the outside.

The 2026 PIPA amendment significantly broadens the scope and timing of these obligations:

Expanded definition of “breach, etc.”: The statutory definition of a reportable incident has been expanded beyond “loss, theft, or leakage” to now explicitly include “forgery, alteration, or damage” of personal information.
Lowered notification trigger: Crucially, while the previous law required notification only after a breach “has occurred,” the amended PIPA mandates notification upon becoming aware of a “possibility of a breach, etc.” The specific criteria for this “possibility” will be further defined in the Presidential Decree, taking into account the type of information, the level of risk, and the potential impact on data subjects.
Mandatory disclosure of remedies: When notifying data subjects and reporting to the regulator, personal data controllers must now include information on available remedial measures. This includes providing clear guidance on procedures for claiming damages or applying for dispute mediation, ensuring that both individuals and the regulator are informed of the necessary steps for post-incident relief.

Quick links

Data Protection in South Korea

Breach notification in South Korea

Continue reading