This country-specific Q&A provides an overview of the Data Protection & Cyber Security laws and regulations applicable in South Korea.
Please provide an overview of the legal and regulatory framework governing data protection and privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the relevant laws). Are there any expected changes in the data protection and privacy law landscape in 2022-2023 (e.g., new laws or regulations coming into effect, enforcement of any new laws or regulations, expected regulations or amendments)?
In Korea, there are various laws, regulations and guidelines that govern privacy as discussed below.
The Personal Information Protection Act (the “PIPA”) acts as a general law on processing and protecting personal data.
The Credit Information Use and Protection Act (the “Credit Information Act”) regulates entities that collect, use, investigate, manage or provide credit information.
The Act on the Protection and Use of Location Information (the “Location Information Act”) specifically targets the protection of “location information” and “personal location information”.
The Act on the Promotion of IT Network Use and Information Protection (the “Network Act”) played an important part in governing privacy in the context of IT networks. However, the new Network Act, which took effect on August 5, 2020, transferred the provisions related to personal information protection to PIPA. Still, the new Network Act prohibits any unauthorized access to a network system by means of a transfer or distribution of a program that may damage, destroy, alter or corrupt the network system, or its data or programs.
Several government agencies function as regulators that administer these privacy-related laws. The Personal Information Protection Commission (“PIPC”) and the Ministry of the Interior and Safety (“MOIS”) enforce the PIPA and issue policies, administrative measures relating to the protection of personal information, and formal interpretations thereon. The Financial Services Commission (“FSC”) and the Financial Supervisory Service (“FSS”) enforce the Credit Information Act and issue formal interpretations thereon. The Korea Communications Commission (“KCC”) enforces the Location Information Act and the Network Act and issues formal interpretations thereon. The Korea Internet & Security Agency (“KISA”) performs tasks delegated to it by the PIPC, MOIS and KCC.
Currently, there are several pending proposals to amend the PIPA, and the most notable one is proposed by the PIPC. This proposed amendment includes:
Introduction of the data subject’s right to data portability and right to be excluded from automated decision making;
Abolition of the special regulations for information and communication service providers so that the same regulations can be applied to all data controllers;
Establishment of operation standards for mobile visual data processing devices, such as drones and autonomous vehicles;
Diversifying the methods of transferring personal information overseas (allowing personal information to be transferred overseas without consent when the PIPC recognizes that the country to which the information is transferred has a level of protection substantially equal to the level of protection offered by the PIPA);
Changes to the rules on criminal and administrative sanctions (shifting the focus from criminal punishments to economic sanctions to improve effectiveness);
Changes to the current personal information dispute mediation system to encourage data subjects to resolve claims via dispute mediation.
This proposed amendment has been submitted to the National Assembly after being reviewed and approved by the government, and it is under the review of the committees of the National Assembly.
There are two recent notable changes in the privacy law landscape in Korea: (i) the European Commission’s adoption of an adequacy decision for Korea, and (ii) the amendment to the Location Information Act.
On December 17, 2021, the European Commission adopted its adequacy decision on the Republic of Korea with immediate effect. The adequacy decision allows the transfer of personal information between the EU and Korea without any separate authorization or procedure.
The amendment to the Location Information Act will be enforced from April 20, 2022. In this amendment, any person who intends to engage in a “location information business” is no longer required to obtain a license from the KCC, but can simply register with the KCC (the registration is a simpler process than applying for a license).
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
Korea does not have any privacy-oriented general requirements to register personal information processing activities. However, certain specific data processing may require registration or licensing.
For example, under the Location Information Act, any person who intends to engage in a “location information business” must register with the KCC, and any person who intends to engage in a “location-based service business” must file a report with the KCC. However, exemptions are available if location information is to be used only for non-profit purposes.
How do these laws define personal data or personally identifiable information (PII) versus special category or sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
In a nutshell, “Personal Information” is defined under the PIPA as information relating to a natural person where such information may be used – either by itself or combined with other information – to specifically identify that person.
As to special categories of PII, the PIPA also defines (i) “Sensitive Information” as information on ideology, belief, admission to or withdrawal from a trade union or political party, political opinions, health, sex life, bio-data, criminal records and other personal information that is likely to markedly threaten the privacy of any data subject; and (ii) “Unique Identifiable Information” as unique identifiers assigned to each individual as prescribed by the Presidential Decree of the PIPA, such as resident registration numbers, driver’s license numbers, passport numbers, and alien registration numbers.
What are the principles related to the general processing of personal data or PII – for example, must a covered entity establish a legal basis for processing personal data or PII in your jurisdiction, or must personal data or PII only be kept for a certain period? Please outline any such principles or “fair information practice principles” in detail.
Under the PIPA, personal information should be protected under the following general principles:
Purpose of processing should be explicitly specified and collection should be lawful and fair to the minimum extent necessary;
Processing should be made in an appropriate manner necessary and not beyond the original purpose;
Accuracy, completeness, and freshness of personal information should be ensured;
Personal information should be managed safely after taking into account possibility of infringement upon the data subject’s rights;
The data controller should process personal information in a manner to minimize the possibility of infringing the privacy of a data subject;
The data controller should endeavor to process personal information through anonymization where possible (or through pseudonymisation, if it is impossible to fulfil the collection purpose through anonymization) if the purpose of collection can be achieved by processing anonymized (or pseudonymised) personal information;
The data controller should endeavor to obtain trust of data subjects by observing and performing such duties and responsibilities as provided for in the PIPA and other related statutes; and
The data controller should destroy personal information without delay when the personal information becomes unnecessary.
Are there any circumstances where consent is required or typically used in connection with the general processing of personal data or PII?
Under the PIPA, the consent of the data subject is required when (i) collecting personal information; (ii) providing or sharing personal information to/with a third party; and (iii) using personal information or providing it to a third party for any purpose other than the purpose with respect to which the data subject’s consent has already been obtained, unless doing so is likely to unfairly infringe upon the interest of a data subject or a third party.
What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?
When making a request for consent of the data subject to the processing of personal information, the data controller should present such request in a clearly recognizable manner where each matter requiring consent is distinctly presented.
When obtaining the consent, the following should be communicated to the data subject: (i) purpose of the collection and use; (ii) particulars of personal information to be collected; (iii) anticipated retention and use period; and (iv) the fact that the data subject may refuse to give consent, and disadvantages, if any, resulting from such refusal.
Further, when a data controller intends to provide any personal information to a third party, a separate consent must be obtained by informing the data subject the following information: (i) the intended recipient; (ii) the recipient’s purpose of use; (iii) particulars of personal information to be provided; (iv) the anticipated retention and use period; and (v) the fact that the data subject may refuse to give consent, and disadvantages, if any, resulting from such refusal.
What special requirements, if any, are required for processing sensitive PII? Are there any categories of personal data or PII that are prohibited from collection?
“Sensitive Information” may not be processed unless (i) the data subject’s consent is duly obtained on a separate basis; or (ii) specifically required or permitted under any statute.
Further, “Unique Identifiable Information” may not be processed unless (i) the data subject’s consent is duly obtained on a separate basis or (ii) it is specifically required or permitted under any statute, except in the case of a person’s resident registration number. The PIPA specifically protects resident registration numbers by prohibiting a personal information controller from processing them unless (i) an Act, Presidential Decree, National Assembly Regulation, Supreme Court Regulation, Constitutional Court Regulation, National Election Commission Regulation or Board of Audit and Inspection Regulation specifically requires or permits the processing of resident registration numbers; or (ii) it is otherwise deemed manifestly necessary for the protection, from imminent danger, of the life, bodily or property interests of a data subject or a third party.
How do the laws in your jurisdiction address children’s personal data or PII?
In order to obtain consent for processing of any personal information of a child under 14 years of age, consent of the child’s legal representative should be obtained. Further, in the course of requesting consent of such minor, communications should be made in understandable forms and plain and readily comprehensible language. The legal representative of a child under 14 years of age may file a request for access, correction/erasure, suspension of processing, and withdrawal of consent related to the personal information of the child with a personal information controller.
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
Under the PIPA, pseudonymized information may be processed without obtaining the consent of data subject if used for such purposes as statistical purposes, scientific research purposes, and archiving purposes in the public interest.
Further, the general rules relating to the restrictions upon the processing of personal information do not apply if the personal information (i) is collected pursuant to the Statistics Act for processing by public institutions; (ii) is collected or requested for the analysis of information related to national security; (iii) is processed temporarily where there is an urgent need for the public safety, security and public health; or (iv) is collected or used for its own purposes of reporting by the press, missionary activities by religious organizations, and nomination of candidates by political parties, respectively.
Also, PIPA does not apply to anonymized information that no longer identifies a particular individual when combined with other information, reasonably considering such factors as required time, cost, and technology.
Does your jurisdiction impose requirements of 'data protection by design' or 'data protection by default' or similar? If so, please describe the requirement and how businesses typically meet the requirement.
Korea does not impose legal requirements of data protection by design or by default. However, MOIS and KISA have jointly published a data protection guideline for developers and operators of personal data processing systems. The guideline explains the methods and procedures for complying with the legal requirements of the data privacy laws at the development and operation stages of a system. It is best practice to follow this guideline and also to consider other legal requirements from the design stage of a personal data processing system.
Also, the PIPA provides the principle of ‘data minimization,’ which is a concept closely related to the ‘data protection by design or default’ under the EU’s GDPR. According to PIPA, the processor shall collect and use only personal data which are necessary for each specific purpose of the processing. The data processor should consider this principle in terms of the amount of personal data collected, the extent of their processing, and the period of their storage.
Are owners or processors of personal data or PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
The PIPA and its subordinate regulations require records of certain personal data processing activities to be maintained and retained for a certain period, including (i) access records to the personal data processing system; (ii) records on the out-of-purpose use and provision, and the destruction, of visual personal data; and (iii) records on the pseudonymization of personal data. Also, businesses are required to establish and implement an internal management plan for data protection.
Other laws also require the keeping of personal data processing records. For example, under the Credit Information Act, certain credit-related business operators are required to maintain and retain records on the collection and use, provision, and destruction of personal credit information for 3 years. Businesses should first determine which laws apply to their activities, and abide by the record retention requirements of those laws.
Do the laws in your jurisdiction require or recommend having defined data retention and data disposal policies and procedures? If so, please describe these data retention and disposal requirements.
The PIPA states that a personal information controller shall destroy personal information without delay when the personal information becomes unnecessary (e.g., when the notified retention period is expired, when the personal information is no longer necessary for the purpose of its collection and use, etc.). When destroying personal information, appropriate measures must be taken by the personal information controller to prevent the recovery or revival of the deleted information.
However, the personal information controller is not obligated to delete certain personal information if it is subject to a legal retention requirement. In this case, the relevant personal information must be stored and managed separately from other personal information managed by the personal information controller.
Regarding the disposal procedures, the Presidential Decree of the PIPA states that personal information in electronic files shall be permanently deleted so that it cannot be restored, and other records, printouts, paper documents, and media containing personal information, shall be either shredded or incinerated.
When are you required to, or when is it recommended that you, consult with data privacy regulators in your jurisdiction?
Businesses of a certain scale or engaged in the information and communication service sector are required to report to the relevant authorities when a leakage, loss, or theft of personal data occurs in their systems. In addition, information and communication service businesses are obliged to report to the authorities other unlawful activities such as cyber-attacks on the information system and fraudulent solicitation of personal data. Conversely, businesses may be contacted or questioned by the regulators; consulting or cooperating with the regulators is recommended if the issue pertains to unlawful activities of the business in connection with the processing of personal data.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
Where there is a risk of infringement of the personal information of data subjects due to the operation of personal information files meeting the criteria prescribed by the Presidential Decree of the PIPA, the head of a public institution is required to conduct an assessment to analyze risk factors and improve them, and to submit its results to the PIPC. The privacy impact assessment should cover the following matters: (i) the amount of personal information being processed; (ii) whether the personal information is provided to a third party; (iii) the likelihood of violating the rights of the data subjects and the degree of risk; and (iv) certain other matters specifically prescribed by the Presidential Decree.
On the other hand, private sector businesses are not generally mandated to conduct a specific risk assessment of their data processing activities. However, since businesses are required by law to implement technical, physical, and managerial measures for the protection of personal data, and since a leakage of personal data may expose the business to a significant amount of liability, a risk assessment procedure can be used to improve and strengthen the data protection measures of the business.
Do the laws in your jurisdiction require appointment of a data protection officer (or other person to be in charge of privacy or data protection at the organization) and what are their legal responsibilities?
Businesses are required to appoint a Chief Privacy Officer who is in charge of the business’s processing of personal data. Duties of the Chief Privacy Officer imposed by law include: (i) establishing and implementing a personal data protection plan, (ii) conducting investigations and improvements of the status and practices of personal data processing, (iii) handling grievances and providing remedial measures in relation to personal data processing, (iv) establishing an internal control system to prevent the divulgence, abuse, or misuse of personal data, (v) preparing and implementing education programs on the protection of personal data, and (vi) protecting and managing personal data files.
If the business is an information and communication service business, the business is required, with certain exemptions, to appoint a Chief Information Security Officer in charge of data protection and system security. Duties of the Chief Information Security Officer imposed by law include: (i) establishing, operating, and improving an information protection plan, (ii) regularly auditing and improving information protection conditions and practices, (iii) identifying and evaluating information security risks and preparing information protection measures, and (iv) establishing and implementing information security education and simulation training plans.
Do the laws in your jurisdiction require or recommend employee training? If so, please describe these training requirements.
The PIPA states that a personal information controller shall provide necessary training to its personal information handlers (employees) regularly to ensure the appropriate handling of personal information. Also, a Chief Privacy Officer shall prepare and implement employee training on personal information protection.
Do the laws in your jurisdiction require businesses to provide notice to individuals of their processing activities? If so, please describe these notice requirements (e.g., posting an online privacy notice).
Certain information and communication service businesses are required to periodically notify service users of the details of the usage of personal data collected by the business and of any transfers of personal data to third parties.
Do the laws in your jurisdiction draw any distinction between the owners/controllers and the processors of personal data and, if so, what are they? (e.g., are obligations placed on processors by operation of law, or do they typically only apply through flow-down contractual requirements from the owners/controller?)
Korea distinguishes (i) the processor of personal data (similar to the ‘data controller’ under the GDPR) from (ii) entities entrusted with the processing of personal data (entrustees, similar to the ‘processor’ under the GDPR). Processors are usually the entity initially collecting the personal data from the data subjects, and their obligations are mostly imposed by operation of law.
On the other hand, processors may entrust or outsource functions that require the processing of personal data to service providers, the entrustees. Obligations of the entrustee are imposed both by operation of law, where the legal obligations of the processor apply with necessary modifications, and through the contractual requirements of the entrustment contract executed with the processor.
Do the laws in your jurisdiction require minimum contract terms with processors of personal data or PII or are there any other restrictions relating to the appointment of processors (e.g., due diligence or privacy and security assessments)?
Korea requires certain terms to be included in the entrustment contract governing the entrustment relationship, such as (i) the prohibition of personal data processing for purposes other than the entrusted purpose, (ii) technical and managerial safeguards for personal data, (iii) the work being entrusted and (iv) restrictions on re-entrustment.
While the law does not specifically mandate any due diligence or assessment to be carried out when appointing entrustees, it recommends comprehensively considering the entrustee’s personal data processing and protection capabilities, such as its personnel, physical facilities, financial capability, technological capacity, and capacity to bear responsibility.
Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction including the use of tracking technologies such as cookies. How are these terms defined and what restrictions are imposed, if any?
There is no explicit statute governing monitoring or profiling activities in Korea. If information generated on a real-time basis (such as log information) can readily be combined with other information and thereby becomes personal information, such information is protected by the PIPA and the data subject’s consent must be obtained for its collection.
Regarding automated decision-making, the Credit Information Act has recently introduced certain rights of the data subject for automated decision-making regarding his/her personal credit information. These rights enable the data subject to request credit bureaus, banks, insurance companies, etc. to provide meaningful information about the result, major criteria, logic, and information involved in automated decision-making. Further, the data subject may submit data to draw a favorable result, and raise objections to the automated decisions.
Please describe any restrictions on cross-contextual behavioral advertising. How is this term or related terms defined?
The term “cross-contextual behavioral advertising” is not defined in Korea’s privacy laws.
However, the Online Personalized Advertising Privacy Guidelines, published by the KCC and KISA, provide certain principles for online personalized advertising using data subjects’ behavioral information. According to these guidelines, advertisers should notify data subjects of the details of how their behavioral information is being processed, such as the identity of the processor and the items and method of collecting behavioral information. Also, advertisers should allow data subjects to control the receipt or blocking of personalized advertisements, and should implement certain security measures to prevent unlawful disclosure or illegal use of the behavioral information being collected.
For more information about the restrictions on advertising, please refer to our answer to Question 23 below.
Please describe any laws in your jurisdiction addressing the sale of personal information. How is “sale” or related terms defined and what restrictions are imposed, if any?
The term “sale” of personal information is not defined in Korea’s privacy laws. However, the sale of personal information is an example of “provision” of personal information to a third party under the PIPA. Therefore, the data controller shall obtain the data subject’s consent for provision of personal information, as we have commented in our answers to Questions 5 and 6.
Please describe any laws in your jurisdiction addressing telephone calls, text messaging, email communication or direct marketing. How are these terms defined and what restrictions are imposed, if any?
Under the Network Act, one must obtain the explicit consent of the recipient if one intends to transmit marketing information for profit via electronic means. There is an exception to this rule: consent is not necessary when a person who has directly obtained the contact information of the recipient through a trade relationship (for goods and/or services) intends to transmit marketing information for profit pertaining to a good/service of the same kind as the good/service previously traded, within 6 months from the date on which the previous trade relationship ended.
In addition, when transmitting marketing information for profit, the sender should specifically include information such as the name and contact information of the sender and the guidance on the method to refuse to receive such marketing information.
Please describe any laws in your jurisdiction addressing biometrics, such as facial recognition. How are these terms defined and what restrictions are imposed, if any?
Under Korean law, information pertaining to one’s bodily, physiological and/or behavioral characteristics which is generated for the purposes of distinguishing a particular individual constitutes “Sensitive Information.” Please refer to our earlier comments relating to the treatment of Sensitive Information under Korean privacy law.
Is the transfer of personal data or PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism? Does a cross-border transfer of personal data or PII require notification to or authorization from a regulator?)
What security obligations are imposed on personal data or PII owners/controllers and on processors, if any, in your jurisdiction?
Data controllers must take technical, managerial and physical measures for the protection of personal information that are specified in the regulation which include, among others, formulating and implementing an internal management plan for the safe processing of personal information, controlling access to personal information and restricting the authority to access personal information, and adopting encryption technology to safely store and transmit personal information.
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
The Standard PI Protection Guideline, a rule subordinate to the PIPA, defines PI “leakage” as the data controller’s loss of control over, or having let a third party gain access to, PI other than pursuant to applicable law or the data controller’s free will, where the event falls under any of the following: (i) loss or theft of a written instrument, portable device, computer or the like containing personal information; (ii) access by an unauthorized person to a PI processing system such as a database containing PI; (iii) delivery of any file, paper or other storage medium containing PI to an unauthorized person due to the data controller’s willful act or negligence; or (iv) any other transmission of PI to an unauthorized person.
Separately, the Network Act defines “breach incident” as “an occurrence which results from attacks against information/telecommunications network or other related information system by such means as hacking, computer virus, logic/mail bomb, service refusal or high-intensity electromagnetic wave.” Further, under the Network Act, “network infringement” includes (i) trespassing upon a network without authorization or exceeding permitted authorization level; (ii) transmission or dissemination of any malicious program; and (iii) causing difficulties to an information network by such measures as transmitting vast volume of signals or data or having the network process improper commands.
Does your jurisdiction impose specific security requirements on certain sectors, industries or technologies (e.g., telecoms, infrastructure, artificial intelligence)?
Yes. Certain industries, such as certain telecommunications business operators, credit information business operators and operators of electronic databases containing medical records, are subject to more detailed or aggravated security requirements.
Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
Under the PIPA, the relevant data subject should be informed immediately when the data controller becomes aware of a PI leakage incident, and if PI relating to 1,000 or more data subjects is leaked, in addition to the requirement to inform the data subjects individually, such fact should be immediately disclosed on the data controller’s internet homepage and reported to the PIPC and KISA.
Further, under the Network Act, a “breach incident” to an information network should be reported immediately to the Ministry of Science and ICT or KISA.
Does your jurisdiction have any specific legal requirement or guidance regarding dealing with cyber-crime, such as the payment of ransoms in ransomware attacks?
Under the Network Act, an information and communication service provider must take certain protective measures against hacking and other breach incidents, as specified in the Information Protection Guidance, a rule subordinate to the Network Act.
These protective measures include, among others, organizing and operating an information protection organization, establishing and managing an information protection plan, and responding to infringement incidents.
Does your jurisdiction have a separate cybersecurity regulator? If so, please provide details.
In general, cybersecurity matters relating to information and communication networks are handled by KISA, together with law enforcement bodies such as the police and the National Intelligence Service.
Do the laws in your jurisdiction provide individual data privacy rights, such as the right to access and the right to deletion? If so, please provide a general description of the rights, how they are exercised, what exceptions exist and any other relevant details.
The PIPA provides for certain privacy rights, including the right to access (the right to demand that the data controller grant access to matters relating to the data subject’s personal information, such as the particulars of the personal information collected, the purpose of collection/use, and the period of retention and use), the right to request correction/deletion (which cannot be exercised if the PI in question is specified under law as information to be collected), and the right to request cessation of processing of one’s personal information (which may be denied if prohibited by law or if there is otherwise a risk of unduly infringing upon another person’s rights).
The Credit Information Act has also newly introduced the data subject’s ‘right to data portability’ and the ‘right to object to automated decision making,’ which are concepts similar to the GDPR, although with some differences.
Are individual data privacy rights exercisable through the judicial system or enforced by a regulator or both?
Both. Individual data privacy rights are exercisable through the judicial system and are also enforced by regulators such as the PIPC.
Does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances?
Yes. One may claim damages against the data controller if he/she has suffered losses due to the data controller’s violation of the PIPA, unless the data controller has proven absence of intention or negligence. The PIPA also provides for a punitive damages provision (up to 3 times the amount of damages suffered) in the event of loss, theft, leakage, forgery, falsification and/or impairment of personal information caused by the data controller’s willful act or gross negligence.
Similarly, one may claim damages against the data controller if he/she has suffered losses due to the data controller’s violation of the Credit Information Act, unless the data controller has proven an absence of intention or negligence. The Credit Information Act also provides for a punitive damages provision (up to 5 times the amount of damages suffered) in the event of the divulgence, loss, theft, alteration or compromise of credit information in violation of the Credit Information Act, intentionally or with gross negligence.
According to the Location Information Act, where a subject of personal location information suffers damage because a location information provider has violated the Location Information Act, he/she may claim damages against the location information provider, unless the location information provider proves that there was no intention or negligence on their part.
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data privacy laws? Is actual damage required or is injury of feelings sufficient?
Yes. Damages claims may be made for both monetary loss and emotional (non-pecuniary) harm, but the burden of proving the scope of the damages lies with the claiming party.
How are the laws governing privacy and data protection enforced?
Please refer to our earlier comments.
What is the range of sanctions (including fines and penalties) for violation of these laws?
First and foremost, a penalty surcharge of up to 3% of the revenue to which the violation relates may apply to an information and communication service provider’s violation of certain major privacy provisions specified in the PIPA. Also, a penalty surcharge of up to KRW 500 million may be imposed on a data controller in the event of the loss, theft, leakage, forgery, falsification and/or impairment of resident registration numbers under its processing.
Further, criminal penalties of varying degrees of severity are imposed as follows:
Imprisonment of up to 10 years or a criminal fine of up to KRW 100 million for any person who has caused a severe impediment to the operation of a public institution through the alteration or deletion of personal information processed by that public institution;
Imprisonment of up to 5 years or a criminal fine of up to KRW 50 million for any person who provides personal information to a third party, or receives it from a third party, without obtaining the data subject’s consent;
Imprisonment of up to 3 years or a criminal fine of up to KRW 30 million for any person who has obtained personal information, or consent to the processing of personal information, through fraud or other improper means; and
Imprisonment of up to 2 years or a criminal fine of up to KRW 20 million for any person who has caused the loss, theft, leakage, forgery, falsification or impairment of personal information by failing to take the necessary security measures.
In addition, administrative penalties are imposed as follows:
up to KRW 50 million for collecting personal information without complying with the PI collection/use requirements;
up to KRW 30 million for failing to inform the data subject of the matters specified in law when obtaining the data subject’s consent;
up to KRW 20 million for having PI entrusted to a third party or stored overseas without informing the data subject; and
up to KRW 10 million for failing to comply with an applicable data retention obligation.
Are there any guidelines or rules published regarding the calculation of fines or thresholds for the imposition of sanctions?
The Presidential Decree of the PIPA provides guidelines for calculating the sanctions above. The methods for calculating the penalty surcharges are set out in Annex 1-3 and Annex 1-5, and the methods for calculating the administrative penalties are set out in Annex 2 of the Presidential Decree. The calculations take into account factors such as the degree of the violation, measures taken to minimize damage, cooperation with the investigation, and the duration and number of violations.
Meanwhile, the calculation of criminal penalties is left to the discretion of the criminal court.
Can personal data or PII owners/controllers appeal to the courts against orders of the regulators?
Yes. An appeal can be made directly to the administrative court, and the decision can be further appealed to the High Court and the Supreme Court.
Are there any proposals for reforming data protection or cybersecurity laws currently under review? Please provide an overview of any proposed changes and how far such proposals are through the legislative process.
Currently, there are several pending proposals to amend the PIPA, the most notable of which was proposed by the PIPC. For further details, please refer to our answer to Question 1 on the expected changes in the data protection and privacy law landscape in Korea.