PIPA (Personal Information Protection Act) in South Korea: A Practical Guide
1. Overview of PIPA and Its Scope of Application to Foreigners
A. The purpose and basic structure of PIPA
The purpose of the Personal Information Protection Act (hereinafter “PIPA”) is to protect the freedom and rights of individuals, and further to realize the dignity and value of the individual, by providing for matters relating to the processing and protection of personal information (PIPA, Article 1).
PIPA has been amended several times since it took effect on September 30, 2011, with the most recent major amendment made by Act No. 19234 of March 14, 2023. The 2020 amendment unified the personal-information-protection provisions formerly in the Act on Promotion of Information and Communications Network Utilization and Information Protection into PIPA.
B. Whether it applies to foreigners
PIPA protects “information relating to a living individual” (PIPA, Article 2, subparagraph 1) and places no restriction as to nationality. A foreigner, too, is therefore protected equally as a data subject (Article 2, subparagraph 3) under PIPA.
The matters of particular importance in foreigner-related practice are as follows.
| Category | Content |
|---|---|
| A foreigner as data subject | A foreigner, too, may exercise all rights regarding his or her own personal information—the right to demand access, correction, deletion, suspension of processing, and the like |
| Alien registration number | As unique identifying information, processing is prohibited in principle and permitted only exceptionally (PIPA, Article 24) |
| Cross-border transfer | Where a foreign business transfers the personal information of a domestic data subject abroad, separate regulation applies |
2. Key Concepts Relevant to Foreigners
A. The definition of personal information (Article 2, subparagraph 1)
“Personal information” means information relating to a living individual that falls under any of the following (PIPA, Article 2, subparagraph 1):
- Item (a): Information by which an individual can be identified, such as a name, resident registration number, or image.
- Item (b): Information by which a particular individual cannot be identified by that information alone but can be identified when easily combined with other information (the possibility of combination is judged by reasonably considering the time, cost, technology, etc. required, such as the likelihood of obtaining the other information).
- Item (c): Pseudonymized information.
For a foreigner, the alien registration number, passport number, name, address, contact details, image information, and the like all constitute personal information.
B. The alien registration number — special treatment as unique identifying information
The alien registration number constitutes unique identifying information under Article 19 of the Enforcement Decree of PIPA. The processing of unique identifying information is prohibited in principle and must be permitted only cautiously and strictly.
The processing of unique identifying information is permitted in the following two cases (PIPA, Article 24(1)):
- Where the data subject is informed of the purpose of collection and use, the items, the retention period, the right to refuse consent, and the like, and separate consent—distinct from consent to the processing of other personal information—is obtained.
- Where a statute specifically requires or permits the processing of unique identifying information.
Practical point: When collecting an alien registration number, separate consent must always be obtained, and it cannot be obtained together with the consent form for collecting other personal information. The collected alien registration number must also be subject to safety-securing measures such as encryption (PIPA, Article 24(3)).
C. The concept of processing (Article 2, subparagraph 2)
“Processing” means the collection, generation, linkage, interlocking, recording, storage, retention, value-adding, editing, retrieval, output, correction, recovery, use, provision, disclosure, destruction, and other similar acts in relation to personal information (PIPA, Article 2, subparagraph 2).
On the “use” of personal information in particular, the Supreme Court has held as follows.
The “use” of personal information provided in Article 18(1) of the former Personal Information Protection Act means an act by which a personal information controller itself uses personal information without transferring the right of control and management over it. The use of personal information includes not only the act of using personal information in the collected form as it is, but also the act of using collected personal information by value-adding or editing it, or of extracting and using information from it. (Supreme Court, June 26, 2025, 2023do18539)
3. Collection and Use of Personal Information — Foreigner-Related Practice
A. Lawful grounds for collection and use (Article 15)
A personal information controller may collect personal information, and use it within the scope of the purpose of collection, only where it falls under any of the following (PIPA, Article 15(1)).
| Subpara. | Content |
|---|---|
| 1 | Where the data subject’s consent is obtained |
| 2 | Where there is a special provision in a statute, or it is unavoidable to comply with a statutory obligation |
| 3 | Where unavoidable for a public institution to perform duties under its jurisdiction prescribed by statute, etc. |
| 4 | Where necessary to perform a contract concluded with the data subject, or to take measures at the data subject’s request in the course of concluding a contract |
| 5 | Where deemed manifestly necessary for the urgent interests of the life, body, or property of the data subject or a third party |
| 6 | Where necessary to achieve the legitimate interests of the personal information controller, and this manifestly takes precedence over the rights of the data subject |
| 7 | Where urgently necessary for public safety and security, such as public health |
B. Matters to be disclosed when obtaining consent (Article 15(2))
When obtaining consent, the following must be disclosed to the data subject:
- The purpose of collection and use of the personal information.
- The items of personal information to be collected.
- The period of retention and use of the personal information.
- The fact that there is a right to refuse consent, and, where there is a disadvantage following refusal, the content of that disadvantage.
Practical point for foreigners: When obtaining consent from a foreign data subject, it is advisable to give notice in a language the foreigner can understand. Consent obtained without an understanding of the content of the notice may be difficult to recognize as valid consent.
C. Processing of already-disclosed personal information
On already-disclosed personal information, the Supreme Court has held as follows.
Where already-disclosed personal information is processed—collected, used, provided, etc.—within the scope objectively recognized as having had the data subject’s consent, the data subject’s separate consent is unnecessary, and not having obtained separate consent cannot be regarded as a violation of Article 15 or Article 17 of the Personal Information Protection Act. (Supreme Court, Aug. 17, 2016, 2014da235080)
4. Provision to Third Parties and Entrustment of Processing — Foreigner-Related Practice
A. Distinguishing third-party provision from entrustment of processing
The Supreme Court distinguishes third-party provision from entrustment of processing as follows.
The “third-party provision” of personal information referred to in Article 17 of the Personal Information Protection Act is the case where personal information is transferred, beyond the scope of the original purpose of collection and use, for the business processing and benefit of the party receiving the information; whereas the “entrustment of processing” referred to in Article 26 is the case where personal information is transferred for the business processing and benefit of the entrusting party itself, in relation to the original purpose of collection and use. (Supreme Court, Apr. 7, 2017, 2016do13263)
Whether an act is a provision or an entrustment of processing must be judged comprehensively by considering the purpose and method of acquiring the personal information, whether consideration is exchanged, whether there is substantive management and supervision of the entrustee, the effect on the need to protect the data subject’s personal information, and who substantively is the party that needs to use the personal information (Supreme Court, Apr. 7, 2017, 2016do13263).
B. Matters to be disclosed when obtaining consent for third-party provision (Article 17(2))
When obtaining consent for third-party provision, the following must be disclosed:
- The party to whom the personal information is provided.
- The purpose for which the recipient will use the personal information.
- The items of personal information provided.
- The period for which the recipient will retain and use the personal information.
- The fact that there is a right to refuse consent, and, where there is a disadvantage following refusal, the content of that disadvantage.
C. Prohibition on use or provision for other purposes (Article 18)
A personal information controller must not use personal information beyond the scope under Article 15(1), or provide it to a third party beyond the scope under Article 17(1) (PIPA, Article 18(1)).
Related precedent: In a case in which an airline employee inquired into a passenger’s personal information 55 times for private purposes and used it, the court found that the employee had used the victim’s personal information for private purposes beyond the scope of the collection purpose of “performance of the contract for a passenger who purchased a ticket, etc.,” and convicted the employee (Seoul Southern District Court, July 4, 2024, 2024gojeong274; a fine of KRW 4 million, suspended for 1 year).
5. Cross-Border Transfer of Personal Information — A Key Foreigner-Related Issue
One of the most important issues in foreigner-related practice is the cross-border transfer of personal information. The March 14, 2023 amendment newly established Section 4 (Articles 28-8 through 28-11), substantially strengthening the regulation of cross-border transfers.
A. The principle prohibiting cross-border transfer, and the exceptions (Article 28-8)
A personal information controller must not provide (including where it is queried), entrust the processing of, or store personal information abroad. However, a cross-border transfer is permitted where it falls under any of the following (PIPA, Article 28-8(1)).
| Subpara. | Permitted requirement |
|---|---|
| 1 | Where separate consent to the cross-border transfer is obtained from the data subject |
| 2 | Where there is a special provision in a statute, a treaty to which the Republic of Korea is a party, or another international agreement |
| 3 | Where entrustment of processing or storage is necessary for the conclusion and performance of a contract with the data subject, and this is disclosed in the processing policy or notified to the data subject |
| 4 | Where the recipient has obtained a certification announced by the Protection Commission, and has taken both safety measures and implementation measures |
| 5 | Where the Protection Commission recognizes that the personal-information-protection system of the destination country or international organization has a level substantially equivalent to the level of protection under this Act |
B. Matters to be disclosed when obtaining consent for cross-border transfer (Article 28-8(2))
When obtaining the consent under paragraph 1, subparagraph 1, the following must be disclosed to the data subject in advance:
- The items of personal information to be transferred.
- The country to which the personal information is transferred, and the timing and method of transfer.
- The name of the recipient (for a corporation, its name and contact details).
- The recipient’s purpose of use and period of retention and use.
- The method and procedure for refusing the transfer, and the effect of refusal.
C. Order to suspend a cross-border transfer (Article 28-9)
The Protection Commission may order the suspension of a cross-border transfer where the transfer is ongoing or a further transfer is anticipated, and either (1) Article 28-8(1), (4), or (5) has been violated, or (2) the recipient, or the destination country or international organization, does not adequately protect the personal information compared with the level of protection under this Act, so that damage has arisen or is markedly likely to arise to the data subject (PIPA, Article 28-9(1)).
The matters the Protection Commission must consider comprehensively when ordering suspension are as follows:
- The type and scale of the personal information that has been transferred or whose further transfer is anticipated.
- The gravity of the violation.
- Whether the damage that has arisen or is likely to arise to the data subject is grave or difficult to recover.
- Whether ordering the suspension of the transfer is manifestly to the benefit of the data subject.
- Whether the protection of personal information and the prevention of infringement are possible through measures under the subparagraphs of Article 64(1).
- Whether the recipient, the destination country, etc. has an effective means for the relief of the data subject’s damage.
- Whether grounds exist to recognize that adequate protection of personal information is difficult—such as a grave personal-information infringement occurring at the recipient, the destination country, etc.
Practical point: A personal information controller may raise an objection with the Protection Commission within 7 days from the date of receiving the suspension order (PIPA, Article 28-9(2)).
6. Prohibited Acts and Criminal Punishment — Key Foreigner-Related Issues
A. Types of prohibited acts (Article 59)
A person who processes or has processed personal information must not engage in the following acts (PIPA, Article 59).
| Subpara. | Prohibited act |
|---|---|
| 1 | Acquiring personal information, or obtaining consent to its processing, by false or other improper means or methods |
| 2 | Disclosing personal information learned in the course of duty, or providing it for another’s use without authority |
| 3 | Using, damaging, destroying, altering, forging, or leaking another’s personal information without legitimate authority or beyond permitted authority |
B. The scope of the duty-bearer under Article 59, subparagraph 2 — an important precedent
On the scope of “a person who processes or has processed personal information,” the duty-bearer under Article 59, subparagraph 2, the Supreme Court has held as follows.
The “person who processes or has processed personal information,” the duty-bearer under Article 59, subparagraph 2 of the Personal Information Protection Act, is not limited to the “personal information controller” under Article 2, subparagraph 5, but includes a person who has processed, or had processed, the “personal information” under Article 2, subparagraph 1 learned in the course of duty, by the method under Article 2, subparagraph 2. (Supreme Court, Oct. 27, 2022, 2022do9510; Supreme Court, Mar. 10, 2016, 2015do8766)
In other words, even a foreign employee or an officer of a foreign company becomes a duty-bearer under Article 59, subparagraph 2 if he or she processed personal information in the course of duty.
C. Acquisition of personal information by improper means (Article 59, subparagraph 1)
On the meaning of “false or other improper means or methods,” the Supreme Court has held as follows.
The “false or other improper means or methods” provided in Article 72, subparagraph 2 of the Personal Information Protection Act means deception or another method recognized as improper by socially accepted standards, used to acquire personal information or to obtain consent to its processing—that is, an active or passive act capable of affecting the data subject’s decision-making on whether to acquire personal information or consent to its processing. (Supreme Court, Apr. 7, 2017, 2016do13263)
In judging this, the act of obtaining consent must not be separated and judged individually on its own; rather, the entire process of acquiring the personal information or obtaining consent to its processing must be examined (Supreme Court, Apr. 7, 2017, 2016do13263).
D. The criminal-punishment framework
| Provision | Violation | Statutory penalty |
|---|---|---|
| Article 70 | Paralyzing operations by altering/erasing a public institution’s personal information / providing to a third party for profit or improper purpose after acquisition by improper means | Up to 10 years’ imprisonment or a fine of up to KRW 100 million |
| Article 71, subpara. 1 | Providing personal information to a third party without consent / a recipient who received it knowing the circumstances | Up to 5 years’ imprisonment or a fine of up to KRW 50 million |
| Article 71, subpara. 2 | Use or provision for other purposes | Up to 5 years’ imprisonment or a fine of up to KRW 50 million |
| Article 71, subpara. 9 | Disclosing personal information learned in the course of duty / providing without authority (violation of Article 59, subpara. 2) | Up to 5 years’ imprisonment or a fine of up to KRW 50 million |
| Article 71, subpara. 10 | Using/damaging/leaking personal information without legitimate authority, etc. (violation of Article 59, subpara. 3) | Up to 5 years’ imprisonment or a fine of up to KRW 50 million |
| Article 72, subpara. 2 | Acquiring personal information by improper means (violation of Article 59, subpara. 1) | Up to 3 years’ imprisonment or a fine of up to KRW 30 million |
7. CCTV Image Information in Practice — A Frequent Foreigner-Related Issue
In disputes involving foreigners, the issue of providing CCTV image information frequently arises.
A. Whether CCTV footage constitutes personal information
An individual’s appearance captured in CCTV footage constitutes personal information. It also constitutes personal information where a particular individual cannot be identified by that information alone but can be identified when easily combined with other information (PIPA, Article 2, subparagraph 1, item (b)).
B. The legal character of viewing/providing CCTV footage
The Supreme Court has held that even where personal information is acquired by the method of viewing CCTV footage, the person may constitute a “recipient of personal information.”
In the case of personal information that exists in the form of footage—such as an individual’s portrait, bodily appearance, and location information captured by an image information processing device—a person may constitute a “recipient of personal information” not only where he is transferred personal information in footage form, such as by receiving the medium containing the footage, but also where he acquires the right of control and management by learning, through viewing or the like, the information on a specific and identifiable living individual contained in the footage. (Supreme Court, Sept. 13, 2024, 2022do14155)
C. Provision of footage in which the data subject is included
Even where a person is captured in CCTV footage, if another data subject is captured in the same footage, that person remains in the position of a third party in relation to the other data subject; receiving the footage without the other data subject’s consent is therefore unlawful (Suwon District Court, May 15, 2017, 2016no7700).
8. Civil Damages — Relief for Foreign Data Subjects
A. The basis for a damages claim (Article 39)
A data subject who suffers damage from an act of a personal information controller in violation of this Act may claim damages from the controller. In this case, the controller cannot escape liability unless it proves the absence of intent or negligence (PIPA, Article 39(1)).
B. The allocation of the burden of proof — an important precedent
On the allocation of the burden of proof, the Supreme Court has held as follows.
This provision merely shifts the burden of proof to the personal information controller, in consideration of the difficulty of proving the controller’s intent or negligence where the data subject claims damages for harm suffered from the controller’s violation of the Personal Information Protection Act; the fact itself that the controller committed an act in violation of the Act must be asserted and proved by the data subject. (Supreme Court, May 17, 2024, 2018da302957)
That is, the fact of the violation itself must be proved by the data subject (the plaintiff), while the absence of intent or negligence must be proved by the personal information controller (the defendant).
C. Punitive damages (Article 39(3))
Where personal information is lost, stolen, leaked, forged, altered, or damaged owing to the intent or gross negligence of the personal information controller, and damage arises to the data subject, the court may set the damages within a range not exceeding 5 times the amount of the damage (PIPA, Article 39(3)).
D. Statutory damages (Article 39-2)
Where personal information is lost, stolen, leaked, forged, altered, or damaged owing to the intent or negligence of the personal information controller, the data subject may claim damages by setting a reasonable amount within KRW 3 million as the amount of damage (PIPA, Article 39-2(1)). This is a system for cases where proving the amount of damage is difficult.
E. Key practical issues in a damages claim
(1) Standing as a data subject: To claim damages for a violation of the Personal Information Protection Act, one must be the data subject of the personal information concerned. Where another person’s personal information is leaked, a person who is not its data subject cannot claim damages under Article 39 of PIPA (Suwon District Court, Apr. 23, 2025, 2024na56856; Daegu District Court, Aug. 31, 2017, 2016na314190).
(2) Occurrence of damage: Even where there is a violation of the Personal Information Protection Act, the data subject must assert and prove that actual damage arose.
9. Administrative Fines and Sanctions
A. Imposition of an administrative monetary penalty (Article 64-2)
The Protection Commission may impose on a personal information controller, where any of the relevant grounds applies, an administrative monetary penalty within a range not exceeding 3/100 of total revenue (PIPA, Article 64-2(1)). Where there is no revenue or its calculation is difficult, it may be imposed within a range not exceeding KRW 2 billion.
The principal grounds for imposition are as follows:
- Violation of Article 15(1), Article 17(1), Article 18(1) and (2), or Article 19.
- Violation in processing sensitive information, unique identifying information, or resident registration numbers.
- Violation in combining pseudonymized information.
- Violation of the provisions on cross-border transfer of personal information.
- Leakage of personal information (excluding where safety-securing measures were fully taken).
B. Administrative fines (Article 75)
| Ceiling | Principal violations |
|---|---|
| Up to KRW 50 million | Installing/operating CCTV in a place where privacy infringement is of concern |
| Up to KRW 30 million | Violation of the duty to destroy personal information, failure to take safety-securing measures, violation in processing resident registration numbers, violation of the duty to notify/report a personal-information leak, etc. |
| Up to KRW 20 million | Failure to obtain the entrustor’s consent on sub-entrustment, failure to designate a domestic representative, etc. |
| Up to KRW 10 million | Violation of the consent method, failure to establish/disclose a personal information processing policy, failure to designate a personal information protection officer, etc. |
10. Application of PIPA to Foreign Businesses — Key Practical Issues
A. The duty to designate a domestic representative (Article 31-2)
A personal information controller that has no address or place of business in Korea and meets the criteria prescribed by Presidential Decree must designate a domestic representative to handle the following on its behalf (PIPA, Article 31-2(1)):
- The handling of complaints and the relief of damage relating to the processing of personal information.
- The notification and reporting of personal-information leaks, etc.
- The submission of materials.
The domestic representative must have an address or place of business in Korea, and where there is a domestic corporation that the controller established or over which it exercises a controlling influence, the representative must be designated from among such corporations (PIPA, Article 31-2(2)).
Practical point: Where the domestic representative violates PIPA, the personal information controller is deemed to have committed the act (PIPA, Article 31-2(5)). A foreign business must therefore take particular care in selecting and managing a domestic representative.
B. Reciprocity (Article 28-10)
Notwithstanding Article 28-8, with respect to a personal information controller of a country that restricts the cross-border transfer of personal information, a restriction corresponding to the level of that country may be applied. However, this does not apply where necessary for the performance of a treaty or other international agreement (PIPA, Article 28-10).
11. The Rights of the Data Subject — How a Foreigner Exercises Rights
A. The list of data-subject rights (Article 4)
A foreign data subject has the following rights (PIPA, Article 4):
- The right to be provided information on the processing of personal information.
- The right to choose and decide whether to consent to the processing of personal information, the scope of consent, and the like.
- The right to confirm whether personal information is processed and to demand access to (including the issuance of a copy) and transmission of the personal information.
- The right to demand the suspension of processing, and the correction, deletion, and destruction, of personal information.
- The right to be relieved, through a prompt and fair procedure, of damage arising from the processing of personal information.
- The right to refuse a decision made through fully automated processing of personal information, or to demand an explanation thereof, and the like.
B. The dispute mediation system
A person who wishes to have a dispute relating to personal information mediated may apply for dispute mediation to the Personal Information Dispute Mediation Committee (PIPA, Article 43(1)). The Committee must prepare a mediation proposal within 60 days from the date of receiving the application (PIPA, Article 44(1)). Where the content of the mediation is accepted, it has the same effect as a judicial settlement (PIPA, Article 47(5)).
12. Comprehensive Summary of Key Practical Points
A. Points for businesses employing foreigners
| Point | Content |
|---|---|
| Collecting alien registration numbers | Separate consent essential; duty to store encrypted |
| Processing foreign employees’ personal information | May be used only within the scope of performing the employment contract |
| Foreign employees’ duties | Prohibition on disclosing personal information learned in the course of duty (Article 59, subpara. 2) |
| Cross-border transfer | Where transferring abroad to headquarters, etc., the requirements of Article 28-8 must be met |
B. Points for foreign businesses
| Point | Content |
|---|---|
| Designating a domestic representative | Mandatory where the Presidential Decree criteria apply |
| Personal information processing policy | Must include the domestic representative’s information |
| Cross-border transfer requirements | Requirements such as consent, certification, or adequacy recognition must be met |
| Administrative monetary penalty | Up to 3% of total revenue, or up to KRW 2 billion where there is no revenue or its calculation is difficult |
C. Points for foreign data subjects
| Point | Content |
|---|---|
| Understanding the meaning of consent | Before consenting, fully understand the content of the notice and decide whether to consent |
| How to exercise rights | May demand access, correction, deletion, and suspension of processing directly from the controller |
| Relief of damage | May apply to the Dispute Mediation Committee or claim damages in court |
| Burden of proof | The fact of the violation itself must be proved by the data subject |