3. Data Protection Agencies | Regulatory Agencies


1. Introduction

Korea's main data security laws and regulations are the Personal Information Protection Act (2020 Revision) ("PIPA") and its implementing regulations, which stipulate the requirements for the government, private entities, and individuals in the collection, use, and disclosure of data. Korea's data protection law provides very specific and standardized requirements throughout the entire lifecycle of processing personal data. Under these laws, in principle, the consent of the data subject is required to process their personal data in almost all cases.

1.1. Main Acts, Regulations, Directives

Korea's data protection law provides very specific and standardized requirements throughout the entire lifecycle of processing personal data, and because of its statutory pre-notification and opt-in consent requirements and its relatively severe sanctions, it is one of the strictest data protection laws in the world. Korea's data protection regime is composed of a general law and several industry laws applicable to specific industry sectors.
Personal Information Protection Act
On February 4, 2020, the National Assembly passed several amendments to PIPA ("2020 Amendments"), which came into effect on August 5, 2020. The amendments include the relevant requirements, restrictions, and penalties for pseudonymization and anonymization processing.
The amendment proposed by the Korea Personal Information Protection Commission (PIPC) on January 6, 2021, introduced the right to data portability and the right to refuse automated decision-making, expanded the permitted methods for transmitting personal data overseas, and brought anonymized data within the scope of data that must be destroyed.
Industry Law
Korea has special legal regulations for the processing of personal data in certain specific industries, most notably the 'Credit Information Utilization and Protection Act' (UPCIA) of 2009.

1.2. Guidelines

The data protection agency has also issued various guidelines related to personal data protection, including:

  • PIPC issued the Guidelines for the Interpretation of the Personal Information Protection Act ("PIPC Guidelines");

  • Guidelines for Personal Data De-identification, jointly issued by the Office of Government Policy Coordination, the Ministry of the Interior and Security, the Korea Communications Commission, the Financial Services Commission, the Ministry of Science and Information and Communication Technology, and the Ministry of Health and Welfare;

  • Guidelines for Personal Data Anonymization, published by PIPC;

  • Manual on Personal Data Anonymization and De-anonymization in the Financial Sector;

  • Biometric Data Protection Guidelines ("Biometric Data Protection Guidelines Proposal").

Although these guidelines do not have binding legal effect, they can serve as useful references to understand how laws and regulations may be interpreted in practice.

1.3. Case Law

The main source of legal authority in Korea is legislation, rather than case law in the common law jurisdiction. However, several important judgments issued by the courts may provide useful references for interpretation in practice.
In its decision of April 2017, the Supreme Court of Korea held that the consent obtained from the data subjects was invalid, because the defendant collected personal information without the data subjects clearly understanding what they were consenting to, even though the consent formally complied with the legal procedures: the notice had been printed in a 1 millimeter font.
In the judgment rendered by the Seoul High Court on May 3, 2019, it was ruled that the Korea Pharmaceutical Information Center violated PIPA by providing sensitive personal information to third parties without consent, namely, patients' prescription data. The High Court also pointed out that if personal information has been appropriately de-identified, such as through encryption, which makes it impossible to identify specific individuals, then providing such de-identified data to third parties without the consent of the data subject should not be considered a violation of PIPA.

2. Scope of Application

2.1. Scope of Individuals

PIPA applies to data processors, whether public institutions, legal persons, organizations, or individuals, who process personal data independently or through third parties.

2.2. Territorial Scope

PIPA applies to all data processors and outsourcing processors within South Korea, but PIPA does not explicitly specify its territorial scope. PIPA does not mention its extraterritorial scope, but in practice, multiple factors are considered when determining whether a foreign entity is subject to PIPA (for example, whether a company provides services to South Koreans, or whether a company generates revenue from conducting business in South Korea).

3. Data Protection Agencies | Regulatory Agencies

3.1. Main Regulatory Agencies for Data Protection

The main data protection agencies are:

  • Personal Information Protection Commission (PIPC);

  • Korea Communications Commission (KCC);

  • Korea Internet & Security Agency (KISA);

  • Financial Services Commission (FSC).

3.2. Main Powers, Responsibilities, and Liabilities

The main powers of PIPC are:

  • Implement PIPA;

  • Resolve issues related to formal interpretations;

  • Impose administrative fines, additional fines, orders to correct, and other administrative sanctions;

  • Establish data protection policies;

  • Assess the establishment/revision of laws and administrative measures related to the protection of personal information.

The main functions of KCC are:

  • Implement ICNA;

  • Resolve issues related to formal interpretations; and

  • Impose administrative fines, additional fines, orders to correct, and other administrative sanctions.

The main responsibilities of FSC are:

  • Implement UPCIA;

  • Resolve issues related to formal interpretations.

4. Key Definitions

  • Data controller: Data processors under PIPA are similar to the concept of data controllers under GDPR.

  • Personal data: PIPA has a broad definition of personal data, that is, any data related to living natural persons:

    1. Identify specific individuals through name, residential registration number ('RRN'), images, and other means;

    2. Even if it itself cannot identify a specific individual, it can be easily combined with other information to identify a specific individual (whether information can be 'easily combined' should be determined through reasonable consideration of time, cost, and the technology used for identifying an individual's identity, such as the possibility of obtaining other information).

  • Sensitive data: Refers to personal information about an individual's ideology, beliefs, trade union or political party membership, political views, health status, sexual orientation, and other personal information that may lead to significant privacy disclosures, including genetic information, criminal records, biometric data (such as facial, fingerprint, iris, and handwriting samples), and racial/ethnic data.

  • Anonymized information: Defined as information that cannot identify a specific individual even when combined with other information, after reasonable consideration of time, cost, and technical factors, and is not subject to the constraints of PIPA.

  • Processing of personal data: Includes actions such as 'collecting, generating, recording, storing, retaining, processing, editing, searching, outputting, correcting, restoring, using, providing, disclosing, or destroying personal data'.

  • Data Protection Officer: There is no definition of 'Data Protection Officer' in PIPA. However, Article 31 of PIPA refers to the 'Privacy Officer' (DPO) as an individual fully responsible for the processing of personal information.

  • Privacy Impact Assessment|Data Protection Impact Assessment: There is no definition of 'PIA' in PIPA. However, PIPA establishes PIA as an assessment of risk factors related to the operation of personal data for analysis and improvement (Article 33 of PIPA).

5. Legal basis

5.1. Consent

Data processors must issue notifications when processing personal data. In most cases, express consent is required before collecting, using, or providing personal information to third parties, subject to certain exceptions.
For reference, the PIPC guidelines state that data processors should:

  • Under the condition of obtaining user consent, inform users in a clear and understandable manner about the types of personal data collected and the reasons for collecting such information;

  • Obtain explicit consent under Article 22 of PIPA (prohibiting the data processor from obtaining comprehensive consent for all types of processing and requiring the data processor to differentiate between necessary/optional consent).

In addition, the PIPC guidelines state that the consent required by PIPA for the collection and use of personal data should be a voluntary choice of consent (through written signature, oral confirmation, or online checkbox) and can be clearly verified.

5.2. Contract with the data subject

PIPA stipulates that when entering into and performing a contract with the data subject, the data processor may collect and use personal data without the additional consent of the data subject. However, please note that this legal basis does not apply to providing personal information to third parties.

5.3. Legal obligations

PIPA stipulates that when other applicable laws require the data processor to fulfill obligations, or when other applicable laws, regulations, or provisions specifically require or permit, the data processor may collect, use, and/or provide personal data without the consent of the data subject.

5.4. The interests of the data subject

PIPA stipulates that when there is a clear and urgent need to protect the life, body, or economic interests of the data subject or a third party, and it is not possible to obtain consent for the processing of personal information in a normal manner, the data processor may collect, use, and/or provide the personal data of the data subject without the consent of the data subject.

5.5. Public Interest (not applicable)

PIPA does not recognize public interest as a legitimate basis for processing personal data without the consent of the data subject.

5.6. Legitimate Interests of the Data Controller

PIPA stipulates that if the collection and use of data are necessary for the legitimate interests of the data processor, and such legitimate interests clearly outweigh the rights of the data subject, the data processor may collect and use the data without the consent of the data subject.
Please note that, considering the specific language of PIPA and the guidelines of PIPC, the 'legitimate interest' reason is only recognized in very limited cases. In addition, 'legitimate interests' may not be used as a basis for providing personal data to third parties without the consent of the data subject.

5.7. Legal basis in other cases

Direct marketing
According to ICNA, explicit prior consent of the recipient is required to transmit commercial advertisements through electronic media (such as telephone, mobile phone, fax, email, etc.).
Retention Period of Personal Data
Where the special provisions applicable to ICSPs apply, in order to protect the personal data of users who have not used information and communication services for one year, the ICSP must immediately destroy the personal data of such inactive users after that period, or store and manage it separately from the personal data of other users.

6. Principles

PIPA lists eight key principles applicable to data processors:

  • Inform the purpose and handle it legally and fairly;

  • Purpose limitation;

  • Accurate and complete;

  • Manage personal data securely;

  • Disclose privacy policies, protect user rights;

  • Process as much as possible through anonymization/pseudonymization.

7. Obligations of the controller and processor

Obligations of the data processor (equivalent to the controller in GDPR)

  • Process personal data in a manner that minimizes the violation of the data subject's privacy and, as far as possible, anonymize or pseudonymize.

  • The data processor needs to take necessary technical, organizational, and physical measures to ensure the security of personal data. PIPA provides a list of minimum measures to be taken in this regard.

  • The data processor must also provide notice when processing personal data.

  • Consent to process specific identity data (i.e., RRN, passport number, driver's license number, foreigner registration number, and sensitive data) must be separate from each other and from any other consent.

Obligations of the data processing trustee (equivalent to the processor in GDPR)
Since the data processing trustee may itself be considered a data processor, the data processing trustee usually bears the same legal obligations as the data processor. If the data processing trustee (i.e., the outsourcing service provider) violates PIPA, the trustee is regarded as an employee of the data processor, and the data processor bears vicarious liability.

7.1. Notification of Data Processing

Data controllers and data processors have no legal obligation to notify any supervisory authority of their data processing activities.
The head of the public institution must notify MOIS of the processing of personal data (Article 32(1) of PIPA).

7.2. Data Transmission

PIPA requires data processors to obtain the prior consent of the data subject when providing personal data to overseas third parties.
The European Commission published its decision on December 17, 2021, regarding the adequacy of the protection of personal data in Korea, allowing the transfer of personal data from EU member states to Korea without the need to complete any additional procedures or evidence (such as standard contract clauses). This decision will be subject to review by the European Commission within three years of its entry into force, and at least every four years thereafter.
PIPC issued the 'Interpretation and Supplementary Provisions on the Processing of Personal Information Transmitted to Korea under the Personal Information Protection Act', which shall take effect from the date on which the adequacy decision of the European Commission comes into force.

7.3. Data Processing Records

PIPA requires data processors to manage and store log records of access to the personal data processing system by 'personal data processors' (that is, officers, employees, workers, etc. who process personal data under the data processor's guidance and supervision), and to keep those records for at least one year. Such log records should contain the details of each access, including the ID used, the access date and time, information identifying the person accessing, and the tasks performed by the personal data processor while connected to the processing system.
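As an added illustration (not code from the original page), the following Python snippet shows how a compliance check over such access logs could look: it parses constructed key=value log lines, flags records that lack any of the four details named above (the field names `user_id`, `accessed_at`, `identity` and `task` are my own choice, not terms from PIPA), and checks whether the retained records reach back at least one year from a given date.

```python
from datetime import datetime, timedelta, timezone

# Fields that the log requirement described above calls for. The names are an
# assumption for this example; PIPA does not prescribe a record format.
REQUIRED_FIELDS = ("user_id", "accessed_at", "identity", "task")
MIN_RETENTION = timedelta(days=365)   # records must be kept at least one year
KST = timezone(timedelta(hours=9))

# Constructed sample log lines (not real data). The third line lacks the
# identity of the person accessing and should be flagged.
SAMPLE_LOG = [
    "user_id=ops-17 accessed_at=2023-01-03T09:12:00+09:00 identity=Kim/ops-team task=export_customer_list",
    "user_id=ops-22 accessed_at=2024-02-10T14:05:30+09:00 identity=Park/support task=view_record",
    "user_id=ops-22 accessed_at=2024-02-11T08:00:00+09:00 task=delete_record",
]


def kst_date(year, month, day):
    """Timezone-aware date in Korean Standard Time, used as the 'as of' point."""
    return datetime(year, month, day, tzinfo=KST)


def parse_record(line):
    """Turn one 'key=value key=value' line into a dict; timestamps become datetimes."""
    rec = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    if "accessed_at" in rec:
        rec["accessed_at"] = datetime.fromisoformat(rec["accessed_at"])
    return rec


def missing_fields(rec):
    """List the required details that are absent or empty in a parsed record."""
    return [f for f in REQUIRED_FIELDS if not rec.get(f)]


def audit_log(lines, as_of):
    """Return (defects, retention_ok).

    defects maps 1-based line numbers to the fields missing on that line;
    retention_ok is True when the oldest retained record is at least one
    year older than as_of, i.e. the retained window covers the minimum period.
    """
    defects = {}
    timestamps = []
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        missing = missing_fields(rec)
        if missing:
            defects[n] = missing
        if "accessed_at" in rec:
            timestamps.append(rec["accessed_at"])
    retention_ok = bool(timestamps) and min(timestamps) <= as_of - MIN_RETENTION
    return defects, retention_ok


if __name__ == "__main__":
    defects, ok = audit_log(SAMPLE_LOG, kst_date(2024, 3, 1))
    print("records with missing details:", defects)
    print("retention window covers one year:", ok)
```

The check only verifies completeness and age of the records; it says nothing about whether the log store itself is protected against tampering or deletion, which is a separate control the data processor still has to put in place.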

7.4. Data Protection Impact Assessment

According to PIPA, only public institutions have the obligation to carry out a data protection impact assessment ('DPIA') (Article 33(8) of PIPA). However, please note that proposed amendments to PIPA may expand the scope of PIA, requiring private companies and institutions to carry out PIA.
PIA must cover:

  • The amount of personal information to be processed;

  • Whether such information is provided by a third party;

  • The possibility of such processing infringing on the rights of the data subject and the extent of such risks; and

  • Other matters prescribed by the presidential decree.

7.5. Data Protection Officer Appointment

According to PIPA, all data processors must appoint qualified officers as privacy officers, responsible for all aspects of their processing of personal data. Data processors must appoint a person who meets any of the following conditions as their privacy officer:

  • The owner or representative of the board of the enterprise; or

  • The executive officer, but if there is no executive officer, then the head of the department responsible for handling personal data.

The main responsibilities of the DPO include:

  • Develop and implement data protection plans;

  • Regularly complete investigations of the current status and practices of personal information processing, and improve shortcomings;

  • Handle complaints and remedial compensation related to the processing of personal information;

  • Establish internal control systems to prevent the leakage, abuse, and misuse of personal information;

  • Prepare and implement data protection education programs;

  • Protect, control, and manage personal information files; and

  • Perform any other functions prescribed by the law for the appropriate handling of personal information.

The DPO must take immediate corrective action upon discovering any violation of PIPA and, if necessary, report such corrective measures to the head of the institution itself or the relevant organization (Article 31(4) of PIPA).

7.6. Data Breach Notification

When the processor becomes aware of a data breach involving personal data, it must immediately notify the affected data subjects. In addition, if the data breach involves 1,000 or more data subjects, the processor must also report the breach to PIPC or a professional agency designated under PIPA, and disclose the specified information on its internet homepage; if it does not have an internet homepage, it must disclose the information at a prominent location in its business premises for at least 7 days.

7.7. Data Retention

If Korean law or regulations require the retention of personal data after notifying the data subject and obtaining their consent, such personal data will need to be kept separately from any other personal data.
Retention Period of Personal Data
If ICSP has special provisions applicable, in order to protect the personal data of users who do not use information and communication services within one year, ICSP must immediately destroy the personal data of inactive users after the aforementioned period, or separately store and manage the personal data of inactive users from that of other users.

7.8. Children's Information

PIPA stipulates that when PIPA requires consent to process the personal information of children under the age of 14, the data processor must obtain the consent of the legal representative of the data subject.
In addition, as the data processor of ICSP, it is necessary to:

  • When notifying children of matters related to the processing of personal information, communicate in an easily understandable form and use clear and concise language; and

  • If ICSP collects, uses, or provides personal data of children under the age of 14, the consent of the legal representative must be obtained, and it must be confirmed whether the legal representative agrees to the processing of the child's personal information in a legal manner.

7.9. Special Categories of Personal Data

PIPA defines a special category of personal data, namely 'specific identity data', including RRN, passport number, driver's license number, and foreigner registration number.
In principle, the processing of sensitive data/specific identity data is prohibited without the explicit consent of the data subject. Consent to the processing of specific identity data or sensitive data must be obtained separately and independently of any other consent. In particular, for RRN, the processor may not collect or use RRN unless there are exceptions provided for by PIPA.

7.10. Controller and Processor Contract

Outsourcing the processing of personal data to a third-party data processor requires a written agreement, which must include:

  • Provisions prohibiting the processor from processing personal data for any purpose other than the execution of outsourced tasks;

  • Technological and administrative safeguards measures implemented to protect personal data; and

  • Any other matters prescribed by the PIPA Executive Order for the security management of personal data.

8. Rights of the Data Subject

The data processor must ensure that personal data is accurate, complete, and up-to-date to the extent necessary to achieve the processing purpose, and the data subject may exercise the right to access, correct, suspend the use, and delete their personal data. To this end, PIPA has also established normative procedural rules to ensure the exercise of such rights by the data subject.
At the same time, according to the amended UPCIA, credit reporting entities enjoy the right of data portability, that is, they have the right to require credit providers/creditors to transmit the credit information they hold about the credit reporting entity to the credit reporting entity itself or to the designated other person.

8.1. Right of Information

According to PIPA, when the data processor obtains the data subject's consent, it must provide the following notifications:

  • The purpose of collecting and using personal data;

  • The types of personal data collected and used;

  • The retention and use period of personal data;

  • The data subject's right to refuse consent, and any disadvantages that may result from such refusal (if any).

When the data processor and ICSP provide personal data to third parties, they must inform the following matters and obtain user consent:

  • The specific name of the third-party recipient;

  • The types of personal data to be shared;

  • The use purpose of the third-party recipient;

  • The retention and use period of the third-party recipient;

  • The data subject's right to refuse consent, and any disadvantages that may result from such refusal (if any).

Through privacy policy notification
PIPA has a list of information that must be included in a privacy policy, including but not limited to use purposes, retention periods, provision and outsourcing information, and the disposal of personal data. The data processor must publicly disclose its privacy policy, allowing the data subject to check the terms of these privacy policies at any time, including any revisions made.

8.2. Right of Access

The data subject can request access to their personal data. PIPA stipulates that access rights can only be restricted or refused under the following circumstances:

  • The law prohibits or restricts such access; or

  • That may cause harm to the life or body of a third party, or improperly infringe on the property and other interests of a third party.

PIPA's executive decree stipulates that the data subject can request the data processor to access the following information:

  • The types of personal data concerned;

  • The purpose of collecting/use of personal data;

  • The retention and use period of personal data;

  • The status of providing any personal data to third parties;

  • The fact that the data subject has consented to the data processor's processing of personal data.

PIPA stipulates that requests must be made in accordance with the procedures determined by the data processor. These procedures should meet the following requirements:

  • The methods available to the data subject when making a request must be user-friendly, such as in writing, by phone, or by email, or via the internet;

  • The data subject must be able to request access through the same window or in the same manner as the collection of personal information, unless there is a legitimate reason (such as difficulty in continuously operating such a window); and

  • Details of the methods and procedures for exercising the right of access to the data should be published on the website operated by the data processor.

The data processor must respond to the data subject's request for access within ten days of receiving the request. The response should either grant access (if the request is accepted) or state that access has been postponed, in which case the reasons for the delay must be explained. Access must be granted immediately once the reasons for the delay no longer exist.

8.3. Right of Rectification

PIPA stipulates the right of data subjects to request the correction of their personal information from data processors.

8.4 Right to deletion

PIPA stipulates the right of data subjects to request the deletion of their personal information from data processors. However, deletion is not permitted when other laws require the collection of personal information or when the data processor refuses the data subject's right of access.
The PIPA enforcement decree stipulates that requests must be submitted according to the procedures determined by the data processor (as with the right of access).

8.5 Right to object/opt-out

As a data processor of ICSP, it must allow the data subject to withdraw consent at any time. The data processor must respond to the data subject's request to suspend the processing of their personal information.

8.6 Right to data portability

The current PIPA does not recognize the right to data portability. However, the PIPA amendment issued by PIPC on January 6, 2021, solicited public opinion and clearly stipulated the right of data subjects to data portability.
To be able to exercise this right, the amendment also introduces the concept of a professional data management authority, which will be responsible for:

  • Provide support for the data subject to exercise their rights as a data subject (such as data portability, the right to be informed, the right to rectification/deletion, and the right to suspension of processing); and

  • Integrate/manage their personal information.

8.7 Right not to be subject to automatic decision-making

PIPA does not stipulate the right not to be subject to automatic decision-making. However, the proposed amendment to PIPA above clearly stipulates the right of data subjects not to be subject to automatic decision-making.

9. Penalties

Regulatory agencies such as PIPC, KCC, and FSC can implement various administrative penalties for violations of their respective laws and regulations, such as correction orders, administrative fines, and additional fines.
Prosecutors can also investigate any violations that should be subject to criminal penalties. Data processors may be held civilly liable to data subjects for damages suffered due to such violations.

9.1 Execution Decision

KCC and PIPC imposed substantial fines on related violations.

  • On July 15, 2020 (before the amendment took effect), KCC issued a correction order imposing a fine of 1.8 billion South Korean won (approximately 131,280 euros) on an international media platform operator for collecting personal information of minors under the age of 10 (under the age of 14 requires consent from their guardians).

  • On November 25, 2020, PIPC imposed an additional fine of 6.7 billion South Korean won (approximately 490,000 euros) on an international social media company for providing personal information to third-party operators without the consent of the data subjects.

  • On August 25, 2021, PIPC issued a correction order imposing an additional fine of 64.4 billion South Korean won (approximately 4.7 million euros) on social media platforms that generated and used personal identifiable facial images without the consent of the data subjects. On the same day, PIPC also issued a correction order imposing an additional fine of 2.2 billion South Korean won (approximately 160,445 euros) on an international internet service provider that collected personal information (belonging to unauthorized data subjects) before completing the member application process.
