SOUTH KOREA PIPA SERVICE

RELENTLESS PRIVACY AND COMPLIANCE SERVICES

Number One  Global Privacy Partner Of Choice

Relentless PIPA Service has you covered!

South Korea’s Personal Information Protection Act (“PIPA”) was enacted on September 30, 2011 and is considered to be one of the strictest data protection regimes in the world. South Korea’s prior Public Agency Data Protection Act was largely limited. In the private sector, it applied only to those businesses that used telecommunications services. And in the public sector, the legislation covered all public agencies but lacked enough limits on government collection of data. The old Act was replaced with the more comprehensive PIPA, which applies to both public and private sectors. As a result, “more than 3.5 million public entities and private businesses are now regulated by common criteria and principles, and common enforcement mechanisms.”tees.

The PIPA South Korea's Data Protection Law

PIPA aims to enhance the right and interest of citizens by protecting their privacy from the “unauthorized collection, leak, abuse or misuse of personal information.
What is the PIPA

South Korea’s Personal Information Protection Act (“PIPA”) was enacted on September 30, 2011 and is considered to be one of the strictest data protection regimes in the world.

South Korea’s prior Public Agency Data Protection Act was largely limited. In the private sector, it applied only to those businesses that used telecommunications services. And in the public sector, the legislation covered all public agencies but lacked enough limits on government collection of data. The old Act was replaced with the more comprehensive PIPA, which applies to both public and private sectors. As a result, “more than 3.5 million public entities and private businesses are now regulated by common criteria and principles, and common enforcement mechanisms.”

What is the Scope of the PIPA
Material Scope 

Applies to any public institution, corporate body, organization, individual, etc., that manages personal information directly or via another person to administer personal information files as part of their duties.

Territorial Scope 

Although the territorial scope is not specified in the law, the standard for enforcement of South Korean data protection law is similar to the GDPR in that companies established in South Korea are certainly subject the law, and foreign companies that target South Korean users are likely also within the ambit of enforcement action.

Who Does the PIPA Apply To

Scope of the Personal Information Protection Act

PIPA applies to personal information processing organizations, known as “data handlers,” that are defined as a person, government entity, company, individual, or any other person that, directly or through a third party, handles personal information for work or business purposes. Personal information refers to information pertaining to a living individual, which contains information identifying a specific person, such as name, national identification number, images, or other similar information.

Under the Act on the Promotion of Information and Communication Network Utilization and Information Protection (the “Network Act”), which supplements PIPA, personal information includes name, national identification number, letter, voice, sound image, and all other information that makes it possible to identify a specific person. The Network Act provides measures for protecting the personal information of users collected and used by the telecommunications business operators.

In addition to regulating personal information, the Acts impose compliance measures to ensure proper collection, use, and transfer, among other things, of users’ personal information. Technical and managerial protective measures must be taken in order to store personal information. Organizations must also inform data subjects of their rights and its obligations as a data handler.

Though the two Acts do not specify whether the laws apply to foreign organizations or acts occurring abroad, the Korea Communications Commission (the “KCC”), among other regulatory authorities, applies the Acts if foreign organizations target Korean users. In determining whether the Network Act applies, for example, the KCC will consider: (a) the location of the website’s server; (b) whether the website is written in the Korean language and the website uses a Korean domain name; and (c) whether the website conducts promotional activities in Korea. In January 2014, a multinational corporation was fined KRW 200 million by the KCC for collecting Korean users’ personal information without obtaining consent.

How Are Data Controllers and Data Processors treated

Data Controller

There is no concept of a “Data Controller” under Japanese law. However, the APPI uses the term “business operator,” which essentially refers to the entity responsible for the proper handling of all “Personal Information.” This is similar to the concept of data controller under EU law.

Data Processor

There is no concept of a “Data Processor” under Japanese law. As such, handling of personal data under the APPI should pertain to how a “business operator” treats and manages the personal information or personal data in its possession.

What are the lawful bases for collection and data processing?
Lawfulness , Fairness and Transparency

The personal information processor shall make the personal information processing purposes explicit and specified and shall collect minimum personal information lawfully and fairly to the extent necessary for such purposes.

Purpose Limitation

An information processor should use personal information only for the purposes specified to the data subject in any applicable consent.

Data Minimisation

Personal information processor should collect only the minimum amount of personal information necessary for the purposes specified to the data subject.

Accuracy

The personal information processor shall ensure the personal information is accurate, complete and up-to-date to the extent necessary to attain the personal information processing purposes.

Storage Limitation

The personal information processor shall inform the data subject of the duration of data retention when obtaining consent for processing as well as make efforts to process personal information in anonymity, if possible.

What are the penalties?
Strict Enforcement

South Korea also has a track record of enforcement of data protection laws. Chapter 9 of PIPA contains severe sanctions for data security breaches including substantial fines and imprisonment – up to 50 million won in fines and imprisonment of up to five years are potential consequences.

Relentless Your PIPA Partner of Choice

Relentless Privacy and Compliance Services provides quality, cost-effective compliance, assurance and global privacy maturity assessments to companies  of all sizes. Unlike traditional compliance firms, we don’t have four or five layers of management. Through the use of technology and our centralized, streamlined structure, we are able to serve our clients in the timeliest manner and with the highest level of efficiency. And because of our unique model and approach, we are able to deliver this exceptional service at highly competitive rates.

We have 20+ years of compliance and assurance experience and are committed to providing a personalized and responsive service.

With a tailor made approach, we work with our clients in executing each project to their specific need and help maximize the long term business value of their compliance and privacy assurance strategies ensuring their global operations remain  within the law.

Worldwide Data Privacy, South Korea PIPA Service, Relentless Data Privacy and Compliance | Birmingham| United Kingdom

Relentless PIPA Service What's Included?

Our PIPA Service Includes the Following
  • PIPA Assessment
  • Dedicated DPO
  • Unlimited Support Calls
  • Unlimited Email Support
  • Data  Mapping
  • Record of Processing Activities
  • Subject Access Request  Service
  • Data Breach Support
Worldwide Data Privacy, South Korea PIPA Service, Relentless Data Privacy and Compliance | Birmingham| United Kingdom