Get compliant today


By submitting this form, you consent to be contacted about products and services from members of Relentless. Relentless is committed to safeguarding your privacy. If you require  further  information on how we collect and use your personal data, please read our Privacy Policy


South Korea’s Personal Information Protection Act (“PIPA”) was enacted on September 30, 2011 and is considered to be one of the strictest data protection regimes in the world.

South Korea’s prior Public Agency Data Protection Act was largely limited. In the private sector, it applied only to those businesses that used telecommunications services. And in the public sector, the legislation covered all public agencies but lacked enough limits on government collection of data. The old Act was replaced with the more comprehensive PIPA, which applies to both public and private sectors. As a result, “more than 3.5 million public entities and private businesses are now regulated by common criteria and principles, and common enforcement mechanisms.”


Material Scope 

Applies to any public institution, corporate body, organization, individual, etc., that manages personal information directly or via another person to administer personal information files as part of their duties.

Territorial Scope 

Although the territorial scope is not specified in the law, the standard for enforcement of South Korean data protection law is similar to the GDPR in that companies established in South Korea are certainly subject the law, and foreign companies that target South Korean users are likely also within the ambit of enforcement action.

Scope of the Personal Information Protection Act

PIPA applies to personal information processing organizations, known as “data handlers,” that are defined as a person, government entity, company, individual, or any other person that, directly or through a third party, handles personal information for work or business purposes. Personal information refers to information pertaining to a living individual, which contains information identifying a specific person, such as name, national identification number, images, or other similar information.

Under the Act on the Promotion of Information and Communication Network Utilization and Information Protection (the “Network Act”), which supplements PIPA, personal information includes name, national identification number, letter, voice, sound image, and all other information that makes it possible to identify a specific person. The Network Act provides measures for protecting the personal information of users collected and used by the telecommunications business operators.

In addition to regulating personal information, the Acts impose compliance measures to ensure proper collection, use, and transfer, among other things, of users’ personal information. Technical and managerial protective measures must be taken in order to store personal information. Organizations must also inform data subjects of their rights and its obligations as a data handler.

Though the two Acts do not specify whether the laws apply to foreign organizations or acts occurring abroad, the Korea Communications Commission (the “KCC”), among other regulatory authorities, applies the Acts if foreign organizations target Korean users. In determining whether the Network Act applies, for example, the KCC will consider: (a) the location of the website’s server; (b) whether the website is written in the Korean language and the website uses a Korean domain name; and (c) whether the website conducts promotional activities in Korea. In January 2014, a multinational corporation was fined KRW 200 million by the KCC for collecting Korean users’ personal information without obtaining consent.

Data Controller

There is no concept of a “Data Controller” under Japanese law. However, the APPI uses the term “business operator,” which essentially refers to the entity responsible for the proper handling of all “Personal Information.” This is similar to the concept of data controller under EU law.

Data Processor

There is no concept of a “Data Processor” under Japanese law. As such, handling of personal data under the APPI should pertain to how a “business operator” treats and manages the personal information or personal data in its possession.

Lawfulness , Fairness and Transparency

The personal information processor shall make the personal information processing purposes explicit and specified and shall collect minimum personal information lawfully and fairly to the extent necessary for such purposes.

Purpose Limitation

An information processor should use personal information only for the purposes specified to the data subject in any applicable consent.

Data Minimisation

Personal information processor should collect only the minimum amount of personal information necessary for the purposes specified to the data subject.


The personal information processor shall ensure the personal information is accurate, complete and up-to-date to the extent necessary to attain the personal information processing purposes.

Storage Limitation

The personal information processor shall inform the data subject of the duration of data retention when obtaining consent for processing as well as make efforts to process personal information in anonymity, if possible.

Strict Enforcement

South Korea also has a track record of enforcement of data protection laws. Chapter 9 of PIPA contains severe sanctions for data security breaches including substantial fines and imprisonment – up to 50 million won in fines and imprisonment of up to five years are potential consequences.

Relentless Your PIPA Partner of Choice

Relentless Privacy and Compliance Services provides quality, cost-effective compliance, assurance and global privacy maturity services to companies of all sizes.


Through the use of technology and our centralized, streamlined structure, we are able to serve our clients in the timeliest manner and with the highest level of efficiency. And because of our unique model and approach, we are able to deliver this exceptional service at highly competitive rates.


We have 20+ years of compliance and assurance experience and are committed to providing a personalized and responsive service.

With a tailor-made approach, we work with our clients in executing each project to their specific need and help maximize the long-term business value of their compliance and privacy assurance strategies ensuring their global operations remain within the law.

Relentless PIPA Service What's Included?

Our South Korea PIPA Service Includes the Following

  • PIPA Assessment
  • Dedicated DPO
  • Unlimited Support Calls
  • Unlimited Email Support
  • Data Mapping
  • Record of Processing Activities
  • Subject Access Request Service
  • Data Risk Assessments
  • Data Breach Support
  • Data Protection Policy Writing
  • PIPA Framework Design
  • PIPA Privacy Maturity Gap Analysis and Remediation Report
southkorea pipa


At relentless we have helped companies from startups to PLC’s our
services are rich, comprehensive, and built for every budget

error: Content is protected !!