🇰🇷 개인정보 보호법 (Personal Information Protection Act) Compliance Assessment 🇰🇷
Korea PIPA Compliance Checker (개인정보 보호법 준수 검사 도구)

Personal Information Protection Act • 개인정보 보호법

Assess your organization's compliance with Korea's Personal Information Protection Act (PIPA). This tool evaluates consent management, cross-border transfers, security safeguards, and PIPC regulatory requirements.

PIPA Guardian

PIPA Compliance Assessment (개인정보 보호법 준수 평가)

📋 About Korea's PIPA (개인정보 보호법)

Korea's Personal Information Protection Act is one of the world's strictest data protection laws, enacted in 2011 and significantly strengthened by the 2020 "Data Three Laws" amendment. It regulates the collection, use, and transfer of personal information with explicit consent requirements. Korea received an EU adequacy decision in 2022, recognizing PIPA's equivalence to GDPR.

🏛️ Enforced by: PIPC (개인정보보호위원회)
✅ Consent for Collection (수집 동의) • Article 15 (제15조)

1. Do you obtain explicit consent before collecting personal information, specifying the collection purpose?

2. Do you inform data subjects of the specific items collected and the retention period?

3. Do you inform data subjects of their right to refuse consent and the consequences of refusal?
🔐 Sensitive Information (민감정보) • Article 23 (제23조)

4. Do you obtain separate, specific consent for sensitive information (health, beliefs, genetics, criminal records)?

5. Do you apply enhanced security measures for sensitive information processing?
🌍 Cross-Border Transfer (국외 이전) • Articles 17 and 28-2 (제17조, 제28조의2)

6. Do you obtain consent specifying the recipient country, recipient identity, and transfer purpose before overseas transfers?

7. Do you ensure overseas recipients maintain equivalent protection levels or are bound by binding agreements?
👤 Data Subject Rights (정보주체 권리) • Articles 35-37 (제35조-제37조)

8. Do you provide mechanisms for data subjects to access their personal information?

9. Can data subjects request correction or deletion of their personal information?

10. Can data subjects request suspension of processing of their personal information?
🔒 Security Safeguards (안전조치) • Article 29 (제29조)

11. Do you implement technical safeguards (encryption, access control) as required by PIPC guidelines?

12. Do you encrypt personal information during transmission and storage (especially resident registration numbers)?

13. Do you maintain access logs and conduct regular security audits?
🚨 Breach Notification (유출 통지) • Article 34 (제34조)

14. Do you have procedures to notify affected data subjects within 72 hours of discovering a breach?

15. Do you have procedures to report breaches affecting 1,000+ data subjects to PIPC?
📋 Privacy Policy (개인정보 처리방침) • Article 30 (제30조)

16. Do you have a publicly accessible privacy policy (개인정보 처리방침) in Korean?

17. Does your privacy policy include all required disclosures (purposes, items, retention, rights, third parties, overseas transfers)?
👔 Chief Privacy Officer (개인정보 보호책임자) • Article 31 (제31조)

18. Have you designated a Chief Privacy Officer (CPO/개인정보 보호책임자)?

19. Is your CPO's contact information publicly disclosed in your privacy policy?
🤝 Data Processor Management (수탁자 관리) • Article 26 (제26조)

20. Do you have written contracts with data processors (수탁자) specifying scope and security requirements?

21. Do you supervise and audit your data processors' compliance?
📦 Retention & Destruction (보유 및 파기) • Article 21 (제21조)

22. Do you destroy personal information without delay when the retention period expires or the purpose is achieved?

Need Help with Korea PIPA Compliance? 🇰🇷

Our consultants help organizations implement PIPA-compliant systems, prepare for PIPC inspections, and establish cross-border data transfer mechanisms. We serve clients across APAC with Korean data protection expertise.


Understanding Korea's Personal Information Protection Act (PIPA)

What is Korea PIPA (개인정보 보호법)?

Korea's Personal Information Protection Act (PIPA/개인정보 보호법) is one of the world's most comprehensive data protection laws. Enacted in 2011 and significantly strengthened by the 2020 "Data Three Laws" (데이터 3법) amendment, PIPA regulates the collection, use, provision, and management of personal information by both public and private sectors.

Who Must Comply with Korea PIPA?

PIPA applies to all "personal information handlers" (개인정보처리자): Korean companies, foreign companies with Korea operations, foreign companies processing Korean residents' data, government agencies, and data processors (수탁자) handling data on behalf of controllers.

The 2020 amendment added extraterritorial scope, applying to foreign entities processing Korean residents' data even without a Korean presence.

Key Requirements Under Korea PIPA

The assessment above covers the core obligations: consent for collection (Article 15), sensitive information (Article 23), cross-border transfer (Articles 17 and 28-2), data subject rights (Articles 35-37), security safeguards (Article 29), breach notification (Article 34), the privacy policy (Article 30), the Chief Privacy Officer (Article 31), data processor management (Article 26), and retention and destruction (Article 21).

Penalties for PIPA Non-Compliance

The Personal Information Protection Commission (PIPC/개인정보보호위원회) enforces PIPA with administrative fines of up to 5% of related revenue or 400 million KRW, criminal penalties of up to 5 years' imprisonment or fines of up to 50 million KRW for willful violations, and corrective orders including public disclosure of violations.

Korea PIPA vs. GDPR

Korea received an EU adequacy decision in 2022, recognizing PIPA's equivalence to GDPR. Key similarities include consent requirements, data subject rights, and 72-hour breach notification. However, PIPA requires separate consent for each processing purpose (stricter than GDPR) and has specific rules for pseudonymized data processing under the Data Three Laws amendment.

Frequently Asked Questions • 자주 묻는 질문

What is Korea's Personal Information Protection Act (PIPA)?

Korea's PIPA (개인정보 보호법), enacted in 2011 and amended in 2020, is South Korea's comprehensive data protection law regulating the collection, use, provision, and management of personal information by both public and private sectors. It is enforced by the Personal Information Protection Commission (PIPC/개인정보보호위원회).

Who must comply with Korea PIPA?

PIPA applies to all personal information handlers (개인정보처리자), including Korean companies, foreign companies with Korea operations, foreign companies processing Korean residents' data (extraterritorial scope), government agencies, and data processors (수탁자) handling data on behalf of controllers.

What are the penalties for PIPA non-compliance?

Penalties include administrative fines of up to 5% of related revenue or 400 million KRW (~$300,000 USD), criminal penalties including imprisonment of up to 5 years or fines of up to 50 million KRW for willful violations, and corrective orders including public disclosure of violations.

What are Korea's cross-border data transfer requirements?

Cross-border transfers require data subject consent specifying the recipient country, recipient identity, and transfer purpose. Alternatively, transfers are permitted to countries with equivalent protection levels or through binding corporate rules approved by PIPC. The 2020 amendment strengthened these requirements significantly.

How does Korea PIPA compare to GDPR?

Korea received an EU adequacy decision in 2022, recognizing PIPA's equivalence to GDPR. Both share consent requirements, data subject rights, and 72-hour breach notification. Key differences: PIPA requires separate consent for each processing purpose (stricter), has specific pseudonymized data rules under the Data Three Laws, and is enforced by PIPC rather than by multiple national authorities.

Does Korea PIPA require a Data Protection Officer?

Yes. Article 31 requires designation of a Chief Privacy Officer (CPO/개인정보 보호책임자) who oversees personal information protection. The CPO's contact information must be publicly disclosed in the organization's privacy policy (개인정보 처리방침). This is mandatory for all personal information handlers.