Data Protection & Privacy 2026

Last Updated March 10, 2026

South Korea

Law and Practice

Authors



Kim & Chang has a privacy and data security practice that assists clients with better understanding the extensive Korean privacy and data security law requirements, and providing company-wide compliance audits and risk assessments of their current personal information-processing practices. It offers expertise in sectors and areas including e-commerce, insurance, banking, healthcare, TMT, HR, compliance, criminal defence and litigation, providing a holistic service that is suited to its clients’ needs. The privacy and data security practice within the firm has expertise in laws such as the Personal Information Protection Act and others that have a bearing on information security and data protection. The practice provides comprehensive advice that allows clients to effectively mitigate and manage the risk of civil, criminal and administrative liability, and is able to advise not only on legal compliance but also on technical compliance – it is recognised as one of the leaders in this field in Korea.

The Personal Information Protection Act (PIPA) is the overarching privacy legislation in Korea. Other statutes governing particular types of personal information include the Credit Information Use and Protection Act (the “Credit Information Act”) and the Act on the Protection and Use of Location Information (the “Location Information Act”). The Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc (the “Network Act”) also deals with some privacy issues, such as sending advertising information, appointing a Chief Information Security Officer and issuing certification for information security management systems.

While Korean constitutional law does not expressly guarantee rights related to personal information, the Constitutional Court’s position is that the right to self-determination of personal information derives from general personality rights, and the right to privacy and freedom and is thus protected under the Constitution.

The National Assembly passed the proposed bill for the Framework Act on the Development of Artificial Intelligence and the Establishment of a Foundation for Reliability (the “AI Framework Act”), which was set to take effect on 22 January 2026. This statute is Korea’s first foundational law in the field of AI, aiming to ensure transparency and safety by imposing various obligations on AI service providers.

Regarding extraterritorial reach, both the Network Act and the AI Framework Act expressly provide for extraterritorial application, and they apply to acts conducted outside Korea if such acts affect the Korean market or users (see Article 5-1 of the Network Act and Article 4 of the AI Framework Act).

By contrast, the PIPA does not contain an explicit provision on extraterritorial application. Nevertheless, the Personal Information Protection Commission (PIPC) explains in its Guideline on the Application of the PIPA to Overseas Business Operators (published in April 2024) that the applicability of the PIPA should be assessed by reference to factors such as:

  • whether goods or services are offered to Korean data subjects;
  • whether the relevant activities have an impact on Korea or on Korean data subjects; and
  • whether the business has an establishment within Korean territory.

The PIPA establishes the following general principles governing the processing of personal data.

  • Purpose specification and data minimisation: the purpose of processing must be clearly specified and personal data may be collected lawfully only to the extent necessary to achieve that purpose.
  • Purpose limitation: personal data must be processed within the scope of the stated purpose of collection. Any use beyond that purpose is prohibited.
  • Data accuracy: data controllers must ensure that personal data is accurate, complete and kept up to date, and must maintain appropriate controls to that end.
  • Security safeguards: data controllers must implement appropriate technical and administrative measures, taking into account the associated level of risk, to ensure the secure processing and management of personal data.
  • Transparency and protection of data subject rights: data controllers must make their privacy policies publicly available and ensure the effective exercise of data subject rights, including the right of access.
  • Minimisation of privacy intrusion: processing activities should be designed to minimise infringement of data subjects’ privacy.
  • Anonymisation or pseudonymisation: where anonymisation is feasible, anonymised data should preferably be used; if not, personal data should be pseudonymised.
  • Accountability and trust: data controllers should build trust with data subjects through compliance with and faithful implementation of their statutory obligations.

The legal basis on which a data controller may rely varies depending on the type of personal data processing. For the collection and use of personal data, permissible legal bases include (among others):

  • the data subject’s consent;
  • where processing is expressly authorised by applicable law (ie, statutory authorisation);
  • where processing is necessary for the performance of a contract to which the data subject is a party (ie, contractual necessity); and
  • where processing is necessary to pursue the legitimate interests of the data controller, subject to applicable statutory limitations (ie, legitimate interests basis).

The legal bases applicable to third-party provision of personal information, delegation of processing to a third party, and overseas transfers of personal data are subject to additional requirements and are addressed separately. Please refer to 5.1 Restrictions on International Data Transfers.

Regarding data subjects’ rights, under the PIPA, data subjects have a broad set of rights, including:

  • the right to request access to their personal data;
  • the right of data portability;
  • the right to request rectification, deletion and suspension of processing; and
  • the right to withdraw consent.

They also have the right to object to automated decision-making and to request an explanation of how such processing is carried out.

Under the Credit Information Act, credit data subjects have:

  • the right to request data portability;
  • the right to be notified of the credit information on which a transaction refusal was based;
  • the right to request explanations of, and raise objections to, the results of automated assessments;
  • the right to withdraw consent to the transfer of personal credit information; and
  • the right to request cessation of contact.

Credit data subjects may also request notification of credit inquiry records, free access to their credit information, and disclosure or access to information concerning changes in creditors related to their personal credit information.

Under the Location Information Act, personal location information subjects have:

  • the right to withdraw consent;
  • the right to request suspension of processing; and
  • the right to request access to, notification of, and correction of their personal location information.

For compliance, the data controller must establish and rely on an appropriate legal basis corresponding to each type of personal data-processing activity. In addition, the PIPA requires data controllers to implement technical, administrative and physical security measures necessary to ensure the security of personal data in accordance with the Standards for Measures to Ensure the Security of Personal Information, a notice published by the PIPC. Data controllers are also required to establish and publicly disclose a privacy policy that accurately describes their personal information-processing practices to ensure transparency.

Under the PIPA, special categories of personal data are:

  • sensitive information; and
  • unique identification information.

Sensitive information is personal information relating to an individual’s ideology or beliefs, membership in or withdrawal from a labour union or a political party, political opinions, health or sex life, genetic information, criminal history, biometric data used for identification purposes, and race or ethnicity, where the processing of such information may seriously infringe upon one’s privacy.

Unique identification information includes resident registration numbers, passport numbers, driver’s licence numbers, and foreigner registration numbers.

Because both sensitive information and unique identification information are subject to heightened protection (ie, requiring separate legal bases and enhanced security measures compared to general personal data), particular caution is required in their processing.

Additionally, the PIPA requires the consent of a legal guardian for the processing of personal information of children under the age of 14, and allows the legal guardian to exercise the data subject’s rights on behalf of the child.

Similarly, the Location Information Act also requires legal guardian consent for the processing of personal location information of children under the age of 14. The regulator has taken the position that, for children aged 8 to under 14, the lawful processing of personal location information requires both the legal guardian’s consent and the child’s own consent (however, this issue remains subject to ongoing litigation). Under the Location Information Act, the legal guardian may likewise exercise the rights of a personal location information subject on the child’s behalf.

The PIPA permits the processing of pseudonymised information without the data subject’s consent if such processing is necessary for statistical purposes, scientific research, or the preservation of records for the public interest.

If pseudonymised information is provided to a third party, it must not include any information that would enable the identification of an individual, and all other regulatory requirements applicable to the processing of pseudonymised information must be complied with.

Additionally, in the case of healthcare providers, the processing of medical information may be subject to further restrictions under the Medical Service Act and other applicable sector-specific laws and regulations.

The AI Framework Act

The AI Framework Act was passed by the National Assembly on 26 December 2024 and came into effect on 22 January 2026. This legislation establishes obligations for providers of high-impact, generative and high-performance AI services to ensure safety and transparency. It does not designate any categories of AI as prohibited. Key provisions include the following.

Extraterritorial regulation and domestic agent system

The AI Framework Act can apply to actions taken outside Korea if they affect the Korean market or users. AI service providers without a business presence in Korea must designate a domestic agent and report to the Minister of Science and ICT (MSIT) if they meet certain criteria.

Obligations for high-impact AI

AI business operators providing high-impact AI products or services are required to pre-assess their AI technology to determine whether it is high-impact, give advance notice to users, implement comprehensive safety and reliability measures to ensure no undue risk, and, where applicable, conduct an impact assessment on individuals’ fundamental rights and provide individuals affected by high-impact AI with explanations of the logic and principles behind AI-generated outcomes.

The high-impact AI category includes AI systems used in areas involving decisions that may have a material effect on individuals’ rights or obligations, such as energy, drinking water, healthcare, nuclear power, and decision-making related to employment or credit assessment for loans.

Obligations for generative AI

AI business operators that offer products or services using generative AI technology are required to give advance notice to users that the products or services are powered by generative AI, label products or services as being created by generative AI, and clearly label deepfake content.

Obligations for high-performance AI

AI business operators offering AI with a significant cumulative amount of compute used for training that surpasses a certain threshold are required to identify, assess and mitigate risks throughout the AI life cycle, as well as establish a risk-management system to monitor and address AI-related safety issues and report the results to the MSIT.

Further Details

Details such as the scope of AI-related obligations will be determined by the subordinate laws and regulations. As the subordinate laws and guidelines for the AI Framework Act have not yet been finalised as of the date of this article, it is necessary to continue monitoring legislative developments.

The AI Framework Act relies on the existing PIPA regulations when it comes to personal information. The PIPC plays a key role in shaping these regulations.

  • The PIPC is actively developing AI-related policies, having published various guidelines that define the application principles and standards of the PIPA. These guidelines cover topics including generative AI, privacy risk management model for safe use of AI, publicly disclosed information, unstructured data, biometric information, synthetic data, mobile image devices and transparency.
  • In 2023, the PIPA was amended to introduce regulations on automated decisions made by fully automated systems, such as AI. Under these regulations, data subjects have the right to request explanations of automated decisions and, in some cases, the right to refuse them. Data controllers must disclose the standards and procedures for these decisions and how personal information is processed, ensuring that data subjects can easily understand this information.

The PIPC believes that applying the principle of personal information protection in a balanced manner is essential for maximising the benefits and opportunities of using AI, while minimising the risk of personal information infringement potentially caused by AI. In particular, the PIPC seeks to promote the use of data by resolving legal uncertainties through the following systems:

  • regulatory sandbox – under certain conditions, products or services using new AI technologies can first be released, tested and verified without being subject to all or part of the existing personal information regulations, thereby promoting the use of data necessary for the development and provision of AI; and
  • preliminary adequacy review system – if it is uncertain whether a service provider can comply with the PIPA in the course of planning new technologies or services such as AI, the service provider and the PIPC can work together to come up with a plan to resolve legal uncertainties.

A data controller is required to:

  • report a data breach to the PIPC or the Korea Internet & Security Agency (KISA); and
  • notify the affected data subjects within 72 hours from the time it becomes aware of the breach.

While the reporting obligation to the authorities is triggered only when certain statutory thresholds are met, notification to data subjects is mandatory in all cases where a data breach has occurred.

Separately, even where no data breach has occurred, online service providers may be subject to additional reporting obligations under other applicable laws. For example, if a cybersecurity incident affecting information networks or related systems is identified, a report must generally be filed within 24 hours. Depending on the interplay between applicable laws, certain reporting or notification obligations may be exempted. Accordingly, in practice, business operators must carefully review the laws applicable to each incident and determine whether they bear reporting or notification obligations.

In the event of a data breach or a cybersecurity incident, investigations are typically conducted by the PIPC and the MSIT, with the assistance of the KISA. If necessary, the MSIT may also form a public-private joint investigation task force for the investigation. In addition, the National Assembly may conduct audits or hold hearings, and the National Police Agency may carry out witness investigations. Such investigations by different authorities often proceed simultaneously.

When a data breach takes place, data subjects may file an application for collective dispute mediation under the PIPA. Although the PIPA does not provide for a class action mechanism for damages, data subjects may individually bring civil claims for damages before the courts. If a data controller refuses to participate in collective dispute mediation or declines to accept the mediation outcome, consumer organisations or civic groups designated under the PIPA may file an injunctive action with the court seeking to prohibit or suspend the infringing conduct.

The key regulators are as follows:

  • the PIPC (in charge of enforcing the PIPA);
  • the Korea Media and Communications Commission (KMCC) (in charge of enforcing the Network Act and the Location Information Act);
  • the KISA (conducts tasks related to information security as delegated by the PIPC, the KMCC and the MSIT);
  • the Financial Services Commission (FSC) (in charge of enforcing the Credit Information Act); and
  • the MSIT (in charge of enforcing the AI Framework Act).

The PIPC, the KMCC, the FSC and the MSIT have the authority to conduct investigations – for example, through requests for information and on-site inspections. While the KISA does not have law enforcement authority by itself, it often conducts investigations on behalf of the PIPC, the KMCC and the MSIT.

Although investigations are often initiated when data controllers report a data breach or personal information infringement to the regulators, the regulators also conduct regular as well as ad hoc inspections based on the relevant laws and regulations. The regulators – including the PIPC, KMCC and FSC – issue an annual work plan at the beginning of each year, and this helps businesses to anticipate which industry sectors may be a target each year. Investigations can also be triggered when there is media coverage of a specific incident or issue. In data breaches where multiple regulators are involved, investigations are often conducted in parallel. While the guidance issued by each regulator is not legally binding, it effectively serves as the practical standard for enforcement in practice.

The PIPC has recently declared its intention to “secure leadership in global personal information regulatory norms”. To that end, it expressed its commitment to strengthening international co-operation, providing more detailed guidance for foreign business operators, and analysing major enforcement actions taken by overseas regulators. Through these efforts, the PIPC aims to enhance its global investigative capabilities and establish an international information-sharing network.

Regulators must provide a written notice before commencing an investigation, as well as prior to imposing an administrative disposition. In order for an administrative disposition to be lawful, not only should the procedures be lawful but the content of such disposition must also satisfy the principle of proportionality.

Where a data controller intends to object to an administrative fine, it may file a written objection, after which the matter proceeds to a court trial. For other administrative dispositions, it may file an administrative appeal or an administrative lawsuit.

The administrative fine and the administrative penalty are both monetary sanctions for administrative violations, but they differ in the nature and severity of the offences they address. Typically, administrative fines are imposed for minor violations and have a maximum amount specified by law. In contrast, administrative penalties are reserved for more serious violations, with the maximum amount determined as a percentage of the violator’s revenue.

In practice, administrative fines are calculated based on a predetermined amount according to the type and number of violations. These fines can be adjusted – either increased or decreased – by considering factors such as the severity, duration, motive and damage caused by the violation, as well as other legal criteria. Generally, administrative penalties cannot exceed 3% of the violator’s total revenue, although revenue unrelated to the violation is to be excluded from this calculation. Administrative penalties may also be adjusted based on factors such as the number and duration of violations, the profits gained, voluntary corrective actions and efforts to mitigate damage.

Previously, the maximum base amount for administrative penalties was set at “no more than 3% of the revenue related to the violation”. However, with the implementation of the amended PIPA in 2023, this base amount was changed to “no more than 3% of the total revenue”, while allowing for the exclusion of unrelated revenues. Consequently, with the burden of proving the irrelevance to the violation shifting to the data controller, the amounts of imposed administrative penalties have been increasing.

The following are key regulatory actions taken by the PIPC from 2024 to 2025. As regulations have recently been strengthened, it is important to proactively assess potential legal violation risks and identify conduct that may be problematic for effective risk management.

In May 2024, the PIPC imposed an administrative penalty of approximately KRW7.5 billion and an administrative fine of KRW5.4 million in a case where personal information of over 2.21 million users was leaked. Additionally, an administrative penalty of approximately KRW15.1 billion and an administrative fine of KRW7.8 million were imposed in a case involving leaks of anonymous chatroom users’ information.

Additionally, in August 2025, the PIPC imposed an administrative penalty of approximately KRW134.7 billion and an administrative fine of KRW9.6 million on a telecommunications carrier in a case where personal information of over 23 million users was leaked. This case marked the largest monetary penalty ever imposed for a personal information leak by the PIPC.

In July 2024, the PIPC imposed on a Chinese e-commerce service provider an administrative penalty of approximately KRW2 billion and an administrative fine of KRW7.8 million for failing to secure user consent for overseas transfers of personal information and for not including necessary data protection measures in seller agreements. This case highlighted that overseas providers are subject to the same level of regulation required of domestic service providers to ensure robust protections for managing personal information.

In November 2025, despite repeated requests from the PIPC to submit materials for an investigation, an online wiki operator refused to comply on the grounds that its headquarters were located overseas and that it was therefore not subject to Korean law. As a result, the PIPC referred the foreign operator to law enforcement authorities.

The administrative penalty amount imposed for violations of the PIPA has increased significantly, and the number of administrative lawsuits filed against the PIPC has been increasing – KRW61.1 billion/three cases in 2024 to KRW167.4 billion/seven cases in 2025 (up to November). Moreover, as explained in 1.8 Enforcement Proceedings and Fines, the amendment to the PIPA has changed the threshold for administrative penalties, which is expected to further increase the number of administrative lawsuits filed against the PIPC.

In contrast, civil lawsuits brought by data subjects against data controllers most often arise in connection with data breaches, where claims for damages or compensation for mental suffering are pursued. In practice, however, data subjects frequently face difficulties in proving actual financial loss and therefore tend to focus their claims on compensation for mental suffering.

Under the PIPA, data subjects may claim statutory damages of up to KRW3 million even without demonstrating an actual financial harm. In awarding damages, Korean courts consider factors such as the sensitivity of personal information involved, the scale of the breach, and the data controller’s response to the incident. To avoid liability, the data controller must prove that the breach was not caused by intent or negligence, but this burden is often difficult to meet in practice.

Major lawsuits related to privacy in 2025 were as follows.

In 2022, the PIPC imposed administrative penalties of around KRW100 billion in total on two online platforms on the ground that they did not obtain legitimate consent from users for processing their personal information for personalised advertising purposes. The two online platforms filed a lawsuit seeking revocation of the disposition imposed by the PIPC. In January 2025, the Seoul Administrative Court dismissed the claims of the two online platforms, and they have appealed to the Seoul High Court. As regulations on the collection of behavioural data and the use of personalised advertising are being tightened in other jurisdictions such as the EU, this case is the first decision in Korea regarding the collection and use of behavioural data on personalised online advertising platforms, and the outcome of the appeal is being watched closely.

In 2025, the Supreme Court held that, depending on the circumstances, submitting litigation documents or evidence containing personal information to a court to substantiate claims or to defend against criminal charges, and submitting evidentiary materials containing personal information to law enforcement authorities in connection with criminal complaints or investigations to substantiate allegations or to exercise the right of defence, may constitute “justifiable acts” under the Criminal Code and would therefore not be punishable as violations of the PIPA. Previously, because the PIPA contained no explicit provision authorising the submission of documents containing personal information to courts or law enforcement authorities without a warrant or court order, such conduct had been regarded as potentially constituting a violation of the PIPA. Following the Supreme Court’s ruling, the legal risk associated with such submissions has been reduced.

In 2025, the Supreme Court held that a data subject’s right under the PIPA to request the suspension of personal information processing does not extend to the pseudonymisation of personal information. The case arose when mobile subscribers sought to suspend the pseudonymisation of their personal information, which was being carried out for purposes of scientific research, statistical analysis and the preservation of records in the public interest. The mobile service providers refused the request, and the dispute proceeded to litigation. In reaching its conclusion, the Supreme Court emphasised that the PIPA clearly distinguishes between “processing” and “pseudonymisation”, and reasoned that pseudonymisation is a method designed to reduce the risk of individual identification and is therefore different in nature from ordinary processing of personal information. The Court further noted that the legislative intent underlying the PIPA provision on pseudonymisation was to promote data utilisation and foster new industries.

In 2025, the Supreme Court issued a decision adopting a broader interpretation of the scope of “use” of personal information under the PIPA. The case involved a daycare centre director, the defendant, who reviewed CCTV footage recorded at the daycare centre to check whether teachers were using their mobile phones during working hours, and then orally communicated information about such mobile phone use based on what was observed from the footage. The key issue in this case was whether conveying information obtained from the CCTV footage, rather than providing the footage itself, constituted a “use” of personal information beyond the original purpose for which the information was collected. The Supreme Court held that the “use” of personal information is not limited to using the data in its originally collected form, but also includes processing, editing or extracting information from the collected personal information and the subsequent use of the resulting information. On this basis, the Supreme Court concluded that the defendant had used the personal information beyond the scope of the original purpose for which it was collected, in violation of the PIPA.

The PIPA includes a mechanism for collective redress through a dispute mediation system. This allows national and local governments, personal information protection organisations, data subjects and data controllers to request or apply for collective dispute mediation via the Dispute Mediation Committee. This process is applicable in situations where multiple data subjects experience similar damage or rights infringements, provided the following criteria are met.

  • At least 50 data subjects must have suffered harm, excluding:
    1. data subjects who have already reached an agreement with the data controller regarding dispute resolution or compensation;
    2. individuals who are currently involved in a dispute mediation process under different laws or regulations for the same issue; and
    3. individuals who have filed a lawsuit regarding the personal information infringement in question.
  • The case’s key issues must share common factual or legal characteristics.

Despite this framework, collective dispute mediation has been rarely utilised.

There are no general laws or regulations governing the protection and processing of non-personal data. Instead, such matters are regulated under sector-specific legislation. For instance, in the field of cloud computing, the Cloud Computing Act applies. While the Cloud Computing Act does not prescribe specific provisions on data transfer, it prohibits a cloud service provider, or any third party that has received user information from the provider, from providing such information to another third party or using it for purposes other than service provision without the user’s consent, unless required to do so by a court order or a warrant issued by a judge.

Separately, depending on the type of issue, the following individual laws and regulations may apply.

  • Security and safety management: the Network Act mandates manufacturers and importers of IoT devices to implement protective measures to ensure the stability and reliability of information and communications networks. Additionally, the Network Act includes an information protection certification system for IoT products.
  • Data sharing: there is no law similar to the EU Data Act that directly requires data holders to share data during the development, launch or operation of IoT products. However, the Framework Act on Promotion of Data Industry and Promotion of Use allows the government to support the establishment of data distribution and transaction systems.
  • For issues such as wiretapping, Korean law restricts recording and listening to conversations among unspecified individuals. Service providers need to ensure compliance with these restrictions to avoid violations, including under the following:
    1. the Protection of Communications Secrets Act – prohibits unauthorised wiretapping and recording of undisclosed conversations;
    2. the Network Act – forbids damaging, misappropriating or divulging others’ information processed through a communications network; and
    3. the Korean Criminal Code – deems it illegal to obtain confidential documents or electronic records through technical means without authorisation.
  • Location information: in Korea, the use of location information is governed by the Location Information Act. The Location Information Act is particularly relevant when collecting and using location data.

Under Korean law, the frameworks mentioned in 3.1 Objectives and Scope of Data Regulation apply concurrently, unless a specific statute expressly excludes the application of another.

For personal information, the PIPA serves as the general law. In cases where a more specific statute governs a particular type of personal information, that statute prevails over the PIPA under the lex specialis principle. For instance, as a special law for location information, the Location Information Act takes precedence over the PIPA for location information.

Unlike personal information, which entails specific legal rights and obligations under the PIPA, non-personal information faces lighter regulation, unless such non-personal information falls into special categories (eg, state secrets). For instance, data subjects whose personal information is processed may exercise the data subject’s rights under the PIPA, such as access and data portability, and data controllers must respond promptly.

By contrast, for non-personal information, there are no general laws or regulations that grant similar rights or obligations. For example, although public institutions are generally required to disclose most of their data for free use (with some exceptions), this requirement does not extend to private companies. Also, the government may recommend that cloud service providers establish co-operation frameworks to promote interoperability, though such recommendations are not legally binding. Therefore, companies should distinguish personal information from non-personal information and tailor compliance efforts accordingly.

As explained in 1.7 Regulators, the key regulatory authorities include the PIPC, KMCC, KISA, FSC and MSIT. If multiple laws apply to a given matter, these regulators may exercise regulatory authority concurrently. For instance, as noted in 1.6 Data Breach Requirement, recent cases have involved simultaneous investigations by the PIPC, KISA and MSIT’s joint private-public task force into cyber-incidents and data breaches.

The PIPA does not require data controllers to obtain users’ consent for the installation of cookies, nor does it restrict the use of cookies. However, if the information collected through cookies qualifies as personal information – defined by the PIPA as information that can be easily combined with other information to identify an individual – it falls under the PIPA’s regulations, and a legal basis, such as explicit opt-in consent, is required. The PIPA also obligates data controllers to state “matters concerning the installation, operation and refusal of a device that automatically collects personal information, such as an internet access data file” in their privacy policies – ie, data controllers are obligated to state such matters when installing and operating a device that automatically collects personal information, such as a cookie or similar technology, on their own website or app.

Please refer to 4.2 Personalised Advertising and Other Online Marketing Practices for enforcement trends related to behavioural information collected through cookies.

Personalised Advertising

In the absence of specific statutory regulations regarding the processing of behavioural data for personalised advertising, the general legal principles of the PIPA apply if such information is considered personal information. That is, if online identifiers used for targeted advertising, along with the behavioural information collected, can be combined to personally identify individuals, this information is classified as personal information. Consequently, to collect and use this behavioural data for personalised advertising, the legal requirements for processing personal information – such as securing legitimate legal grounds for processing – must be met.

Conversely, if the behavioural data does not enable the identification of specific users, it is not considered personal information under the PIPA. In this scenario, PIPA regulations do not apply, though the PIPC recommends implementing safety measures.

Online Marketing Practices

In order to send marketing communications via an electronic medium such as email or SMS, data controllers must obtain from the data subject:

  • consent to processing their personal information for marketing purposes pursuant to the PIPA; and
  • consent to receiving marketing communications in accordance with the Network Act.

Data controllers are required to comply with certain formality requirements to clearly show that the information is an advertisement, and separate consent from the data subject is required for night-time transmission.

Children’s Data

As explained in 1.3 Special Categories of Personal Data, the PIPA generally requires data controllers to obtain consent from a legal guardian when obtaining consent for processing personal information of children under 14. Moreover, when providing notices to such children under the age of 14, data controllers must use simple and clear language and formats. Separately, the “Guidelines to Protection of Children and Youth Personal Information (December 2024)” published by the PIPC require minimising targeted ads based on children’s behavioural data, providing clear prior notice and obtaining consent. If data controllers serve targeted ads by combining behavioural data and personal information of children under 14, they must obtain prior consent from the child’s legal guardian.

There are no specific regulations or considerations exclusively for processing employees’ personal information; instead, the general provisions of the PIPA apply. The PIPC’s “Guidelines for Protection of Personal Information by Field (December 2024)”, under the “HR/Labour” section, provide some guidance on processing personal information related to hiring and employment. Key details include the following.

Processing Employee Data in a Job Application Context

Under the Hiring Procedures Act, employers may collect only the personal information strictly necessary for hiring, and must not collect information unrelated to job duties. They may process such minimal information without the applicant’s consent, but they must obtain explicit consent before collecting sensitive information or unique identification information. If collecting sensitive information or unique identification information is unavoidable, employers must obtain separate consent from the applicant.

Criminal Background

Under the Act on the Lapse of Criminal Sentences, employers are restricted to a certain extent when collecting applicants’ criminal records.

Monitoring of Employees

When the legal basis for collecting and using employees’ personal information for monitoring purposes is unclear, employers must obtain the employees’ consent. In such cases, employers must ensure truly voluntary consent, considering the inherent imbalance in labour-management relations.

Surveillance Devices

Installing surveillance devices, such as CCTV, in the workplace requires labour-management consultation according to the Act on the Promotion of Workers’ Participation and Co-Operation. Employers must not use CCTV audio recording functions and are required to install signboards (or equivalent notices) disclosing the fact of filming and its scope.

Data Retention

Employers must retain employee data for a specific period as mandated by the Labour Standards Act.

Transparency

Employers must include details of employees’ personal information processing in their privacy policy and make it easily accessible to employees.

Also, in terms of sharing employees’ personal information with affiliates outside Korea, data controllers must pay close attention to the legal requirements explained in 5.1 Restrictions on International Data Transfers.

Regarding data protection in M&A, general principles and regulations of the PIPA apply. For example, data transfer to third parties, as detailed in 5.1 Restrictions on International Data Transfers, typically involves either third-party provision or delegation of processing. Transferring personal information in the course of M&A is likely to be considered as third-party provision.

While the PIPA generally requires consent from data subjects to provide personal information to a third party, it includes a specific provision regarding the transfer of personal data during asset deals. If a data controller transfers personal information as part of a business transfer or a merger involving all or part of its operations, the controller must notify the data subjects in advance about the following, and the consent requirement is waived:

  • the fact that their personal information will be transferred;
  • the name, address, telephone number and other contact information of the recipient of the personal information; and
  • the method and procedure for withdrawing consent if the data subject does not wish their personal information to be transferred.

In principle, the business transferor must provide the above information in writing (eg, written document, email, fax, phone, text message or any other equivalent method). However, if the business transferor is unable, without negligence on its part, to provide such information in writing, the business transferor must publish this information on a website for at least 30 days. If there is a justifiable reason for not being able to publish the above information on a website, the business transferor must:

  • publish the above information in an easily visible location within the business transferor’s place of business for at least 30 days; or
  • publish it in a daily newspaper that is mainly distributed in the city, province or region where the business transferor’s place of business is located.

The business transferee has the same notification obligation as the business transferor. However, if the notification has been provided by the business transferor, the business transferee is not required to provide one. Meanwhile, a business transferee that has received personal information as part of a business transfer or merger may use the personal information or provide it to a third party only for the original purpose for which it received the information.

Under the PIPA, a data controller may transfer personal information overseas (ie, provide, delegate the processing of, or store personal information with an overseas entity) only on one or more of the following grounds:

  • where the data controller obtains separate consent from the data subject;
  • where there is specific authorisation by treaty or other international agreement;
  • where personal information is stored overseas and/or personal information processing is delegated to an overseas entity because it is necessary for the execution and performance of an agreement with the data subject, and certain information regarding the overseas transfer (storage/delegation) is disclosed to the data subject, through either the data controller’s privacy policy or other written means such as email;
  • where the recipient party located overseas has obtained certification from the PIPC, and has taken measures to ensure that personal information and rights of data subjects are protected and to implement the matters subject to certification in the destination country; or
  • where the PIPC has recognised the adequacy of the level of the privacy protection provided in the destination country.

In the case of international data transfers, the data controller must consult with the recipient and reflect the following in the relevant agreement:

  • measures to ensure safety for protecting personal information under the PIPA;
  • measures to handle grievances and resolve disputes with respect to personal information breaches; and
  • other measures necessary to protect the personal information of data subjects.

Third-Party Transfers

Separate from such regulation regarding overseas transfers, transferring personal information to a third party outside Korea for the purpose of either providing personal information to a third party or delegating the processing of personal information also constitutes third-party provision or delegation of processing of personal information under the PIPA, respectively – these are subject to the relevant provisions of the PIPA in addition to the above-mentioned regulation on overseas transfer. Third-party provision occurs where a data controller provides personal information to a third-party recipient for the purpose and benefit of the third-party recipient. Delegation occurs where a third-party entity processes personal information that it receives from the data controller for the purpose and benefit of the data controller.

Restrictions on third-party provision and delegation

If the transfer in question constitutes a third-party provision within the original purpose of collection, the PIPA requires the data controller to meet at least one of the following grounds:

  • where the data controller obtains consent from the data subject;
  • where there are special provisions in law allowing third-party provision, or third-party provision is inevitable to comply with statutory obligations;
  • where third-party provision is evidently deemed necessary for urgent protection of life, body or property of a data subject or a third party;
  • where third-party provision is necessary to achieve the legitimate interests of a data controller, and such necessity clearly supersedes the rights of the data subject – in such cases, third-party provision is limited to where the legitimate interests of the data controller are substantially related and do not go beyond the reasonable scope; or
  • where third-party provision is urgently required for public safety and security.

If the transfer in question constitutes a delegation, consent from the data subject is not required. However, the data controller must disclose details of delegation and enter into a written agreement with the entity that is delegated with the processing of personal information. Such agreement must include matters that are statutorily required under the PIPA.

Apart from the regulations mentioned in 5.1 Restrictions on International Data Transfers and 5.3 Data Localisation Requirements, data controllers are not required to provide notification to government agencies or to obtain approvals.

While there is no general data localisation rule under the PIPA, there are individual laws that prohibit overseas transfer of specific types of data, such as the following:

  • the Medical Services Act prohibits storing electronic medical records (EMR) outside Korea;
  • the Act on the Establishment and Management of Spatial Data requires a licence to transfer certain map data outside Korea;
  • the Industrial Technology Protection Act requires a company to obtain approval from or file a prior report with the Ministry of Trade, Industry and Energy in order to export national core technology;
  • the Electronic Financial Transactions Act stipulates that financial companies or electronic financial business operators’ systems for processing unique identification information or personal credit information cannot be located outside Korea in the course of using cloud computing services; and
  • the Cloud Computing Act stipulates that data processed by Korean government organisations and public institutions must be located in Korea.

There are no “blocking” statutes that protect Korean companies from the effect of extraterritorial sanctions.

As outlined in 5.1 Restrictions on International Data Transfers, one of the legal bases for transferring personal information internationally is when the PIPC acknowledges that the destination country provides an adequate level of privacy protection. In September 2025, the PIPC announced its first adequacy decision for the EU as well as its plans to expand this to countries such as the UK and Japan through future adequacy review. For countries such as the USA, where privacy frameworks differ significantly despite high data transfer needs, the PIPC plans to develop customised overseas transfer mechanisms.

Moreover, the PIPC plans to broaden the available mechanisms for the secure and seamless overseas transfer of personal information by amending the PIPA in the first half of 2026. These mechanisms may include the Standard Contractual Clauses prepared by the PIPC or Binding Corporate Rules of multinational companies approved by the PIPC. The PIPC also plans to introduce the Overseas Transfer Impact Assessment System for self-evaluating risks in large-scale overseas transfers of highly sensitive data, alongside an Overseas Transfer Pre-Review System tailored for M&A activities.

Kim & Chang

39, Sajik-ro 8-gil
Jongno-gu
Seoul 03170
Korea

+82 2 3703 1114

+82 2 737 9091/9092

lawkim@kimchang.com www.kimchang.com

Trends and Developments

Authors

Lee & Ko was established in 1977 and has evolved into a leading full-service law firm in South Korea, recognised for its excellence across various legal domains. Lee & Ko is known for delivering timely, practical solutions in complex legal matters. The firm’s in-house resources include attorneys, accountants, patent agents, former government officials and other specialists, ensuring that clients can access a wide range of services cost-effectively. Further, Lee & Ko maintains an extensive global network and collaborates with international law firms. This allows the firm to assist clients not only with Korean legal matters but also with cross-border transactions by connecting to legal advisers worldwide, making the firm a sought-after choice for clients requiring comprehensive and efficient legal assistance.

Korea’s 2026 Amendments to the Personal Information Protection Act: Strengthened Corporate Accountability and Developments in AI-Related Data Use

Introduction

In 2025, Korea experienced a series of unprecedented large-scale personal data breaches across sectors closely connected to everyday life, including telecommunications, e-commerce and financial services. A major telecommunications company, SK Telecom, suffered a hacking incident affecting approximately 23 million users. An e-commerce platform, Coupang, reported the exposure of approximately 33 million customer records, and a credit card company, LotteCard, experienced a breach involving approximately 2.97 million individuals. These cross-sector incidents revealed significant weaknesses in corporate data protection governance.

The regulatory response was substantial. While the investigations by the Personal Information Protection Commission (PIPC) concerning Coupang and LotteCard remain ongoing, the PIPC imposed an administrative penalty exceeding KRW134.7 billion (approximately USD93 million) in relation to the SK Telecom data breach. More recently, it imposed administrative penalties totalling KRW36.033 billion (approximately USD25 million) against the Korean subsidiaries of Louis Vuitton, Dior and Tiffany & Co for personal data breaches. These enforcement actions underscored that inadequate data protection systems may give rise to significant regulatory, commercial and reputational exposure.

The recurrence of large-scale breaches prompted criticism that existing corporate governance and internal control mechanisms were insufficient to prevent systemic data protection failures. In response, the National Assembly pursued legislative reform aimed at strengthening accountability and enhancing the effectiveness of the Personal Information Protection Act (PIPA).

On 12 February 2026, the National Assembly passed a bill partially amending the PIPA (the “Amended PIPA”). The amendments extend beyond increasing administrative penalties and instead revise core elements of the statutory framework. Key changes include:

  • express clarification of the responsibility of representative directors;
  • strengthened authority and reporting functions of the Chief Privacy Officer (CPO);
  • mandatory Personal Information and Information Security Management System (ISMS-P) certification for data controllers meeting prescribed thresholds;
  • restructuring of the personal data breach notification regime;
  • introduction of an aggravated administrative penalty of up to 10% of total turnover for repeated or serious violations; and
  • revision of administrative fine provisions.

Through these measures, the Amended PIPA clarifies that personal data protection is not limited to technical compliance obligations but forms part of corporate management and governance responsibility. The Amended PIPA will enter into force six months after promulgation, though the mandatory ISMS-P certification requirements will take effect from 1 July 2027.

In parallel with the strengthening of corporate responsibility, the PIPC has also indicated its intention to introduce special statutory provisions permitting limited processing of personal data for artificial intelligence (AI) development or performance improvement, subject to defined conditions and regulatory oversight.

In addition, several significant court decisions have recently been rendered addressing the scope of corporate liability for damages arising from data breaches and the applicability of the right to request suspension of processing in the context of pseudonymisation.

The principal elements of these developments are discussed below.

Key Amendments Under the Amended PIPA

Express clarification of representative director responsibility and strengthening of the CPO’s role

A key structural change introduced by the Amended PIPA concerns the clarification of responsibility for personal data protection within the corporate structure. The amendments expressly identify the representative director (or business owner in the case of a sole proprietorship) as bearing ultimate responsibility, expand the organisational and reporting functions of the CPO, and, for entities meeting prescribed thresholds, subject the appointment and removal of the CPO to board approval and notification to the PIPC. Accordingly, personal data protection in Korea is addressed within formal corporate governance processes rather than solely as an operational compliance matter.

Express clarification of representative director responsibility (new Article 30-3)

The Amended PIPA introduces a new Article 30-3, which expressly provides that a representative director or business owner bears ultimate responsibility for the safe processing of personal data and the protection of data subjects’ rights. The provision further requires that such representative director or business owner implement effective overall management measures, including the provision of professional personnel and sufficient budgetary support necessary for personal data protection.

Expansion of the CPO’s duties (Article 31, paragraph 4, subparagraphs 2 and 3)

Article 31 of the Amended PIPA expands the statutory duties of the CPO. In addition to existing responsibilities, the CPO is now required to:

  • manage professional personnel necessary for personal data protection and secure the relevant budget; and
  • report to the business owner or representative director, as well as to the board of directors, on the status of personal data protection and other major related matters.

Board resolution and reporting obligations for CPO appointment (Article 31, paragraph 3, subparagraphs 1 and 2)

Under the Amended PIPA, data controllers meeting thresholds to be prescribed by Enforcement Decree and based on factors such as turnover and scale of personal data processing are subject to additional procedural requirements concerning the CPO. For such entities:

  • the appointment, replacement or dismissal of the CPO must be approved by a resolution of the board of directors; and
  • such appointment, replacement or dismissal must be reported to the PIPC.

Mandatory personal information protection certification (ISMS-P)

The Amended PIPA introduces mandatory ISMS-P certification requirements for certain data controllers.

ISMS-P builds upon the existing ISMS certification framework required for certain entities under the Act on Promotion of Information and Communications Network Utilisation and Information Protection, by incorporating additional requirements relating to personal data protection.

Certification is conducted by the Korea Internet & Security Agency (KISA) and, in the case of financial institutions, the Financial Security Institute (FSI), which evaluate whether an organisation has systematically established and operates measures and activities for information security and personal data protection.

Under the previous regime, obtaining ISMS-P certification was generally voluntary for most data controllers and was often pursued to enhance external credibility regarding the robustness of their data protection practices.

By contrast, the Amended PIPA now requires data controllers meeting prescribed thresholds to obtain ISMS-P certification as a statutory obligation. The applicable thresholds will be determined by Enforcement Decree, taking into account factors such as turnover and the scale of personal data processing. The PIPC has also indicated that it may actively consider revocation of ISMS-P certification in cases involving serious violations relating to personal data protection.

Restructuring of the personal data breach notification regime

The Amended PIPA revises the notification regime applicable to personal data breaches by expanding the scope of personal data breaches subject to notification and broadening the content of required notifications. These changes affect both the timing and scope of notification obligations imposed on data controllers.

Expansion of the scope of personal data breaches subject to notification (Article 23, paragraph 2 and Article 34, paragraph 1)

Before the Amended PIPA, notification to data subjects was required where breached personal data had been “lost, stolen or leaked”. The Amended PIPA expands the scope of personal data breaches to include cases of “forgery, alteration or damage” to personal data.

Introduction of notification obligation in cases of potential personal data breach (Article 34, paragraph 2)

The Amended PIPA introduces a new obligation to notify data subjects even where an actual personal data breach has not yet been conclusively confirmed. Where a data controller becomes aware of a possibility of a personal data breach – as determined under Enforcement Decree with reference to the type of personal data involved, the potential impact on data subjects and the level of risk – the data controller must, without delay, notify all affected data subjects of such possibility and provide information necessary to minimise harm.

Expansion of notification content (Article 34, paragraph 1)

In addition to the existing notification items required, the Amended PIPA further requires data controllers to inform data subjects of:

  • information concerning their legal rights and available methods of exercising such rights, including claims for damages and statutory damages arising from the personal data breach; and
  • other matters to be prescribed by Enforcement Decree.

Introduction of an aggravated administrative penalty regime of up to 10% of total turnover

The Amended PIPA revises the administrative penalty framework by introducing an aggravated penalty of up to 10% of total turnover in specified cases of repeated or serious violations, while also establishing a statutory basis for mandatory mitigation in certain circumstances.

Introduction of an aggravated administrative penalty of up to 10% of the total turnover (Article 64-2, paragraph 2)

Under Article 64-2, paragraph 1 of the PIPA, where a violation subject to an administrative penalty occurred, the PIPC was authorised to impose an administrative penalty of up to 3% of the total turnover, excluding turnover unrelated to the violation. Where turnover was absent or difficult to calculate, the maximum administrative penalty was KRW2 billion (approximately USD1.4 million).

The Amended PIPA introduces Article 64-2, paragraph 2, pursuant to which an administrative penalty of up to 10% of the relevant total turnover, excluding turnover unrelated to the violation, may be imposed, or up to KRW5 billion (approximately USD3.5 million) where turnover is absent or difficult to calculate, in the following circumstances:

  • where, within three years from the date of a prior administrative penalty, the data controller commits the same type of violation, provided that each violation involves intent or gross negligence (for clarity, the assessment of intent or gross negligence for purposes of administrative penalties follows the criteria specified in the PIPC’s administrative penalty guidelines, rather than general Civil Code standards);
  • where a violation subject to an administrative penalty is committed with intent or gross negligence and affects more than ten million data subjects; or
  • where a personal data breach occurs due to failure to comply with a corrective order.

The violations listed in Article 64-2, paragraph 1 – including personal data breach, use or provision of personal data beyond the permitted purpose, and unlawful processing of unique identification information or sensitive information – may fall within the aggravated regime if the above conditions are met.

Introduction of a mitigation provision (Article 64-2, paragraph 6)

The Amended PIPA further introduces Article 64-2, paragraph 6, which provides that an administrative penalty must be reduced where the data controller has made investments and operated measures relating to personal data protection, including budget, personnel, facilities or systems, as prescribed by Enforcement Decree. This mitigation provision does not apply in cases involving intent or gross negligence.

Revision of administrative fine provisions (Article 75)

The Amended PIPA revises and supplements administrative fine provisions in order to ensure the enforceability of newly introduced or amended obligations.

In particular, the following violations are now subject to administrative fines or increased administrative fine amounts:

  • failure to designate a CPO, or designation of a CPO who does not meet statutory qualification requirements, with the maximum administrative fine increased from KRW10 million to KRW30 million (approximately USD21,000);
  • failure to obtain board approval for the appointment, replacement or dismissal of a CPO, where required, subject to a maximum administrative fine of KRW30 million (approximately USD21,000);
  • failure to report the appointment, replacement or dismissal of a CPO to the PIPC, where required, subject to a maximum administrative fine of KRW30 million (approximately USD21,000); and
  • failure to obtain mandatory personal data protection certification, subject to a maximum administrative fine of KRW30 million (approximately USD21,000).

Legislative Developments Concerning Special Provisions for AI

Alongside the strengthening of corporate accountability under the Amended PIPA, legislative discussions have progressed regarding the introduction of special provisions permitting certain processing of personal data for AI development or performance improvement. The PIPC has stated, including in its 2026 policy plan, that it intends to complete legislative measures introducing such provisions as part of broader governmental efforts to facilitate the availability of training data and promote AI-driven innovation.

A bill currently pending before the National Assembly proposes to allow, under limited conditions, the processing of lawfully collected personal data beyond the original purpose of collection for AI development or performance improvement. Under the proposed framework, personal data may be utilised in its original form without pseudonymisation or anonymisation, subject to statutory requirements.

Processing beyond the original purpose would, in principle, require deliberation and resolution by the PIPC. Such processing would be permitted only where:

  • anonymisation or pseudonymisation alone would make AI development or performance improvement difficult;
  • appropriate technical, administrative and physical safeguards are implemented; and
  • the processing contributes to public or social interests while presenting a demonstrably low risk of unjust infringement of the interests of data subjects or third parties.

Where personal data is processed pursuant to PIPC deliberation and resolution, the data controller would be required to disclose relevant information in its privacy policy. The PIPC would retain supervisory authority and may restrict all or part of the processing where statutory conditions are not satisfied.

As the bill remains subject to the legislative process, its final content may be amended.

Recent Judicial Decisions

Recent court decisions have clarified key interpretative issues under the PIPA, including the availability of statutory damages following data breaches and the applicability of the right to request suspension of processing in the context of pseudonymisation.

Supreme Court decision on statutory damages (decided 4 December 2025)

The Supreme Court recently clarified that Article 39-2 of the PIPA, which permits statutory damages of up to KRW3 million (approximately USD2,100) without detailed proof of actual loss in cases of personal data breach, does not automatically require compensation solely because a breach has occurred. The plaintiffs must at least prove that compensable mental harm actually occurred, although not its extent or severity.

The case concerned a hacking incident affecting approximately 400,000 users of an online knowledge-sharing platform and involving encrypted passwords and email addresses. The plaintiffs asserted that the external leakage of their encrypted passwords and email addresses caused mental harm and sought compensation under Article 39-2 against the platform operator.

The Court held that Article 39-2 does not mandate compensation in all personal data breach cases and clarified that the provision is not intended to impose liability where it is clear that no compensable damage has arisen. Accordingly, where a data controller demonstrates that no mental or other legally compensable harm warranting damages has occurred, liability for statutory damages may be denied.

In reaching this conclusion, the Court considered (among other factors) that:

  • the leaked passwords were encrypted, significantly reducing the likelihood that third parties could identify or misuse them;
  • the email addresses were not leaked in combination with other identifying personal data and were not readily sufficient, by themselves, to identify specific individuals; and
  • given the nature of the knowledge-sharing platform, the leaked email addresses alone were unlikely to reveal users’ characteristics or preferences.

On that basis, the Court concluded that the risk of infringement of privacy, reputation or property interests was low and that it was difficult to recognise the occurrence of compensable mental harm.

Supreme Court decision on pseudonymisation and the right to request suspension (decided 18 July 2025)

The Supreme Court addressed whether a pseudonymisation process conducted pursuant to Article 28-2 of the PIPA for purposes such as statistical compilation, scientific research or archiving in the public interest constitutes “processing” subject to the right to request suspension under Article 37, paragraph 1.

Article 28-7 expressly excludes the application of Article 37 to “pseudonymised data” prepared in accordance with Article 28-2. The dispute in this case concerned an earlier stage: whether the pseudonymisation process itself falls within the meaning of “processing of personal data” under Article 37, paragraph 1. Had the plaintiffs’ interpretation been accepted, data subjects could have requested suspension of pseudonymisation at the processing stage, potentially affecting the practical operation of the statutory pseudonymisation framework introduced to facilitate data utilisation, including for AI development.

Lower courts had concluded that the pseudonymisation process fell within the statutory definition of “processing”, which includes collection, use, provision and other handling of personal data, and therefore held that data subjects could request suspension of such pseudonymisation.

The Supreme Court accepted the defendant’s position and reversed the lower courts’ decisions. It reasoned that pseudonymisation under Article 28-2, which involves deleting or replacing part of personal data so that individuals cannot be identified without additional information, functions as a protective measure designed to reduce identification risk. In light of its legislative purpose and structure, the Court held that pseudonymisation carried out pursuant to Article 28-2 does not fall within the scope of “processing” subject to the right to request suspension under Article 37, paragraph 1. On remand, the appellate court subsequently followed the Supreme Court’s reasoning, thereby confirming the interpretative approach adopted by the Supreme Court.

This decision, rendered in proceedings in which the defendant was represented by Lee & Ko, has attracted considerable attention in academic and industry circles. By clarifying that pseudonymised data may be utilised, including for purposes such as AI training, without being subject to suspension requests, the ruling is widely regarded as having materially strengthened the legal foundation for data-driven innovation in Korea.

Implications and Outlook

The 2026 amendments to the PIPA reflect a clear shift towards strengthening corporate accountability for personal data protection at the governance level. By expressly identifying representative directors as ultimately responsible, expanding the statutory duties and reporting lines of CPOs to the representative director and board of directors, mandating certification for certain data controllers and introducing an aggravated administrative penalty regime of up to 10% of total turnover in specified cases, the Amended PIPA reinforces that personal data protection is a matter of board-level oversight rather than solely operational compliance.

In this environment, establishing or reinforcing an effective internal governance framework for personal data protection will become an urgent priority. This includes ensuring sufficient investment in personnel, systems and facilities, as well as reviewing internal policies and organisational roles relating to data protection. Given that such measures may require amendments to internal regulations or adjustments to cross-functional responsibilities, prudent preparation aligned with the Amended PIPA is advised.

Recent judicial decisions have clarified important boundaries of liability. While the Supreme Court has confirmed that statutory damages are not automatically awarded in all leakage cases, civil claims for statutory or compensatory damages are expected to continue following data breach incidents. In responding to such claims, careful legal analysis of the nature of the leaked information, the likelihood of combination with other data, the risk of secondary harm and the adequacy of post-incident remedial measures will be critical.

At the same time, legislative discussions concerning AI-related data processing signal an effort to balance data protection with data utilisation. Taken together, these regulatory and judicial developments suggest that organisations operating in Korea should approach personal data protection as an integrated governance, compliance and risk management issue in an evolving regulatory landscape.

Lee & Ko

Hanjin Building
63 Namdaemun-ro
Jung-gu
Seoul 04532
South Korea

+82 2 772 4000

+82 2 772 4001 2

mail@leeko.com
www.leeko.com

Trends and Developments

Authors



Lee & Ko was established in 1977 and has evolved into a leading full-service law firm in South Korea, recognised for its excellence across various legal domains. Lee & Ko is known for delivering timely, practical solutions in complex legal matters. The firm’s in-house resources include attorneys, accountants, patent agents, former government officials and other specialists, ensuring that clients can access a wide range of services cost-effectively. Further, Lee & Ko maintains an extensive global network and collaborates with international law firms. This allows the firm to assist clients not only with Korean legal matters but also with cross-border transactions by connecting to legal advisers worldwide, making the firm a sought-after choice for clients requiring comprehensive and efficient legal assistance.
