The Personal Information Protection Act (PIPA) came into force on 30 September 2011. The act sets out rules governing the collection, use, disclosure, and other processing of personal information by public institutions, private organisations, and individuals. The most recent major amendments to the act took effect on 15 September 2023. South Korea's PIPA specifies requirements that apply at every stage of handling personal information, from collection through to destruction.
Who must adhere to South Korea's data protection law?
Personal scope
PIPA applies to any personal information controller: an individual, public institution, or organisation that handles a data subject's personal information, whether directly or through a third party acting on its behalf. It also applies to the processing of that information. "Processing" is defined broadly to include the collection, generation, recording, storage, retention, value-added processing, editing, retrieval, correction, recovery, use, provision, disclosure, or destruction of personal information, and any similar activity.
Territorial scope
PIPA contains no express provision defining its territorial or extraterritorial scope. In practice, the regulator considers several factors when deciding whether a foreign entity falls under the act, such as whether the entity offers services targeted at individuals in South Korea or generates revenue from doing business there. Where such factors are present, PIPA has been applied to entities with no establishment in the country.
What are the obligations for organisations under PIPA?
Consent requirements
Under PIPA, a personal information controller must inform data subjects before processing their personal information. When seeking consent for the collection and use of personal information, the controller must specify the following matters:
- The purpose of the collection and use of personal data
- The items of personal information to be collected or used
- The period of retaining and using personal information
- The data subject's right to refuse consent, and any disadvantage, if any, that may follow from such refusal
Furthermore, personal information controllers are required to state the following matters when seeking permission from data subjects for the provision of personal information to third parties:
- The name of the third-party recipient
- Third-party recipients' purposes of use
- Items of personal information to be shared
- Period of retention and use by the third-party recipient
- The data subject's right to refuse consent, and any disadvantage, if any, that may follow from such refusal
Security requirements
PIPA requires personal information controllers to keep the personal information in their possession secure. To prevent loss, theft, leakage, alteration, or damage, they must take the technical, administrative, and physical measures necessary to ensure its security, such as access control, encryption of sensitive fields, and logging of access to personal information systems.
Data breach requirements
PIPA requires a personal information controller to notify, without delay, each data subject whose personal information has been affected by a breach. Where the breach meets the thresholds set in the Enforcement Decree, the controller must also report it to the Personal Information Protection Commission (PIPC) or a designated specialised agency within 72 hours. In addition, the controller must prepare for and implement measures to minimise the harm that could result if personal information is leaked.
Chief privacy officer (CPO) requirements
PIPA requires every personal information controller to designate a privacy officer who is responsible for overseeing how personal information is handled within the organisation. A controller that fails to designate a privacy officer may be subject to an administrative fine of up to KRW 10 million.
Privacy policy requirements
PIPA prescribes the matters that must be included in a privacy policy (the "personal information processing policy"), such as the purposes of processing, the items collected, retention periods, and any third-party provision. Controllers must publish the policy so that data subjects can review its terms, including any changes, at any time.
What are the data subject rights under PIPA?
The PIPA grants the following data subjects' rights:
Right to be informed
Data subjects have the right to be informed about the collection, storage, sharing, and other processing of their personal information. Personal information controllers are responsible for providing this notice.
Right to access
Data subjects may request access to the personal information a controller processes about them, including details of the parties with whom it has been shared.
Right to rectification
Data subjects who have accessed their personal information under the right of access may request that the controller correct it.
Right to erasure
Data subjects who have accessed their personal information may likewise request that the controller delete it, unless another law requires the information to be retained.
Right to object or opt-out
Data subjects may withdraw their consent to the processing of their personal information at any time. They may also request that the controller suspend processing, and the controller must act on that request unless a statutory exception applies.
Consent
Data subjects have the right to decide whether or not to consent to the processing of their personal information, and to choose the scope of that consent.
Right to remedy
Data subjects have the right to appropriate remedies for harm caused by the processing of their personal information. Following the 2023 amendment, prompt relief is available through the personal information dispute mediation process, and both public and private personal information controllers are obliged to take part in mediation proceedings.
Conclusion
In this article, you have learned about the Personal Information Protection Act (PIPA) and how it protects data subjects' personal information against misuse and breach. Security threats continue to evolve worldwide, so every organisation should prioritise proactive measures: this reduces exposure to penalties under laws such as South Korea's PIPA, preserves customer trust, and makes it possible to return to normal operations after a breach. Managing personal information effectively across jurisdictions also calls for expertise in the details of global data privacy regulation.