SOUTH KOREA LAW AND PRACTICE Contributed by: Tehyok Daniel Yi, Gun Kim, Kyu Hyun Kim, Sun Hee Kim, Yong Whan Choi, Yong Min Lee, Jung Woo Lee and Hyeon Jeong, Yulchon LLC
Role and Authority of the Data Protection Agencies The Personal Information Protection Commission (PIPC) oversees and enforces the PIPA. The Financial Supervisory Service (FSS) oversees and enforces the Credit Information Act, and the KCC and the Ministry of Science and ICT (MSIT) oversee matters under the Network Act. The PIPC covers general data protec - tion issues under the PIPA. The PIPC has enforcement authority, including issuing corrective orders and/or imposing administrative fines in the event of viola - tions. The Korea Internet & Security Agency (KISA) also conducts on-site inspections and preliminary investigations of data protection compliance and security incidents based on the authority delegated Under the PIPA, a data controller must be equipped with legal grounds to process the data subject’s per - sonal information, with “consent” being the most fun - damental legal basis. A data controller must obtain explicit and specific consent from each data subject before processing their personal information, follow - ing an explanation of essential details such as the purpose of processing, specific items processed and retention period. When transferring personal information to third par - ties, it is important to distinguish between: by the PIPC, KCC and/or MSIT. Key Characteristics of the PIPA • provision of personal data to third parties; and • entrustment of the processing of personal data to third parties. A provision occurs when the personal data is trans - ferred from a data controller (transferor) to a third-par - ty recipient (transferee) for the benefit and business purpose of the third-party recipient, beyond the origi - nal purposes of collecting and using personal data. In contrast, the entrustment of processing is when personal data is transferred from a data controller (entrustor) to a third-party processor (entrustee) for the benefit and business purpose of the data control - ler. While the provision of personal data to a third party requires the data subject’s consent, as a general rule, entrustment does not require separate consent, as long as the necessary information is disclosed in the privacy policy of the data controller.
Key Developments Under the Amended PIPA The PIPA was significantly amended in March 2023, and those amendments came into effect in Septem - ber 2023. Thereafter, the PIPC issued an Enforcement Decree, detailing specific aspects of the revisions as well as providing various guidelines to clarify the obli - gations and interpretation of the updated PIPA. Some of the key developments are as follows. Voluntary consent Under the amended PIPA, personal data necessary for executing a contract can be collected and used with - out prior consent from the data subject (previously, an exception based on contractual necessity was very limited). At the same time, the principle of voluntary consent has been reinforced, which requires data con - trollers to clearly differentiate between mandatory and optional consent items. Data controllers must ensure that optional consent items are not included in the mandatory consent section, as doing so could consti - tute a breach of the voluntary consent principle. Mobile visual data processing devices Article 25-2 of the amended PIPA establishes a legal basis for recording videos of identifiable individuals (personal visual data) in public spaces for business purposes using mobile visual data processing devic - es, such as autonomous vehicles, robots, drones and body cameras (collectively, mobile visual devices). The PIPC also announced the release of the Guideline on the Protection and Use of Personal Visual Data for Mobile Visual Data Processing Devices. The guide - line was issued to address regulatory uncertainties related to the above provisions, promote the safe use of mobile visual devices and support the development of related industries and technologies. Strengthened qualifications for chief privacy officers (CPOs) Under the amended PIPA, CPOs of data controllers exceeding specified thresholds must possess a mini - mum of four years of professional experience in data privacy and security. Cross-border transfer mechanisms Article 28-8 of the amended PIPA introduced PIPC’s adequacy decision as a legal basis for the overseas data transfer from Korea. On 16 September 2025, the
574 CHAMBERS.COM
Powered by FlippingBook