Compliance | 2026-03-05 | 6 min

South Korea PIPA: Data Protection Guide for International Companies

Navigate South Korea's PIPA requirements including consent rules, data localization, and privacy policy obligations.

South Korea's Personal Information Protection Act (PIPA) is one of the strictest data protection laws in Asia and applies to any organization processing personal data of individuals in South Korea. PIPA mandates granular, affirmative consent for data collection and imposes specific formatting requirements on privacy policies, including separate consent for each processing purpose.

PIPA requires that privacy policies include detailed disclosures about the categories of personal data collected, the specific purpose of each processing activity, retention and destruction timelines, and third-party sharing arrangements. Notably, South Korea requires separate opt-in consent for marketing communications, collection of sensitive data, and provision of personal data to third parties — bundled consent is not permitted.

Cross-border data transfers under PIPA received significant updates with the 2023 amendments, which introduced GDPR-style adequacy decisions and Standard Contractual Clauses as transfer mechanisms. Previously, transfers required individual consent with detailed disclosures about the recipient, their country, and the purpose of transfer. Businesses must also conduct data protection impact assessments when processing large volumes of sensitive data.

For international companies, PIPA compliance requires appointing a domestic representative in South Korea if you process data of Korean residents without a local establishment. Your privacy policy should be available in Korean, clearly identify your Chief Privacy Officer, and provide accessible channels for data subjects to exercise their rights to access, correction, suspension, and deletion.
