
PIPA in South Korea Cookiebot CMP

Published July 15, 2021.


South Korea’s wide-ranging Personal Information Protection Act (PIPA) was passed on September 30, 2011, making the country one of the world’s strictest privacy regimes.

Like many other comprehensive data privacy laws, its purpose is to protect the privacy rights of the data subject, and it applies to most organisations, including government entities. Not only is it strict and broadly applicable, but the penalties for breaking the PIPA are rigorously enforced. Penalties include everything from fines to imprisonment.

In this blogpost, we will break down South Korea’s PIPA, so you know what it means for your website’s use of cookies – and how you can become compliant.


PIPA in South Korea, quick summary


Personal Information Protection Act Korea, condensed

South Korea’s Personal Information Protection Act (PIPA) was passed in September 2011 and became one of the strictest data privacy laws in the world.

As is the case with many other data privacy laws, the purpose of the PIPA in South Korea is to protect the privacy rights of the data subject. This protection applies to most organisations, including government entities. This is one of the reasons why it is so comprehensive.

The PIPA in South Korea provides very prescriptive and specific requirements throughout the lifecycle of the handling of personal data. This includes requirements like prior notification, opt-in consent and heavy sanctions prescribed by law, which makes it one of the strictest data protection laws in the world.

Regarding the scope of application, the South Korean PIPA is applicable to a data handler. In the South Korean PIPA, a data handler is considered to be a person that, by itself or through a third party, handles personal data to make use of any operation on a personal data file in the course of its business activities.

It doesn’t matter if the person is an individual, public agency, organisation or juridical person, and personal data means data that is systematically organised in accordance with certain rules for easy search or use of such personal data.

‘Handling of personal data’ is defined in the South Korea Personal Information Protection Act as “processing, storage, retention, search, outputting, restoration, rectification, use, collection, generation, recording, provision, disclosure or destruction of personal data or any other action similar to any of the foregoing”.




The PIPA in South Korea differs from the GDPR by not demanding explicit, written consent from the data subject.

The PIPA in South Korea specifies that when obtaining consent from data subjects, the personal information processor needs to notify them by separating the matters that require consent from those that do not. Additionally, you are expected to help the data subject recognise this distinction explicitly.

This means that when obtaining consent for processing reasons, the personal information that requires consent needs to be segregated from the personal information not requiring consent. Therefore, the personal information processor should not deny goods and services because the data subjects did not consent to specific processing.

Lastly, while the territorial scope is not specified in the law, it is worth noting that the standard for enforcement of South Korea’s data privacy law is similar to the EU’s GDPR.

This means that companies established in South Korea are subject to the law, while foreign companies that target South Korean users are likely to be affected by the law as well.







PIPA South Korea compliance with Cookiebot CMP


Cookiebot consent management platform (CMP) is a world-leading solution that helps you provide transparency and control over all the cookies – and similar tracking – on your website.

This guarantees you that your website complies with all the main data privacy laws around the world. This includes South Korea’s PIPA, Thailand’s PDPA, Brazil’s LGPD, South Africa’s POPIA, EU’s GDPR, UK’s GDPR and California’s CCPA.

The PIPA in Korea will, like many laws before it, require consent from the users in South Korea, before you can use cookies and trackers as an integral part of your website.

Even though the South Korean PIPA does not ask for consent as explicit as other data privacy laws require, it is still a good idea to make sure that your users know what they consent to.

Our unrivaled website scanner detects all cookies and trackers while delivering an exhaustive report on all personal data processing on your website.

For that reason, among others, Cookiebot CMP is considered an optimal solution for making your domain fully compliant without the need for you to get into any complicated technical implementation.

Consent is not an explicit requirement under the South Korean PIPA, but Cookiebot CMP will provide you with an optimal solution for making your website compliant


What is Cookiebot CMP?

You might wonder, what is Cookiebot CMP? Simply put, Cookiebot CMP is a plug-and-play compliance solution that helps automate the complete PIPA compliance procedure. This includes everything, from automatically detecting all the cookies on your website and thereby controlling them, to actually collecting consents from end-users.

Cookiebot CMP offers you a detailed scan report including details about your website’s cookies, such as purpose, provider, duration and which third parties it shares end-user data with.

Finally, Cookiebot CMP helps you to safely store all end-user consents, and to renew them on a regular basis.

Cookiebot CMP works to make end-user privacy protection an integrated part of each individual website, and by offering you a comprehensive overview of all cookies on your website, Cookiebot CMP ensures compliance with the PIPA in South Korea along with many other data privacy regulations around the world.



PIPA - South Korea’s Personal Information Protection Act, in detail


Hopefully you’ve now gotten a quick overview of the South Korean PIPA, and what it means to you and your website.

If you’re looking for a more detailed breakdown, read on as we take a closer look at the key characteristics of South Korea’s data privacy law.

Scope of application of the PIPA in Korea

When it comes to the scope of application, the PIPA in South Korea is applicable to a data handler.

In South Korea’s PIPA, a data handler is considered to be a person that by itself or through a third party handles personal data to make use of any operation on a personal data file in the course of its business activities.

South Korea’s PIPA does not differentiate between the data handler being an individual, a public agency, a juridical person or an organisation.

You might wonder, what is a personal data file? And what does it mean ‘to handle personal data’?

First of all, a personal data file is a collection of data that has been systematically organised in accordance with certain rules to make it easily accessible, whether you are searching for it or using it (personal data will be explained more thoroughly later on in the blog post).

Handling of personal data, on the other hand, is defined in South Korea’s PIPA as “processing, storage, retention, search, outputting, restoration, rectification, use, collection, generation, recording, provision, disclosure or destruction of personal data or any other action similar to any of the foregoing”.




The PIPC’s responsibilities

The Personal Information Protection Commission (PIPC) is, in its own words, the central administrative body with the primary task of protecting and supervising personal information.

In its mission statement, it presents three primary tasks, which include:

  1. Solid protection of personal information
  2. Safe use of personal information while increasing its value
  3. Fair balance between protection and use.

The PIPC is accompanied by the KCC, the FSC and the Korea Internet & Security Agency. The PIPC, however, is the one in charge of enforcing South Korea’s PIPA, which is why we will only focus on it at this point.

The main powers of the PIPC include:




PIPA South Korea - key definitions

South Korea’s Personal Information Protection Act (PIPA) operates with a set of key definitions, like many of the data privacy laws around the world that it resembles. They are important to familiarize yourself with to get the full understanding of the PIPA.

The five key definitions of South Korea’s PIPA are:

  1. Personal Data
  2. Sensitive data
  3. Data controller
  4. Data processor
  5. Anonymized information

Personal Data is defined in South Korea’s PIPA as data that can be related to a living natural person. Its definition of personal data is very broad, resulting in three subcategories of personal data:

Sensitive data is personal information regarding an individual’s faith, health, sexual orientation, genetic information, criminal records, political views, ideology and so on. It is information that could potentially cause a material breach of privacy.

A Data controller, or data handler, is a ‘public institution, corporate body, organization or individual, who handles the data by collecting, generating, connecting, interlocking, recording, storing, retaining, processing, editing, searching, outputting, correcting, restoring, using, providing, disclosing, destroying or otherwise handling personal data’. The concept of a data controller under the PIPA is very similar to the concept under the GDPR.

A Data processor is someone who processes personal data and personal information. The data processor is often a third party, since the data controller often outsources this job.

Anonymized information is any information which cannot be used to identify a specific individual, including when it is combined with other information. Such information is not subject to the PIPA.




Rights and responsibilities

As mentioned above, we differentiate between a data processor and a data controller. The responsibilities they have and the rights they possess will be explained in detail here.

The data controller has a number of obligations under the PIPA in South Korea. These obligations include handling personal data in a way that minimizes any potential infringement upon the privacy of data subjects and anonymizing or pseudonymizing the data before processing.

More specifically, data controllers must maintain the security of personal data, while taking into account the risk of a breach of the data subjects’ privacy.

Data controllers are required to take the technical, physical and administrative actions required to ensure the security of personal data.

Data controllers also need to provide notice whenever they process personal data. Consent for the provision of personal data must be obtained separately from consent for its collection and use, and consent for sensitive data must be obtained separately as well.

There are only a few exceptions to the above-mentioned requirements under South Korean law, but in accordance with the 2020 amendments, personal data may be used without the data subject’s consent.

This only applies when it is within the scope reasonably related to the original purpose of the collection. These are some of the things Cookiebot CMP can help you take care of.

Since data processors are regularly treated in the same way as data controllers, they will commonly be subject to the same legal responsibilities as data handlers.

In a case where an outsourced service provider functions as a data processor and violates the PIPA in South Korea, the data processor will be deemed an employee of the data controller. In that case, the data controller will have vicarious liability, meaning it is held partly responsible for the unlawful actions of the outsourced service provider.

Data subjects

Data subjects have a number of rights. They can exercise their rights of access, correction, suspension of use and removal of their personal data.

The PIPA also lays down prescriptive procedural rules to ensure that data subjects can exercise the aforementioned rights.

Sanctions

The penalties for breaching South Korea’s Personal Information Protection Act (PIPA) vary.

You could face various administrative sanctions such as corrective orders, fines and penalty surcharges. Also, public prosecutors may investigate any violations which are also subject to criminal punishment. Finally, data handlers could potentially become civilly liable to data subjects who suffer damages as a result of the violations of the data handler.




South Korea’s PIPA vs GDPR


South Korea’s Personal Information Protection Act (PIPA) and the EU’s General Data Protection Regulation (GDPR) are similar and different in a number of ways, e.g. key requirements and how they view data privacy.

This section of the blog post will primarily focus on the differences between the two laws, but if you want to know more about the EU’s GDPR you can read about it here.





South Korea’s EU adequacy decision

As mentioned in the section above, the EU’s GDPR allows for transfer of personal information to an overseas country without the data subject’s approval, if there is an adequacy decision or appropriate safeguards.

Adequacy means, under the GDPR, that a non-EU country ensures a level of personal data protection equivalent to that of the EU itself.

In January 2017, the EU launched a dialogue with South Korea with the goal of reaching an adequacy decision, ensuring a free flow of data between the two. Such a decision would complement the Free Trade Agreement in place since July 2011.

In March 2021, the EU and South Korea concluded the adequacy talks with the two parties showing a high degree of convergence in the area of data protection. The amendments to South Korea’s PIPA and the strengthening of the powers of the Personal Information Protection Commission greatly influenced the outcome.

In June 2021, the EU launched the process towards adoption of the adequacy decision. The process will cover transfers of personal data to South Korea’s commercial operators as well as public authorities.

The benefit of this adequacy decision, if adopted, is that it would provide Europeans with strong protection of their personal data when transferred to South Korea, while at the same time boosting cooperation between the two leading digital powers.

The European Commission is currently awaiting the opinion of the European Data Protection Board (EDPB), while seeking approval from a committee composed of representatives of the EU member states. Once these two steps have been completed, the EU can proceed to adopt South Korea’s adequacy decision.


Summary of South Korea’s Personal Information Protection Act (PIPA)


South Korea’s Personal Information Protection Act (PIPA) is one of the world’s many data privacy laws. Not unlike many other data privacy laws, its purpose is to protect the privacy rights of the data subject, while at the same time making sure that entities like companies or organisations do not abuse the data they receive about their users.

South Korea’s PIPA was first approved in March 2011, went into effect in September 2011 and has since been amended. In 2021, talks about adequacy with the EU concluded, and the adequacy decision is currently awaiting adoption.

Cookiebot CMP enables compliance with most of the world’s major data privacy laws, including South Korea’s PIPA.




FAQ


What is South Korea’s PIPA?

The South Korean Personal Information Protection Act (PIPA) is a data privacy law. Just like the EU’s GDPR, its purpose is to protect the privacy rights of the data subject. It does so by making sure that companies or organizations do not abuse data about their users.



How can my website be in compliance with South Korea’s PIPA?

Even though it is not stated explicitly in the law, if you want to comply with South Korea’s PIPA on your website it is a good idea to get consent from your South Korean users before processing any of their personal data.

Additionally, it would be a good idea to notify them about what you collect, what it is going to be used for and who you share it with, while enabling them to access their personal data.



Who does South Korea’s PIPA apply to?

The PIPA is applicable to a data handler. In the PIPA, a data handler is considered to be a person that, by itself or through a third party, handles personal data to make use of any operation on a personal data file in the course of its business activities.

It doesn’t matter if the person is an individual, public agency, organization or juridical person.



What is the timeline for South Korea to obtain adequacy status in the EU?

There is no clear timeline yet. The European Commission is now waiting for the opinion of the EDPB and will seek approval from a committee composed of representatives of the EU Member States. Only once these two steps are completed will the Commission be able to proceed to adopt the adequacy decision.



What is the penalty for breaching the South Korean PIPA?

There are different penalties for breaching the South Korean PIPA. These include administrative sanctions such as fines, penalty surcharges or corrective orders.

Additionally, if data subjects suffer damages as a result of the violations of a data handler, the latter could become civilly liable.



How can I scan my website for cookies and trackers?

By using a consent management platform like Cookiebot CMP you can reveal all cookies and trackers that currently process personal information on your website. It also shows you where in the world your domain sends data to.


