Just like it is the case with many other data privacy laws<\/a>, the purpose of the PIPA in South Korea is to protect the privacy rights of the data subject<\/strong>. This protection applies to most organisations, including government entities. This is one of the reasons why it is so comprehensive.<\/p>\n\n\n\n The PIPA in South Korea provides very prescriptive and specific requirements throughout the lifecycle of the handling of personal data. This includes requirements like prior notification, opt-in consent and heavy sanctions<\/strong> prescribed by law, which makes it one of the strictest data protection laws in the world.<\/p>\n\n\n\n Regarding the scope of application, the South Korean PIPA is applicable to a data handler<\/strong>. In the South Korean PIPA, a data handler in considered to be a person that, by itself or through a third party, handles personal data to make use of any operation on a personal data file in the course of its business activities.<\/p>\n\n\n\n It doesn\u2019t matter if the person is an individual, public agency, organisation or juridical person, and personal data means data that is systematically <\/strong>organised<\/strong> in accordance with certain rules for easy search or use of such personal data.<\/p>\n\n\n\n \u2018Handling of personal data\u2019<\/strong> is defined in the South Korea Personal Information Protection Act as \u201cprocessing, storage, retention, search, outputting, restoration, rectification, use, collection, generation, recording, provision, disclosure or destruction of personal data or any other action similar to any of the foregoing.<\/p>\n\n\n\n Scan your website for free to see all cookies and trackers in use<\/a><\/p>\n\n\n\n The PIPA in South Korea differs from the GDPR by not demanding explicit, written consent from the data subject.<\/strong><\/p>\n\n\n\n The PIPA in South Korea specifies that when obtaining consent from the data subjects, the personal information processor needs to notify the data subjects<\/strong> of the fact by separating the matters requiring consent from the ones who does not require consent. Additionally, you are expected to help the data subject with recognising it explicitly.<\/p>\n\n\n\n This means that when obtaining consent for processing reasons, the personal information that requires consent needs to be segregated from the personal information not requiring consent<\/strong>. Therefore, the personal information processor should not deny goods and services because the data subjects did not consent to specific processing.<\/p>\n\n\n\n Lastly, while the territorial scope is not specified in the law, it is worth noticing that the standard for enforcement of South Korea\u2019s data privacy law is similar to the EU\u2019s GDPR<\/a><\/p>\n\n\n\n This means, that companies established in South Korea are subject to the law<\/strong>, while foreign companies that target South Korean users are likely to be affected by the law as well.<\/p>\n\n\n\n See the draft South Korea adequacy decision by the European Commission<\/a><\/p>\n\n\n\n Scan your website for free to see all cookies and trackers in use<\/a><\/p>\n\n\n\n Try Cookiebot CMP free for 14 days \u2013 or forever if you have a small website.<\/a><\/p>\n\n\n\n Scan your website to discover what cookies and trackers are in use on your website<\/a><\/p>\n\n\n\n Try Cookiebot consent management platform (CMP) for free<\/a><\/p>\n\n\n\n Cookiebot consent management platform (CMP<\/a>) is a world-leading solution that helps you provide transparency and control over all the cookies \u2013 and similar tracking \u2013 on your website.<\/strong><\/p>\n\n\n\n This guarantees you that your website complies with all the main data privacy laws around the world. This includes South Korea\u2019s PIPA<\/strong>, Thailand\u2019s PDPA<\/a>, Brazil\u2019s LGPD<\/a>, South Africa\u2019s POPIA<\/a>, EU\u2019s GDPR<\/a>, UK\u2019s GDPR<\/a> and California\u2019s CCPA<\/a>.<\/p>\n\n\n\n The PIPA in Korea will, like many laws before it, require consent from the users in South Korea, before you can use cookies and trackers as an integral part of your website.<\/strong><\/p>\n\n\n\n Even though the South Korean PIPA<\/strong> does not ask for a consent as explicit as other data privacy laws ask for from its\u2019 users, it is still a good idea to make sure that your users know what they consent to.<\/p>\n\n\n\n Our unrivaled website scanner detects all cookies and trackers while delivering an exhaustive report on all personal data processing on your website.<\/p>\n\n\n\n For that reason, among others, Cookiebot CMP<\/a> is considered an optimal solution, for making your domain fully compliant without the need for you to get into any complicated technical implementation.<\/p>\n\n\n\n You might wonder, what is Cookiebot CMP<\/a>? Simply put, Cookiebot CMP<\/a> is a plug-and-play compliance solution that helps automate the complete PIPA compliance procedure. This includes everything, from automatically detecting all the cookies on your website and thereby controlling them, to actually collecting consents from end-users.<\/p>\n\n\n\n Cookiebot CMP<\/a> offers you a detailed scan report including details about your website\u2019s cookies such as purpose, provider, duration and what third parties it shared end-user data with.<\/p>\n\n\n\n Finally, Cookiebot CMP<\/a> helps you to safely store all end-user consents, and to renew them on a regular basis.<\/p>\n\n\n\n Cookiebot CMP<\/a> works to make end-user privacy protection an integrated part of each individual website, and by offering you a comprehensive overview of all cookies on your website, Cookiebot CMP<\/a> ensures compliance with the PIPA in South Korea along with many other data privacy regulations around the world.<\/p>\n\n\n\n Scan your website to discover what cookies and trackers are in use on your website<\/a><\/p>\n\n\n\n Try Cookiebot CMP for PIPA compliance in South Korea<\/a><\/p>\n\n\n\n Hopefully you\u2019ve now gotten a quick overview of the South Korean PIPA, and what it means to you and your website.<\/p>\n\n\n\n If you\u2019re looking for a more detailed breakdown, read on as we go look up close at South Korea\u2019s data privacy law\u2019s key characteristics.<\/p>\n\n\n\n When it comes to the scope of application, the PIPA in South Korea is applicable to a data handler.<\/p>\n\n\n\n In South Korea\u2019s PIPA, a data handler is considered to be a person that by itself or through a third party handles personal data<\/strong> to make use of any operation on a personal data file in the course of its business activities.<\/p>\n\n\n\n South Korea\u2019s PIPA does not differentiate between the data handler being an individual, a public agency, a juridical person or an organisation.<\/p>\n\n\n\n You might wonder, what is a personal data file? And what does it mean \u2018to handle personal data\u2019?<\/p>\n\n\n\n First of all, a personal data file is a collection of data that has systematically been organised in accordance with certain rules to make it easily accessible<\/strong>, either if you are searching for it or using it (personal data will be explained more thoroughly later on in the blog post).<\/p>\n\n\n\n Handling of personal data, on the other hand, is defined in South Korea\u2019s PIPA as \u201cprocessing, storage, retention, search, outputting, restoration, rectification, use, collection, generation, recording, provision, disclosure or destruction of personal data or any other action similar to any of the foregoing<\/em>\u201d.<\/p>\n\n\n\n The Personal Information Protection Commission (PIPC)<\/a> is in their own words the central administrative body with the primary task of protecting and supervising personal information.<\/p>\n\n\n\n In their mission statement they present three primary tasks, which include:<\/p>\n\n\n\n The PIPC is accompanied by the KCC, the FSC and the Korea Internet & Security Agency. The PIPC, however, are the ones in charge of enforcing South Korea\u2019s PIPA, which is why we will only focus on them at this point.<\/p>\n\n\n\n The main powers of the PIPC include:<\/p>\n\n\n\n Scan your website to discover what cookies and trackers are in use on your website<\/a><\/p>\n\n\n\n Try Cookiebot CMP free for 14 days \u2013 or forever if you have a small website<\/a><\/p>\n\n\n\n South Korea\u2019s Personal Information Protection Act (PIPA) operates with a set of key definitions, like many of the data privacy laws around the world that it resembles. They are important to familiarize yourself with to get the full understanding of the PIPA.<\/p>\n\n\n\n The five key definitions of South Korea\u2019s PIPA are \u2013<\/p>\n\n\n\n Personal Data<\/strong> is defined in South Korea\u2019s PIPA as data that can be related to a living natural person. Its definition of personal data is very broad, resulting in three subcategories of personal data:<\/p>\n\n\n\n Sensitive data<\/strong> is personal information regarding an individual\u2019s faith, health, sexual orientation, genetic information, criminal records, political views, ideology and so on. It is information that could potentially cause a material breach of privacy.<\/p>\n\n\n\n A Data controller<\/strong>, or data handler, is a \u2018public institution, corporate body, organization or individual, who handles the data by, collecting, generating, connecting, interlocking, recording, storing, retaining, processing, editing, searching, outputting, correcting, restoring, using, providing, disclosing, destroying or otherwise handling personal data\u2019. The concept of a data controller under the PIPA is very similar to the concept under the GDPR.<\/p>\n\n\n\n A Data processor<\/strong> is someone who process personal data and personal information. The data processor is often a third party, since the data controller often outsource this job.<\/p>\n\n\n\n Anonymized information<\/strong> is any information which cannot be used to identify a specific individual. This includes instances where the information is combined with other information and is not subject to the PIPA.<\/p>\n\n\n\n As mentioned above, we differentiate between a data processor and a data controller. The responsibilities they have and the rights they possess will be explained in detail here.<\/p>\n\n\n\n The data controlle<\/strong>r has a number of obligations under the PIPA in South Korea. These obligations include handling personal data in a way that minimizes any potential infringement upon the privacy of data subjects and anonymizing or pseudonymizing the data before processing.<\/p>\n\n\n\n More specifically, data controllers must maintain the security of personal data<\/strong>, while taking into account the risk of a breach of the data subjects\u2019 privacy.<\/p>\n\n\n\n Data controllers are required to take the technical, physical and administrative actions required to ensure the security of personal data.<\/p>\n\n\n\n Data controllers also need to provide notice whenever they process personal data<\/strong>. The consent for a provision must be obtained separately from the consent for the collection and use of personal data, while consent for sensitive data must be obtained separately from each other as well.<\/p>\n\n\n\n There are only a few exceptions to the above-mentioned requirements under South Korean law, but in accordance with the 2020 amendments<\/a>, personal data may be used without the data subject\u2019s consent.<\/p>\n\n\n\n This only applies when it is within the scope reasonably related to the original purpose of the collection. These are some of the things Cookiebot CMP<\/a> can help you take care of.<\/p>\n\n\n\n Since data processors<\/strong> regularly are treated in the same way as data controllers, they will, commonly, be subject to the same legal responsibilities as those related to data handlers.<\/p>\n\n\n\n In a case where an outsourced service provider function as a data processor and violates the PIPA in South Korea, the data processor will be deemed as an employee of the data controller. In that case, the data controller will have vicarious liability, meaning they are being held partly responsible for the unlawful actions of the outsources service provider.<\/p>\n\n\n\n The data subjects have some rights. They can exercise their rights of access, correction, suspension of use and removal of their personal data.<\/p>\n\n\n\n Regarding this, the PIPA also possesses prescriptive rules for the procedure with the purpose of ensuring data subject\u2019s exercise of the before mentioned rights.<\/p>\n\n\n\n The penalties for breaching South Korea\u2019s Personal Information Protection Act (PIPA) vary.<\/p>\n\n\n\n You could face various administrative sanctions such as corrective orders, fines and penalty surcharges. Also, public prosecutors may investigate any violations which are also subject to criminal punishment. Finally, data handlers could potentially become civilly liable to data subjects who suffer damages as a result of the violations of the data handler.<\/p>\n\n\n\n Scan your website to discover what cookies and trackers are in use on your website<\/a><\/p>\n\n\n\n Try Cookiebot CMP for PIPA compliance in South Korea<\/a><\/p>\n\n\n\n South Korea\u2019s Personal Information Protection Act (PIPA) and the EU\u2019s General Data Protection Regulation (GDPR)<\/a> are similar and different in a number of ways, e.g. key requirements and how they view data privacy.<\/p>\n\n\n\n This section of the blog post will primarily focus on the differences between the two laws, but if you want to know more about the EU\u2019s GDPR<\/a> you can read about it here<\/a>.<\/p>\n\n\n\n Scan your website to see all cookies and trackers in use<\/a><\/p>\n\n\n\n Try Cookiebot CMP free for 14 days \u2013 or forever if you have a small website.<\/a><\/p>\n\n\n\n As mentioned in the section above, the EU\u2019s GDPR allows for transfer of personal information to an overseas country without the data subject\u2019s approval, if there is an adequacy decision or appropriate safeguards.<\/p>\n\n\n\n Adequacy<\/em> means, under the GDPR, that a non-EU country ensures a level of personal data protection equivalent to that of the EU itself.<\/p>\n\n\n\n In January 2017, the EU launched a dialogue with South Korea with the goal of reaching an adequacy decision, ensuring a free flow of data between the two. Such a decision would complement the Free Trade Agreement<\/a> in place since July 2011.<\/p>\n\n\n\n In March 2021, the EU and South Korea concluded the adequacy talks with the two parties showing a high degree of convergence in the area of data protection. The amendments to South Korea\u2019s PIPA and the strengthening of the powers of the Personal Information Protection Commission<\/a> greatly influenced the outcome.<\/p>\n\n\n\n In June 2021, the EU launched the process<\/a> towards adoption of the adequacy decision. The process will cover transfers of personal data to South Korea\u2019s commercial operators as well as public authorities.<\/p>\n\n\n\n The benefits of this adequacy decision, if adopted, is that it would provide Europeans with a strong protection of their personal data when transferred to South Korea, while at the same time boosting cooperation between the two leading digital powers.<\/p>\n\n\n\n The European Commission<\/a> is currently awaiting the opinion of the European Data Protection Board (EDPB)<\/a>, while seeking approval from a committee composed of representatives of the EU member states. Once these two steps have been completed, the EU can proceed to adopt South Korea\u2019s adequacy decision.<\/p>\n\n\n\n South Korea\u2019s Personal Information Protection Act (PIPA) is one of the world\u2019s many data privacy laws. Not unlike many other data privacy laws its purpose is to protect the privacy rights of the data subject, while at the same making sure that entities like companies or organisations do not abuse the data they receive about their users.<\/p>\n\n\n\n South Korea\u2019s PIPA was first approved in March 2011, went into effect in September 2011 and has since been amended. In 2021 talks about adequacy with the EU\u2019s GDPR concluded and are currently awaiting adoption.<\/p>\n\n\n\n![\"Illustration](\"\/media\/4194\/hero.jpeg?width=450&&mode=max\")
PIPA in Korea - timeline<\/h2>\n\n\n\n
\n
PIPA in Korea - quick breakdown<\/h2>\n\n\n\n
\n
PIPA South Korea compliance with Cookiebot CMP<\/h2>\n\n\n\n
![\"Illustration](\"\/media\/4197\/petals-consent.jpeg?width=450&&mode=max\")
What is Cookiebot CMP?<\/h3>\n\n\n\n
![\"Cookieboot](\"\/media\/4333\/consent_en.png?width=500&\")
PIPA - South Korea\u2019s Personal Information Protection Act, in detail<\/h2>\n\n\n\n
Scope of application of the PIPA in Korea<\/h3>\n\n\n\n
![\"Illustration](\"\/media\/4193\/data-handler.jpeg?width=450&&mode=max\")
The PIPC\u2019s responsibilities<\/h3>\n\n\n\n
\n
\n
PIPA South Korea - key definitions<\/h3>\n\n\n\n
\n
\n
![\"Illustration](\"\/media\/4196\/personal-files.jpeg?width=450&&mode=max\")
Rights and responsibilities<\/h3>\n\n\n\n
Data subjects<\/h3>\n\n\n\n
Sanctions<\/h3>\n\n\n\n
South Korea\u2019s PIPA vs GDPR<\/h2>\n\n\n\n
\n
![\"Illustration](\"\/media\/4198\/korea-eu-adequacy.jpeg?width=450&;mode=max\")
South Korea\u2019s EU adequacy decision<\/h3>\n\n\n\n
Summary of PIPA, South Korea\u2019s Personal Information Protection Act (PIPA)<\/h2>\n\n\n\n