Article 34 PIPA — dual notification duty to data subjects and PIPC
South Korea's Personal Information Protection Act (PIPA, Law No. 10465) imposes a dual breach notification obligation on personal information controllers (data controllers) under Article 34: a duty to notify affected data subjects promptly, and a separate duty to report qualifying breaches to the Personal Information Protection Commission (PIPC) or the Korean Internet & Security Agency (KISA) within 72 hours of becoming aware of the incident.
Notification to data subjects — Article 34(1) PIPA
Personal information controllers must notify affected data subjects "without delay" when personal information has been lost, stolen, leaked, forged, altered, or damaged. This expanded definition of notifiable events ("leakage, etc."), which adds forgery, alteration, and damage to the traditional loss/theft/leakage triad, took effect with the 2023 PIPA amendment. The March 2026 amendment further requires notification to data subjects upon becoming aware of a possibility of a breach, moving the notification trigger to an earlier investigative stage, before conclusive confirmation of an incident.
Controllers must notify data subjects directly; where a controller does not hold contact information for the affected individuals, the alternative measures prescribed in the Enforcement Decree apply instead (Article 34(1) PIPA). The notification must include: (1) the items of personal information subject to the breach; (2) the time and manner of the breach; (3) measures data subjects can take to minimize harm; (4) the controller's response measures; and (5) contact information for inquiries. The March 2026 amendment adds two new mandatory items: information concerning data subjects' legal rights and available methods of exercising them (including claims for damages and statutory damages arising from the breach), and other matters prescribed by Enforcement Decree.
Reporting to PIPC or KISA — Article 34(4) PIPA and Enforcement Decree Article 40
Personal information controllers must report to the PIPC or KISA within 72 hours of becoming aware of a breach if it meets a threshold set in the Enforcement Decree. Article 40 of the Enforcement Decree requires a report when any one of the following applies:
- Personal information of 1,000 or more data subjects has been lost, stolen, leaked, forged, altered, or damaged;
- Sensitive information (as defined in PIPA Article 23) or unique identification information (resident registration numbers, passport numbers, driver's license numbers, or foreign registration numbers, per PIPA Article 24 and Enforcement Decree Article 19) has been breached, regardless of the number of affected individuals; or
- Personal information was lost, stolen, leaked, forged, altered, or damaged as a result of illegal external access to the controller's personal information processing system, or to devices that personal information handlers use to process personal information, regardless of the number of affected individuals.
The separate 24-hour reporting rule that formerly applied to information and communications service providers (PIPA Article 39-4) was deleted by the 2023 amendment; all controllers now report under Article 34 on the same 72-hour basis.
The 72-hour clock starts when the controller "becomes aware of" the breach. Controllers must provide all available details of the breach when reporting to PIPC/KISA, even if preliminary; the obligation is to report promptly with the information at hand rather than to delay until a full investigation is complete. Foreign operators processing personal information of data subjects in Korea are subject to the same 72-hour reporting requirement under April 2024 PIPC Guidelines on Applying the PIPA to Foreign Business Operators.
Processors (persons entrusted) — Article 26(8) read with Article 34 PIPA
PIPA distinguishes between "persons entrusted" (data processors bound by a written contract with the controller) and "personal information handlers" (employees or staff of the controller or processor). The breach notification obligations of Article 34 apply mutatis mutandis to persons entrusted, meaning processors bear the same dual duty to notify data subjects and report to PIPC/KISA when they become aware of a breach in the course of processing on behalf of the controller.
Enforcement and penalties
Failure to notify data subjects or report to PIPC/KISA within the statutory timeframe may result in an administrative fine of up to KRW 30 million (approximately USD 22,000). Under the March 2026 amendment, controllers can face administrative penalties of up to 3% of total revenue for breach notification violations; this cap rises to 10% of total revenue for repeat violations involving willful misconduct or gross negligence within a three-year period, violations affecting 10 million or more data subjects, or failure to comply with a PIPC corrective order. Data subjects may claim statutory damages of up to KRW 3 million per individual without proving actual financial harm under PIPA Article 39-2, and punitive damages of up to five times actual damages where the controller violated statutory obligations with intent or gross negligence (PIPA Article 39(3), raised from three times to five times in 2023). The PIPC imposed a KRW 7.5 billion (USD 5.2 million) administrative penalty on Golfzon in May 2024 following a data breach, the largest penalty on a domestic company to that date.
Source: Personal Information Protection Act (PIPA), Law No. 10465, Article 34 (as amended)
Source: Enforcement Decree of the Personal Information Protection Act, Articles 39–40
Source: PIPC Guidelines on Applying the PIPA to Foreign Business Operators (April 2024)
Article 34(1) PIPA — mandatory content items for data subject notifications
South Korea's Personal Information Protection Act (PIPA) Article 34(1) prescribes seven mandatory content categories that controllers must include when notifying affected data subjects of a personal information breach. The March 2026 amendment (Law No. 19234, effective September 11, 2026) expanded the list from five to seven items, adding two new disclosure requirements focused on data subject remedies and legal rights.
Pre-amendment five content items (effective through September 10, 2026)
Under PIPA Article 34(1) as amended in 2020, controllers must notify affected data subjects of:
- Categories of personal information subject to the breach ("the items of personal information that have been lost, stolen, leaked, forged, altered, or damaged");
- Time and circumstances of the breach ("the time of the leakage, etc., and its circumstances");
- Measures data subjects can take to minimize harm ("information on measures that data subjects can take to minimize the damage that may occur due to the leakage, etc.");
- Controller's response measures and remedial procedures ("countermeasures taken by the personal information controller and remedial procedures"); and
- Contact information for data subject inquiries ("department and contact information for reporting damage to data subjects").
The PIPC has interpreted "categories of personal information" to require specificity: controllers should identify the data fields breached (e.g., "name, email address, resident registration number") rather than generic labels like "account information." The "time and circumstances" element requires disclosure of the breach discovery date, the estimated date range of unauthorized access or exfiltration if known, and a brief description of the attack vector (e.g., "unauthorized access via compromised administrator credentials," "phishing attack targeting employees"). Where forensic analysis is ongoing, controllers must disclose the information available at the time of notification and update data subjects as new facts emerge; PIPA does not permit controllers to delay the "without delay" notification obligation pending completion of a full investigation.
March 2026 amendment — two additional mandatory items (effective September 11, 2026)
Law No. 19234, enacted March 12, 2026, adds two further content requirements to Article 34(1):
- Information concerning data subjects' legal rights and available methods of exercising such rights, including claims for damages and statutory damages arising from the breach (PIPA Article 34(1)(6) as amended); and
- Other matters prescribed by Enforcement Decree (PIPA Article 34(1)(7) as amended).
The new Item 6 represents a significant shift in notification philosophy: controllers must now affirmatively inform breach victims that they have statutory rights to claim damages under PIPA Article 39 (compensatory damages with rebuttable presumption of controller fault), statutory damages of up to KRW 3 million per individual under PIPA Article 39-2 (claimable without proving actual financial loss), and punitive damages of up to five times actual damages under PIPA Article 39(3) where the breach resulted from the controller's intent or gross negligence. Controllers must also describe the procedural mechanisms for exercising these rights, including the PIPC's dispute mediation process under PIPA Article 43 and the option to file a civil claim in court. As of May 30, 2026, the Enforcement Decree has not yet specified the "other matters" under Item 7; PIPC guidance is expected before the September 11, 2026 effective date.
Notification delivery methods — Article 34(1) PIPA
PIPA Article 34(1) requires notification "without delay" but does not prescribe a specific delivery method. PIPC guidance and enforcement practice accept email, SMS, mobile push notification, postal mail, or in-app notification, provided the method is reasonably likely to reach the affected individual. Controllers that do not possess contact information for affected data subjects—because the information was not collected, was deleted pursuant to a retention-period policy, or was itself part of the breached data—must use the alternative notification methods prescribed in Enforcement Decree Article 39 (the decree article governing notification to data subjects; Article 40 governs the report to the regulator). Those alternatives include posting a notice on the controller's homepage for at least 30 days and, if the number of affected individuals exceeds 1,000, publishing a notice in at least one daily newspaper with nationwide circulation. The March 2026 amendment to Article 34(2) separately requires controllers to notify data subjects upon becoming aware of a possibility of a breach (before conclusive confirmation), using the same content and delivery-method standards; the Enforcement Decree will define "possibility" with reference to the type of personal information, the level of risk, and the potential impact on data subjects.
Cross-reference to regulatory reporting — Article 34(4) and Enforcement Decree Article 40
The content requirements for notifications to data subjects under Article 34(1) differ from the content requirements for breach reports to the PIPC or KISA under Article 34(4). Controllers subject to the 72-hour regulatory reporting duty (breaches affecting 1,000 or more individuals, any breach of sensitive information or unique identification information, or a breach resulting from illegal external access to an information system, per Enforcement Decree Article 40) must file a separate report using the PIPC/KISA prescribed form, which includes additional forensic and technical details not disclosed to data subjects (e.g., server logs, intrusion detection system outputs, estimated number of records exfiltrated by the attacker). Both notification streams—to data subjects and to the regulator—run concurrently under the "without delay" / 72-hour timelines; compliance with one does not satisfy the other.
Source: Personal Information Protection Act (PIPA), Law No. 10465, Article 34 (as amended by Law No. 19234, March 12, 2026)
Source: Enforcement Decree of the Personal Information Protection Act, Articles 39–40
Article 28-7 PIPA — pseudonymized data exemption from breach notification duties
South Korea's Personal Information Protection Act (PIPA) Article 34 imposes dual breach notification obligations on personal information controllers: a duty to notify affected data subjects "without delay," and a duty to report qualifying breaches to the Personal Information Protection Commission (PIPC) or Korean Internet & Security Agency (KISA) within 72 hours. Article 28-7 PIPA, the scope-of-application provision of the pseudonymized-information chapter (Articles 28-2 through 28-7, often miscited as "Article 28(7)"), carves pseudonymized information out of the first of these duties: Article 34(1), notification to data subjects, is among the provisions listed as not applying to pseudonymized information processed for statistics, scientific research, or archiving in the public interest.
Pseudonymization under PIPA — Article 2(1-c) definition PIPA Article 2(1-c) defines "pseudonymized information" (가명정보, gamyeong jeongbo) as personal information processed in such a way that the information cannot identify a specific individual without the use of additional information, where such additional information is managed separately and is subject to technical and administrative measures to prevent re-identification. This definition aligns conceptually with GDPR Article 4(5), though Korean regulators and courts apply it within the specific statutory framework established by the 2020 PIPA amendments that introduced pseudonymization provisions into Korean law for the first time.
Controllers may process pseudonymized information without the consent of data subjects for the purposes of statistical compilation, scientific research, or archiving in the public interest, provided the processing is conducted in accordance with Articles 28-2 through 28-5 PIPA (which prescribe security safeguards, separate storage of the additional information needed for re-identification, recordkeeping, and a prohibition on processing pseudonymized information for the purpose of identifying a specific individual). For pseudonymized information processed on that basis, Article 28-7 lists the provisions of PIPA that do not apply. The list includes Article 34(1), the duty to notify data subjects of a breach, together with the data subject rights provisions (Articles 35 through 37: access, correction and deletion, and suspension of processing). It does not include the paragraph of Article 34 that requires a report to the PIPC or KISA, so a breach of pseudonymized information should still be assessed against the 72-hour reporting thresholds; because the 2023 amendment revised the list, controllers should confirm it against the consolidated text in force. The legislative intent is to encourage the use of pseudonymized data for public-interest research and statistical purposes by reducing compliance burdens where re-identification risk has been mitigated through technical and organizational controls.
Scope and limits of the Article 28-7 exemption
The exemption is narrow and conditional. It applies only when:
- The breached data is pseudonymized information as defined in Article 2(1-c) — not merely de-identified or anonymized under a subjective standard, but processed in accordance with the specific separation-of-linkage-data and technical-safeguard requirements prescribed in PIPA;
- The pseudonymized information is being processed for one of the three statutory purposes enumerated in Article 28-2(1): statistical compilation, scientific research, or archiving in the public interest (the Enforcement Decree does not further define these categories, leaving interpretation to PIPC guidance and case law); and
- The controller has complied with the substantive safeguards of the pseudonymized-information chapter, including the safety measures (among them separate storage of the additional information) and the processing records required by Article 28-4, the prohibition on processing pseudonymized information for the purpose of identifying a specific individual under Article 28-5(1), and the obligation to destroy pseudonymized information once the processing purpose is achieved or the retention period set for it expires.
The exemption does not apply if the breach involved:
- Non-pseudonymized personal information processed alongside the pseudonymized data in the same system or dataset;
- Pseudonymized information processed for purposes outside the Article 28-2(1) safe harbor — for example, marketing analytics, fraud detection, or operational optimization, even if the data is technically pseudonymized; or
- Pseudonymized information that was re-identified or is reasonably capable of re-identification due to inadequate separation of the linkage key or weak technical controls, such that it does not meet the Article 2(1-c) definition at the time of the breach.
EDPB concerns and adequacy-decision context
The European Data Protection Board (EDPB), in its September 2021 Opinion 32/2021 on the EU Commission's draft adequacy decision for South Korea, expressed concern about the "wide reaching exemptions for pseudonymised information" under Article 28-7 PIPA. The EDPB noted that exempting pseudonymized-data breaches from the data-subject notification duty could undermine data subject rights, particularly where pseudonymization does not eliminate re-identification risk entirely and additional information held by third parties or available from public sources could allow linkage back to individuals. The EDPB invited the European Commission to "assess further the derogations contained in Article 28-7 PIPA" and to monitor their application to ensure that the essential level of data protection guaranteed under the EU-Korea adequacy decision (Commission Implementing Decision (EU) 2021/2256 of 17 December 2021) is maintained.
The PIPC has not published detailed guidance on when the Article 28-7 exemption applies post-breach. In practice, controllers relying on the exemption bear the burden of demonstrating that the breached data met the pseudonymization standard at the time of the incident, that processing fell within the statutory purposes, and that technical safeguards remained in place. Where forensic analysis reveals that the breach involved exfiltration of both pseudonymized data and the separate linkage-key dataset, or that attackers accessed credentials that would allow re-identification, the exemption is unlikely to apply: the data subjects must be notified under Article 34(1), in addition to any PIPC/KISA report that the breach thresholds require in any event.
Interaction with the March 2026 amendment — "possibility of a breach" trigger
The March 2026 PIPA amendment (Law No. 19234, effective September 11, 2026) requires controllers to notify data subjects upon becoming aware of a "possibility" of a breach, moving the notification trigger to an earlier investigative stage before conclusive confirmation. This guide describes that trigger as sitting in Article 34(2), whereas Article 28-7 as amended in 2023 lists Article 34(1) only; unless the 2026 amendment also revised the Article 28-7 list, the "possibility" notification is therefore not excluded for pseudonymized information, and the consolidated text should be checked on exactly this point. The Enforcement Decree implementing the amendment has also not yet clarified whether controllers must make an initial determination of whether the breached data is pseudonymized before invoking the exemption at the "possibility" stage, or whether they may defer that assessment until the full scope of the breach is confirmed. Until PIPC guidance is published, conservative practice is to assume the exemption is available only after the controller has confirmed that the breached dataset meets all Article 2(1-c) and Article 28-2 through 28-5 requirements, and to treat the report to PIPC/KISA as unaffected by the exemption.
Cross-reference: general breach notification framework
For breaches involving non-pseudonymized personal information, or pseudonymized information processed outside the Article 28-2 safe harbor, controllers must comply with the dual notification duties under Article 34: notification to data subjects "without delay" per Article 34(1), and reporting to PIPC/KISA within 72 hours if the breach meets a threshold in Enforcement Decree Article 40 (1,000 or more affected individuals, any breach of sensitive information or unique identification information, or a breach resulting from illegal external access to an information system). The reporting duty applies to pseudonymized information as well, since Article 28-7 does not exclude it. See the section "Article 34 PIPA — dual notification duty to data subjects and PIPC" in this guide for the full framework.
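The reporting thresholds in the first section, the Article 28-7 conditions in this section, and the three-year retention clock described in the recordkeeping section later in this guide are the rules an incident-response team ends up encoding in a runbook. The Python below is an added example written for this guide; it is not PIPC or KISA code and is not taken from the statute. It takes a structured description of one incident and returns which duties apply, the 72-hour deadline counted from the moment of awareness, and the end of the record-retention period. The Incident fields, the labels used for the Article 23 and Article 24 categories, the function names, and the sample incident are all assumptions made for the example. It treats the Article 28-7 exemption as reaching the data-subject notification only and still assesses the regulator report, and it goes slightly beyond the text by handling a breach whose exact start date forensics could not establish.

```python
"""
Added example for this guide, not from the PIPA text nor from any PIPC or
KISA tool. Thresholds, the 72-hour window, the Article 28-7 conditions and
the three-year retention rule follow the guide; the Incident fields, field
labels, function names and sample incident are assumptions of this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

REPORT_SUBJECT_THRESHOLD = 1_000      # Enforcement Decree Art. 40: 1,000 or more data subjects
REPORT_WINDOW = timedelta(hours=72)   # clock starts when the controller becomes aware
RECORD_RETENTION_YEARS = 3            # Art. 34(5) / Enforcement Decree Art. 41

# Assumed field labels for the PIPA Art. 23 (sensitive) and Art. 24 (unique ID) categories.
SENSITIVE_FIELDS = {"health", "genetic", "biometric", "criminal_record", "ideology",
                    "political_opinion", "union_membership", "sex_life", "race_ethnicity"}
UNIQUE_ID_FIELDS = {"resident_registration_number", "passport_number",
                    "drivers_license_number", "foreign_registration_number"}
SAFE_HARBOR_PURPOSES = {"statistics", "scientific_research", "public_interest_archiving"}


@dataclass
class Incident:
    aware_at: datetime                      # when the controller became aware of the breach
    affected_subjects: int
    breached_fields: set                    # e.g. {"name", "email", "passport_number"}
    illegal_external_access: bool = False   # third Decree Art. 40 trigger
    pseudonymized: bool = False             # data met the Art. 2(1-c) definition when breached
    processing_purpose: Optional[str] = None   # set when relying on Art. 28-7
    linkage_key_exposed: bool = False       # additional info or re-identification creds also reached
    occurred_at: Optional[datetime] = None  # exact breach date, if forensics established it
    earliest_possible_start: Optional[datetime] = None  # otherwise: earliest date it may have begun


@dataclass
class Obligations:
    notify_data_subjects: bool
    report_to_regulator: bool
    report_deadline: Optional[datetime]
    report_triggers: list
    art_28_7_exemption: bool
    record_retention_until: datetime
    notes: list = field(default_factory=list)


def add_years(d: datetime, years: int) -> datetime:
    """Calendar-year arithmetic; a 29 February start rolls to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def art_28_7_exemption_applies(inc: Incident) -> bool:
    """Every Art. 28-7 condition must hold; any one failing defeats the exemption."""
    return (inc.pseudonymized
            and inc.processing_purpose in SAFE_HARBOR_PURPOSES
            and not inc.linkage_key_exposed)


def report_triggers(inc: Incident) -> list:
    """Which Enforcement Decree Art. 40 thresholds the incident meets."""
    triggers = []
    if inc.affected_subjects >= REPORT_SUBJECT_THRESHOLD:
        triggers.append("1,000 or more data subjects")
    if inc.breached_fields & SENSITIVE_FIELDS:
        triggers.append("sensitive information (Art. 23)")
    if inc.breached_fields & UNIQUE_ID_FIELDS:
        triggers.append("unique identification information (Art. 24)")
    if inc.illegal_external_access:
        triggers.append("illegal external access to an information system")
    return triggers


def assess(inc: Incident) -> Obligations:
    exempt = art_28_7_exemption_applies(inc)
    triggers = report_triggers(inc)
    must_report = bool(triggers)
    notes = []
    if exempt:
        notes.append("Art. 28-7 lists Art. 34(1) only; the PIPC/KISA report is assessed on its own terms")
    # Retention runs from the breach date, or from the earliest possible start when unknown.
    start = inc.occurred_at or inc.earliest_possible_start
    if start is None:
        # Assumption of this example: with no date at all, count from awareness, which is
        # later than any breach date and therefore keeps the record longer, not shorter.
        start = inc.aware_at
        notes.append("breach date unknown and no earliest-start estimate; retention counted from awareness")
    return Obligations(
        notify_data_subjects=not exempt,
        report_to_regulator=must_report,
        report_deadline=inc.aware_at + REPORT_WINDOW if must_report else None,
        report_triggers=triggers,
        art_28_7_exemption=exempt,
        record_retention_until=add_years(start, RECORD_RETENTION_YEARS),
        notes=notes,
    )


if __name__ == "__main__":
    # Constructed sample incident, not a real case.
    sample = Incident(aware_at=datetime(2026, 3, 3, 9, 0, tzinfo=timezone.utc),
                      affected_subjects=1_500, breached_fields={"name", "email"},
                      illegal_external_access=True,
                      earliest_possible_start=datetime(2026, 1, 10, tzinfo=timezone.utc))
    print(assess(sample))
```

An incident whose linkage key was also reached, or whose pseudonymized data was being used for marketing rather than a safe-harbor purpose, drops out of the exemption and back into both duties; the sample in the `__main__` block meets two thresholds at once and gets a deadline 72 hours after awareness, with retention counted from the earliest possible start rather than from discovery.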
Source: Personal Information Protection Act (PIPA), Law No. 10465, Articles 2(1-c), 28-2, 28-4, 28-5, 28-7, and 34 (as amended)
Source: European Data Protection Board Opinion 32/2021 on the European Commission Draft Implementing Decision on the adequate protection of personal data by the Republic of Korea (adopted September 24, 2021), paras. 108–111
Article 34(5) PIPA — three-year breach recordkeeping obligation and Enforcement Decree content requirements
South Korea's Personal Information Protection Act (PIPA) Article 34(5) imposes a statutory recordkeeping obligation on personal information controllers who experience a personal information breach. Controllers must create and maintain records of every breach incident for a minimum of three years from the date of the breach, regardless of whether the breach triggered the notification-to-data-subjects duty under Article 34(1) or the regulatory-reporting duty to the Personal Information Protection Commission (PIPC) or Korean Internet & Security Agency (KISA) under Article 34(4). This recordkeeping obligation is independent and universal: it applies to all breaches, including those below the 1,000-individual reporting threshold in Enforcement Decree Article 40, those involving only non-sensitive personal information, and those for which the controller invoked the pseudonymized-data exemption under Article 28-7 PIPA.
Statutory text — Article 34(5) PIPA
Article 34(5) PIPA (as amended by Law No. 19234, March 12, 2026, effective September 11, 2026) provides:
> "A personal information controller shall prepare and keep a record of cases of the leakage, etc. of personal information pursuant to the conditions as prescribed by Presidential Decree."
The March 2026 amendment did not change the substance of Article 34(5), but it renumbered the provision (previously Article 34(4) before the insertion of the new "possibility of a breach" notification trigger). The "conditions as prescribed by Presidential Decree" refers to the content and retention-period requirements set forth in Enforcement Decree Article 41.
Enforcement Decree Article 41 — mandatory record content
Enforcement Decree Article 41 (Preparation and Retention of Records on Leakage, etc. of Personal Information) prescribes seven mandatory content items that controllers must include in breach records:
- Scope and scale of the breach — the categories of personal information subject to the breach (e.g., name, resident registration number, email address, payment card number) and the number of affected data subjects, broken down by category where feasible;
- Circumstances of the breach — the date and time the breach occurred or was discovered, the attack vector or incident cause (e.g., unauthorized external access, employee error, system misconfiguration, malware infection), and the location or system component affected;
- Measures taken to notify affected data subjects — the method and timing of data-subject notification under Article 34(1), the content of the notification, and evidence of delivery (e.g., email transmission logs, SMS gateway receipts, postal mail tracking). If data-subject notification was not required (e.g., because the breach fell below actionable thresholds or the controller lacked contact information and used alternative publication methods), the record must document the legal basis for non-notification or the alternative measures employed under Enforcement Decree Article 39;
- Measures taken to report to PIPC or KISA — the date and time of regulatory reporting under Article 34(4), the method of submission (controllers report via the KISA portal at https://privacy.kisa.or.kr), and a copy of the filed report or the KISA-assigned case reference number. If the breach did not trigger the 72-hour reporting duty (e.g., fewer than 1,000 affected individuals and no sensitive or unique identification information involved), the record must explain why reporting was not required;
- Response and remedial measures implemented by the controller — technical and organizational steps taken to contain the breach, prevent further unauthorized access, and mitigate harm to data subjects. Examples include password resets for affected accounts, revocation of compromised API keys, deployment of security patches, enhanced monitoring, forensic investigation engagement, and credit-monitoring services offered to affected individuals;
- Measures taken to prevent recurrence — systemic improvements and corrective actions implemented post-breach, such as revised access-control policies, enhanced encryption standards, employee re-training, third-party security audits, or changes to data-retention practices. The PIPC reviews these measures when it exercises its inspection powers under PIPA Article 63 (requests for submission of materials and inspections) and its corrective-measure powers under Article 64; inadequate remediation can trigger administrative penalties or a formal PIPC corrective order;
- Other matters prescribed by the PIPC — the Enforcement Decree delegates authority to the PIPC to specify additional recordkeeping items by regulation or guideline. As of June 1, 2026, the PIPC has not published supplementary recordkeeping requirements under this delegation, but controllers should monitor PIPC notices and guidance for future obligations.
Three-year retention period
Enforcement Decree Article 41 requires controllers to retain breach records for three years from the date the breach occurred. The three-year clock starts on the date of the incident itself, not the date of discovery, notification, or reporting. Where the exact date of the breach cannot be determined through forensic analysis (for example, in cases of prolonged unauthorized access spanning multiple months), the retention period runs from the earliest date on which the breach may have commenced, as documented in the controller's forensic investigation report.
The three-year retention requirement is a minimum floor, not a ceiling. Controllers may elect to retain breach records for longer periods to support potential civil litigation under PIPA Article 39 (damages claims subject to a three-year statute of limitations under Korean Civil Act Article 766), internal compliance audits, or PIPC follow-up investigations. Breach records are personal information to the extent they identify or describe affected data subjects by name, resident registration number, or other identifiers; controllers must therefore apply PIPA's security safeguards under Article 29 (technical and administrative protection measures) and access-control obligations under Article 28 (access limitation to authorized personnel) to the breach records themselves.
Interaction with PIPC inspection powers — Article 63 and Article 64 PIPA
PIPC inspectors exercise statutory authority under Article 63 PIPA (requests for submission of materials and inspections) to examine controllers' personal information processing activities, including breach-response practices and recordkeeping compliance, and the PIPC may order corrective measures under Article 64. During a post-breach inspection, the PIPC routinely requests production of the Article 34(5) breach records to verify:
- Timeliness and completeness of data-subject notification and regulatory reporting;
- Adequacy of remedial and recurrence-prevention measures;
- Compliance with forensic evidence-preservation standards; and
- Whether the controller accurately reported the breach scale and affected data categories to KISA.
Failure to maintain breach records for three years, or gaps and inconsistencies in the documented timeline, can independently support a finding of non-compliance and trigger administrative fines under PIPA Article 75 (up to KRW 30 million) or penalty surcharges under Article 64-2 (up to 3% of total revenue, escalating to 10% for repeat violations or breaches affecting 10 million or more data subjects, per the March 2026 amendment). Where the PIPC determines that inadequate recordkeeping impeded its investigation or prevented accurate assessment of the breach's impact, it may issue a corrective order under Article 64 requiring enhanced recordkeeping procedures, third-party audit engagement, or submission of quarterly compliance reports for a specified period.
Processors (persons entrusted) — parallel recordkeeping duty
PIPA Article 26(8) applies the breach notification obligations of Article 34 mutatis mutandis to "persons entrusted" (data processors operating under a written contract with the controller). Consequently, processors bear the same Article 34(5) recordkeeping duty when they experience a breach in the course of processing personal information on behalf of the controller. In practice, the controller typically requires the processor to deliver a copy of the breach records to the controller as part of the contractual accountability obligations under Article 26 PIPA, but both parties maintain separate records for the statutory three-year period. Where the processor reports a breach to KISA under Article 34(4), the processor files the report in its own name and retains the KISA case reference and submission confirmation in its own breach records; the controller separately documents its oversight of the processor's response in the controller's own Article 34(5) records.
Cross-reference to notification and reporting duties
The Article 34(5) recordkeeping obligation is one component of the comprehensive breach-response framework under PIPA Article 34:
- Article 34(1) — duty to notify affected data subjects "without delay," expanded by the March 2026 amendment to include notification upon becoming aware of a "possibility" of a breach before conclusive confirmation (see the section "Article 34(1) PIPA — mandatory content items for data subject notifications" in this guide);
- Article 34(4) — duty to report to PIPC or KISA within 72 hours if the breach meets a threshold in Enforcement Decree Article 40 (1,000 or more affected individuals, any breach of sensitive information or unique identification information, or a breach resulting from illegal external access to an information system) (see the section "Article 34 PIPA — dual notification duty to data subjects and PIPC" in this guide);
- Article 34(5) — duty to create and retain breach records for three years (this section); and
- Article 28-7 — exclusion of the Article 34(1) data-subject notification duty for pseudonymized data processed for statistical, research, or archiving purposes; the regulator-reporting duty is not excluded, and the exemption's application to the recordkeeping duty under Article 34(5) remains unsettled in PIPC guidance (see the section "Article 28-7 PIPA — pseudonymized data exemption from breach notification duties" in this guide).
Compliance with one duty does not satisfy the others. A controller that properly notifies data subjects and reports to KISA but fails to maintain three-year records violates Article 34(5); conversely, a controller that meticulously documents a below-threshold breach but fails to notify the (fewer than 1,000) affected individuals violates Article 34(1).
Source: Personal Information Protection Act (PIPA), Law No. 10465, Article 34 (as amended by Law No. 19234, March 12, 2026)
Source: Enforcement Decree of the Personal Information Protection Act, Article 41 (Preparation and Retention of Records on Leakage, etc. of Personal Information)
KISA breach reporting portal — submission procedure, required content, and foreign-operator access
Personal information controllers subject to the 72-hour regulatory reporting duty under PIPA Article 34(4) and Enforcement Decree Article 40 file their breach reports through the Korean Internet & Security Agency (KISA) online portal at https://privacy.kisa.or.kr. The Personal Information Protection Commission (PIPC) designated KISA as the specialized agency that receives breach reports under PIPA Article 34, and the portal is the primary submission channel for all controllers processing personal information of data subjects in Korea, domestic and foreign alike; the email fallback for foreign operators that cannot authenticate to the portal is described below.
Reporting obligation triggers — Enforcement Decree Article 40
Controllers must report to KISA within 72 hours of becoming aware of a breach if one or more of the following thresholds is met:
- 1,000 or more data subjects affected — the breach involves loss, theft, leakage, forgery, alteration, or damage to personal information of 1,000 or more individuals, regardless of the categories of personal information involved (Enforcement Decree Article 40(1)(1));
- Sensitive information or unique identification information breached — any breach, regardless of scale, involving sensitive information as defined in PIPA Article 23 (ideology, beliefs, trade union or political party membership, political opinions, health, sex life, genetic information, biometric information used to identify an individual, race or ethnicity, or criminal history) or unique identification information under PIPA Article 24 and Enforcement Decree Article 19 (resident registration numbers, passport numbers, driver's license numbers, or foreign registration numbers) (Enforcement Decree Article 40(1)(2)); or
- Illegal external access to information systems — unauthorized external intrusion into the controller's information systems, databases, or networks, regardless of whether personal information was actually exfiltrated or the number of affected individuals (Enforcement Decree Article 40(3), added by Presidential Decree No. 33107 in December 2022, effective January 1, 2023).
The 72-hour clock starts when the controller "becomes aware of" the breach—not the date of the incident itself. PIPC guidance interprets "becomes aware" as the point at which the controller has sufficient evidence to conclude that a breach occurred, even if the full scope, attack vector, and affected data categories remain under forensic investigation. Controllers must report within 72 hours with the information available at the time; the obligation is to file a preliminary report promptly rather than to delay until a comprehensive post-incident investigation is complete. Controllers may supplement or amend their initial KISA report as new facts emerge during forensic analysis.
KISA portal registration and authentication
The KISA breach reporting portal (https://privacy.kisa.or.kr) requires user registration and authentication via Korean mobile phone verification or an authorized digital certificate (공인인증서, gongin injeungseo) issued by a Korean certificate authority. This authentication mechanism creates a compliance barrier for foreign controllers without a Korean establishment, as they typically do not possess Korean mobile phone numbers or Korean digital certificates.
The PIPC addressed this issue in its April 2024 Guidelines on Applying the PIPA to Foreign Business Operators, confirming that foreign operators processing personal information of data subjects in Korea are subject to the same 72-hour reporting requirement but may face "difficulties in using the online reporting system due to lack of domestic mobile phone authentication." The Guidelines instruct foreign operators to submit breach reports by email to breach@kisa.or.kr if they cannot access the online portal, and to include in the email subject line the controller's name, country of incorporation, and the phrase "Personal Information Breach Report" (개인정보 유출신고). The email must attach a completed breach report form containing all content items required under the portal submission process (see below). KISA assigns a case reference number and confirmation receipt via return email, which the foreign controller must retain as evidence of timely filing for PIPC audit purposes.
As of June 2026, the PIPC has not published a streamlined portal-access procedure for foreign operators, and the mobile-phone / digital-certificate gate remains in place. Foreign operators that establish a Korean subsidiary or designate a Korean representative under PIPA Article 39-14 (domestic representative designation duty for foreign controllers processing personal information of 10,000 or more Korean data subjects annually, effective from March 2024) typically register the Korean entity's or representative's credentials on the KISA portal to enable direct online reporting.
Required content for KISA breach reports — Enforcement Decree Article 40
Enforcement Decree Article 40 (Matters to be Reported on Divulgence, etc. of Personal Information) prescribes seven mandatory content categories for KISA reports, overlapping with but distinct from the data-subject notification content requirements under PIPA Article 34(1):
- Controller identification — the controller's legal name, business registration number (for Korean entities) or foreign registration number, registered address, contact telephone and email, and the name and contact information of the controller's personal information protection officer (if designated under PIPA Article 31) or the person responsible for breach response;
- Date and time the breach occurred or was discovered — the estimated date and time range of the incident (unauthorized access, exfiltration, or loss), and the date and time the controller first became aware of the breach through internal monitoring, user complaint, forensic alert, or third-party notification;
- Circumstances and cause of the breach — a description of the attack vector or incident cause (e.g., phishing attack, SQL injection, ransomware, misconfigured cloud storage bucket, employee error, lost USB drive, unauthorized third-party access), the affected systems or databases, and whether the breach resulted from illegal external access per Enforcement Decree Article 40(3);
- Scope and scale of the breach — the categories of personal information subject to loss, theft, leakage, forgery, alteration, or damage (name, email, resident registration number, payment card number, health records, etc.), the number of affected data subjects (if known at the time of filing, or a reasonable estimate if the exact count is pending forensic analysis), and whether the breach involved sensitive information (PIPA Article 23) or unique identification information (PIPA Article 24);
- Measures taken to notify affected data subjects — the method and timing of data-subject notification under PIPA Article 34(1) (email, SMS, postal mail, homepage posting), or an explanation of why data-subject notification was not yet completed at the time of the KISA report (e.g., contact information not available, alternative publication methods under Enforcement Decree Article 40 in progress);
- Controller's response and remedial measures — technical and organizational steps taken to contain the breach, prevent further unauthorized access, and mitigate harm to data subjects (password resets, system patches, enhanced monitoring, forensic investigation engagement, credit-monitoring services offered to affected individuals); and
- Measures to prevent recurrence — systemic improvements and corrective actions implemented or planned post-breach (revised access-control policies, encryption upgrades, employee re-training, third-party security audits, changes to data-retention practices).
The KISA portal presents a structured web form with fields corresponding to each content category. Controllers must upload supporting documentation, including forensic analysis reports (if available), data-subject notification templates or evidence of delivery, and logs or screenshots demonstrating the breach timeline. Where forensic investigation is ongoing and certain facts remain unknown (e.g., precise number of affected individuals, exact exfiltration date), the controller should state "under investigation" in the relevant field and indicate the expected timeline for supplemental filing.
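As an added example (not material from the page, KISA or the PIPC), a small Python triage helper that applies the Enforcement Decree Article 39 thresholds and the 72-hour awareness clock described above, and checks a draft report against the seven Article 40 content categories. The field keys, the sample incident and the time zone handling are constructed assumptions, and the logic encodes the thresholds as this page states them rather than any official PIPC interpretation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

KST = timezone(timedelta(hours=9))      # assumption: deadlines expressed in Korea Standard Time
REPORT_WINDOW = timedelta(hours=72)     # PIPA Art. 34(4) reporting window
SCALE_THRESHOLD = 1000                  # Enforcement Decree Art. 39(1)(1)

# The seven Enforcement Decree Art. 40 content categories; the keys are
# constructed labels, not the KISA portal's own field names.
REQUIRED_FIELDS = ("controller", "timeline", "cause", "scope",
                   "subject_notification", "response", "recurrence_prevention")


@dataclass
class BreachFacts:
    aware_at: datetime             # when the controller became aware (must be tz-aware)
    affected_count: Optional[int]  # known count or reasonable estimate; None = unknown
    sensitive_info: bool           # PIPA Art. 23 categories involved
    unique_id_info: bool           # PIPA Art. 24 identifiers involved
    external_intrusion: bool       # illegal external access, Decree Art. 40(3)


def report_triggers(f: BreachFacts) -> list:
    """Return the Decree provisions that make the breach reportable to KISA."""
    triggers = []
    if f.affected_count is not None and f.affected_count >= SCALE_THRESHOLD:
        triggers.append("Art. 39(1)(1): 1,000 or more data subjects")
    if f.sensitive_info or f.unique_id_info:   # scale is irrelevant for this trigger
        triggers.append("Art. 39(1)(2): sensitive or unique identification information")
    if f.external_intrusion:                   # exfiltration need not be proven
        triggers.append("Art. 40(3): illegal external access")
    return triggers


def kisa_deadline(aware_at: datetime) -> datetime:
    """72 hours from awareness (not from the incident date), expressed in KST."""
    if aware_at.tzinfo is None:
        raise ValueError("awareness time must be timezone-aware")
    return (aware_at + REPORT_WINDOW).astimezone(KST)


def missing_report_fields(report: dict) -> list:
    """Art. 40 categories left empty; 'under investigation' counts as filled."""
    return [k for k in REQUIRED_FIELDS if not str(report.get(k, "")).strip()]


# Constructed sample: 500 accounts affected, but resident registration numbers involved,
# discovered at 10:00 UTC on 1 June 2026.
SAMPLE_FACTS = BreachFacts(datetime(2026, 6, 1, 10, 0, tzinfo=timezone.utc), 500, False, True, False)

if __name__ == "__main__":
    print(report_triggers(SAMPLE_FACTS), kisa_deadline(SAMPLE_FACTS.aware_at).isoformat())
```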
Penalties for non-reporting or late reporting
Failure to report a qualifying breach to KISA within 72 hours, or filing a materially incomplete or inaccurate report, constitutes a violation of PIPA Article 34(4) and triggers administrative penalties. Under the March 2026 amendment (Law No. 19234, effective September 11, 2026), the PIPC may impose administrative penalties of up to 3% of the controller's total revenue for breach notification violations, including late or non-reporting (PIPA Article 34-2(1)). This cap escalates to 10% of total revenue for repeat violations involving willful misconduct or gross negligence within a three-year period, violations affecting 10 million or more data subjects, or failure to comply with a PIPC corrective order following the initial penalty (PIPA Article 34-2(2)). Additionally, controllers that fail to report face administrative fines of up to KRW 30 million (approximately USD 22,000) under PIPA Article 75(2)(18).
The PIPC has applied these penalties in enforcement actions post-breach. In May 2024, the PIPC imposed a KRW 7.5 billion (USD 5.2 million) administrative penalty on Golfzon Co., Ltd. following a data breach affecting approximately 17.8 million users; the penalty was based in part on Golfzon's delayed reporting to KISA and inadequate initial notification to data subjects. The PIPC emphasized that the 72-hour reporting clock is strict and non-extendable, and that controllers bear the burden of establishing timely filing through KISA case reference numbers and email confirmation receipts.
Interaction with the March 2026 "possibility" trigger
The March 2026 PIPA amendment (Law No. 19234) introduces a new notification trigger requiring controllers to notify data subjects upon becoming aware of a "possibility" of a breach, before conclusive confirmation (PIPA Article 34(2) as amended). As of June 2026, the Enforcement Decree has not yet specified whether the "possibility" trigger also activates the 72-hour KISA reporting duty, or whether the reporting obligation continues to run from the point of confirmed breach. PIPC guidance is expected before the September 11, 2026 effective date. Conservative practice is to assume that once a controller notifies data subjects of a "possibility" of breach under Article 34(2), the controller must file a preliminary KISA report within 72 hours if the suspected breach meets the thresholds in Enforcement Decree Article 39, and supplement the report when the breach is confirmed or ruled out through investigation.
Cross-reference to data-subject notification and recordkeeping duties
The KISA reporting obligation under Article 34(4) runs in parallel with—but does not substitute for—the duty to notify affected data subjects "without delay" under Article 34(1) and the duty to create and retain breach records for three years under Article 34(5). Compliance with one obligation does not satisfy the others. A controller that timely files a KISA report but fails to notify data subjects violates Article 34(1); conversely, a controller that notifies data subjects but misses the 72-hour KISA deadline violates Article 34(4). See the sections "Article 34 PIPA — dual notification duty to data subjects and PIPC," "Article 34(1) PIPA — mandatory content items for data subject notifications," and "Article 34(5) PIPA — three-year breach recordkeeping obligation" in this guide for the full framework.
Source: Personal Information Protection Act (PIPA), Law No. 10465, Article 34 (as amended by Law No. 19234, March 12, 2026)
Source: Enforcement Decree of the Personal Information Protection Act, Articles 39–40
Source: PIPC, Reporting on Divulgence of Personal Information (KISA designated as operating agency)
Source: PIPC Guidelines on Applying the PIPA to Foreign Business Operators (April 2024)