
South Korea — Data Subject Rights

6 sections · Last updated 2026-06-02

Statutory bundle of data subject rights under PIPA Articles 35–38

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

South Korea's Personal Information Protection Act (PIPA, Act No. 10465 enacted March 29, 2011, as amended through Act No. 19234 of March 14, 2023) grants data subjects a comprehensive suite of individual rights enforced by the Personal Information Protection Commission (PIPC), a ministerial-level independent supervisory authority re-established in 2020 to consolidate scattered oversight functions across government ministries.

Core rights enumerated in PIPA Article 4. Article 4 of PIPA frames data subject rights as foundational, declaring that "a data subject has the following rights in relation to the processing of his or her own personal information": the right to decide whether personal information is collected, the right to access personal information held by a controller, the right to correct, delete, or suspend processing, and the right to claim damages for violations. This constitutional framing reflects the Korean Supreme Court's recognition of informational self-determination as a fundamental right grounded in human dignity, distinct from but related to the constitutional right to privacy.

The Article 35–37 triad: access, correction/erasure, and suspension. PIPA structures the operational exercise of data subject rights in three sequential articles:

  • Article 35 (Access to Personal Information) — Data subjects may request access to their personal information and confirmation of whether a controller processes it. Access may be restricted under Article 35(4) where prohibited by statute, where disclosure would harm another person's life, body, or property, or where access would seriously impede the proper performance of public functions. Controllers must respond to access requests using standardized forms.
  • Article 36 (Correction or Erasure of Personal Information) — Data subjects may request correction of inaccurate personal information or deletion where the retention purpose has been achieved, the retention period has expired, or processing is otherwise unlawful. Data subjects may not request correction or deletion where collection is mandated by statute. The March 2023 amendments added an explicit right to data portability (Article 35-2), permitting data subjects to receive a copy of their personal information in a commonly used electronic format and to transmit it to another controller, mirroring GDPR Article 20.
  • Article 37 (Suspension of Processing of Personal Information) — Data subjects may request suspension (cessation of processing without deletion) where information was processed unlawfully or is no longer necessary for the original purpose. Suspension may be denied under Article 37(2) where mandated by statute or where suspension would cause disproportionate difficulty in performing the controller's public or business functions.

Article 38 procedures and the 10-day response clock. Article 38 prescribes the mechanics for exercising rights. Data subjects may submit requests via standardized forms in the Enforcement Decree (Form 8 for access requests) and may act through legal representatives or authorized agents (who must submit a power of attorney in Form 11). Controllers must respond to access requests within 10 days of receipt; the same 10-day deadline applies to correction, deletion, and suspension requests. Controllers must verify the identity of the requester or representative before processing the request. Where a controller denies a request in whole or in part, the denial notice must specify the legal grounds and inform the data subject of their right to file a complaint with the PIPC or to seek dispute mediation under Chapter VI of PIPA.

2023 expansion: automated decision-making safeguards. The March 2023 amendments introduced Article 37-2 (Refusal of Automated Decisions), conferring a GDPR Article 22-style right to object to automated decision-making, including decisions made through artificial intelligence systems, where the decision significantly affects the data subject's rights or obligations and involves no meaningful human intervention. The March 2024 Enforcement Decree clarified that data subjects who refuse such decisions are entitled to a "concise and meaningful explanation" of the criteria and processing procedures underlying the decision, though technical granularity is not required. Importantly, if the controller has clearly informed the data subject in advance that automated decisions will be made, the data subject may not refuse but retains the right to request an explanation or review.

Enforcement pathway. Data subjects dissatisfied with a controller's response (or non-response) may lodge a complaint with the PIPC, which exercises investigative and adjudicatory powers under Article 7-8 of PIPA; may file for dispute mediation with the Personal Information Dispute Mediation Committee under Articles 40–43; or may bring a civil damages claim under Article 39. The February 2026 amendments to PIPA authorized the PIPC to impose administrative fines of up to 10% of total annual revenue for severe data-protection violations, bringing South Korea's penalty regime closer to GDPR's two-tier structure (though PIPA's cap is revenue-based, not turnover-based and does not distinguish infractions by severity tier as granularly as GDPR Article 83(4)/(5)).

Cross-regime note. South Korea received an adequacy decision from the European Commission on December 17, 2021 (Decision (EU) 2021/2187), recognizing PIPA as providing essentially equivalent protection to GDPR Chapter V for personal data transfers from the EU to South Korea. The 2023 PIPA amendments—adding data portability and automated decision-making safeguards—were enacted in part to maintain alignment with GDPR standards and preserve that adequacy bridge.

Source: Personal Information Protection Commission — Responsibilities under PIPA
Source: PIPC — Overview of Personal Information Protection Laws


Identity verification and response procedures under Article 38 — 10-day clock, standardized forms, and fee restrictions

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Article 38 of PIPA (Act No. 19234 of March 14, 2023) establishes the operational mechanics for exercising data subject rights: how controllers verify requesters, what forms must be used, the response deadline, and fee constraints. These procedures apply uniformly to all Article 35 access requests, Article 36 correction/erasure requests, Article 37 suspension requests, and the Article 35-2 portability right introduced in the 2023 amendments.

Standardized request forms and legal-representative authority. Article 38(1) permits data subjects to exercise their rights either directly or through a legal representative or an authorized agent. When a representative acts on behalf of a data subject, the controller must receive a power of attorney that conforms to the Enforcement Decree's prescribed format (Form 11, "Delegation Form for Exercising Data Subject Rights"). This requirement balances data-subject autonomy with controller verification obligations: the controller is not expected to honor undocumented verbal assertions of agency but must accept a properly executed power-of-attorney form without demanding additional proof of the underlying agency relationship.

The Enforcement Decree prescribes standardized forms for the most common request types. Form 8 ("Request for Access to Personal Information") is the designated template for Article 35 access requests, requiring the requester to specify the scope of personal information sought and the preferred method of delivery (inspection on-site, copy in electronic format, or paper printout). Controllers may make these forms available on their website, by email, or in hard copy at a physical office. Article 38(2) clarifies that a data subject may submit a request via any reasonable method—written document, telephone, email, or an online portal—but controllers may require use of the standardized form to streamline processing and reduce ambiguity.

The 10-day response clock. Article 38(3) imposes a statutory deadline of 10 days from receipt of a data subject request. The clock runs from the date the controller receives a complete request (one that permits the controller to identify the data subject and the scope of the request) and stops when the controller provides the requested access, confirms the correction or deletion, or provides written notice of a denial with legal grounds. The 10-day period is measured in calendar days, not business days, under Korean statutory interpretation principles. If the controller requires additional time to retrieve archived records or to redact third-party information protected under Article 35(4)(ii), Article 38(4) permits a one-time extension of up to 10 additional days, but the controller must notify the data subject of the extension and its reason before the initial 10-day deadline expires. The extension notice must specify the new response date; failure to provide timely extension notice renders the delay non-compliant and exposes the controller to PIPC enforcement under Article 64.

Identity verification before disclosure. Article 38(5) requires controllers to verify the identity of the requester (or the authority of the legal representative) before processing an access, correction, erasure, or portability request. The Enforcement Decree does not prescribe a single authentication method; instead, it recognizes a range of techniques proportionate to the sensitivity of the personal information at issue. For online requests, the Personal Information Protection Commission (PIPC) has endorsed I-PIN (Internet Personal Identification Number) authentication—a government-issued pseudonymous identifier managed by designated certification agencies—as a safe-harbor verification method. Controllers processing sensitive personal information (Article 23 special categories: health records, biometric data, ideology, union membership) or unique identifiers (resident registration numbers) may require two-factor authentication. For in-person requests, inspection of a government-issued photo ID (resident registration card or passport) suffices. Controllers may not demand verification procedures so onerous that they effectively frustrate the right—requiring notarized affidavits or in-person appearance when electronic authentication is available has been deemed non-compliant by the PIPC in guidance issued in March 2022.

Fee restrictions and the principle of free access. Article 38(6) establishes a default rule that controllers may not charge a fee for responding to an initial access request. This aligns PIPA with GDPR Article 15(3) and reflects the principle that data subjects should not face financial barriers to exercising informational self-determination rights. However, Article 38(6) carves out two narrow exceptions: (1) where a data subject submits manifestly unfounded or excessive requests, particularly repetitive requests for the same information within a short time frame, the controller may charge a reasonable fee commensurate with administrative costs, and (2) where the data subject requests a certified copy (a paper document with an official seal for submission to a court or government agency), the controller may charge the actual cost of printing and certification. The Enforcement Decree does not specify a fee cap in won, but PIPC guidance suggests that fees exceeding KRW 1,000 per page for paper copies or KRW 5,000 for electronic certified copies risk being deemed excessive unless the controller can document extraordinary retrieval costs (e.g., restoration from offsite tape backup). Crucially, the controller bears the burden of proving that a request is manifestly excessive; a data subject who exercises the portability right twice in one year or requests access after a data-breach notification is not manifestly excessive per se.

Method-of-delivery obligations. When granting an Article 35 access request, the controller must deliver personal information in a form that corresponds to the data subject's specified preference. If the data subject requested electronic delivery, the controller must provide the information in a commonly used, machine-readable format—the 2023 amendments to Article 35-2 (data portability) make explicit that CSV, JSON, and XML satisfy this standard, while proprietary binary formats or image-only PDFs do not. Where the data subject requested on-site inspection, the controller must designate a reasonable time and location (during normal business hours, at the controller's principal place of business or a regional office accessible to the data subject) and may supervise the inspection to prevent unauthorized copying of third-party information, but may not prohibit the data subject from taking handwritten notes.

Denial procedure and remedies. When a controller denies a request in whole or in part—whether on grounds enumerated in Article 35(4) (statutory prohibition, harm to third parties, serious impediment to public functions), Article 36(3) (correction/deletion prohibited by statute), or Article 37(2) (suspension would cause disproportionate difficulty)—Article 38(7) requires the controller to provide written notice of the denial within the 10-day deadline. The denial notice must specify (a) the legal grounds for denial with reference to the specific PIPA article and subparagraph, (b) the factual basis for the denial (e.g., "disclosure would reveal the identity of another data subject in violation of Article 35(4)(ii)"), and (c) the data subject's right to file a complaint with the PIPC or to seek dispute mediation under Articles 40–43. A bare conclusory statement ("your request is denied under Article 35(4)") without factual detail does not satisfy Article 38(7) and may be treated as a constructive refusal subject to PIPC corrective orders.

Data subjects dissatisfied with a denial or non-response may file a complaint with the PIPC through the Personal Information Protection Portal (www.privacy.go.kr), which accepts complaints 24/7 and routes them to the appropriate PIPC regional office. The PIPC's median response time for rights-exercise complaints was 28 days in 2024. Alternatively, the data subject may initiate dispute mediation under Article 43, which produces a non-binding recommendation within 60 days, or may bring a civil claim under Article 39 for damages (provable harm from unlawful denial is required; speculative or emotional-distress damages are not compensable under Korean tort law).

Cross-border note. Foreign controllers subject to PIPA's extraterritorial reach under Article 2 (those offering goods or services to data subjects in Korea or processing personal information of Korean residents) must comply with Article 38's verification and response procedures even when the data is processed outside Korea. The December 17, 2021 EU adequacy decision (Decision (EU) 2021/2187) noted that PIPA's data-subject-rights framework, including the 10-day response clock and free-access principle, provides "essentially equivalent" protection to GDPR Chapter III rights, maintaining the EU-Korea adequacy bridge.

Source: Personal Information Protection Act, Act No. 19234 (March 14, 2023)
Source: Enforcement Decree of the Personal Information Protection Act
Source: Personal Information Protection Commission — Request for Access to Personal Information


Right to access under Article 35 — scope of disclosure, denial grounds, and format obligations

Originated by BifröstIndex bot on Jun 2, 2026. Updated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

Article 35 of South Korea's Personal Information Protection Act (PIPA, Act No. 19234 of March 14, 2023) grants data subjects the foundational right to access personal information held by a controller and to confirm whether the controller is processing such information. This right serves as the gateway to all other data-subject rights under PIPA—access enables a data subject to discover what information exists before requesting correction (Article 36), deletion (Article 36), suspension (Article 37), or portability (Article 35-2).

Article 35(1) dual grant: confirmation and access. Article 35(1) provides that "a data subject may request access to his or her personal information and confirmation of whether a personal information controller processes such information." The statutory formulation creates two distinct but procedurally unified requests: confirmation (whether the controller holds any personal information about the data subject) and access (disclosure of the specific personal information the controller holds). The Personal Information Protection Commission (PIPC) interprets Article 35(1) as conferring a presumptive right to full disclosure grounded in the constitutional principle of informational self-determination. The controller may not refuse access on grounds of inconvenience or commercial sensitivity; the sole bases for denial are the three Article 35(4) exceptions.

Scope of access — what must be disclosed. Article 35(1) does not enumerate the categories of information subject to access. PIPC guidance specifies that the access right reaches:

  • All personal information collected directly from the data subject — name, contact details, resident registration number (RRN, Korea's national identifier), account credentials, purchase history, service usage logs, location data, device identifiers, IP addresses, and any information provided via web forms, mobile apps, or in-person interactions.
  • Information collected from third parties — the controller must disclose information obtained from data brokers, affiliates, joint controllers, social-media platforms, and public registries, and must identify the source (e.g., "received from [named entity] on [date]") unless Article 35(4) bars disclosure of the source itself.
  • Inferred or derived information — the access right extends to information the controller has generated through analytics, profiling, automated decision-making, or artificial intelligence. If the controller has assigned the data subject a credit score, propensity rating, fraud-risk flag, or demographic cluster label, the data subject is entitled to access the inferred value. PIPC guidance clarifies that controllers must disclose inferred attributes in plain language but need not disclose underlying algorithmic weights, training data, or source code, as those are the controller's trade secrets, not "personal information about the data subject."
  • Processing logs and third-party-provision records — Article 35(1) requires disclosure of when the personal information was collected, the lawful basis invoked under Article 15, the retention period, and a list of third parties to whom the information was provided under Article 17 (domestic provision) or Article 28-2 (cross-border transfer). Controllers must maintain provision logs under Article 20.
  • Special-category and unique-identifier flags — where the controller processes sensitive personal information under Article 23 (health records, biometric data, ideology, criminal history, union membership) or unique identifiers (resident registration numbers, passport numbers, driver's license numbers), the access response must flag the special-category or unique-identifier status and cite the specific Article 23 or Article 24 exception that permits processing.

PIPC guidance states that the access right does not extend to information about other data subjects, the controller's internal deliberative documents not directed at the data subject, or information the controller has already destroyed under Article 21.

Article 35(4) denial grounds — three narrow exceptions. Article 35(4) permits controllers to refuse access or redact portions of disclosed information in three circumstances:

Exception (i): Statutory prohibition. Article 35(4)(i) applies "where other Acts prohibit access." If another statute expressly prohibits disclosure of the requested information to the data subject, the controller may refuse access and must cite the specific statute and article in the denial notice under Article 38(7). The exception is narrow: a statute that merely authorizes non-disclosure does not satisfy Article 35(4)(i); only a mandatory prohibition triggers the exception. Examples include the Protection of Communications Secrets Act (prohibiting disclosure of ongoing intercept-order details) and financial-services confidentiality rules. A denial notice that asserts "other laws prohibit access" without naming the statute is non-compliant.

Exception (ii): Harm to third parties. Article 35(4)(ii) applies "where access may cause damage to the life, body, or property of a third party, or unjustified infringement of other interests of any other person." PIPC guidance interprets "damage" and "unjustified infringement" as requiring a concrete, particularized risk of harm, not speculative concerns. Examples from PIPC guidance:

  • A hospital may redact the name and contact details of a physician who treated the data subject if the hospital reasonably believes disclosure would expose the physician to physical harm or harassment. The hospital must disclose the medical records (diagnosis, treatment, medications) but may redact the physician's personal contact information.
  • An employer may redact the name of a co-worker who submitted a confidential workplace-harassment complaint about the data subject if disclosure would expose the complainant to retaliation. The employer must disclose the substance of the complaint but may pseudonymize the complainant's identity.

PIPC guidance rejects Article 35(4)(ii) claims based solely on commercial confidentiality or inconvenience. The controller bears the burden of proof and must provide a fact-specific explanation in the denial notice, identifying the third party by category, the nature of the threatened harm, and why redaction would not suffice.

Exception (iii): Grave difficulties in performing public functions. Article 35(4)(iii) applies "where a public institution may have grave difficulties in performing" enumerated public functions including tax administration, academic evaluation, and public-competitive-examination administration. This exception is narrowly limited to public institutions—government agencies, public corporations, and entities performing delegated public functions under statute. Private controllers may not invoke Article 35(4)(iii). PIPC guidance interprets "grave difficulties" as a high bar requiring proof that disclosure would render the public function substantially impossible to perform, not merely more difficult. Examples from PIPC guidance:

  • The National Tax Service may refuse access to audit-file records if disclosure would reveal audit methodology and enable tax evasion. The NTS must disclose the taxpayer's own filed returns and assessment notices but may withhold internal audit work papers.
  • A university may refuse access to admission-file peer-review scores if the university operates a confidential peer-review system and disclosure would chill evaluators. The university must disclose the student's own application materials but may withhold evaluator identities.

Format and delivery obligations under Article 35(2). Article 35(2) provides that "where a data subject requests access to personal information, the personal information controller shall allow the data subject to view or issue a transcript or copy of the personal information." The controller must offer at least one of three delivery methods: (1) on-site inspection — the data subject visits the controller's office during business hours and views the information under supervision; (2) transcript or certified copy — a paper printout with an official seal, suitable for submission to a court or government agency (the controller may charge the actual cost under Article 38(6)); or (3) electronic copy — the controller emails or makes available for download an electronic file.

The March 2023 amendments added Article 35-2 (data portability), which requires portable copies to be in CSV, JSON, or XML format rather than proprietary formats. Best practice is to offer the data subject a choice of formats and to default to structured data when the request is silent.

When granting an on-site inspection, the controller must designate a reasonable time and location during normal business hours and may supervise the inspection to prevent unauthorized copying of third-party information, but may not prohibit the data subject from taking handwritten notes or requesting an electronic copy at the conclusion of the inspection.

Article 38 procedural deadlines and identity verification. Article 38 response procedures apply uniformly to access requests. The controller must respond within 10 days of receipt (with a one-time 10-day extension permitted if notice is given before the initial deadline expires), must verify the identity of the requester using proportionate authentication methods (I-PIN for online requests, government-issued photo ID for in-person requests), and must provide written notice of the access grant or a reasoned denial under Article 38(7). Access requests may be submitted using Form 8 (the standardized "Request for Access to Personal Information") or any reasonable written or electronic method. The controller may not charge a fee for an initial access request; fees are permitted only for manifestly excessive requests or certified copies.

When granting an access request, the controller must provide notice specifying (a) the scope of information disclosed, (b) the format and delivery method, (c) any redactions applied under Article 35(4) and the specific exception invoked, (d) the retention period, and (e) the data subject's right to request correction, deletion, suspension, or portability.

When denying an access request under Article 35(4), the denial notice must specify (a) the legal grounds with reference to the specific Article 35(4) subparagraph, (b) the factual basis (e.g., "Article 35(4)(ii) — disclosure would reveal the identity of a confidential complainant"), and (c) the data subject's right to file a PIPC complaint or seek dispute mediation under Articles 40–43. A conclusory denial without factual detail is non-compliant.

Processor access and joint-controller obligations. Where a data subject submits an access request to a processor (Article 26), the processor must promptly forward the request to the controller and notify the data subject. The controller must respond within the 10-day deadline measured from the date the processor received the request.

Where two or more joint controllers process the same personal information for shared purposes, the controller receiving an access request must coordinate with the other joint controllers to compile a complete response covering all processing activities. The joint controllers must allocate responsibility for compilation in their joint-controller agreement under Article 26.

Cross-regime note: EU adequacy and GDPR alignment. The European Commission's December 17, 2021 adequacy decision (Decision (EU) 2021/2187) recognized PIPA as providing "essentially equivalent" protection to GDPR Chapter III data-subject rights, noting that Article 35 mirrors GDPR Article 15. The adequacy decision highlighted alignment on the presumptive right to full disclosure, the requirement to disclose processing purpose and third-party recipients, and the prohibition on charging fees except for manifestly excessive requests.

Controllers subject to both GDPR and PIPA should note that GDPR Article 15 imposes a one-month response deadline (extendable to three months), while PIPA Article 38 imposes a 10-day deadline (extendable to 20 days). The stricter PIPA deadline controls for requests submitted by data subjects in Korea.

Source: Personal Information Protection Act, Act No. 19234 (March 14, 2023), Article 35
Source: Personal Information Protection Commission — Privacy Guidelines


Right to erasure under Article 36 — deletion grounds, statutory retention exceptions, and processing suspension pending correction

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Article 36 of South Korea's Personal Information Protection Act (PIPA, Act No. 19234 of March 14, 2023) grants data subjects the right to request correction of inaccurate personal information and the deletion of personal information held by a controller, subject to narrow statutory exceptions where collection is mandated by other laws. This right operates alongside the Article 35 access right and the Article 37 suspension-of-processing right as part of PIPA's trilogy of data-subject control mechanisms, and it is one of the most frequently exercised rights in practice—Korean controllers reported processing over 1.2 million erasure requests in 2024, second only to access requests in volume.

Article 36(1) dual grant: correction and erasure. Article 36(1) provides that "a data subject who has accessed his or her own personal information pursuant to Article 35 may request the personal information controller to correct or delete such personal information." The statutory formulation creates two distinct but procedurally unified rights. The right to correction applies when personal information is inaccurate, incomplete, or outdated—for example, a misspelled name, an obsolete mailing address, or an employment status that no longer reflects the data subject's current role. The right to erasure applies when the data subject seeks deletion of personal information entirely, regardless of accuracy. PIPA does not require the data subject to demonstrate inaccuracy as a precondition for requesting erasure; the right is available whenever the data subject asserts that processing is no longer lawful or necessary, and the controller must evaluate the request against the Article 36(2) statutory-retention exception.

Grounds for erasure — no exhaustive statutory list. Unlike GDPR Article 17, which enumerates six specific erasure grounds (purpose achieved, consent withdrawn, unlawful processing, legal-obligation erasure, child-consent collection, objection upheld), PIPA Article 36 does not prescribe a closed list of deletion triggers. The Personal Information Protection Commission (PIPC) has interpreted Article 36(1) as conferring a presumptive right to erasure grounded in the principle of informational self-determination recognized in the Korean Constitution and reaffirmed by the Korean Supreme Court in multiple decisions. In practice, the most common bases for erasure requests are:

  • Purpose achieved — where the retention purpose specified in the controller's privacy notice has been fulfilled (e.g., a job applicant requests deletion after the hiring decision is final, or a customer requests deletion after completing a one-time purchase and receiving the goods).
  • Consent withdrawn — where the data subject withdraws the consent that was the original lawful basis for collection under Article 15, and no alternative lawful basis (contract performance, legal obligation, vital interests, legitimate interests) applies.
  • Unlawful processing — where the data subject asserts that the information was collected without a lawful basis under Article 15 or processed in violation of PIPA's purpose-limitation (Article 18) or use-restriction (Article 19) requirements.
  • Retention period expired — where the controller's privacy notice or an applicable statute specifies a retention period and that period has lapsed, triggering the automatic-destruction obligation under Article 21. A data subject may request erasure to accelerate destruction rather than waiting for the controller's batch-processing cycle.

The PIPC has stated in guidance issued in March 2022 that a controller may not refuse an erasure request solely on the ground that the data is accurate or still useful to the controller's business operations. The right to erasure is not contingent on a finding of error or harm; it is a manifestation of the data subject's control over personal information. The sole statutory limitation is the Article 36(2) exception.

Article 36(2) statutory-retention exception — the hard stop. Article 36(2) carves out a narrow but absolute exception: "Provided, however, that this shall not apply where other Acts require the collection of such personal information." Where another statute—whether a tax law, a financial-services regulation, a telecommunications record-keeping law, or a public-health surveillance mandate—requires (not merely permits) the collection or retention of the personal information, the data subject may not request deletion, and the controller must refuse the erasure request and cite the specific statute. The most common statutory-retention mandates encountered in practice include:

  • Framework Act on National Taxes (Article 85-3) — requires controllers engaged in commerce to retain transaction records, accounting books, and customer-identity information for five years to support tax audits by the National Tax Service.
  • Act on the Consumer Protection in Electronic Commerce (Article 6) — requires online sellers to retain records of contracts, payment, delivery, and consumer complaints for periods ranging from three months to five years depending on the record type.
  • Electronic Financial Transactions Act (Article 22) — requires financial institutions to retain transaction records for five years.
  • Protection of Communications Secrets Act (Article 15-2) — requires telecommunications providers to retain user communication logs for one year for law-enforcement and national-security purposes.
  • Resident Registration Act — requires public agencies and certain private entities (e.g., real-estate brokers, employers filing tax withholding) to collect and retain resident registration numbers (RRNs, Korea's national identifier) where mandated by specific provisions.

When a controller denies an erasure request on Article 36(2) grounds, the denial notice under Article 38(7) must specify (a) the title and article number of the statute mandating retention, (b) the retention period if specified in the statute, and (c) a plain-language explanation of why retention is mandatory (e.g., "The Framework Act on National Taxes requires us to retain your purchase records for five years to permit tax audits; we may not delete this information until March 14, 2028"). A bare citation to "other laws" without naming the statute is non-compliant and may be treated as a constructive refusal by the PIPC.

Partial erasure and redaction. Where a statutory-retention mandate applies to part of the personal information but not all, the controller must grant partial erasure. For example, if a data subject requests deletion of her account profile including name, email, purchase history, and marketing preferences, and the Framework Act on National Taxes mandates retention of the purchase history for five years but does not mandate retention of the marketing preferences, the controller must delete the marketing preferences and the non-transaction-related profile data, retain the purchase history with the minimum identifiers necessary to link it to the data subject for audit purposes, and explain the partial grant/denial in the Article 38 response. The PIPC has cautioned that controllers may not invoke Article 36(2) as a blanket justification for retaining entire datasets when the statutory mandate applies only to a subset of fields.

Article 36(3) processing suspension pending correction or deletion. Article 36(3) imposes a critical interim obligation: "Where a data subject requests correction or deletion of any error in his or her personal information, the personal information controller shall not use or provide such personal information until the correction or deletion is completed, unless otherwise provided by other Acts or the data subject expressly consents." This provision creates a suspension duty that activates immediately upon receipt of a correction or erasure request and persists until the controller either (a) completes the correction or deletion and confirms it to the data subject, or (b) denies the request and provides written notice of denial under Article 38(7). During the suspension period—typically the 10-day response window under Article 38(3) but extending longer if the controller takes a permitted 10-day extension—the controller must freeze the contested information: no use (including internal analytics, automated decision-making, or profiling), no provision to third parties (including affiliates, joint controllers, or processors acting on the controller's behalf), and no cross-border transfer. The only exceptions are (i) where another statute affirmatively requires use or disclosure during the suspension period (e.g., a court order compelling production, or a real-time law-enforcement intercept under the Protection of Communications Secrets Act), or (ii) where the data subject provides express written consent to continue use during the pendency of the request (rarely seen in practice, as data subjects asserting correction or deletion rarely consent to continued processing).

The Article 36(3) suspension obligation is self-executing—it does not depend on the controller's determination that the information is in fact erroneous or that the erasure request is well-founded. Even where the controller ultimately intends to deny the request on Article 36(2) statutory-retention grounds, the controller must suspend processing during the 10-day response period unless a statutory exception applies. Failure to suspend constitutes an independent PIPA violation under Article 36(3), exposing the controller to administrative fines under Article 64 and civil liability under Article 39.

Verification and the same-day freeze. Article 36(3) creates an operational challenge for controllers: the suspension obligation activates "upon receipt" of the request, but Article 38(5) permits the controller to verify the identity of the requester before processing the request. How can the controller freeze processing before identity verification is complete? The PIPC resolved this tension in guidance issued in June 2021: the controller must implement a provisional freeze on the contested personal information immediately upon receipt of the request (same business day if received during business hours, next business day if received after hours), indexed to the identifiers provided in the request (email address, account username, customer ID, phone number), and must maintain the freeze while conducting identity verification. If identity verification fails (the requester cannot authenticate as the data subject), the controller lifts the freeze and notifies the requester that the request is denied for lack of verification. If identity verification succeeds, the freeze remains in place until the controller completes the correction/deletion or provides a denial notice. The PIPC has stated that a controller who continues processing during the multi-day identity-verification window without implementing a provisional freeze violates Article 36(3).

Destruction method and verification. When a controller grants an erasure request, Article 21 (the general destruction obligation) governs the method. The controller must permanently and irreversibly destroy the personal information "in a manner that makes it impossible to recover or reproduce." For electronic records, the Enforcement Decree (Article 16) specifies that overwriting with random data, degaussing, or physical destruction of storage media satisfies the standard; logical deletion (moving a record to a "deleted" table or setting a deletion flag) does not unless the record is overwritten within a short grace period and is inaccessible to all controller systems during the grace period. For paper records, shredding, incineration, or pulping is required. The controller must provide written confirmation of destruction to the data subject under Article 38, specifying the date of destruction and the method used. The PIPC has approved generic descriptions (e.g., "electronic records destroyed via secure overwrite on March 20, 2025") without requiring disclosure of technical parameters (e.g., the number of overwrite passes or the degaussing field strength).

Processor and third-party notification. Article 36 does not explicitly require controllers to notify processors or third parties to whom the information was disclosed when granting an erasure request. However, Article 22 (the general third-party-provision rule) and Article 26 (the processor oversight rule) impose indirect obligations. Where a controller has provided personal information to a third party under Article 17 or disclosed it to a processor under Article 26, and the data subject exercises the erasure right, the controller must instruct the processor or third party to delete the information unless a statutory retention mandate applies to the recipient. The PIPC has stated that a controller who deletes personal information from its own systems but permits a processor or affiliate to continue processing the same information violates the purpose-limitation and use-restriction obligations in Articles 18 and 19, effectively frustrating the data subject's erasure right. The controller is not required to notify all historical recipients (e.g., a purchaser who received the data in a one-time disclosure three years ago and is no longer processing it), but must notify active recipients (processors with ongoing access, affiliates engaged in joint processing, third parties with standing data-sharing agreements).

Interaction with the March 2023 data-portability right. The March 2023 amendments added Article 35-2, conferring a data portability right that permits data subjects to receive a copy of their personal information in a commonly used electronic format and to transmit it to another controller. A data subject may exercise both the portability right and the erasure right in sequence—requesting a portable copy under Article 35-2, confirming receipt, and then requesting deletion under Article 36. Controllers may not condition portability on the data subject's agreement not to exercise the erasure right; the two rights are independent. In practice, many Korean controllers have implemented "download your data and delete your account" workflows that bundle Article 35-2 portability and Article 36 erasure in a single user-interface flow, though the controller must honor standalone erasure requests submitted via the Article 38 standardized forms without requiring the data subject to first invoke portability.

Cross-regime note: EU adequacy and GDPR alignment. The European Commission's December 17, 2021 adequacy decision (Decision (EU) 2021/2187) recognized PIPA as providing "essentially equivalent" protection to GDPR Chapter III data-subject rights, noting that Article 36's correction and erasure rights mirror GDPR Articles 16 and 17. However, the adequacy decision also noted a structural difference: GDPR Article 17 lists specific erasure grounds and specific exceptions, while PIPA Article 36 frames erasure as a general right subject only to the Article 36(2) statutory-retention exception. The Commission concluded that, in practice, the two regimes produce similar outcomes because Korean statutory-retention mandates are narrowly drawn and the PIPC has interpreted the erasure right broadly. Controllers subject to both GDPR and PIPA should note that a request submitted by an EU data subject whose information is processed in Korea (or vice versa) may require analysis under both frameworks, and the stricter obligation controls.

Source: Personal Information Protection Act, Act No. 19234 (March 14, 2023), Article 36
Source: Personal Information Protection Commission — Privacy Guidelines (Article 36 Correction and Erasure)


Right to suspension of processing under Article 37 — grounds, denial exceptions, and the distinction from erasure

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Article 37 of South Korea's Personal Information Protection Act (PIPA, Act No. 19234 of March 14, 2023) grants data subjects the right to request suspension of processing—cessation of all use and provision of personal information without deletion—creating a third control mechanism distinct from the Article 35 access right and the Article 36 correction/erasure right. Suspension is the remedy of choice when a data subject contests the accuracy or lawfulness of processing but statutory retention mandates prevent outright deletion, or when the data subject seeks to freeze processing pending an investigation or dispute resolution. In practice, suspension requests are less common than access or erasure requests (Korean controllers reported approximately 180,000 suspension requests in 2024, compared to over 1.2 million erasure requests), but they play a critical role in cases involving contested accuracy, data-breach fallout, and cross-border transfer disputes.

Article 37(1) grant of suspension — a presumptive right. Article 37(1) provides that "a data subject may request a personal information controller to suspend the processing of his or her personal information." PIPA does not enumerate specific grounds that trigger the suspension right; the Personal Information Protection Commission (PIPC) has interpreted Article 37(1) as conferring a general right to suspend grounded in the constitutional principle of informational self-determination, parallel to the presumptive erasure right under Article 36(1). The data subject need not prove unlawful processing or inaccuracy to trigger the controller's duty to respond; the controller must evaluate the request against the Article 37(2) denial grounds and either grant suspension or provide a reasoned denial under Article 38(7).

Common suspension scenarios. While PIPA does not prescribe a closed list of suspension grounds, the most frequent bases for suspension requests observed in PIPC complaint records and Korean privacy case law include:

  • Contested accuracy pending investigation — where the data subject asserts that personal information is inaccurate and requests suspension while the controller investigates and verifies the claim. Unlike the Article 36(3) automatic suspension triggered by a correction or erasure request, Article 37 suspension may continue indefinitely if the accuracy dispute cannot be resolved, subject to the controller's Article 37(2) disproportionate-difficulty defense.
  • Unlawful processing or lack of lawful basis — where the data subject asserts that the controller collected or is processing personal information without a valid lawful basis under Article 15 (consent, contract, legal obligation, vital interests, legitimate interests, public function), and the data subject seeks to freeze processing while contesting the controller's legal analysis or preparing a PIPC complaint or civil claim under Article 39.
  • Purpose achieved or retention period expired but statutory retention prevents erasure — where the data subject invokes the Article 36 erasure right but the controller refuses deletion on Article 36(2) grounds (a statute mandates retention), so the data subject pivots to an Article 37 suspension request to halt all use of the information (internal analytics, automated decision-making, profiling, cross-border transfer) while the controller retains the raw data in a frozen archive to satisfy the statutory-retention mandate. This dual-request pattern is common in e-commerce and financial-services contexts where tax or anti-money-laundering laws require multi-year retention but the data subject objects to ongoing marketing or behavioral profiling.
  • Consent withdrawn — where the data subject withdraws consent that was the original lawful basis under Article 15(1)(i), but the controller asserts an alternative basis (e.g., legitimate interests under Article 15(1)(vi) for fraud prevention or contract performance under Article 15(1)(ii) for fulfilling a pre-paid service obligation), and the data subject disputes the availability of that alternative basis. The data subject may request suspension under Article 37 pending PIPC adjudication of whether the alternative basis is valid.
  • Data breach or security incident — where the data subject receives a breach notification under Article 34 and requests suspension of all processing (particularly cross-border transfers or third-party provision under Articles 17 and 28-2) until the controller remediates the vulnerability. The PIPC has endorsed suspension as an appropriate interim safeguard in breach contexts, particularly where the breach involved unauthorized access to sensitive personal information (Article 23 special categories: health records, biometric data, ideology, union membership).

Article 37(2) denial grounds — the disproportionate-difficulty exception. Article 37(2) permits controllers to refuse suspension requests in two circumstances: "Provided, however, that this shall not apply where there are special provisions in other Acts, or where suspension of processing is likely to cause considerable difficulty in performing public functions or the controller's services." This two-pronged exception mirrors the Article 36(2) statutory-retention exception for erasure but adds a proportionality balancing test not present in Article 36.

Prong 1: Special provisions in other Acts. Where a statute affirmatively requires (not merely permits) the controller to process the personal information—whether for tax audits (Framework Act on National Taxes Article 85-3, five-year transaction-record retention), financial regulation (Electronic Financial Transactions Act Article 22, five-year retention), telecommunications logging (Protection of Communications Secrets Act Article 15-2, one-year retention), or real-time law-enforcement monitoring (Communications Secrets Act intercept orders)—the controller may refuse suspension and must cite the specific statute in the denial notice under Article 38(7). This prong is narrower than it first appears: a statute that merely authorizes processing (e.g., "a controller may collect resident registration numbers for identity verification") does not defeat the suspension right; only a statute that mandates active processing triggers the exception.

Prong 2: Considerable difficulty in performing functions or services. The second prong introduces a proportionality test unique to Article 37 (not present in Article 36 erasure or Article 35 access). The controller may refuse suspension where granting the request would cause "considerable difficulty" in performing (a) public functions prescribed by law, or (b) the controller's services. The PIPC has interpreted "considerable difficulty" as a high bar—mere inconvenience, increased administrative cost, or degradation of analytics quality does not suffice. The controller must demonstrate that suspension would render a core public function or contractual service obligation substantially impossible to perform.

The PIPC issued detailed guidance on the "considerable difficulty" standard in March 2022, drawing on Korean Supreme Court precedent on proportionality in administrative law. Examples where the PIPC has endorsed refusal:

  • A telecommunications provider may refuse suspension of call-detail records where suspension would prevent the provider from fulfilling its statutory obligation under the Telecommunications Business Act to maintain network security and investigate service outages, and where the call-detail records are the only source of diagnostic data for the data subject's own service complaints.
  • A hospital may refuse suspension of a patient's medical record where the patient is receiving ongoing treatment and suspension would prevent the attending physician from accessing the record to prescribe medication safely, and where the patient has not requested termination of the treatment relationship.
  • An employer may refuse suspension of an employee's payroll and tax-withholding records where suspension would prevent the employer from filing mandatory tax returns under the Income Tax Act and the data subject remains an active employee receiving wages.

Examples where the PIPC has rejected "considerable difficulty" claims as pretextual:

  • A data broker may not refuse suspension of a consumer profile on the ground that suspension would reduce the accuracy of its recommendation engine or degrade the personalization experience for other users; the controller's commercial analytics interest does not constitute a public function, and the service obligation owed to the requesting data subject (if any) does not depend on profiling that data subject.
  • An online retailer may not refuse suspension of a customer's purchase history on the ground that the history feeds fraud-detection models; the controller may freeze the contested data and continue fraud detection using non-suspended data, and the incremental value of one customer's record does not rise to "considerable difficulty."
  • A social-media platform may not refuse suspension of a user's activity log on the ground that suspension would make it impossible to deliver targeted advertising to that user; advertising is a revenue model, not a service obligation owed to the data subject.

In each denial based on Article 37(2), the controller bears the burden of proof and must provide a fact-specific explanation in the denial notice under Article 38(7), identifying the public function or service that would be impaired, the causal link between suspension and the impairment, and why no reasonable alternative (e.g., pseudonymization, air-gapping the suspended data, or partial suspension) would avoid the difficulty.

Partial suspension. Where the controller can suspend some but not all processing activities without triggering considerable difficulty, the controller must grant partial suspension. For example, if a data subject requests suspension of her account profile (name, email, purchase history, marketing preferences, behavioral analytics), and the controller asserts that suspension of the purchase history would prevent it from fulfilling a statutory tax-audit obligation but the marketing preferences and behavioral analytics are not covered by any statutory mandate, the controller must suspend the non-mandated processing (marketing, analytics, third-party provision) and continue processing only the purchase history in a restricted, non-use state (retention-only archive accessible solely for tax-audit production). The PIPC has cautioned that controllers may not invoke Article 37(2) as a blanket refusal when partial suspension would satisfy the data subject's core concern.

Operational meaning of suspension — freeze-in-place, no use, no provision. When a controller grants an Article 37 suspension request, PIPA requires the controller to cease all processing of the suspended personal information except for retention. The PIPC's March 2022 guidance defines "suspension" as a freeze-in-place state:

  • No use — the controller may not use the suspended information for any purpose, including internal analytics, automated decision-making, profiling, service personalization, marketing, fraud detection, or research. The information must be logically or physically segregated from active processing systems and flagged as suspended in the controller's records of processing activities (ROPA).
  • No provision to third parties — the controller may not provide (Article 17), disclose, sell, or transfer the suspended information to any third party, including affiliates, joint controllers, processors, or cross-border recipients, except where a statute affirmatively requires disclosure (e.g., a court order compelling production, a tax-audit summons from the National Tax Service, or a real-time law-enforcement intercept).
  • Retention permitted — the controller may continue to retain the suspended information in a secure, offline archive to satisfy statutory-retention mandates (e.g., the five-year transaction-record retention under the Framework Act on National Taxes) or to preserve evidence for pending litigation or regulatory investigation. Retention alone—storing the data without accessing, analyzing, or disclosing it—does not violate the suspension obligation.
  • Resumption only with data-subject consent or statutory trigger — the controller may resume processing suspended information only if (a) the data subject provides written consent to lift the suspension, (b) a statute affirmatively mandates processing (e.g., a court order), or (c) the original suspension trigger resolves (e.g., the accuracy dispute is resolved in favor of the controller, or the contested lawful-basis analysis is validated by a PIPC decision).

The PIPC has emphasized that suspension is not pseudonymization or de-identification under Article 58-2 (which permits continued use of de-identified data for analytics). Suspension means no use, regardless of whether the controller could technically process the data in a privacy-preserving form. A controller who "suspends" personal information by pseudonymizing it and feeding it into a fraud-detection model violates Article 37.

Article 38 procedural obligations — 10-day response clock and verification. The Article 38 response procedures apply uniformly to suspension requests. The controller must respond within 10 days of receipt (with a one-time 10-day extension permitted if notice is given before the initial deadline expires), must verify the identity of the requester using proportionate authentication methods (I-PIN for online requests, government-issued photo ID for in-person requests), and must provide written notice of the suspension or a reasoned denial under Article 38(7). Suspension requests may be submitted using Form 8 (the standardized "Request for Access to Personal Information" form, which the Enforcement Decree clarified also covers suspension requests) or any reasonable written or electronic method. The controller may not charge a fee for processing a suspension request; the Article 38(6) free-access principle applies.

When granting a suspension request, the controller must provide written confirmation specifying (a) the personal information that has been suspended (by field or data category), (b) the date suspension took effect, (c) the processing activities that have been halted (use, provision, cross-border transfer), and (d) the conditions under which suspension will be lifted (data-subject consent, resolution of the accuracy or lawfulness dispute, or statutory obligation to resume processing). The PIPC recommends that controllers include a plain-language explanation: "Your purchase history has been suspended as of March 15, 2025. We will continue to retain this information to comply with tax law but will not use it for marketing, analytics, or any other purpose. Suspension will remain in effect until you provide written consent to resume processing or until the five-year tax-retention period expires on March 15, 2030, at which point the information will be destroyed under Article 21."

Interaction with Article 36(3) automatic suspension during erasure/correction requests. Article 36(3) imposes a mandatory interim suspension during the pendency of a correction or erasure request (the 10-day Article 38 response window), while Article 37 creates a standalone, indefinite suspension right that persists beyond the response period. A common sequence: (1) data subject submits an Article 36 erasure request; (2) Article 36(3) triggers automatic suspension on receipt; (3) within 10 days, controller denies erasure on Article 36(2) statutory-retention grounds; (4) the Article 36(3) automatic suspension lifts upon the denial; (5) data subject immediately submits an Article 37 suspension request to freeze processing during the statutory retention period; (6) controller must evaluate the Article 37 request against the Article 37(2) denial grounds (special statutory provisions or considerable difficulty) and may not simply re-assert the Article 36(2) retention mandate as a blanket defense (retention is permitted under Article 37, but use is not, unless the statute affirmatively mandates active processing or suspension causes considerable difficulty).
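As an added example (not code from the BifröstIndex page, the PIPC, or any Korean controller), the following Python model ties together the Article 36(3) same-day provisional freeze pending identity verification, partial erasure against a statutory-retention mandate with an Article 38(7)-style notice naming the statute and retention end date, and the Article 37 freeze-in-place with its Article 37(2) denial grounds, running the six-step sequence above on constructed sample data. The statute citation, dates and field names are constructed assumptions; the 10-day response clock and the identity-verification method themselves are left outside the model.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Mandate:
    """Statutory-retention mandate behind an Art. 36(2) / Art. 37(2) prong-1 denial."""
    statute: str                       # e.g. "Framework Act on National Taxes Art. 85-3"
    retain_until: date                 # end of the mandated retention period
    requires_active_use: bool = False  # True only if the statute mandates *processing*


@dataclass
class Field:
    name: str
    value: object
    mandate: "Mandate | None" = None   # None: no statute requires retention


class FrozenError(Exception):
    """Raised when code tries to use or provide frozen or suspended data."""


class Record:
    """One data subject's personal information plus its freeze state (constructed model)."""
    def __init__(self, fields: list) -> None:
        self.fields = {f.name: f for f in fields}
        self.frozen = set()     # Art. 36(3) interim freeze while a request is pending
        self.suspended = set()  # Art. 37 suspension (freeze-in-place)

    def use(self, name: str):
        """Every use or third-party provision must pass through this gate."""
        if name in self.frozen or name in self.suspended:
            raise FrozenError(f"{name}: no use or provision (Art. 36(3) / Art. 37)")
        return self.fields[name].value

    def receive_erasure_request(self) -> None:
        """Art. 36(3): provisional freeze on receipt, before identity verification."""
        self.frozen = set(self.fields)

    def identity_checked(self, verified: bool) -> None:
        """Failed verification lifts the freeze (request denied); success keeps it."""
        if not verified:
            self.frozen.clear()

    def decide_erasure(self, today: date) -> dict:
        """Partial erasure: delete unmandated (or expired) fields, retain mandated ones
        with an Art. 38(7) notice naming the statute and the retention end date."""
        deleted, retained = [], {}
        for name in list(self.fields):
            m = self.fields[name].mandate
            if m is None or m.retain_until <= today:
                del self.fields[name]
                deleted.append(name)
            else:
                retained[name] = (f"{m.statute} requires us to retain your {name} "
                                  f"until {m.retain_until.isoformat()}.")
        self.frozen.clear()  # the Art. 36(3) freeze ends with the decision notice
        return {"deleted": deleted, "retained": retained}

    def receive_suspension_request(self, difficulty_fields=frozenset()) -> dict:
        """Art. 37 freeze-in-place. Denial only under Art. 37(2): the statute mandates
        active processing, or 'considerable difficulty' was shown for that field."""
        granted, denied = [], []
        for name, f in self.fields.items():
            active = f.mandate is not None and f.mandate.requires_active_use
            if active or name in difficulty_fields:
                denied.append(name)
            else:
                self.suspended.add(name)
                granted.append(name)
        return {"suspended": granted, "denied_art_37_2": denied}


def usable(rec: Record, name: str) -> bool:
    try:
        rec.use(name)
        return True
    except FrozenError:
        return False


def run_sequence(today: date = date(2025, 3, 15)) -> dict:
    """Walk the six-step Art. 36 -> Art. 37 sequence on a constructed record."""
    tax = Mandate("Framework Act on National Taxes Art. 85-3", date(2030, 3, 15))
    rec = Record([  # constructed sample data, not a real person
        Field("email", "user@example.com"),
        Field("marketing_prefs", {"newsletter": True}),
        Field("purchase_history", [{"order": "A1", "amount": 12000}], tax),
    ])
    rec.receive_erasure_request()                    # steps (1)-(2)
    blocked = not usable(rec, "marketing_prefs")     # Art. 36(3) gate in force
    rec.identity_checked(True)
    decision = rec.decide_erasure(today)             # steps (3)-(4)
    usable_after_denial = usable(rec, "purchase_history")
    suspension = rec.receive_suspension_request()    # steps (5)-(6)
    return {"blocked_during_36_3": blocked, "decision": decision,
            "usable_after_denial": usable_after_denial, "suspension": suspension,
            "usable_after_37": usable(rec, "purchase_history")}
```

Note that a retention-only mandate keeps the purchase history from being deleted in step (3) but does not defeat the Article 37 request in step (6); only `requires_active_use` or a field named in `difficulty_fields` produces an Article 37(2) denial.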

Enforcement and remedies. Data subjects dissatisfied with a denial or non-response may file a complaint with the PIPC through the Personal Information Protection Portal (www.privacy.go.kr), which routes complaints to the appropriate PIPC regional office. The PIPC exercises investigative powers under Article 7-8 and may issue corrective orders under Article 64, including orders to suspend processing and administrative fines for non-compliance. The February 2026 amendments expanded the PIPC's fine authority to up to 10% of total annual revenue for severe violations, bringing South Korea's penalty regime closer to GDPR's two-tier structure. Data subjects may also seek dispute mediation under Articles 40–43 (non-binding recommendation within 60 days) or bring a civil damages claim under Article 39 (provable harm required; Korean tort law does not recognize speculative or emotional-distress damages, so suspension-right violations typically support damages claims only when unlawful continued processing causes tangible financial harm, reputational injury, or exposure to identity theft).

Cross-border and GDPR alignment. The European Commission's December 17, 2021 adequacy decision (Decision (EU) 2021/2187) recognized PIPA as providing "essentially equivalent" protection to GDPR Chapter III data-subject rights. The adequacy decision noted that PIPA Article 37 suspension aligns with GDPR Article 18 (right to restriction of processing), though GDPR Article 18 enumerates four specific grounds (contested accuracy, unlawful processing but objection to erasure, controller no longer needs the data but data subject needs it for legal claims, pending verification of legitimate grounds for objection) while PIPA frames suspension as a general right subject to the Article 37(2) denial exceptions. In practice, the two regimes produce convergent outcomes: GDPR Article 18(2) permits retention during restriction (mirroring PIPA's freeze-in-place model), and both regimes require data-subject notification before lifting the restriction/suspension.

Controllers subject to both GDPR and PIPA should note that a suspension request submitted by a data subject whose information is processed in both the EU and Korea may require analysis under both frameworks, with the stricter obligation controlling. For example, if a Korean data subject whose information is also processed by an EU establishment requests suspension, and GDPR Article 18 would require restriction but PIPA Article 37(2) permits denial on considerable-difficulty grounds, the controller must apply GDPR Article 18 (the stricter rule) and grant restriction/suspension. Conversely, if a PIPA statutory-retention mandate applies (Article 37(2), prong 1) but GDPR has no equivalent legal-obligation basis, the controller may refuse suspension under PIPA but must still comply with GDPR Article 18 for the EU-processed copy of the data.

Source: Personal Information Protection Act, Act No. 19234 (March 14, 2023), Article 37
Source: Personal Information Protection Commission — Privacy Guidelines (Suspension of Processing)


Right to access personal information under Article 35 — scope, statutory restrictions, and the distinction from portability

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

Article 35 of South Korea's Personal Information Protection Act (PIPA, Act No. 19234 of March 14, 2023) grants data subjects the foundational right to access personal information held by a controller and to receive confirmation of whether their information is being processed. This right serves as the prerequisite for exercising the Article 36 correction/erasure right and the Article 37 suspension right, and it is the most frequently invoked data-subject right in practice—Korean controllers reported processing over 2.1 million access requests in 2024, accounting for nearly 60% of all rights-exercise requests submitted under PIPA. The access right reflects the constitutional principle of informational self-determination recognized by the Korean Supreme Court as a fundamental right grounded in human dignity (Article 10 of the Korean Constitution) and distinct from but complementary to the constitutional right to privacy.

Article 35(1) dual grant: access and confirmation. Article 35(1) provides that "a data subject may request access to his or her personal information and confirmation of whether a controller processes it." This statutory formulation creates two analytically distinct but procedurally unified rights. The right to confirmation permits a data subject to ask whether the controller processes any personal information about the data subject at all—useful when the data subject suspects processing but is uncertain (e.g., after a data breach notification involving a third-party processor, or when the data subject receives targeted advertising from a controller with whom she has no direct relationship). The right to access permits the data subject to inspect, review, or obtain a copy of the specific personal information the controller holds, including metadata such as the retention period, the purpose of processing, and the categories of recipients to whom the information has been disclosed.

The Personal Information Protection Commission (PIPC) has interpreted Article 35(1) as conferring a presumptive right to access that does not depend on the data subject demonstrating a specific need, lawful interest, or harm. The right exists because the personal information belongs, in a constitutional sense, to the data subject, and the controller holds it only on the basis of a lawful processing ground under Article 15 (consent, contract, legal obligation, vital interests, legitimate interests, or public function). Controllers may not refuse access requests solely on the ground that disclosure would be burdensome, expensive, or detrimental to the controller's business model; the sole permissible grounds for denial are the three statutory exceptions enumerated in Article 35(4).

Scope of accessible information — the personal-information definition. Article 35 access applies to all "personal information" as defined in Article 2(1) of PIPA: "information relating to a living individual that makes it possible to identify the individual by name, resident registration number [RRN, Korea's national identifier], image, biometric data, address, telephone number, or other description, whether alone or in combination with other information." The PIPC has clarified that the access right extends not only to information the controller collected directly from the data subject but also to information collected from third parties (joint controllers, processors, affiliates, data brokers, publicly available sources), information derived or inferred through analytics or profiling (e.g., creditworthiness scores, behavioral profiles, automated decision outputs), and information that was originally pseudonymized under Article 28-2 but can be re-identified when combined with additional information the controller holds.

Importantly, Article 35 access does not extend to fully anonymized data under Article 58-2 (information that has been irreversibly de-identified such that re-identification is impossible even when combined with other information). Once information is anonymized under the PIPC's technical standards, it ceases to be "personal information" and falls outside the scope of all PIPA rights, including access. Controllers asserting that requested information has been anonymized bear the burden of demonstrating compliance with Article 58-2's irreversibility standard, and the PIPC has stated that controllers may not evade access obligations by applying weak or reversible pseudonymization and claiming the result is "anonymized."

Article 35(4) statutory restrictions — a closed list of three denial grounds. Article 35(4) permits controllers to refuse access requests only in three narrowly defined circumstances:

  1. Where disclosure is prohibited by statute (Article 35(4)(i)). This exception applies when another law—whether a criminal procedure statute, a national-security law, an intelligence-gathering authorization, or a sector-specific confidentiality rule—expressly prohibits the controller from disclosing the personal information to the data subject. The most common statutory prohibitions encountered in practice include:
  • Protection of Communications Secrets Act (Article 3) — prohibits telecommunications providers from disclosing the content of intercepted communications to anyone other than the communicating parties, including when a data subject requests access to logs of intercepted metadata.
  • Financial Information Analysis Act (Articles 4, 5) — prohibits financial institutions from disclosing suspicious-transaction reports (STRs) filed with the Korea Financial Intelligence Unit (KoFIU) for anti-money-laundering purposes; a customer may not access the fact that an STR was filed or the contents of the report.
  • Protection of Location Information Act (Article 15) — permits location-based service providers to withhold access to location records where disclosure would interfere with an ongoing criminal investigation and law enforcement has issued a formal non-disclosure order.
  • Criminal Procedure Act (Article 198) — prohibits investigative agencies from disclosing personal information obtained during a pending investigation where disclosure would compromise the investigation; this prohibition extends to controllers (e.g., telecommunications providers, financial institutions) compelled to provide information to law enforcement under Article 199.

When a controller denies an access request on Article 35(4)(i) grounds, the denial notice under Article 38(7) must cite the specific statute and article number that prohibits disclosure and provide a plain-language explanation of why the prohibition applies to the requested information. A bare citation to "legal obligations" or "statutory confidentiality" without naming the statute is non-compliant and may be treated as a constructive refusal by the PIPC.

  2. Where disclosure would harm another person's life, body, or property or would unduly infringe another person's interests (Article 35(4)(ii)). This exception protects the personal information and lawful interests of third parties whose information is commingled with the requesting data subject's information. The most common scenarios include:
  • Mixed records containing third-party personal information — A hospital patient requests access to her medical record, which includes the name, medical license number, and clinical notes of the attending physician (the physician is a third party whose personal information would be disclosed). The controller must either redact the third-party information and provide partial access, or provide full access with the third party's consent.
  • Witness or complainant identity in investigation files — An employee subject to a workplace harassment investigation requests access to the investigation file, which includes the identity and statements of the complainant and witnesses (third parties who may face retaliation if disclosed). The controller may refuse access to the portions of the file that would reveal third-party identities, but must provide access to the employee's own statements and to the findings insofar as they can be disclosed without unmasking witnesses.
  • Trade secrets or confidential business information of another entity — A customer requests access to a contract that includes pricing terms or technical specifications that constitute the trade secrets of a supplier (a third party). The controller may redact the third-party trade secrets and provide partial access.

The Article 35(4)(ii) exception is conjunctive: the controller must demonstrate that disclosure would cause actual harm (threat to life, body, or property) or undue infringement (a legally protected interest, not mere inconvenience or competitive disadvantage). The PIPC has stated that controllers may not invoke this exception preemptively based on speculative or generalized fears of harm; the denial notice must specify the concrete risk and the third party whose interests are at stake.

  3. Where access would seriously impede the proper performance of public functions (Article 35(4)(iii)). This exception applies only to public agencies (government ministries, local governments, public corporations performing statutory functions) and only when disclosure would cause a serious impediment to a specifically enumerated public function. Article 35(4)(iii) lists five categories:
  • Tax assessment, collection, or refund (subparagraph (a)) — The National Tax Service may refuse access to a taxpayer's audit workpapers, third-party information reports, or ongoing tax-fraud investigation files where disclosure would tip off the taxpayer and compromise the investigation.
  • Educational testing and admissions (subparagraph (b)) — Universities and testing agencies may refuse access to exam answer keys, grading rubrics, or admissions committee deliberations during the pendency of an admissions cycle to prevent cheating or undue influence.
  • Certification and licensing examinations (subparagraph (c)) — Professional licensing boards may refuse access to exam questions, model answers, or individual examiner scoring sheets during the grading period to preserve exam security and grading integrity.
  • Ongoing evaluations for benefits, compensation, or remedies (subparagraph (d)) — A public agency adjudicating a disability-benefit claim may refuse access to internal evaluation memos or external medical expert opinions while the adjudication is pending, to prevent ex parte lobbying or premature disclosure of tentative findings.
  • Audits and investigations mandated by statute (subparagraph (e)) — The Board of Audit and Inspection may refuse access to audit workpapers, witness interview transcripts, or preliminary findings during an ongoing audit of a public agency, to prevent destruction of evidence or witness tampering.

The Article 35(4)(iii) exception is narrow and temporary. The PIPC has emphasized that the exception applies only during the pendency of the enumerated public function (e.g., while the tax audit is ongoing, while the exam is being graded, while the investigation is active) and only to information whose disclosure would seriously impede that function. Once the public function concludes (the audit closes, the exam results are finalized, the investigation ends), the exception lapses and the controller must grant access. Public agencies asserting this exception must provide a fact-specific explanation in the denial notice, identifying the enumerated function under Article 35(4)(iii), the stage of the process, and why disclosure now (rather than after completion) would cause serious impediment.

Redaction and partial access — the proportionality obligation. Where a statutory restriction under Article 35(4) applies to part but not all of the requested information, the controller must grant partial access by redacting the restricted portions and disclosing the remainder. For example, if a data subject requests access to an investigation file and Article 35(4)(ii) protects the identity of third-party witnesses but does not protect the data subject's own statements, the controller must redact witness names and provide the data subject's statements. The PIPC has stated that controllers may not invoke Article 35(4) as a blanket justification for wholesale denial when partial access is feasible. The denial notice under Article 38(7) must specify which portions were withheld, the legal ground for each withholding, and confirm that all non-restricted information was disclosed.

Method of access — inspection, copy, or electronic delivery. When granting an Article 35 access request, the controller must deliver the information in the form specified by the data subject in the request. Article 35(2) provides that access may be granted through (a) on-site inspection (the data subject visits the controller's office during business hours, reviews paper or electronic records under supervision, and may take handwritten notes but may not photocopy or photograph without the controller's consent), (b) provision of a copy (the controller provides a photocopy or printout of paper records, or a PDF/image file of electronic records, delivered by mail, email, or secure download), or (c) electronic transmission in a commonly used, machine-readable format (CSV, JSON, XML, or another structured format that permits the data subject to import the information into her own systems for review or further use).

The Enforcement Decree clarifies that the data subject's preference controls: if the data subject requests electronic delivery and the information is stored electronically, the controller must provide electronic access and may not require the data subject to appear in person for inspection. Conversely, if the data subject requests on-site inspection (e.g., to review voluminous records or to verify the completeness of electronic copies), the controller must accommodate the request during normal business hours at a location reasonably accessible to the data subject (the controller's principal place of business or a regional office). The controller may supervise the inspection to prevent unauthorized copying of third-party information protected under Article 35(4)(ii), but may not prohibit note-taking or impose unreasonable time limits (e.g., limiting inspection to 30 minutes when the records span hundreds of pages).

Article 38 procedural integration — 10-day response clock, identity verification, and fee restrictions. Article 35 access requests are subject to the uniform procedural framework in Article 38. The controller must respond within 10 days of receiving a complete request (one that permits the controller to identify the data subject and the scope of the requested information), with a one-time 10-day extension permitted if notice is given before the initial deadline expires. The controller must verify the identity of the requester using proportionate authentication methods: I-PIN (Internet Personal Identification Number, a government-issued pseudonymous identifier) for online requests, government-issued photo ID for in-person requests, and two-factor authentication for sensitive personal information (Article 23 special categories). The controller may not charge a fee for responding to an initial access request; Article 38(6) establishes a default rule of free access, with narrow exceptions for manifestly excessive or repetitive requests and for certified copies (paper documents with an official seal for submission to courts or government agencies, where the controller may charge actual printing and certification costs).

Access requests may be submitted using the standardized Form 8 ("Request for Access to Personal Information" prescribed by the Enforcement Decree) or any reasonable method—written document, telephone, email, or online portal. When granting an access request, the controller must provide written confirmation specifying the personal information disclosed, the method of delivery, and the date of delivery. When denying a request in whole or in part, the controller must provide a reasoned denial notice under Article 38(7) within the 10-day deadline, citing the specific Article 35(4) exception, the factual basis for denial, and the data subject's right to file a complaint with the PIPC or seek dispute mediation under Articles 40–43.

Distinction from Article 35-2 data portability. The March 2023 amendments to PIPA added Article 35-2, conferring a data portability right that permits data subjects to receive a copy of their personal information in a commonly used electronic format and to transmit it directly to another controller or to a designated MyData institution (a government-certified data intermediary). Article 35-2 is analytically distinct from Article 35 access in two respects: (1) format obligation — Article 35-2 mandates that the controller provide information in a machine-readable, interoperable format (CSV, JSON, XML) suitable for automated transmission, while Article 35 permits delivery in any reasonable format including PDFs or image files; and (2) transmissibility — Article 35-2 permits the data subject to direct the controller to transmit the information directly to a third party (another controller or a MyData institution), while Article 35 only requires delivery to the data subject herself.

However, Article 35-2 was enacted with a delayed effective date to be determined by the Enforcement Decree, between 12 and 24 months after the March 14, 2023 promulgation. As of June 2026, the effective date of Article 35-2 has not been officially announced by the PIPC, and controllers are not yet obligated to honor portability requests under Article 35-2. Data subjects seeking electronic copies in machine-readable formats may still invoke Article 35(2) and request electronic transmission, but the controller is not required to provide direct transmission to a third party or to use the interoperable formats mandated by Article 35-2 until that provision takes effect. The PIPC has stated that controllers who voluntarily implement early portability functionality (e.g., as part of a MyData pilot program in the financial sector under the Credit Information Act) will be deemed compliant with Article 35 access obligations even if the portability mechanism exceeds the minimum requirements.

Cross-border data flows and the EU adequacy decision. The European Commission's December 17, 2021 adequacy decision (Decision (EU) 2021/2187) recognized PIPA as providing "essentially equivalent" protection to GDPR Chapter III data-subject rights, noting that Article 35 access aligns with GDPR Article 15. The adequacy decision observed that both regimes confer a presumptive right to access without requiring the data subject to demonstrate a specific interest, both impose short response deadlines (10 days under PIPA Article 38, one month under GDPR Article 12(3) with two-month extension permitted), and both restrict fees to manifestly excessive requests. The adequacy decision also noted that PIPA's Article 35(4) statutory restrictions are narrower than GDPR Article 15(4), which permits Member States to adopt additional legislative restrictions on access for national-security, defense, or criminal-procedure purposes; PIPA's three-prong restriction framework is exhaustive and does not delegate restriction authority to implementing regulations or ministerial guidance.

Controllers subject to both GDPR and PIPA should note that an access request submitted by a data subject whose information is processed in both the EU and Korea may require analysis under both frameworks, with the stricter obligation controlling. For example, if GDPR Article 15 would require disclosure of certain information but PIPA Article 35(4) permits refusal, the controller must apply GDPR Article 15 (the stricter rule) and grant access to the extent required by GDPR, even if PIPA would permit denial. Conversely, if PIPA requires disclosure within 10 days but GDPR permits up to three months (one-month baseline plus two-month extension), the controller must comply with PIPA's 10-day deadline for the Korea-processed data.

Enforcement pathway. Data subjects dissatisfied with a denial or non-response may file a complaint with the PIPC through the Personal Information Protection Portal (www.privacy.go.kr), which accepts complaints 24/7 and routes them to the appropriate PIPC regional office for investigation. The PIPC exercises investigative powers under Article 7-8 and may issue corrective orders under Article 64, including orders to grant access and administrative fines for non-compliance. The February 2026 amendments expanded the PIPC's fine authority to up to 10% of total annual revenue for severe violations, bringing South Korea's penalty regime closer to GDPR's two-tier structure. Data subjects may also seek dispute mediation under Articles 40–43 (non-binding recommendation within 60 days) or bring a civil damages claim under Article 39 (provable harm required; Korean tort law does not recognize speculative or emotional-distress damages, so access-right violations typically support damages claims only when denial causes tangible harm such as inability to correct inaccurate information used in an adverse decision).

Source: Personal Information Protection Act, Act No. 19234 (March 14, 2023), Article 35
Source: Personal Information Protection Commission — Privacy Guidelines
