
South Korea — DPO, ROPA & DPIAs

5 sections · Last updated 2026-06-02

Chief Privacy Officer (CPO) — universal designation requirement under Article 31 PIPA

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Universal designation duty. Article 31(1) of the Personal Information Protection Act (개인정보 보호법, PIPA) requires every personal information controller (개인정보처리자, meaning any government agency, local government, legal entity, organization, or individual that processes personal information for the operation of a personal information file, Art. 2(5) PIPA) to designate a Chief Privacy Officer (CPO, 개인정보 보호책임자). The CPO oversees and manages all personal information processing by the controller. Article 31(2) requires the CPO to be an employee or executive of the controller; there is no statutory nationality or residency restriction.

Failure to designate a CPO exposes the controller to an administrative fine under Article 75(2)(1) PIPA. The Personal Information Protection Commission (PIPC, 개인정보보호위원회) may impose a fine of up to KRW 10 million on a personal information controller that violates the designation duty.

Core CPO duties under Article 31(4). The March 2023 amendments to PIPA (Act No. 19234, effective September 15, 2023, with certain provisions delayed to March 15, 2024) significantly expanded the CPO's statutory responsibilities. Article 31(4) lists eleven duties:

  1. Establishing and implementing plans for the protection of personal information;
  2. Managing specialized personnel and securing necessary budgets for the protection of personal information;
  3. Reporting the current status and key matters of personal information protection to the business owner or representative;
  4. Performing periodic investigations and improving the status and practices of personal information processing;
  5. Handling complaints and dealing with damage pertaining to personal information processing;
  6. Establishing internal control systems for preventing leakage, misuse, and abuse of personal information;
  7. Establishing and implementing training sessions for the protection of personal information;
  8. Protecting, managing, and monitoring personal information files;
  9. Establishing, amending, and implementing the privacy policy;
  10. Managing materials concerning the protection of personal information; and
  11. Other duties prescribed by Presidential Decree as necessary for the protection of personal information.

Enhanced qualification requirements — effective March 15, 2024. The Enforcement Decree of PIPA (Presidential Decree No. 34413, effective March 15, 2024) introduced qualification thresholds for larger controllers. Under Article 32-2(1) of the Enforcement Decree, personal information controllers that meet both of the following criteria in the immediately preceding year must designate a CPO meeting enhanced qualifications:

  • Annual sales revenue or income of at least KRW 10 billion; and
  • Storage and management of personal information of at least 1 million persons during the last three-month period of the preceding year.

Such controllers must appoint a CPO with (i) at least three years of experience in personal information protection, and (ii) a combined career of at least six years in personal information protection, data protection, and information technology (Art. 32-2(2), Enforcement Decree). Controllers that are micro-enterprises under the Framework Act on Micro-Enterprises are exempt from the CPO designation requirement (Art. 32-2(3), Enforcement Decree). Individuals already designated as CPOs as of March 15, 2024, were granted a grace period until March 14, 2026, to meet the enhanced qualification requirements (Addenda, Art. 3, Enforcement Decree No. 34413).

Board approval and PIPC reporting for large controllers. Article 31(3) PIPA (as amended March 2023) requires personal information controllers meeting thresholds prescribed by the Enforcement Decree to obtain board of directors approval for the appointment, change, or dismissal of the CPO, and to report such designation to the PIPC. Unable to confirm the precise revenue and data-subject thresholds triggering this heightened governance requirement from the Enforcement Decree as of 2026-05-29.

Independence safeguards. The Enforcement Decree requires controllers to establish a regular reporting system to ensure the CPO reports to the representative or board of directors, ensure the CPO's access to information on personal information processing, and provide the CPO with necessary human and material resources to fulfill statutory duties effectively.

Source: Personal Information Protection Act, Act No. 19234
Source: Enforcement Decree of the Personal Information Protection Act, Presidential Decree No. 34413
Source: Personal Information Protection Commission — Privacy Guidelines


Privacy Impact Assessment (PIA) — mandatory ex-ante assessment for public institutions under Article 33 PIPA

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Public-institution obligation; private-sector exemption. Article 33(1) of the Personal Information Protection Act (개인정보 보호법, PIPA) requires the head of a public institution that intends to establish or operate a personal information file meeting criteria prescribed by Presidential Decree to conduct a Privacy Impact Assessment (개인정보 영향평가, PIA) before establishing or operating the file. Public institutions covered by Article 33 are those defined in Article 2(6) PIPA and Article 2 of the Enforcement Decree: government agencies, local governments, and public organizations designated by Presidential Decree. Private-sector personal information controllers are not subject to the mandatory PIA obligation under Article 33 PIPA; the statute applies only to public institutions.

Statutory triggers under Article 35 of the Enforcement Decree. Article 35 of the Enforcement Decree of PIPA (Presidential Decree No. 34413) specifies three threshold-based triggers for mandatory PIAs when a public institution establishes, operates, or changes an electronically processable personal information file:

  1. General large-scale files: Files containing personal information of at least 1 million data subjects (Art. 35(1), Enforcement Decree);
  2. System-connection files: Files containing personal information of at least 500,000 data subjects when the file is created or operated by connecting internal and external systems—such as integrating databases across agencies or linking to external third-party systems (Art. 35(2), Enforcement Decree); or
  3. Sensitive-category files: Files containing personal information of at least 500,000 data subjects when the file includes sensitive information such as ideology, beliefs, labor-union membership, political opinions, health, sex life, genetic or biometric data for unique identification, or criminal records—categories enumerated in Article 23 PIPA as requiring enhanced consent or separate lawful bases (Art. 35(3), Enforcement Decree).

A fourth trigger applies when the public institution changes the operating system of a personal information file—such as modifying the search, retrieval, or access mechanisms for an existing file—after the PIA has already been conducted on that file. Article 35(4) of the Enforcement Decree treats such system changes as new processing activities requiring re-assessment.

Ex-ante timing and designated assessment institutions. Article 33(1) PIPA requires the PIA to be conducted before the public institution establishes or operates the file. Article 33(4) requires the head of the public institution to request the assessment from a privacy impact assessment institution designated by the Personal Information Protection Commission (PIPC). Public institutions may not conduct the PIA in-house using only internal staff; the designated external institution prepares a written evaluation report, which the public institution must submit to the PIPC together with an implementation plan for recommended improvements (Art. 33(5) PIPA).

Required PIA content. Article 33(3) PIPA prescribes the minimum contents of a PIA:

  1. Analysis of the legal basis for collecting, using, and providing the personal information;
  2. Identification of matters requiring improvement to protect personal information and prevent infringement of data-subject rights;
  3. Assessment of security measures necessary to ensure safe management of personal information under Articles 24 and 29 PIPA (technical, administrative, and physical safeguards); and
  4. Other matters prescribed by Presidential Decree (Article 36 of the Enforcement Decree elaborates on required risk-factor analysis and improvement-measure documentation).

The PIPC publishes operational guidance (개인정보 영향평가 수행 안내서) specifying assessment methodologies, risk-scoring frameworks, and detailed procedures, though these guidelines are not binding law and serve as interpretive aids for the designated assessment institutions.

No administrative fine for PIA non-compliance; enforcement through PIPC supervision. Unlike the CPO designation duty (which carries an administrative fine of up to KRW 10 million under Article 75(2)(1) PIPA), Article 33 does not specify a direct monetary penalty for failure to conduct a PIA. The PIPC enforces PIA compliance through its general supervisory and corrective-order powers under Article 64 PIPA, which authorize the PIPC to order the public institution to suspend operation of the file, conduct the required PIA, or implement improvement measures. Persistent non-compliance may expose the head of the institution to disciplinary action or, in cases involving concurrent violations of Articles 15–18 PIPA (unlawful collection, use, or provision of personal information without a valid lawful basis), potential administrative fines under Articles 71 or 75 PIPA.

Comparison to GDPR Article 35 DPIA. South Korea's PIA regime is narrower in application than the GDPR's Data Protection Impact Assessment (DPIA) obligation (Regulation (EU) 2016/679, Article 35). GDPR Article 35 requires DPIAs for high-risk processing by any controller (public or private) when the processing is likely to result in a high risk to data-subject rights—covering systematic monitoring, large-scale processing of special categories of personal data, and automated decision-making with legal or similarly significant effects. South Korea's Article 33 PIA applies only to public institutions and uses bright-line numerical thresholds (1 million / 500,000 data subjects) rather than the GDPR's risk-based and context-dependent test. The substantive analysis required by Article 33—legal basis, necessity, security, data-subject rights—mirrors the GDPR's DPIA methodology in structure, reflecting alignment efforts recognized in the EU's adequacy decision for South Korea (Commission Implementing Decision (EU) 2021/2044 of 17 December 2021).

Transitional rule for existing files. Article 6 of the Addenda to the Enforcement Decree required public institutions operating personal information files covered by Article 35 as of the Decree's effective date to conduct a PIA and submit the result to the PIPC within five years from the date the Decree entered into force (September 29, 2011). Public institutions that registered their files before the Enforcement Decree took effect were exempt from this transitional requirement.

Source: Personal Information Protection Act, Act No. 19234, Article 33
Source: Enforcement Decree of the Personal Information Protection Act, Presidential Decree No. 34413, Article 35
Source: PIPC — Privacy Impact Assessment


Personal information file registration — mandatory public-sector inventory under Article 32 PIPA

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Public-institution filing duty; private-sector exemption. Article 32(1) of the Personal Information Protection Act (개인정보 보호법, PIPA) requires the head of every public institution that operates a personal information file (개인정보파일) to register specified particulars of each file with the Personal Information Protection Commission (PIPC, 개인정보보호위원회). Public institutions covered by the registration duty are those defined in Article 2(6) PIPA: government agencies (중앙행정기관, 지방자치단체), local governments, and public organizations designated by Presidential Decree under Article 2 of the Enforcement Decree. Private-sector personal information controllers are not subject to the Article 32 registration requirement—the filing obligation applies exclusively to the public sector and serves as Korea's closest analogue to the GDPR Article 30 record-of-processing-activity (ROPA) obligation for public authorities, though Korea's regime is narrower in substantive detail and takes the form of a centralized registry rather than an internal controller-maintained record.

Required registration contents under Article 32(1). The Enforcement Decree specifies the information that must be registered for each personal information file. Article 34 of the Enforcement Decree of PIPA (Presidential Decree No. 34413, as amended through March 15, 2024) enumerates the following mandatory particulars:

  1. Name of the personal information file and the file number assigned by the registering public institution;
  2. Legal basis for operating the file (statutory authority, ordinance, or regulation permitting or requiring the processing);
  3. Purpose of operating the personal information file (the specific administrative or public task for which the file is maintained);
  4. Categories of personal information stored in the file, including whether the file contains sensitive information (Article 23 PIPA special-category data such as ideology, beliefs, health, sex life, biometric data for unique identification, or criminal records) or unique identification information (주민등록번호, resident registration numbers; passport numbers; driver's license numbers; or alien registration numbers);
  5. Retention period for the personal information in the file;
  6. Persons or institutions to whom the personal information may be provided, including the legal basis and purpose of such disclosure;
  7. Entrustment (outsourcing) arrangements, if the public institution has consigned the processing of personal information in the file to a third-party processor (위탁), including the name of the consignee and the scope of entrusted processing; and
  8. Name, department, and contact information of the Chief Privacy Officer (CPO) or the official responsible for managing the personal information file.

The registration functions as both an internal governance discipline—forcing public institutions to document the legal basis, purpose, retention, and disclosure practices for each file—and a transparency mechanism, as the PIPC makes the registry publicly accessible (discussed below under Article 32(4)).

Timing of registration and updates. Article 32(1) PIPA does not prescribe an explicit deadline for initial registration, but Addenda to the Enforcement Decree have historically imposed transitional filing windows. When the Enforcement Decree first entered into force on September 30, 2011, public institutions operating personal information files were required to register those files within 60 days (Addenda, Art. 5, Presidential Decree No. 23169). For newly established personal information files, the public institution must register the file before it begins operating the file, consistent with the ex-ante governance model that also governs the Privacy Impact Assessment (PIA) obligation under Article 33 PIPA. Article 32(2) requires the head of the public institution to amend the registration within 60 days whenever any of the registered particulars change—for example, when the retention period is extended, the legal basis is modified by statute, new consignees are engaged, or additional categories of personal information are added to the file.

Public disclosure of the registry. Article 32(4) PIPA requires the PIPC to make public the status of registered personal information files so that data subjects and the general public can access the inventory. The PIPC operates a centralized online portal (개인정보 보호 종합지원 포털, www.privacy.go.kr) where users may search the registry by institution name, file name, or category of personal information. This public-registry model contrasts with GDPR Article 30, which requires controllers and processors to maintain internal ROPAs and make them available to the supervisory authority upon request but does not mandate publication of the ROPA itself. South Korea's Article 32 regime prioritizes ex-ante transparency over post-hoc supervisory access, reflecting the public sector's heightened accountability to citizens under Korean administrative law.

Enforcement and penalties. Article 75(2)(1) PIPA authorizes the PIPC to impose an administrative fine of up to KRW 10 million on the head of a public institution who violates the Article 32 registration or amendment duty. This is the same fine tier that applies to failure to designate a Chief Privacy Officer under Article 31 PIPA. The fine is imposed on the institutional head (기관의 장) personally, though in practice the PIPC may issue a corrective order under Article 64 PIPA directing the institution to file the registration before escalating to a monetary penalty. Persistent non-compliance may also expose the head of the institution to disciplinary action under applicable public-service personnel laws.

Relationship to Privacy Impact Assessment (PIA). The Article 32 registration duty is independent of and broader in application than the Article 33 PIA obligation. Registration under Article 32 applies to all personal information files operated by public institutions, regardless of size or sensitivity, whereas Article 33 PIAs are triggered only when a public institution establishes or operates a file containing personal information of at least 1 million data subjects (or 500,000 data subjects when the file contains sensitive information or involves system connections, as specified in Article 35 of the Enforcement Decree). A public institution operating a file meeting the PIA thresholds must both (i) conduct the PIA under Article 33 and submit the evaluation report to the PIPC, and (ii) register the file under Article 32. The registration serves as the baseline inventory and transparency measure for all public-sector files; the PIA is an additional ex-ante risk-assessment requirement for high-impact files.

Comparison to GDPR Article 30 ROPA. The GDPR's Article 30 record-of-processing-activities obligation applies to both public and private controllers (and processors) processing personal data, requires the controller to maintain an internal written record containing the controller's name and contact details, purposes of processing, categories of data subjects and personal data, categories of recipients, international transfers, retention periods, and a general description of technical and organizational security measures. GDPR Article 30 exempts enterprises or organizations employing fewer than 250 persons unless the processing is likely to result in a risk to data-subject rights, involves special-category data, or is not occasional. South Korea's Article 32 registration is narrower in scope—it applies only to public institutions, not private controllers—but it is mandatory for all public-sector files without a size exemption, and it requires centralized public disclosure rather than internal record-keeping. Private-sector controllers in Korea have no statutory ROPA obligation under PIPA, though the PIPC's Standard Personal Information Protection Guidelines (표준 개인정보 보호지침, published under Article 12 PIPA) recommend that private controllers maintain an internal inventory of processing activities as a governance best practice. The EU's December 17, 2021, adequacy decision for South Korea (Commission Implementing Decision (EU) 2021/2044) did not flag the absence of a private-sector ROPA requirement as a gap, likely because the adequacy assessment focused on the substantive protections for EU data subjects' rights rather than controller-side documentation obligations.

Source: Personal Information Protection Act, Act No. 19234, Article 32
Source: Enforcement Decree of the Personal Information Protection Act, Presidential Decree No. 34413, Article 34
Source: PIPC — Personal Information File Registry (Korean portal)


Private-sector documentation obligations — no statutory ROPA; privacy policy under Article 30 PIPA required

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

No statutory record-of-processing-activities (ROPA) requirement for private controllers. The Personal Information Protection Act (개인정보 보호법, PIPA) does not impose a GDPR Article 30-style record-of-processing-activities (ROPA) obligation on private-sector personal information controllers. Article 32 PIPA's personal information file registration duty applies exclusively to public institutions (정부기관, 지방자치단체, and designated public organizations under Article 2(6) PIPA and Article 2 of the Enforcement Decree). Private-sector controllers—corporations, sole proprietorships, non-profit organizations, and other non-governmental entities—are not required by statute to register their personal information files with the Personal Information Protection Commission (PIPC, 개인정보보호위원회) or to maintain an internal written inventory of processing activities in the manner prescribed by GDPR Article 30 for EU controllers and processors.

This is a material divergence from the GDPR, which requires every controller and processor (subject to a narrow small-enterprise exemption for entities employing fewer than 250 persons, applicable only when processing is occasional and does not involve special-category data or pose a risk to data-subject rights) to maintain a written ROPA containing the controller's or processor's name and contact details, purposes of processing, categories of data subjects and personal data, categories of recipients, international transfers, envisaged retention periods, and a general description of technical and organizational security measures (Regulation (EU) 2016/679, Article 30). The EU Commission's December 17, 2021, adequacy decision for South Korea (Commission Implementing Decision (EU) 2021/2044) did not identify the absence of a private-sector ROPA obligation as a gap requiring remedial measures, likely because the adequacy assessment prioritized substantive protections for data-subject rights (access, erasure, restriction, portability under Articles 35–37 PIPA) and lawful-basis requirements (Articles 15–18 PIPA) over controller-side documentation discipline.

Article 30 privacy policy — mandatory public disclosure, not internal inventory. Article 30(1) PIPA requires every personal information controller (public or private) to establish and publicly disclose a privacy policy (개인정보 처리방침) containing nine mandatory elements:

  1. Purpose of processing personal information (Art. 30(1)(1));
  2. Categories of personal information processed, including retention periods (Art. 30(1)(2));
  3. Provision of personal information to third parties, if applicable, specifying the recipient, purpose, and categories of personal information provided (Art. 30(1)(3));
  4. Consignment (outsourcing) of personal information processing, if applicable, including the name of the consignee and the scope of consigned processing (Art. 30(1)(4));
  5. Rights of data subjects under Articles 35–38 PIPA (access, correction, erasure, suspension of processing) and the procedures for exercising those rights (Art. 30(1)(5));
  6. Items of personal information subject to automated collection, if the controller uses automatic collection devices such as cookies (Art. 30(1)(6));
  7. Measures to ensure the security of personal information under Article 29 PIPA, including administrative, technical, and physical safeguards (Art. 30(1)(7));
  8. Name and contact information of the Chief Privacy Officer (CPO) designated under Article 31 PIPA (Art. 30(1)(8)); and
  9. Procedures for filing complaints related to personal information and contact details for the complaint-handling department (Art. 30(1)(9)).

Article 30(2) requires the controller to publicly disclose the privacy policy via the controller's website (if one exists) or, for controllers without an internet homepage, by posting the privacy policy in a conspicuous location at the controller's place of business where data subjects can easily review it. When the controller amends the privacy policy, Article 30(2) requires the controller to publicly announce the amendment at least seven days before the effective date (or at least 30 days' prior notice if the amendment is unfavorable to data subjects).

The Article 30 privacy policy functions as a transparency instrument for data subjects, analogous to GDPR Articles 13–14 (information to be provided when personal data are collected from or not obtained from the data subject) combined with GDPR Article 30's external-facing disclosure requirement in the public-authority context (GDPR Article 30(4) requires public authorities to make the ROPA available to the supervisory authority and, in certain member states, to the public). However, the Article 30 privacy policy is not an internal processing inventory—it does not require the controller to document the legal basis for each processing activity, map data flows between controllers and processors, or maintain versioned records of processing decisions for supervisory-authority inspection. The privacy policy must be updated whenever processing practices change, but PIPA does not mandate that the controller maintain an internal log or audit trail of past processing activities.

PIPC Standard Personal Information Protection Guidelines — best-practice recommendation to maintain internal processing records. The Personal Information Protection Commission publishes Standard Personal Information Protection Guidelines (표준 개인정보 보호지침) under Article 12 PIPA, which authorize the PIPC to recommend measures necessary for the protection of personal information and provide model forms, checklists, and governance frameworks for controllers. The PIPC's guidelines are not binding law—they serve as interpretive aids and governance best practices, and a controller's failure to follow a guideline recommendation does not, by itself, expose the controller to an administrative fine or corrective order under PIPA. However, the PIPC may cite a controller's deviation from the guidelines as evidence of inadequate security measures (Article 29 PIPA) or failure to fulfill the controller's duty to process personal information lawfully and transparently (Article 3 PIPA, general principles) in enforcement actions.

The PIPC's Standard Guidelines recommend that private-sector controllers maintain an internal inventory of personal information processing activities, including the categories of personal information processed, the legal basis for processing, retention periods, third-party recipients, consignees (processors), and security measures applied to each processing activity. This recommendation mirrors the GDPR Article 30 ROPA framework and reflects the PIPC's view that internal documentation is a necessary governance practice to enable the controller to respond to data-subject access requests under Article 35 PIPA, conduct internal audits of compliance with retention-period limits under Article 21 PIPA, and demonstrate compliance with security-safeguard requirements under Article 29 PIPA during a PIPC inspection. The guidelines also recommend that controllers document the CPO's oversight activities, maintain logs of data-subject rights requests and the controller's responses, and prepare written procedures for breach notification under Article 34 PIPA.

Practical consequence: voluntary adoption of ROPA-style documentation by multinational controllers. Because PIPA does not mandate an internal ROPA for private controllers, a purely domestic Korean company operating exclusively within South Korea and not subject to the GDPR, LGPD, or other regimes with statutory ROPA requirements could in principle limit its documentation to the Article 30 public privacy policy and forgo maintaining a detailed internal processing inventory. However, most multinational controllers operating in South Korea voluntarily maintain GDPR-style ROPAs for the following reasons:

  • EU adequacy bridge. The EU Commission's adequacy decision for South Korea (Commission Implementing Decision (EU) 2021/2044 of December 17, 2021) permits transfers of EU personal data to Korean controllers without requiring Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), but only when the Korean controller processes the EU data in compliance with PIPA and demonstrates accountability mechanisms substantially equivalent to GDPR requirements. A controller that processes both Korean and EU personal data typically maintains a unified ROPA covering both data sets to satisfy GDPR Article 30 obligations for the EU data and to demonstrate governance maturity to the PIPC for the Korean data.
  • PIPC enforcement posture. Although the PIPC cannot issue an administrative fine solely for failure to maintain an internal ROPA, the Commission has increasingly cited inadequate internal documentation as an aggravating factor in enforcement actions under Article 64 PIPA (corrective orders) and Article 75 PIPA (administrative fines). In high-profile breach investigations (including the 2020 enforcement actions against online service providers following large-scale credential-stuffing attacks), the PIPC has emphasized that controllers unable to produce contemporaneous records of processing decisions, security-measure implementation, and CPO oversight activities face heightened exposure to corrective orders and higher fine amounts under the proportionality analysis in Article 75(2) PIPA.
  • Cross-border data transfer requirements. Article 17(3) PIPA (as amended in March 2023) requires controllers transferring personal information to foreign countries to obtain the data subject's separate consent after notifying the data subject of the receiving country, the transferee's name and contact information, the purpose and retention period of the cross-border transfer, and the fact that the data subject may refuse consent and the consequences of refusal. Controllers operating in multiple jurisdictions typically maintain an internal cross-border transfer inventory—functionally equivalent to a GDPR Article 30 ROPA section on international transfers—to enable the controller to provide accurate Article 17(3) notices and respond to PIPC inquiries during cross-border transfer compliance audits.

No penalty for lack of internal ROPA under PIPA. Article 75(2) PIPA, which enumerates administrative fines of up to KRW 10 million for specified violations, does not include failure to maintain an internal processing inventory among the fineable offenses. The only documentation-related fines under Article 75(2) are:

  • KRW 10 million for failure to designate a Chief Privacy Officer under Article 31 PIPA (Art. 75(2)(1)); and
  • KRW 10 million for public institutions' failure to register personal information files under Article 32 PIPA or to amend the registration within 60 days of a change (Art. 75(2)(1)).

Private-sector controllers that choose not to maintain an internal ROPA face no direct monetary penalty, though they may encounter operational difficulty demonstrating compliance during PIPC inspections, responding to data-subject access requests, or defending against allegations of unlawful processing under Articles 15–18 PIPA.

Comparison to peer regimes. South Korea's private-sector exemption from statutory ROPA requirements diverges from the GDPR (Article 30 mandatory ROPA for all controllers and processors, subject to the narrow <250-employee exemption), Brazil's LGPD (Art. 37 requires controllers to maintain records of processing operations, though the ANPD has not yet finalized the regulatory standard specifying the required contents), and China's PIPL (Article 54 requires controllers handling large volumes of personal information to designate a personal information protection officer and establish an independent oversight body, implicitly requiring documented processing inventories to enable oversight, though no explicit ROPA provision exists). The absence of a statutory ROPA obligation in South Korea reflects the statute's historical emphasis on ex-ante transparency to data subjects (Article 30 privacy policy, Article 15 collection notice) and ex-post supervisory-authority oversight (Article 64 PIPC inspection powers) rather than on continuous internal controller documentation. The adequacy decision's acceptance of this framework suggests that the EU Commission views the Article 30 privacy-policy requirement, combined with the PIPC's guideline-based encouragement of voluntary ROPA adoption and the Commission's enforcement posture rewarding documented governance, as functionally sufficient to protect EU data subjects transferred to South Korea under the adequacy bridge.

Source: Personal Information Protection Act, Act No. 19234, Articles 30–32
Source: Enforcement Decree of the Personal Information Protection Act, Presidential Decree No. 34413, Article 2
Source: PIPC — Privacy Guidelines


Domestic representative designation — mandatory for foreign controllers meeting Article 31-2 PIPA thresholds

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

Foreign-entity obligation; extraterritorial enforcement mechanism. Article 31-2 of the Personal Information Protection Act (개인정보 보호법, PIPA), as amended in March 2023 and further expanded by amendments effective October 2, 2025, requires foreign personal information controllers (외국 개인정보처리자) that do not have a place of business (사업장) in South Korea to designate a domestic representative (국내대리인) when the foreign controller meets specified thresholds. The domestic representative acts as the foreign controller's local point of contact for the Personal Information Protection Commission (PIPC, 개인정보보호위원회), data subjects exercising their rights under Articles 35–38 PIPA (access, correction, erasure, suspension of processing), and regulatory enforcement actions. The requirement functions as South Korea's primary mechanism to enforce PIPA against foreign controllers processing personal information of Korean data subjects from outside Korean territory, analogous to the GDPR's Article 27 representative requirement for non-EU controllers and processors not subject to the GDPR's main establishment rules.

Statutory thresholds triggering the domestic-representative obligation under Article 31-2(1). The Enforcement Decree of PIPA (Presidential Decree No. 34413, as amended through October 2, 2025) specifies three alternative triggers for the domestic-representative designation requirement. A foreign controller must designate a domestic representative if the controller meets any one of the following criteria:

  1. Revenue threshold: Total annual revenue or income of at least KRW 1 trillion (approximately USD 730 million at 2025 exchange rates) in the immediately preceding year;
  2. Data-subject volume threshold: Processing of personal information of an average of at least 1 million data subjects per day during the last three months of the immediately preceding year; or
  3. PIPC discretionary designation: The PIPC has requested the foreign controller to submit documents or materials under Article 63(1) PIPA (the PIPC's general investigation and document-request authority) and the PIPC determines that designation of a domestic representative is necessary for effective enforcement of PIPA.

The thresholds apply to foreign controllers processing personal information of Korean data subjects (individuals in South Korea or Korean nationals abroad) even when the controller does not have a physical office, subsidiary, or other place of business in South Korea. The PIPC's April 4, 2024, "Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators" clarify that PIPA applies to foreign controllers in three situations: (i) when the controller provides goods or services to Korean data subjects; (ii) when the controller's processing of personal information has a direct and substantial impact on Korean data subjects (for example, collecting and disclosing personal information of Korean individuals on a public website); or (iii) when the controller maintains a local Korean entity that acts as the personal information controller for Korean data subjects. Foreign controllers meeting any of the Article 31-2 thresholds must comply with the domestic-representative designation requirement if they fall within one of these PIPA-applicability categories.

Mandatory designation from domestic subsidiary or affiliate — October 2, 2025 amendments. Article 31-2(2) PIPA, as amended effective October 2, 2025, imposes a priority-designation rule when the foreign controller has an existing Korean subsidiary or affiliate. If any of the following Korean entities exist, the foreign controller must designate the domestic representative from among these entities, rather than engaging an unaffiliated third-party service provider:

  • A Korean entity established by the foreign controller (for example, a wholly owned subsidiary incorporated under Korean law); or
  • A Korean entity over which the foreign controller exercises dominant influence (지배적 영향력), which the Enforcement Decree defines to include board representation, capital ties, or other structural arrangements that give the foreign controller the ability to determine the Korean entity's business decisions.

This priority-designation rule reflects the PIPC's enforcement posture that foreign controllers with existing Korean operations should use those local entities as domestic representatives to ensure accountability, institutional knowledge of Korean law, and effective response to data-subject requests and PIPC investigations. The October 2025 amendments to the Enforcement Decree further require the foreign controller to provide annual training to the domestic representative on its duties and responsibilities, and to conduct periodic inspections confirming that the representative has formulated a plan for performing its duties and is implementing that plan. The foreign controller remains fully liable under PIPA for all actions and omissions of the domestic representative, including the representative's failure to respond to data-subject rights requests, breach-notification obligations, or PIPC document requests.

Duties of the domestic representative under Article 31-2(3) and the Enforcement Decree. Article 31-2(3) PIPA enumerates the domestic representative's statutory duties:

  1. Data-subject rights handling: Responding to data subjects' requests to exercise their rights under Articles 35–38 PIPA (access, correction, erasure, suspension of processing), including verifying the identity of the requesting data subject, locating the requested personal information, and providing the foreign controller's response within the statutory deadlines (generally 10 days from receipt of the request, with one 10-day extension permitted under Article 35(5) PIPA);
  2. Breach notification: Notifying both affected data subjects and the PIPC in the event of a personal information breach under Article 34 PIPA, within the applicable timelines (generally within 72 hours of the foreign controller becoming aware of the breach, though the threshold for notifiability differs between information and communications service providers (ICSPs) covered by the Network Act and non-ICSP controllers covered only by PIPA);
  3. PIPC cooperation: Submitting documents or materials requested by the PIPC under Article 63(1) PIPA during investigations, audits, or compliance reviews, and responding to PIPC inquiries regarding the foreign controller's processing activities, legal basis, security measures, and data-subject-rights procedures; and
  4. Other duties prescribed by Presidential Decree, which the Enforcement Decree elaborates to include maintaining accurate contact information (Korean address, telephone number, email address capable of receiving communications in Korean) and ensuring that the foreign controller's privacy policy under Article 30 PIPA discloses the domestic representative's name, address, and contact details in a manner accessible to Korean data subjects.

The domestic representative does not assume substantive decision-making authority over the foreign controller's processing activities — it is a liaison and compliance agent, not a joint controller or independent processor. The foreign controller retains all Article 15–18 PIPA obligations (lawful basis for collection, use, and provision of personal information; data minimization; purpose limitation) and Article 29 PIPA security-safeguard obligations (technical, administrative, and physical measures to prevent unauthorized access, loss, theft, leakage, alteration, or damage). The domestic representative's role is to enable the PIPC and data subjects to enforce those obligations against a foreign controller that lacks a Korean presence.

Disclosure requirement in the privacy policy under Article 30 PIPA. Article 30(1) PIPA requires every personal information controller (domestic or foreign) to establish and publicly disclose a privacy policy containing nine mandatory elements, including the name and contact information of the Chief Privacy Officer (CPO) designated under Article 31 PIPA. The PIPC's April 2024 Guidelines clarify that foreign controllers subject to the Article 31-2 domestic-representative requirement must additionally disclose the domestic representative's name, Korean address, and telephone number in the privacy policy made available to Korean data subjects. The privacy policy must be accessible in Korean and must identify the domestic representative as the designated contact for data-subject rights requests and PIPC inquiries. Foreign controllers that fail to disclose the domestic representative's contact details in the privacy policy may be subject to corrective orders under Article 64 PIPA and administrative fines under Article 75(2) PIPA (up to KRW 10 million for failure to comply with the Article 30 privacy-policy disclosure obligation).

Enforcement and penalties. Article 75(2) PIPA authorizes the PIPC to impose administrative fines for violations of the domestic-representative designation and disclosure obligations. The statute does not specify a dedicated fine tier for Article 31-2 non-compliance, but the PIPC interprets failure to designate a domestic representative (when required) as a violation of the controller's general duty to process personal information lawfully and to cooperate with PIPC oversight under Article 3 PIPA (general principles), exposing the foreign controller to corrective orders under Article 64 PIPA and administrative fines under Article 64-2 PIPA. Article 64-2(2) PIPA, as amended in March 2023, permits administrative fines of up to 3 percent of the foreign controller's total revenue (excluding revenue unrelated to the PIPA violation) when the controller fails to take appropriate measures to ensure the security of personal information under Article 29 PIPA or fails to establish and implement an internal management plan. The PIPC's enforcement practice since the October 2025 amendments has emphasized that foreign controllers failing to designate a domestic representative face heightened exposure to fines in the event of a subsequent breach or data-subject complaint, because the absence of a domestic representative impedes the PIPC's ability to investigate and the data subject's ability to exercise rights, aggravating the harm under the PIPC's proportionality analysis.

Historical context and EU adequacy alignment. The domestic-representative requirement originated in the Act on Promotion of Information and Communications Network Utilization and Information Protection (통신망법, the "Network Act"), which first required information and communications service providers (ICSPs) operating from outside Korea to designate a domestic representative in 2020. The March 2023 amendments to PIPA extended the requirement to all foreign personal information controllers (not just ICSPs) meeting the specified thresholds, effective September 15, 2023, with the priority-designation rule for subsidiaries and affiliates added by the October 2, 2025 amendments. The domestic-representative mechanism was a key element in the EU Commission's December 17, 2021, adequacy decision for South Korea (Commission Implementing Decision (EU) 2021/2044), which permits transfers of EU personal data to Korean controllers without Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). The adequacy decision noted that Article 31-2 PIPA, combined with the PIPC's broad extraterritorial enforcement authority under Article 63 PIPA, provides effective mechanisms to ensure that foreign controllers processing Korean personal data (including EU personal data transferred under the adequacy bridge) remain subject to PIPC oversight and data-subject enforcement comparable to the protections available under GDPR Articles 77–79 (right to lodge a complaint with a supervisory authority, right to an effective judicial remedy against a supervisory authority, and right to an effective remedy against a controller or processor).

Comparison to GDPR Article 27 representative requirement. South Korea's Article 31-2 domestic-representative obligation is narrower in application but substantively similar to the GDPR's Article 27 requirement that controllers and processors not established in the EU but subject to the GDPR under Article 3(2) (offering goods or services to EU data subjects or monitoring their behavior) must designate a representative in the Union. Both regimes require the representative to be a local point of contact for supervisory authorities and data subjects, to respond to data-subject rights requests, and to cooperate with enforcement investigations. Key differences include:

  • Thresholds: GDPR Article 27 applies to all non-EU controllers and processors subject to Article 3(2) GDPR, with narrow exceptions for occasional processing, public authorities, and controllers whose main establishment is in a third country with an adequacy decision. South Korea's Article 31-2 applies only to foreign controllers meeting the KRW 1 trillion revenue threshold, the 1 million data-subjects-per-day threshold, or the PIPC's discretionary designation, leaving smaller foreign controllers outside the mandatory-designation regime (though the PIPC may still exercise enforcement jurisdiction under Article 63 PIPA).
  • Priority designation from local entities: GDPR Article 27 permits the controller to designate any natural or legal person established in the EU as the representative. South Korea's Article 31-2(2), as amended in 2025, requires designation from a Korean subsidiary or affiliate when one exists, limiting the controller's choice of representative.
  • Representative liability: GDPR Article 27(4) states that designation of a representative "shall be without prejudice to legal actions which could be initiated against the controller or processor themselves," but does not make the controller strictly liable for the representative's actions. South Korea's Article 31-2 framework, as interpreted by the PIPC, imposes full controller liability for the representative's failures, treating the representative as an agent whose acts and omissions are attributed to the foreign controller for PIPA enforcement purposes.

The substantive similarity reflects Korea's alignment strategy documented in the adequacy decision: PIPA Article 31-2 was designed to provide EU data subjects transferred to Korean controllers under the adequacy bridge with a local enforcement contact functionally equivalent to the GDPR Article 27 representative, ensuring that cross-border transfers to Korea do not dilute data-subject rights or supervisory-authority oversight.

Source: Personal Information Protection Act, Act No. 19234, Article 31-2
Source: Enforcement Decree of the Personal Information Protection Act, Presidential Decree No. 34413
Source: PIPC — Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators (April 4, 2024)
