PIPA Article 17 — Statutory framework for overseas provision of personal information
South Korea's cross-border data transfer regime is governed by Article 17 of the Personal Information Protection Act (PIPA), enacted in 2011 and substantially amended in 2020 when the Personal Information Protection Commission (PIPC) was elevated to central administrative-agency status. The PIPC is the supervisory authority responsible for enforcement.
Article 17 uses the term "provision to a third party in a foreign country" rather than "transfer" — the same conceptual framework as domestic third-party disclosure under Article 17, but with heightened consent and transparency requirements when the recipient is located outside South Korea. A cross-border provision occurs when a personal information controller (정보처리자) transfers personal information to any natural or legal person located in a foreign jurisdiction, whether that recipient acts as an independent controller or as a processor on behalf of the Korean controller.
Consent-based transfers — Article 17(1) and (2)
Article 17(1) permits overseas provision only when the data subject has been separately informed of specific details and has given consent. The required disclosure elements under Article 17(2) are:
- The recipient and contact details of the person receiving the information in the foreign country;
- The country to which the information will be transferred;
- The purpose for which the recipient will use the information;
- The items of personal information to be provided;
- The period during which the recipient will retain and use the information; and
- The fact that the data subject has the right to refuse consent, and any disadvantages that may result from refusal.
This consent obligation is separate from and in addition to the general consent requirements under Articles 15 and 22 for collection and third-party provision. In practice, a Korean controller must layer consents: initial collection consent under Article 15, domestic third-party provision consent under Article 17 (if applicable), and then the heightened overseas-provision consent under Article 17(1)–(2).
Exceptions under Article 17(3)
Article 17(3) creates narrow exceptions mirroring those in Article 17(1) for domestic third-party disclosure, including where overseas provision is necessary for performance of a contract to which the data subject is party, or where required by statute or treaty obligation. These exceptions are construed strictly by the PIPC — contractual necessity is read functionally (the specific data element must be objectively required for contract performance), not as a blanket waiver.
No adequacy framework or standard contractual clauses
Unlike the GDPR Chapter V regime, PIPA does not recognize adequacy decisions or pre-approved standard contractual clauses (SCCs) as standalone transfer mechanisms. Every cross-border provision to a non-adequate jurisdiction requires individualized data-subject consent under Article 17(1)–(2) unless a statutory exception applies. Korea is a member of the APEC Cross-Border Privacy Rules (CBPR) system, but CBPR certification does not substitute for Article 17 compliance — it is a supplementary accountability signal, not a legal basis.
The Enforcement Decree of PIPA (Presidential Decree) implements Article 17 by specifying recordkeeping obligations and security safeguards for overseas provision, codified in Article 48-10 and related provisions. Controllers must document each cross-border transfer, its legal basis, and the safeguards applied, similar to GDPR Article 30 records of processing activity (ROPA) but focused specifically on outbound transfers.
The PIPC enforces Article 17 through administrative fines up to 3% of revenue or KRW 300 million (approximately USD 220,000) under Article 34-2 of PIPA, and criminal penalties under Article 71 for egregious or intentional violations. Leading enforcement actions have targeted e-commerce platforms and cloud-service providers that embedded overseas data flows in general terms of service without the Article 17(2)-compliant layered disclosures.
Source: Personal Information Protection Act (Act No. 16930, as amended), Article 17
PIPA Article 17(3) — Adequacy recognition and PIPC certification as consent alternatives (2023 amendment)
The March 2023 amendment to PIPA (Act No. 19234, effective September 15, 2023) introduced two new pathways for cross-border personal-information transfers that do not require individualized data-subject consent under Article 17(1)–(2): adequacy recognition for countries with equivalent data-protection regimes, and PIPC certification for individual foreign recipients that meet prescribed standards. These mechanisms represent Korea's first movement toward a transfer framework resembling GDPR Chapter V, though consent remains the default and most widely used legal basis.
Adequacy recognition — Article 17(3), subparagraph 1
Article 17(3), subparagraph 1 permits transfers to a foreign country or international organization that the PIPC has formally recognized as maintaining "an equivalent level of data protection to that required under [PIPA]." This provision is modeled on GDPR adequacy decisions under Article 45, but as of May 2026 the PIPC has not published any adequacy determinations or the procedural framework for assessment.
The statutory text does not define "equivalent level." Secondary PIPC guidance (when published) is expected to evaluate foreign jurisdictions on criteria including: a comprehensive data-protection statute with controller/processor obligations and data-subject rights; an independent supervisory authority with enforcement powers; restrictions on onward transfers to third countries; and effective judicial remedies for data subjects. The analysis mirrors the European Commission's adequacy-decision framework under Recital 104 and Article 45(2) GDPR, adapted to PIPA's terminology (e.g., "personal information controller" rather than "data controller").
A cross-border provision to a recognized-adequate jurisdiction requires no separate consent under Article 17(1), but the controller must still satisfy the general third-party-provision notice requirements under Article 17 (domestic provision) and document the adequacy determination in its records of processing activity. The controller remains subject to PIPA security obligations under Article 29 and must verify that the recipient's jurisdiction remains on the PIPC adequacy list at the time of transfer.
PIPC certification of foreign recipients — Article 17(3), subparagraph 2
Article 17(3), subparagraph 2 permits transfers to a foreign natural or legal person that "has been certified by the [PIPC]" as meeting prescribed data-protection standards. This mechanism is conceptually equivalent to Binding Corporate Rules (BCRs) under GDPR Article 47 or to an entity-level certification scheme, but the implementing regulations specifying the certification criteria, application procedure, audit standards, and renewal cycle have not yet been promulgated by the PIPC.
The statutory text authorizes the PIPC to issue certifications to foreign recipients — whether acting as independent controllers or as processors on behalf of Korean controllers — on a case-by-case basis. The certification is expected to verify that the foreign recipient implements technical, administrative, and physical security measures equivalent to those required of Korean controllers under PIPA Article 29 and the Enforcement Decree, and that the recipient grants data subjects enforceable rights (access, rectification, erasure, objection) equivalent to Articles 35–38 of PIPA.
Once certified, the foreign recipient may receive personal information from any Korean controller without requiring Article 17(1)–(2) consent, provided the controller documents the certification number and validity period in its records and verifies that the certification remains in force. The PIPC retains authority under Article 17(4) to suspend or revoke the certification if the foreign recipient fails to maintain the prescribed safeguards or violates PIPA obligations, and to order the suspension of ongoing cross-border transfers to that recipient.
Practical status and limitations (May 2026)
As of May 2026, neither the adequacy pathway nor the certification pathway has been operationalized. The PIPC has not published:
- A list of adequate jurisdictions (no country has been recognized);
- Application forms, fees, or procedural timelines for entity certification;
- Audit standards or security benchmarks for certification eligibility; or
- Guidance on evidentiary requirements for demonstrating "equivalent" protection.
In practice, Article 17(1)–(2) individualized consent remains the predominant legal basis for cross-border transfers from Korea. Controllers relying on the contractual-necessity exception under Article 17(3), subparagraph 5 (mirroring the general exception in Article 15(1) subparagraph 2) must apply strict functional necessity — the specific data element must be objectively required for contract performance, not merely convenient. The PIPC enforces this narrowly: embedding a cross-border data flow in general terms of service does not satisfy the exception.
Korea is a member of the APEC Cross-Border Privacy Rules (CBPR) system, but CBPR certification is not recognized as a standalone legal basis under Article 17(3). A foreign recipient holding APEC CBPR certification must still either (a) obtain individualized data-subject consent under Article 17(1)–(2), (b) qualify for a statutory exception under Article 17(3), or (c) wait for the PIPC to operationalize the certification pathway and issue a Korea-specific certification.
The Enforcement Decree (Presidential Decree No. 35343, as amended February 25, 2025) implements Article 17 by requiring controllers to document each cross-border transfer in records of processing activity (Article 48-10), but does not yet contain the delegated rulemaking for adequacy or certification procedures. Controllers should monitor PIPC notices and enforcement-decree amendments for operationalization of these mechanisms.
The PIPC enforces Article 17 violations through administrative fines up to 3% of revenue or KRW 300 million (approximately USD 220,000) under Article 34-2, and criminal penalties under Article 71 for intentional or egregious violations. The PIPC's authority to suspend cross-border transfers under Article 17(4) applies to all transfer mechanisms, including adequacy and certification pathways once operational — if the PIPC determines that the foreign recipient or jurisdiction no longer satisfies the prescribed safeguards, it may order immediate suspension of ongoing transfers pending remediation or revocation.
Source: Personal Information Protection Act, Article 17(3) (Act No. 19234, effective September 15, 2023)
Article 30 PIPA — Privacy policy disclosure obligations for cross-border transfers
South Korean controllers transferring personal information to foreign jurisdictions must meet heightened transparency and disclosure obligations under Article 30 of the Personal Information Protection Act (PIPA) and the PIPC's Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators (issued April 4, 2024). These requirements layer onto the separate-consent framework under Article 17 (renumbered Article 28-8 in some amendments), ensuring that data subjects can locate and understand cross-border transfer details before consenting.
Privacy policy — Article 30(1) general obligation
Article 30(1) of PIPA requires every personal information controller to "establish and publicly disclose a privacy policy" that informs data subjects of how their personal information is collected, used, and provided to third parties. For cross-border transfers, the privacy policy must include the specific elements mandated by Article 17(2) (or Article 28-8, depending on the statutory version in force):
- The recipient's identity and contact details — the name of the foreign natural or legal person receiving the personal information, plus a contact address or email where the data subject can reach that recipient directly;
- The destination country — the name of the foreign jurisdiction to which the information will be transferred (e.g., "United States," "Singapore");
- Purpose of use by the recipient — the specific processing purposes for which the foreign recipient will use the information (general statements such as "business operations" are insufficient; the PIPC expects functional specificity, e.g., "cloud storage and backup," "customer-support ticket processing");
- Items of personal information — an enumeration of the data elements being transferred (name, email, payment-card number, IP address, etc.);
- Retention period — how long the foreign recipient will retain and use the information; and
- Right to refuse consent and consequences — a statement that the data subject has the right to refuse consent for the overseas provision, and a disclosure of any disadvantages that may result from refusal (e.g., inability to use a particular service feature).
These six elements are mandatory for every cross-border transfer that relies on data-subject consent under Article 17(1)–(2). Controllers that fail to include them in the privacy policy—or that bury them in general terms of service without clear labeling—face administrative fines under Article 34-2 of PIPA (up to 3% of revenue or KRW 300 million, approximately USD 220,000).
PIPC Guidelines on Foreign Business Operators — April 2024 clarifications
The PIPC's April 2024 Guidelines impose additional specificity for foreign controllers operating in or targeting Korea:
- Korean-language disclosure: The privacy policy must be written in Korean and "specifically formulated to comply with PIPA." A global privacy policy written in English and merely translated does not satisfy this standard if it omits Korea-specific transfer details or uses GDPR terminology (e.g., "adequacy," "SCCs") without explaining the PIPA legal basis.
- Separate cross-border section: The Guidelines recommend that cross-border transfer details be disclosed in a separate, clearly labeled section of the privacy policy—labeled "Overseas Provision of Personal Information" (개인정보의 국외 이전) or similar—rather than folded into a general "third-party provision" clause. This separation ensures data subjects can locate transfer-specific information without reading the entire policy.
- Consolidation on a single page: If the controller discloses additional Korea-specific provisions beyond the global policy (e.g., PIPC certification status, Korea-only retention periods), those provisions should be consolidated on one web page accessible via the main privacy-policy link, not scattered across multiple sub-pages or annexes.
- Prior-version accessibility and change-highlighting: The privacy policy must remain accessible in its prior versions, and substantive changes (including new cross-border transfer destinations or recipients) must be highlighted for easy identification by returning users. The PIPC enforces this through its "transparency and accessibility" principle—data subjects must be able to see what has changed since their last consent.
Article 30 vs. Article 17 consent layer
The Article 30 privacy-policy disclosure is not a substitute for the Article 17(1)–(2) individualized consent. Article 30 imposes a passive transparency obligation—the controller must publish the transfer details in a publicly accessible document. Article 17 imposes an active consent obligation—the controller must affirmatively inform the data subject of the six elements at the point of transfer and obtain separate opt-in consent.
In practice, controllers typically satisfy both obligations by:
- Publishing the cross-border transfer details in the Article 30 privacy policy (general transparency);
- Displaying a layered consent interface at the point of collection or transfer that reproduces the Article 17(2) elements in a checkbox or modal dialog and requires the data subject to opt in before the transfer occurs; and
- Logging the consent event (timestamp, IP address, consent string) in a records-of-processing-activity (ROPA) system that can be produced during a PIPC audit.
Enforcement focus — e-commerce and cloud-service providers
The PIPC has prioritized enforcement against e-commerce platforms and cloud-service providers that embed cross-border data flows in general terms of service without the Article 17(2)-compliant layered disclosures. Leading enforcement actions have targeted controllers that:
- Listed "global partners" in the privacy policy without naming the specific foreign recipients or destination countries;
- Used boilerplate language such as "we may transfer your information to our affiliates worldwide" without enumerating which countries or entities;
- Pre-checked a consent box for overseas provision, or bundled overseas-provision consent with general terms-of-service acceptance, violating the separate-consent requirement; or
- Failed to disclose the retention period or the consequences of refusal.
Penalties in these cases have included administrative fines, mandatory corrective orders (requiring the controller to re-obtain compliant consent from all affected data subjects), and public disclosure of the violation on the PIPC website.
Recordkeeping and audit obligations
Controllers must document each cross-border transfer in their internal records of processing activity, as required by Article 48-10 of the Enforcement Decree of PIPA (Presidential Decree No. 35343, as amended February 25, 2025). The records must include:
- The legal basis for the transfer (Article 17(1) consent, Article 17(3) exception, or—once operational—adequacy or PIPC certification);
- The date and time of the transfer;
- The identity of the foreign recipient and the destination country;
- The data categories transferred; and
- Evidence of the data subject's consent (for Article 17(1) transfers) or documentation of the applicable exception (for Article 17(3) transfers).
The PIPC audits these records during inspections and can impose fines for inadequate documentation even if the underlying transfer was lawful. Controllers should retain transfer records for at least three years from the date of the transfer, consistent with general PIPA recordkeeping standards, though sector-specific regulations (e.g., financial services, telecommunications) may impose longer retention periods.
Interplay with APEC CBPR and adequacy
Korea is a member of the APEC Cross-Border Privacy Rules (CBPR) system, but CBPR certification of a foreign recipient does not reduce the Article 30 disclosure obligations or the Article 17(1) separate-consent requirement. A controller transferring personal information to a CBPR-certified processor in Singapore must still:
- Disclose the processor's identity, Singapore as the destination country, the purpose, the data items, and the retention period in the Article 30 privacy policy; and
- Obtain individualized data-subject consent under Article 17(1)–(2).
CBPR certification is a supplementary accountability signal that may inform the controller's due-diligence assessment of the foreign recipient, but it is not recognized by PIPA as a standalone legal basis for transfer.
Similarly, when the PIPC operationalizes the adequacy recognition pathway under the March 2023 amendment (Article 17(3), subparagraph 1), transfers to recognized-adequate jurisdictions will still require Article 30 privacy-policy disclosure of the recipient, destination country, purpose, data items, and retention period—consent under Article 17(1) will no longer be required, but transparency under Article 30 remains mandatory.
Practical compliance steps
To satisfy Article 30 and the April 2024 PIPC Guidelines, controllers should:
- Audit existing privacy policies for completeness of the six Article 17(2) elements for every cross-border transfer relationship;
- Create a dedicated "Overseas Provision" section in the Korean-language privacy policy, listing each foreign recipient by name, destination country, purpose, data items, and retention period in a table or enumerated list;
- Implement layered consent at the point of transfer, reproducing the six elements in a modal dialog or checkbox interface separate from general terms-of-service acceptance;
- Log consent events with timestamp, IP address, and consent string, and retain logs for at least three years;
- Update the privacy policy whenever a new cross-border transfer relationship is established, and highlight the change prominently on the policy page; and
- Train compliance personnel on the distinction between Article 30 transparency (passive, policy-based) and Article 17 consent (active, opt-in).
Failure to meet these disclosure and transparency obligations is a leading cause of PIPC enforcement actions, even when the underlying transfer is otherwise lawful and secured by contract.
Source: Personal Information Protection Act, Article 30 (Act No. 19234, effective September 15, 2023)
Article 28-11 PIPA — Onward-transfer restrictions when foreign recipients re-transfer to third countries
When a foreign recipient of Korean personal information subsequently transfers that data to a third country (an "onward transfer" or "sub-transfer"), South Korean law applies the same cross-border transfer safeguards to the second-leg transfer as it did to the initial outbound transfer from Korea. This onward-transfer rule is codified in Article 28-11 of the Personal Information Protection Act (PIPA), enacted in the March 2023 amendment (Act No. 19234, effective September 15, 2023), and ensures that Korean data subjects' rights travel with their data regardless of how many jurisdictions it crosses after leaving Korea.
Article 28-11 statutory text and scope
Article 28-11 PIPA states:
> "When a recipient of personal information in a foreign country further provides such personal information to a third country or international organization, the provisions of this Act relating to cross-border transfers of personal information shall apply accordingly."
The provision imposes a chain-of-custody obligation: each subsequent transfer in the chain must comply with PIPA's cross-border transfer rules (Articles 28-8 through 28-10) as if the sub-recipient were receiving the data directly from the original Korean controller. This means:
- Consent or statutory exception required for each onward leg — If the initial transfer from Korea to Country A was authorized by data-subject consent under Article 28-8(1)(1) (the separate-consent pathway with the six disclosure elements under Article 28-8(2)), the onward transfer from Country A to Country B must also be authorized by either:
  - Fresh data-subject consent under Article 28-8(1)(1) and (2), disclosing the Country B recipient's identity, destination, purpose, data items, retention period, and right to refuse; or
  - One of the Article 28-8(1) exceptions (contractual necessity under subparagraph 2, PIPC certification under subparagraph 3, adequacy recognition under subparagraph 5, or treaty/law under subparagraph 6).
- Security safeguards under Article 48-10 of the Enforcement Decree — Each onward transfer must implement the security measures, complaint-handling mechanisms, and data-subject rights guarantees prescribed by Article 48-10 of the Enforcement Decree (Presidential Decree No. 35343, as amended February 25, 2025). The European Commission's adequacy decision for Korea (Commission Implementing Decision (EU) 2022/254, February 17, 2022) describes this obligation: "For each transfer, specific safeguards must be put in place with respect to security, the handling of complaints and disputes, as well as other measures necessary to protect users' information" (Recital 113).
- Controller liability and supervision obligations — Article 28-11 does not relieve the original Korean controller of its Article 26 supervision and education obligations over the foreign recipient. If the foreign recipient onward-transfers to a sub-recipient without satisfying Article 28-11, the Korean controller remains vicariously liable under Article 26(6) PIPA, which deems the foreign recipient (and any sub-recipient in the onward-transfer chain) to be employees of the Korean controller for purposes of compensation liability under Article 39.
Practical application — multi-hop cross-border data flows
Article 28-11 is triggered in three common scenarios:
A. Cloud subprocessors and nested entrustment
A Korean e-commerce platform (Controller) transfers customer data to a US cloud-infrastructure provider (Recipient 1, acting as processor) under the Article 28-8(1)(2) contractual-necessity exception (entrustment or storage necessary for contract performance, disclosed in the privacy policy). Recipient 1 uses a subprocessor in Singapore (Recipient 2) for database replication.
- The Korea → US transfer is lawful under Article 28-8(1)(2) if the platform disclosed the US provider's identity, destination (United States), purpose, data items, and retention period in its privacy policy or via email to data subjects, and the transfer is objectively necessary for performance of the customer's service contract.
- The US → Singapore onward transfer triggers Article 28-11. Under Article 28-11, the US provider must ensure that the Singapore subprocessor transfer complies with Article 28-8. Because the original legal basis was Article 28-8(1)(2) (contractual necessity), the onward transfer to Singapore must also be necessary for contract performance and disclosed to the data subjects. If the Singapore subprocessor is not necessary for the customer's contract (e.g., it is purely a cost optimization by the US provider), the onward transfer fails Article 28-11 and the Korean controller is liable.
- The Korean controller must document the entire chain (US → Singapore) in its records of processing activity under Article 48-10 of the Enforcement Decree, including the legal basis for each hop and the security safeguards applied by both the US provider and the Singapore subprocessor.
B. Corporate group data-sharing and adequacy bridges
A Korean subsidiary (Controller) transfers employee HR data to its German parent company (Recipient 1) under Article 28-8(1)(5) (adequacy recognition — the EU was formally recognized by the PIPC on September 16, 2025, as having equivalent protection under Article 28-8(1)(5), per PIPC Notice). The German parent subsequently transfers the data to a subsidiary in India (Recipient 2) for payroll processing.
- The Korea → Germany transfer is lawful under Article 28-8(1)(5) because Germany is in the EU/EEA adequacy zone recognized by the PIPC. No separate data-subject consent is required under Article 28-8(1)(1).
- The Germany → India onward transfer triggers Article 28-11. India is not recognized as adequate by the PIPC (as of June 2026, only the EU/EEA has been recognized). Therefore, the German parent must either:
  - Obtain fresh data-subject consent from the Korean employees under Article 28-8(1)(1) and (2), disclosing the India recipient; or
  - Rely on another Article 28-8(1) exception (e.g., contractual necessity under subparagraph 2 if the India payroll processing is necessary for the employees' employment contracts and disclosed in the privacy policy).
- If the German parent onward-transfers to India without satisfying Article 28-11, the Korean subsidiary is liable under Article 26(6) even though the violation occurred in Germany, because the German parent was acting as a "trustee" (processor/recipient) in the onward-transfer chain.
C. Cross-border M&A and change-of-control transfers
A Korean fintech startup (Controller) transfers customer financial data to a US SaaS provider (Recipient 1, processor) under Article 28-8(1)(1) consent. The US provider is acquired by a Chinese technology company (Recipient 2), and the data is migrated to servers in China as part of the acquisition.
- The Korea → US transfer was lawful under Article 28-8(1)(1) consent initially.
- The US → China onward transfer (triggered by the acquisition) is a new cross-border transfer under Article 28-11. The Korean fintech must ensure that the China recipient complies with Article 28-8. Because China is not recognized as adequate by the PIPC (and does not hold a PIPC certification as of June 2026), the fintech must:
  - Obtain fresh consent from each Korean customer under Article 28-8(1)(1) and (2), disclosing the China recipient's identity, the People's Republic of China as the destination, the purpose, data items, retention period, and right to refuse; or
  - Cease the onward transfer to China and migrate the data back to a jurisdiction for which it holds a valid legal basis.
- Failure to obtain fresh consent before the China migration constitutes an Article 28-11 violation, exposing the Korean fintech to PIPC administrative fines under Article 64-2 (up to 3% of revenue or KRW 300 million, approximately USD 220,000) and potential criminal liability under Article 71 for intentional violations.
Interaction with EU adequacy bridge and mutual recognition
The PIPC and the European Commission completed mutual recognition of each other's frameworks as equivalent in 2025 (EU adequacy decision for Korea adopted February 17, 2022, as Commission Implementing Decision (EU) 2022/254; Korea adequacy recognition for the EU/EEA adopted September 16, 2025, per PIPC Notice). Both adequacy decisions incorporate onward-transfer safeguards to maintain continuity of protection.
Under the EU-Korea adequacy bridge:
- A transfer from Korea to Germany (EU member state) under Article 28-8(1)(5) adequacy is lawful without consent.
- A subsequent transfer from Germany to the United States (a third country outside the EU/EEA adequacy zone) must comply with both GDPR Chapter V (the EU controller in Germany must use SCCs, BCRs, or another GDPR transfer mechanism) and PIPA Article 28-11 (the Korean controller must ensure the US recipient satisfies Article 28-8).
- The EU adequacy decision for Korea explicitly contemplates this dual compliance: "To maintain continuity in personal data protection during onward transfers, the PIPC and the European Commission have agreed to mutually inform each other of developments concerning the operation of their respective cross-border transfer systems, including new recognitions of equivalence or adequacy decisions" (Commission Implementing Decision (EU) 2022/254, Recital 24, as cited in secondary sources).
PIPC enforcement and suspension authority under Article 28-9
The PIPC has statutory authority under Article 28-9 PIPA to order the suspension of cross-border transfers, including onward transfers under Article 28-11, if:
- The transfer violates Article 28-8 (e.g., no valid legal basis, insufficient disclosure, coerced consent); or
- The foreign recipient or sub-recipient fails to implement the prescribed security safeguards under Article 48-10 of the Enforcement Decree.
The Enforcement Decree (Article 29-14) specifies that the PIPC must consider factors including the severity of the violation, the volume and sensitivity of the data, the harm to data subjects, and whether the controller/recipient has taken corrective action. The controller may object to a suspension order within seven days of receipt, and the PIPC must respond within 30 days (Enforcement Decree Article 29-14(3)).
Once a suspension order is issued, the Korean controller must immediately cease the onward-transfer relationship and either:
- Migrate the data back to Korea or to a jurisdiction for which it holds a valid Article 28-8 legal basis;
- Obtain fresh data-subject consent or PIPC certification to re-authorize the transfer; or
- Delete the data under Article 21 PIPA if continued processing is no longer lawful.
Failure to comply with a suspension order is a separate violation under Article 75(3) PIPA, punishable by imprisonment of up to two years or a fine of up to KRW 20 million (approximately USD 15,000).
Recordkeeping and documentation obligations
Controllers must document the entire onward-transfer chain in their records of processing activity under Article 48-10 of the Enforcement Decree. The records must include, for each hop in the chain:
- The identity and contact details of the foreign recipient and each sub-recipient;
- The destination country for each transfer;
- The purpose, data categories, and retention period at each stage;
- The legal basis under Article 28-8(1) for each transfer (consent, contractual necessity, certification, adequacy, treaty);
- Evidence of data-subject consent (timestamp, IP, consent string) if Article 28-8(1)(1) was the basis;
- Documentation of the security safeguards, complaint-handling procedures, and data-subject rights mechanisms implemented by each recipient in the chain; and
- Contracts with each foreign recipient and sub-recipient specifying the Article 26 supervision, education, and vicarious-liability obligations.
These records must be retained for at least three years from the date of the last transfer and must be produced to the PIPC upon request during an audit or investigation. Controllers that fail to maintain adequate onward-transfer documentation face administrative fines under Article 75(2) PIPA even if the underlying transfers were lawful.
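As an added illustration (not part of the source text or any PIPC material), the following hypothetical Python checker walks an onward-transfer chain record hop by hop, reports which of the documentation items listed above are missing, and computes the three-year record-retention deadline from the last transfer date. The Hop fields, the basis labels, and the sample chain (Korea to Germany on consent, then Germany to the United States on contractual necessity) are constructed here for the example.

```python
"""Hypothetical validator for an Article 28-11 onward-transfer chain record.

Each hop must carry the items required in the records of processing activity:
recipient and contact, destination country, purpose/items/retention period,
a legal basis under Article 28-8(1), consent evidence when consent is the basis,
documented safeguards, and a contract carrying the Article 26 obligations.
Records are retained for three years from the date of the last transfer.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Labels for the five Article 28-8(1) bases named in the text (labels are ours).
LEGAL_BASES = {"consent", "contractual_necessity", "certification", "adequacy", "treaty"}
# Consent evidence the text expects when consent is the basis.
CONSENT_EVIDENCE_KEYS = {"timestamp", "ip", "consent_string"}
RECORD_RETENTION_YEARS = 3


@dataclass
class Hop:
    recipient: str
    contact: str
    country: str
    purpose: str
    data_items: tuple
    retention_period: str
    legal_basis: str
    transfer_date: date
    consent_evidence: Optional[dict] = None   # required only when legal_basis == "consent"
    safeguards_documented: bool = False       # security, complaint handling, rights mechanisms
    contract_on_file: bool = False            # Article 26 supervision/education/liability clauses


def validate_hop(hop: Hop, index: int) -> list[str]:
    """Return findings for one hop; an empty list means the hop's record is complete."""
    findings = []
    tag = f"hop {index} ({hop.recipient or '?'} / {hop.country or '?'})"
    for name in ("recipient", "contact", "country", "purpose", "retention_period"):
        if not getattr(hop, name):
            findings.append(f"{tag}: missing {name}")
    if not hop.data_items:
        findings.append(f"{tag}: no personal information items listed")
    if hop.legal_basis not in LEGAL_BASES:
        # e.g. an "sccs" label: PIPA does not recognize SCCs as a standalone basis
        findings.append(f"{tag}: legal basis {hop.legal_basis!r} is not an Article 28-8(1) basis")
    elif hop.legal_basis == "consent":
        missing = CONSENT_EVIDENCE_KEYS - set((hop.consent_evidence or {}).keys())
        if missing:
            findings.append(f"{tag}: consent evidence lacks {sorted(missing)}")
    if not hop.safeguards_documented:
        findings.append(f"{tag}: safeguards, complaint handling and rights mechanisms not documented")
    if not hop.contract_on_file:
        findings.append(f"{tag}: no contract with Article 26 obligations on file")
    return findings


def validate_chain(chain: list[Hop]) -> list[str]:
    """Validate every hop; a chain is only as documented as its least documented hop."""
    if not chain:
        return ["chain is empty"]
    findings = []
    for i, hop in enumerate(chain, start=1):
        findings.extend(validate_hop(hop, i))
    return findings


def record_retention_deadline(chain: list[Hop]) -> date:
    """Three years from the date of the last transfer in the chain."""
    last = max(hop.transfer_date for hop in chain)
    try:
        return last.replace(year=last.year + RECORD_RETENTION_YEARS)
    except ValueError:  # last transfer on 29 February: roll forward to 1 March
        return last.replace(year=last.year + RECORD_RETENTION_YEARS, month=3, day=1)


# Constructed sample chain: Korea -> Germany (consent) -> United States (contractual necessity).
SAMPLE_CHAIN = [
    Hop("Example GmbH", "privacy@example.de", "Germany", "order fulfilment",
        ("name", "address"), "2 years", "consent", date(2025, 3, 1),
        consent_evidence={"timestamp": "2025-02-28T09:00:00+09:00",
                          "ip": "203.0.113.5", "consent_string": "overseas-v3"},
        safeguards_documented=True, contract_on_file=True),
    Hop("Example Inc.", "privacy@example.com", "United States", "payment processing",
        ("name", "card_token"), "1 year", "contractual_necessity", date(2025, 4, 15),
        safeguards_documented=True, contract_on_file=True),
]

# Constructed defective hop: no contact, an SCC label as "basis", no safeguard documentation.
DEFECTIVE_HOP = Hop("Example Pte", "", "Singapore", "analytics", ("email",), "6 months",
                    "sccs", date(2024, 2, 29), contract_on_file=True)

if __name__ == "__main__":
    for line in validate_chain(SAMPLE_CHAIN) or ["chain record complete"]:
        print(line)
    print("retain records until", record_retention_deadline(SAMPLE_CHAIN))
    for line in validate_hop(DEFECTIVE_HOP, 3):
        print(line)
```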
Cross-border controller-to-controller onward transfers
Article 28-11 applies not only to processor-to-subprocessor transfers (entrustment chains under Article 26) but also to controller-to-controller onward transfers. If the foreign recipient acts as an independent controller (e.g., a data broker, marketing platform, or analytics provider that uses the data for its own business purposes), and that foreign controller subsequently shares the data with a third controller in another jurisdiction, Article 28-11 requires the original Korean controller to ensure that the second-leg transfer complies with Article 28-8.
In practice, this imposes a contractual due-diligence obligation: the Korean controller must include a clause in the data-transfer agreement requiring the foreign controller to:
- Notify the Korean controller of any planned onward transfers to third countries before they occur;
- Obtain the Korean controller's prior written approval for each onward transfer;
- Ensure that the third-country recipient satisfies Article 28-8 (consent, contractual necessity, certification, adequacy, or treaty); and
- Flow down the same onward-transfer restrictions to the third-country recipient in a written contract.
If the foreign controller onward-transfers without the Korean controller's approval or in violation of Article 28-11, the Korean controller is jointly and severally liable with the foreign controller under Article 39 PIPA for any damages to the data subjects, unless the Korean controller proves it exercised reasonable supervision and had no knowledge of the violation.
APEC CBPR and Article 28-11 compliance
Korea is a member of the APEC Cross-Border Privacy Rules (CBPR) system, but CBPR certification of a foreign recipient or sub-recipient does not satisfy Article 28-11 as a standalone legal basis. A Korean controller transferring data to a CBPR-certified processor in Japan must still:
- Rely on one of the Article 28-8(1) legal bases (consent, contractual necessity, etc.); and
- Ensure that any onward transfer by the Japanese processor to a sub-recipient in another APEC economy (e.g., Singapore) complies with Article 28-11.
CBPR certification is a supplementary accountability signal that may inform the controller's due-diligence assessment of the foreign processor's data-protection capabilities, but it does not substitute for the Article 28-8 legal-basis requirement or the Article 48-10 security-safeguard obligations. The PIPC has not published guidance recognizing CBPR as a substitute for PIPC certification under Article 28-8(1)(3), and controllers should not rely on CBPR alone to authorize onward transfers.
Comparison to GDPR onward-transfer regime
Article 28-11's onward-transfer framework resembles GDPR Article 44 (general principle that all Chapter V transfer rules apply to onward transfers from a third country) but is more restrictive in practice because:
- PIPA does not recognize standard contractual clauses (SCCs) as a standalone transfer mechanism — every onward transfer requires either individualized consent, contractual necessity (narrowly construed), PIPC certification (not yet operationalized as of June 2026), or adequacy (only EU/EEA recognized).
- GDPR permits onward transfers from an adequate third country (e.g., UK → US) using SCCs or BCRs without returning to the original EU controller for fresh consent; PIPA Article 28-11 requires the Korean controller to document and verify that each onward leg satisfies Article 28-8, even if the first-leg recipient is in an adequate jurisdiction.
- PIPA's vicarious liability rule under Article 26(6) makes the Korean controller strictly liable for onward-transfer violations by any recipient in the chain, whereas GDPR liability is more nuanced and depends on the controller-processor relationship and the adequacy of the contract.
Controllers accustomed to GDPR compliance should not assume that a GDPR-compliant onward-transfer chain (e.g., EU SCC → UK Addendum → US SCC) automatically satisfies PIPA Article 28-11. Each onward leg must be separately analyzed under Korean law, and the Korean controller must retain documentation demonstrating compliance.
Source: Personal Information Protection Act, Article 28-11 (Act No. 19234, effective September 15, 2023)
Article 48-10 Enforcement Decree — Security safeguards and contractual measures for cross-border transfers
South Korean controllers transferring personal information to foreign jurisdictions must implement specific technical, organizational, and contractual safeguards prescribed by Article 48-10 of the Enforcement Decree of PIPA (Presidential Decree No. 35343, as amended February 25, 2025). These requirements go beyond the Article 28-8 legal-basis determination (consent, contractual necessity, adequacy, or certification) and impose affirmative obligations on the controller to secure the data, handle complaints, and guarantee data-subject rights throughout the transfer relationship. Article 48-10 is the operational backbone of cross-border transfer compliance — satisfying the legal basis is necessary but not sufficient; controllers must also document and maintain the prescribed safeguards for each transfer.
Article 48-10 statutory mandate and scope
Article 48-10 of the Enforcement Decree states that for each cross-border transfer of personal information, the controller must put in place specific safeguards with respect to:
- Security measures to protect the data during transmission, storage, and processing by the foreign recipient;
- Complaint-handling and dispute-resolution mechanisms that allow Korean data subjects to lodge complaints and obtain remedies for violations; and
- Other measures necessary to protect users' information, including ongoing supervision of the foreign recipient and contractual obligations that flow down PIPA requirements.
This obligation applies to every cross-border transfer, regardless of the legal basis. A transfer authorized by data-subject consent under Article 28-8(1)(1), a transfer relying on the contractual-necessity exception under Article 28-8(1)(2), a transfer to an adequate jurisdiction under Article 28-8(1)(5), and a transfer to a PIPC-certified recipient under Article 28-8(1)(3) (once operationalized) all trigger the Article 48-10 safeguard requirement. The only distinction is evidentiary: transfers relying on consent or contractual necessity require the controller to document the safeguards proactively and produce them during a PIPC audit, whereas transfers to adequate jurisdictions or certified recipients benefit from a rebuttable presumption that the safeguards are in place (because adequacy and certification assessments incorporate Article 48-10 compliance as a condition).
The European Commission's adequacy decision for Korea (Commission Implementing Decision (EU) 2022/254, adopted February 17, 2022) describes the Article 48-10 obligation as follows: "For each transfer, specific safeguards must be put in place with respect to security, the handling of complaints and disputes, as well as other measures necessary to protect users' information" (Recital 113). The adequacy decision recognizes Article 48-10 as a core element of Korea's transfer framework, ensuring continuity of protection when personal information leaves Korean territory.
Security measures — technical and organizational safeguards
The security component of Article 48-10 requires controllers to implement and verify that the foreign recipient maintains technical and organizational measures equivalent to those prescribed for domestic processing under Article 29 PIPA and Article 48-2 of the Enforcement Decree. These include:
- Encryption of personal information during transmission (TLS 1.2 or higher for data in transit) and at rest (AES-256 or equivalent for databases and backups storing personal information);
- Access controls limiting the number of employees and systems that can access the personal information, with role-based access control (RBAC) and logging of all access events;
- Intrusion detection and malware protection using software and network monitoring to detect and block unauthorized access attempts;
- Physical security for data centers and server rooms, including restricted access, surveillance, and environmental controls;
- Secure deletion and destruction protocols when the retention period expires or the legal basis for processing ends, with documented destruction logs; and
- Internal management plans specifying the controller's and foreign recipient's respective security responsibilities, the technical measures in place, and the audit schedule.
The controller must document these safeguards in writing, typically through a data processing agreement (DPA) or data transfer addendum with the foreign recipient. The DPA should enumerate the specific security measures the foreign recipient has implemented, including certifications (ISO/IEC 27001, ISMS-P, SOC 2 Type II), the encryption algorithms in use, the access-control policies, and the frequency of security audits. The controller retains ongoing supervision obligations under Article 26 PIPA (trustee supervision), meaning the controller must periodically verify that the foreign recipient continues to maintain the prescribed safeguards — annual or biannual audits, security questionnaires, or third-party attestations are common evidence.
Complaint-handling and dispute-resolution mechanisms
Article 48-10 requires the controller to establish accessible mechanisms for Korean data subjects to lodge complaints about the foreign recipient's processing of their personal information and to obtain remedies. This obligation ensures that cross-border transfers do not dilute data subjects' rights — the fact that the data is in a foreign jurisdiction must not prevent the data subject from exercising the rights guaranteed by PIPA (access, rectification, erasure, objection under Articles 35–38).
In practice, controllers satisfy the complaint-handling requirement through contractual clauses in the DPA requiring the foreign recipient to:
- Accept complaints directly from Korean data subjects in Korean language (or provide translation services) via email, web form, or mail;
- Respond to complaints within the timelines prescribed by PIPA — typically within 10 business days for acknowledgment and 30 days for substantive response, consistent with the Article 35 access-request timeline;
- Cooperate with the Korean controller in investigating and resolving the complaint, including producing records of processing activity, access logs, and consent documentation;
- Escalate unresolved disputes to the Korean controller for final resolution, or to the Personal Information Dispute Mediation Committee under Article 43 PIPA if the data subject elects statutory mediation; and
- Indemnify the Korean controller for damages awarded to the data subject under Article 39 PIPA if the violation was caused by the foreign recipient's failure to comply with PIPA obligations.
The DPA should also specify the governing law and jurisdiction for disputes. While the foreign recipient may be subject to the laws of its home jurisdiction for general commercial disputes, the DPA should explicitly state that PIPA governs the processing of Korean personal information and that the Korean controller (or the data subject) may bring enforcement actions in Korean courts or before the PIPC. This ensures that Korean data subjects retain access to Korean remedies even when the recipient is abroad.
Some controllers implement a centralized complaint portal on their Korean-language website where data subjects can submit complaints about any recipient in the cross-border transfer chain. The controller then routes the complaint to the responsible foreign recipient and monitors resolution. This model satisfies the Article 48-10 complaint-handling requirement and simplifies the data subject's experience, but it increases the controller's operational burden and vicarious liability exposure under Article 26(6).
Contractual measures — data processing agreements and flow-down obligations
The "other measures necessary to protect users' information" language in Article 48-10 is a catch-all requiring controllers to impose contractual obligations on foreign recipients that mirror the controller's own PIPA obligations. The contractual measures must address:
A. Scope and purpose limitation
The DPA must specify the categories of personal information being transferred, the processing purposes authorized, and the prohibition on use for any other purpose. The foreign recipient may not repurpose the data for its own business objectives (e.g., marketing, analytics, AI training) unless it obtains separate data-subject consent or qualifies for a PIPA exception. This mirrors the Article 15 purpose-limitation principle.
B. Retention and deletion obligations
The DPA must state the retention period for the personal information — the maximum duration the foreign recipient may retain the data before it must be securely deleted or returned to the Korean controller. The retention period must align with the period disclosed to the data subject under Article 28-8(2)(5) (the sixth element of the cross-border transfer consent disclosure). Once the retention period expires, the foreign recipient must delete the data within a specified timeframe (commonly 30 or 60 days) and provide a written certification of deletion to the Korean controller.
C. Subprocessor and onward-transfer restrictions
The DPA must require the foreign recipient to obtain the Korean controller's prior written approval before engaging a subprocessor or onward-transferring the data to a third country. This implements the Article 28-11 onward-transfer rule, which requires each subsequent transfer in the chain to satisfy Article 28-8. The DPA should specify the approval process (e.g., 30-day notice period, list of pre-approved subprocessors, right of the controller to object) and require the foreign recipient to impose equivalent contractual obligations on any subprocessor ("flow-down" clauses).
D. Data-subject rights support
The DPA must obligate the foreign recipient to assist the Korean controller in responding to data-subject rights requests (access, rectification, erasure, restriction, portability, objection under Articles 35–38). Because the data subject's contractual relationship is with the Korean controller, not the foreign recipient, the foreign recipient must provide the controller with the information and tools needed to satisfy the request. Common contractual provisions include:
- A commitment to respond to the controller's requests for data extracts, deletion confirmations, or processing logs within 10 business days;
- Technical integrations (APIs, data portability formats) that enable the controller to retrieve the data subject's information from the foreign recipient's systems; and
- A prohibition on charging fees to the controller for rights-support services (the foreign recipient may not monetize its PIPA compliance obligations).
E. Breach notification obligations
The DPA must require the foreign recipient to notify the Korean controller immediately (and in any event within 24 hours) of any personal-information breach affecting the transferred data. This enables the controller to meet its own 72-hour breach-notification obligation to the PIPC and affected data subjects under Article 34 PIPA. The DPA should specify the information the foreign recipient must include in the breach notice: the nature and scope of the breach, the categories and volume of affected data, the root cause, remediation steps, and whether the breach triggered notification obligations in the foreign recipient's jurisdiction.
F. Audit and inspection rights
The DPA must grant the Korean controller (or a third-party auditor designated by the controller) the right to audit the foreign recipient's security measures, complaint-handling procedures, and PIPA compliance documentation at reasonable intervals (annually or upon reasonable suspicion of a violation). The audit may be conducted remotely (document review, questionnaire) or on-site at the foreign recipient's data center. The foreign recipient must cooperate with the audit, produce requested records, and remediate any deficiencies identified by the auditor within a specified cure period (commonly 30 or 60 days).
G. Indemnification and liability allocation
The DPA should allocate liability for PIPA violations and data-subject damages. Under Article 26(6) PIPA, the Korean controller is vicariously liable for violations by the foreign recipient (the recipient is deemed an "employee" of the controller for purposes of Article 39 compensation liability). The DPA typically includes an indemnification clause requiring the foreign recipient to indemnify and hold harmless the Korean controller for any damages, fines, or penalties arising from the recipient's breach of PIPA obligations. This does not eliminate the controller's primary liability to the data subject or the PIPC, but it allows the controller to seek reimbursement from the foreign recipient after satisfying the claim.
Recordkeeping and production during PIPC audits
Controllers must retain written evidence of the Article 48-10 safeguards for at least three years from the date of the transfer, consistent with the general PIPA recordkeeping standard. The records must be produced to the PIPC upon request during an audit or investigation. Required documentation includes:
- The executed DPA or data transfer addendum with the foreign recipient, including all amendments and addenda;
- Evidence of the foreign recipient's security certifications (ISO 27001 certificate, ISMS-P certification, SOC 2 Type II report) current at the time of the transfer;
- Records of ongoing supervision activities: audit reports, security questionnaires, breach notifications, and remediation logs;
- Complaint logs showing data-subject complaints about the foreign recipient's processing and the resolution;
- Deletion certificates or return-of-data confirmations when the retention period expires;
- Documentation of the legal basis for each transfer (consent records, contractual-necessity analysis, adequacy determination, PIPC certification number); and
- Internal management plans specifying the roles and responsibilities of the controller and the foreign recipient for maintaining the Article 48-10 safeguards.
Failure to maintain adequate records is a separate violation under Article 75(2) PIPA, punishable by administrative fines, even if the underlying transfers were lawful and secured.
PIPC enforcement focus — AliExpress and contractual-safeguard failures
The PIPC has prioritized enforcement of Article 48-10 safeguards in recent years, particularly against cross-border e-commerce platforms and cloud-service providers that transfer Korean customer data abroad without implementing the prescribed contractual and security measures. A leading enforcement action involved AliExpress, a China-based online marketplace, which the PIPC sanctioned in July 2024 for multiple violations including:
- Unlawful cross-border data practices — transferring Korean customer data to China without adequate safeguards under Article 48-10;
- Transparency failures — failing to disclose the transfer details (recipient, destination country, purpose, retention period) in the privacy policy as required by Article 30;
- Missing contract clauses — no DPA with the Chinese data processors specifying security measures, complaint-handling, or data-subject rights support; and
- Barriers to user rights — an English-only account-deletion page that hindered Korean data subjects from exercising their Article 36 erasure right.
The PIPC imposed administrative fines and issued a corrective order requiring AliExpress to implement Article 48-10-compliant DPAs with all Chinese recipients, establish a Korean-language complaint portal, and re-obtain consent from all affected Korean users with the required Article 28-8(2) disclosures. The enforcement action underscores that contractual safeguards are not optional — the PIPC views the absence of a compliant DPA as a per se violation of Article 48-10, regardless of whether the foreign recipient's actual security practices are adequate.
Interaction with adequacy and PIPC certification
When the PIPC operationalizes the adequacy recognition pathway under Article 28-8(1)(5) (EU/EEA recognized in September 2025), transfers to adequate jurisdictions will still require Article 48-10 safeguards, but the evidentiary burden shifts. The adequacy determination itself incorporates an assessment of whether the foreign jurisdiction's legal framework ensures security, complaint-handling, and data-subject rights equivalent to PIPA. Therefore, a controller transferring data to an adequate jurisdiction satisfies Article 48-10 by documenting the adequacy determination and implementing a baseline DPA that references the foreign jurisdiction's data-protection law (e.g., GDPR for EU transfers) as the governing safeguard framework.
Similarly, when the PIPC issues entity-level certifications under Article 28-8(1)(3), the certification will verify that the foreign recipient has implemented Article 48-10-compliant security measures, complaint-handling procedures, and data-subject rights mechanisms. A controller transferring data to a PIPC-certified recipient may rely on the certification as evidence of Article 48-10 compliance, but the controller must still execute a DPA specifying the scope, purpose, retention period, and onward-transfer restrictions, and must verify that the certification remains in force at the time of each transfer.
Cross-border controller-to-controller vs. controller-to-processor safeguards
Article 48-10 applies to both controller-to-processor transfers (entrustment under Article 26) and controller-to-controller transfers (third-party provision under Article 17). The required safeguards differ slightly:
- For processor relationships (cloud storage, payroll processing, customer-support outsourcing), the DPA focuses on processing instructions, security measures, subprocessor controls, and return-or-deletion obligations. The Korean controller retains full control over the processing purposes and means; the foreign processor acts solely on the controller's documented instructions.
- For controller-to-controller transfers (data sharing with affiliates, marketing platforms, analytics providers), the DPA must specify the independent processing purposes of the foreign controller, obtain data-subject consent for those purposes (or rely on another Article 28-8 exception), and impose onward-transfer restrictions. The Korean controller has less supervisory authority but retains joint liability under Article 39 for violations by the foreign controller.
In both cases, the security, complaint-handling, and contractual measures prescribed by Article 48-10 apply in full.
Practical compliance checklist
To satisfy Article 48-10 for cross-border transfers, controllers should:
- Execute a written DPA or data transfer addendum with every foreign recipient before the first transfer occurs, covering security measures, complaint-handling, data-subject rights support, breach notification, audit rights, and indemnification.
- Document the foreign recipient's security posture — obtain current copies of ISO 27001, ISMS-P, SOC 2, or equivalent certifications, and enumerate the encryption standards, access controls, and physical safeguards in the DPA.
- Establish a Korean-language complaint channel on the privacy-policy page or customer-support portal, with clear instructions for data subjects to lodge complaints about foreign recipients' processing.
- Implement ongoing supervision — schedule annual security questionnaires, third-party audits, or on-site inspections of foreign recipients, and document the results in compliance logs.
- Track retention periods and deletion deadlines — maintain a calendar of when each transfer's retention period expires, and obtain written deletion certificates from foreign recipients within 60 days of expiry.
- Train privacy personnel on the distinction between legal basis (Article 28-8) and safeguards (Article 48-10), and ensure that both are documented for every cross-border transfer in the records of processing activity.
- Prepare for PIPC audits — consolidate all DPAs, security certifications, audit reports, complaint logs, deletion certificates, and consent records in a centralized compliance repository accessible during an investigation.
Failure to implement Article 48-10 safeguards exposes the controller to administrative fines under Article 64-2 (up to 3% of revenue or KRW 300 million, approximately USD 220,000), corrective orders requiring suspension of the transfer relationship until safeguards are implemented, and vicarious liability under Article 39 for any damages caused to data subjects by the foreign recipient's violations.
Article 26 PIPA — Security safeguards and mandatory contractual clauses for cross-border entrustment
When a Korean controller transfers personal information to a foreign processor (an "entrustee" in PIPA terminology) under the contractual-necessity pathway of Article 28-8(1)(2) — or under any cross-border entrustment arrangement — the controller must impose specific security safeguards and contractual obligations on that foreign processor under Article 26 of the Personal Information Protection Act (PIPA) and Article 28 of the Enforcement Decree of PIPA (Presidential Decree No. 35343, as amended February 25, 2025). These requirements are mandatory; failure to include them in the data-processing agreement exposes the controller to administrative fines and vicarious liability for the processor's conduct.
Article 26 PIPA — Supervision and education of entrustees
Article 26(1) PIPA requires every personal information controller that entrusts the processing of personal information to a third party (whether domestic or foreign) to "supervise the trustee to ensure that the personal information is safely managed." This supervision obligation is non-delegable — the controller remains accountable for the processor's security practices and must implement oversight measures proportionate to the volume, sensitivity, and risk profile of the data being processed.
Article 26(2) imposes a disclosure obligation: the controller must inform data subjects of the identity of the entrustee and the scope of the entrusted work. For cross-border entrustments, this disclosure must appear in the controller's privacy policy under Article 30, listing the processor's name, the destination country, and the processing activities the processor performs on the controller's behalf. This disclosure is separate from the Article 28-8(2) consent disclosures required for overseas provision under the consent pathway; controllers relying on the Article 28-8(1)(2) contractual-necessity exception must still disclose the entrustment relationship in the privacy policy even though individualized consent is not required.
Article 26(3) mandates that the controller include prescribed matters in a written document (the entrustment contract) and retain that contract for the duration of the entrustment relationship. The specific contract clauses are set forth in Article 28 of the Enforcement Decree.
Article 28 Enforcement Decree — Mandatory contract clauses
Article 28(1) of the Enforcement Decree enumerates eight mandatory clauses that must appear in every entrustment contract, whether the processor is domestic or foreign:
- Prohibition on processing personal information for purposes other than the entrustment — The processor may not use the entrusted personal information for any purpose beyond performing the specific tasks delegated by the controller. This clause must be explicit and must preclude the processor from using the data for its own business purposes, including internal analytics, product development, or marketing, unless the controller has separately authorized such use in writing.
- Technical, administrative, and physical measures to ensure the security of personal information — The contract must specify the security safeguards the processor will implement to prevent loss, theft, leakage, alteration, or damage of the entrusted personal information. These safeguards must satisfy Article 29 PIPA (the controller's general security-obligation provision) and Articles 30 through 32 of the Enforcement Decree (which prescribe minimum technical measures including access controls, encryption of sensitive data, logging and monitoring, and regular security audits). For cross-border entrustments, the contract should reference the specific encryption standards (e.g., AES-256 for data at rest and in transit), the authentication mechanisms (e.g., multi-factor authentication for administrative access), and the breach-detection systems the foreign processor will deploy.
- Restrictions on re-entrustment (subprocessor appointment) — The contract must state whether the processor is permitted to re-entrust the processing to a subprocessor (a "sub-entrustee" in PIPA terminology), and if so, under what conditions. Article 26(4) PIPA requires the controller's prior written consent before the processor may appoint any subprocessor. The contract must include a mechanism for the processor to notify the controller of any planned subprocessor appointment, provide the controller with sufficient information to assess the subprocessor's security and compliance posture (identity, destination country, scope of work, security measures), and obtain the controller's approval before the subprocessor begins processing. If the controller withholds consent, the processor must not engage the subprocessor. For cross-border entrustments, this clause is critical under Article 28-11 PIPA (the onward-transfer rule) — each subprocessor appointment triggers a new cross-border transfer, and the controller must ensure that the subprocessor leg satisfies Article 28-8 (consent, contractual necessity, adequacy, or certification).
- Supervision of the entrustee's personal information processing — The contract must grant the controller the right to audit and supervise the processor's compliance with the entrustment contract and PIPA. This includes on-site inspections of the processor's facilities (whether physical or remote virtual audits for foreign processors), review of the processor's security logs and incident reports, and testing of the processor's access controls and breach-response procedures. The PIPC expects controllers to exercise this supervision right at least annually for high-volume or sensitive data processing, and more frequently (quarterly or semi-annually) for processors handling special categories of personal information such as health data, financial records, or biometric identifiers.
- Liability for damages in cases where the entrustee violates PIPA or the entrustment contract — The contract must allocate liability for harm to data subjects resulting from the processor's breach of PIPA or the contract. Article 26(6) PIPA imposes vicarious liability on the controller: "An entrustee who processes personal information entrusted by a personal information controller shall be deemed an employee of the personal information controller for the purpose of applying the compensation-for-damages provisions under Article 39." In practice, this means the controller is jointly and severally liable with the processor for any damages awarded to data subjects, and the controller cannot disclaim this liability through the contract. However, the contract should include an indemnification clause requiring the processor to indemnify the controller for damages, fines, and legal costs arising from the processor's breach, so that the controller can seek reimbursement after satisfying a judgment or settlement.
- Period of entrustment — The contract must specify the start date and end date of the entrustment relationship, or describe the triggering events for commencement and termination (e.g., "commences upon execution of this Agreement and continues until the earlier of (a) completion of the Project or (b) termination by either party upon 30 days' written notice"). Open-ended entrustment contracts with no termination mechanism are disfavored by the PIPC.
- Return or destruction of personal information upon termination — The contract must require the processor to either return all entrusted personal information to the controller or securely destroy it upon termination of the entrustment, and must prohibit the processor from retaining copies except as required by law. The return/destruction obligation must include a certification process: the processor must provide written certification to the controller within a specified timeframe (e.g., 30 days of termination) confirming that all personal information has been returned or destroyed, including all backup copies, archival copies, and copies held by any subprocessors. For cross-border entrustments, the controller should specify the destruction method (e.g., cryptographic erasure of encryption keys, physical shredding of media, DoD 5220.22-M wipe standard for electronic storage) to ensure compliance with PIPA's security standards under Article 21 (the obligation to destroy personal information without delay when retention is no longer necessary).
- Remedies in case of breach of the entrustment contract — The contract must specify the consequences of the processor's breach, including the controller's right to suspend or terminate the entrustment, demand corrective action, and seek damages. This clause should also address the processor's obligation to notify the controller immediately upon discovering any security incident, data breach, unauthorized access, or regulatory investigation involving the entrusted personal information. For cross-border entrustments, the notification deadline should be short (e.g., 24 hours of discovery) to enable the controller to meet its own breach-notification obligations under Article 34 PIPA (which requires notification to the PIPC and affected data subjects "without delay" and in most cases within 24 hours of becoming aware of a breach that meets the statutory threshold).
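The subprocessor-approval mechanism described in the re-entrustment clause above (notice, assessment, specific prior written consent, and a documented refusal path) can be modelled as a simple gate in front of the subprocessor register. The following is an added example written for this page, not code from the PIPC or from any project; the field names, the 30-day notice lead time, the `legal_basis` labels and the sample notice are assumptions drawn from the surrounding text.

```python
"""Subprocessor approval gate modelled on the PIPA Article 26(4) rule above.

Added example, not code from the page or from any PIPC tooling.  Field
names, the 30-day notice lead time and the sample entries are assumptions
taken from the surrounding text.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTICE_LEAD_DAYS = 30  # assumed minimum notice period before a subprocessor starts
REQUIRED_NOTICE_FIELDS = ("name", "country", "scope", "security_measures")
# Legal bases for the subprocessor leg of the transfer (Article 28-8 as listed above).
ARTICLE_28_8_BASES = {"consent", "contractual_necessity", "adequacy", "certification", "treaty"}


def validate_notice(notice: dict) -> list[str]:
    """Return the problems with a subprocessor notice (empty list means acceptable)."""
    problems = [f"missing field: {f}" for f in REQUIRED_NOTICE_FIELDS if not notice.get(f)]
    if notice.get("legal_basis") not in ARTICLE_28_8_BASES:
        problems.append("subprocessor leg has no Article 28-8 legal basis")
    return problems


@dataclass
class SubprocessorEntry:
    name: str
    country: str
    scope: str
    security_measures: str
    legal_basis: str
    notice_date: date
    approval_date: Optional[date] = None
    approval_ref: Optional[str] = None  # reference to the controller's written consent
    refused: bool = False


class SubprocessorRegister:
    """The subprocessor register: one entry per notice, with the approval decision."""

    def __init__(self) -> None:
        self.entries: dict[str, SubprocessorEntry] = {}

    def notify(self, notice: dict, received: date) -> SubprocessorEntry:
        problems = validate_notice(notice)
        if problems:
            raise ValueError("; ".join(problems))
        entry = SubprocessorEntry(
            name=notice["name"], country=notice["country"], scope=notice["scope"],
            security_measures=notice["security_measures"],
            legal_basis=notice["legal_basis"], notice_date=received,
        )
        self.entries[entry.name] = entry
        return entry

    def approve(self, name: str, decided: date, consent_ref: str) -> None:
        entry = self.entries[name]
        entry.approval_date, entry.approval_ref, entry.refused = decided, consent_ref, False

    def refuse(self, name: str) -> None:
        entry = self.entries[name]
        entry.approval_date, entry.approval_ref, entry.refused = None, None, True

    def may_begin_processing(self, name: str, start: date) -> tuple[bool, str]:
        """Gate the start of processing on a specific, prior, written approval."""
        entry = self.entries.get(name)
        if entry is None:
            return False, "no subprocessor notice on record"
        if entry.refused:
            return False, "controller withheld consent; subprocessor must not be engaged"
        if entry.approval_date is None:
            return False, "no written approval on record (general authorisation is not enough)"
        if entry.approval_date > start:
            return False, "approval is dated after the proposed start"
        if entry.notice_date + timedelta(days=NOTICE_LEAD_DAYS) > start:
            return False, f"notice gave less than {NOTICE_LEAD_DAYS} days' lead time"
        return True, f"approved under {entry.approval_ref} on {entry.approval_date}"


def demo() -> dict[str, tuple[bool, str]]:
    """Walk a constructed notice through the gate; returns each decision."""
    reg = SubprocessorRegister()
    reg.notify({  # constructed sample notice
        "name": "ExampleCloud Pte. Ltd.", "country": "Singapore",
        "scope": "backup storage of customer records",
        "security_measures": "AES-256 at rest, MFA for admin access, SOC 2 Type II",
        "legal_basis": "contractual_necessity",
    }, received=date(2025, 3, 1))
    results = {"before_approval": reg.may_begin_processing("ExampleCloud Pte. Ltd.", date(2025, 4, 15))}
    reg.approve("ExampleCloud Pte. Ltd.", decided=date(2025, 3, 10), consent_ref="CTRL-2025-007")
    results["too_early"] = reg.may_begin_processing("ExampleCloud Pte. Ltd.", date(2025, 3, 20))
    results["on_time"] = reg.may_begin_processing("ExampleCloud Pte. Ltd.", date(2025, 4, 1))
    return results


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label}: {'START' if ok else 'BLOCK'} - {reason}")
```

The gate deliberately has no "general authorisation" state: an entry either carries a dated, referenced approval from the controller or processing stays blocked, which is the distinction between the GDPR Article 28(2) model and PIPA Article 26(4) that the page returns to later. The register also keeps the Article 28-8 basis per subprocessor leg, since each appointment is a fresh cross-border transfer.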
Cross-border-specific considerations — Article 48-10 Enforcement Decree
Article 48-10 of the Enforcement Decree (added by Presidential Decree No. 35343, effective February 25, 2025) imposes additional documentation and safeguard requirements specifically for cross-border transfers, including entrustment to foreign processors. Controllers must:
- Document each cross-border entrustment relationship in records of processing activity, including the processor's identity and contact details, the destination country, the categories of personal information being processed, the purpose of the entrustment, the retention period, the security safeguards implemented by the processor, and the legal basis under Article 28-8 (contractual necessity, adequacy, certification, consent, or treaty).
- Implement supplementary security measures when the destination country does not provide an adequate level of data protection comparable to PIPA. The European Commission's adequacy decision for Korea (Commission Implementing Decision (EU) 2022/254, February 17, 2022) describes this requirement: "For each transfer, specific safeguards must be put in place with respect to security, the handling of complaints and disputes, as well as other measures necessary to protect users' information" (Recital 113). These supplementary measures may include contractual obligations requiring the foreign processor to encrypt all personal information at rest and in transit, to notify the controller of any government access requests or data-localization orders, and to contest overly broad government demands where feasible.
- Establish a complaint-handling mechanism accessible to Korean data subjects, either by requiring the foreign processor to designate a Korean-language contact point or by maintaining a controller-operated helpdesk that fields complaints about the processor's conduct. Article 35 PIPA grants data subjects the right to request access, rectification, erasure, and suspension of processing; these rights must be enforceable against the foreign processor through the entrustment contract, and the controller is responsible for ensuring the processor honors data-subject requests within the PIPA-prescribed timelines (10 days for access requests under Article 35(1), without delay for erasure requests under Article 36(1)).
PIPC enforcement and inspection authority
The PIPC has statutory authority under Article 24 PIPA to inspect controllers' entrustment contracts and assess whether they satisfy Article 26 and Article 28 Enforcement Decree requirements. During audits, the PIPC reviews:
- Whether the eight mandatory clauses appear in the contract;
- Whether the security measures specified in clause 2 are sufficiently detailed and aligned with Article 29 PIPA and the Enforcement Decree security standards;
- Whether the controller has documented the subprocessor approval process and obtained written consent before each subprocessor appointment (clause 3);
- Whether the controller has exercised the supervision right in clause 4 and retained audit reports, inspection records, or security-assessment documentation; and
- Whether the return/destruction certification in clause 7 has been completed for terminated entrustment relationships.
Controllers that use boilerplate GDPR data-processing agreements without adapting them to PIPA's specific requirements are a frequent PIPC enforcement target. Common deficiencies include:
- GDPR DPAs that permit the processor to appoint subprocessors with only general written authorization and subsequent notification to the controller, rather than requiring prior written consent for each specific subprocessor as PIPA Article 26(4) mandates;
- GDPR DPAs that allocate liability based on the "responsibility for the damage" under GDPR Article 82, rather than the strict vicarious liability under PIPA Article 26(6);
- GDPR DPAs that reference EU Standard Contractual Clauses (SCCs) as the transfer mechanism, which PIPA does not recognize as a standalone legal basis — the Korean controller must separately document the Article 28-8 legal basis (adequacy, certification, contractual necessity, or consent) and ensure the contract reflects that basis.
Practical compliance steps
To satisfy Article 26 and Article 28 Enforcement Decree for cross-border entrustment relationships, Korean controllers should:
- Use a Korea-specific data-processing agreement addendum that layers onto the GDPR DPA or other global contract template, explicitly incorporating the eight Article 28 clauses and the PIPA-specific supervision, subprocessor-approval, and return/destruction obligations.
- Document the Article 28-8 legal basis in the contract preamble or recitals — if relying on Article 28-8(1)(2) contractual necessity, state that the entrustment is "necessary for the performance of the contract between the Controller and the data subject" and identify which service features depend on the foreign processor's participation.
- Specify security measures in an annex or schedule to the contract, listing the encryption algorithms, access-control mechanisms, logging systems, breach-detection tools, and audit protocols the processor will deploy. Reference industry standards (e.g., ISO/IEC 27001, SOC 2 Type II, NIST Cybersecurity Framework) and require the processor to maintain current certifications.
- Implement a subprocessor governance process that requires the processor to submit a subprocessor notice at least 30 days before engaging any new subprocessor, providing the subprocessor's name, destination country, scope of work, and security measures, and requiring the controller's affirmative written approval before the subprocessor begins processing. Maintain a subprocessor register documenting each approval decision and the date consent was granted.
- Conduct annual audits of the foreign processor's compliance with the entrustment contract, either through on-site inspections (for major processors), third-party SOC 2 Type II reports, or virtual security assessments, and retain the audit documentation in the records of processing activity for production to the PIPC upon request.
- Include a PIPC-compliant breach-notification clause requiring the processor to notify the controller within 12 hours of discovering any security incident that may constitute a breach under Article 34 PIPA (i.e., an incident that may harm the rights and interests of data subjects), and to cooperate with the controller's breach-investigation and PIPC-notification processes.
- Plan the data-return/destruction process at contract inception, specifying the format for return (e.g., encrypted USB, SFTP transfer to controller-designated server), the destruction method (e.g., cryptographic key deletion, NIST 800-88 media sanitization), and the certification deliverable (written statement signed by the processor's Chief Privacy Officer or equivalent, listing the data categories destroyed, the destruction date, and the method used).
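Both the return/destruction clause above and the last planning step name cryptographic key deletion as a destruction method. The point it has over media wiping is that every copy encrypted under the same data-encryption key (DEK), including backup and subprocessor-held copies, becomes unreadable the moment the DEK is destroyed, and the certification can record the key fingerprint rather than chase each copy. The following is an added example written for this page, not code from the PIPC or any vendor; it uses a stand-in HMAC-SHA256 stream cipher so that it runs on the standard library alone, where a real deployment would use AES-256-GCM from a vetted library (an assumption, as are the dataset id, copy names and signer).

```python
"""Cryptographic erasure (crypto-shredding) of entrusted data and its copies.

Added example, not code from the page, the PIPC or any vendor.  The cipher is
a stand-in built from HMAC-SHA256 so the file runs with the standard library
only; a deployment would use AES-256-GCM (assumption).  All ids are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import date

KEY_LEN = 32  # 256-bit data-encryption key (DEK)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style stand-in: keystream block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def _tag(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag under a MAC subkey derived from the DEK."""
    return hmac.new(hashlib.sha256(b"mac|" + key).digest(), nonce + ciphertext, hashlib.sha256).digest()


def fingerprint(key: bytes) -> str:
    """Non-reversible key identifier recorded on the destruction certificate."""
    return hashlib.sha256(b"fp|" + key).hexdigest()[:16]


class KeyVault:
    """Holds one DEK per dataset.  Destroying the DEK is the erasure step."""

    def __init__(self) -> None:
        self._deks: dict[str, bytes] = {}

    def create(self, dataset_id: str) -> str:
        self._deks[dataset_id] = os.urandom(KEY_LEN)
        return fingerprint(self._deks[dataset_id])

    def has(self, dataset_id: str) -> bool:
        return dataset_id in self._deks

    def destroy(self, dataset_id: str) -> str:
        """Remove the DEK; returns its fingerprint for the certificate."""
        return fingerprint(self._deks.pop(dataset_id))

    def _key(self, dataset_id: str) -> bytes:
        if dataset_id not in self._deks:
            raise LookupError(f"DEK for {dataset_id!r} has been destroyed")
        return self._deks[dataset_id]

    def encrypt(self, dataset_id: str, plaintext: bytes) -> dict:
        key, nonce = self._key(dataset_id), os.urandom(16)
        ct = _keystream_xor(key, nonce, plaintext)
        return {"nonce": nonce, "ciphertext": ct, "tag": _tag(key, nonce, ct)}

    def decrypt(self, dataset_id: str, blob: dict) -> bytes:
        key = self._key(dataset_id)
        if not hmac.compare_digest(blob["tag"], _tag(key, blob["nonce"], blob["ciphertext"])):
            raise ValueError("integrity check failed")
        return _keystream_xor(key, blob["nonce"], blob["ciphertext"])


def crypto_shred(vault: KeyVault, dataset_id: str, copies: list[str], signer: str, on: date) -> dict:
    """Destroy the DEK and produce the written certification the contract calls for."""
    fp = vault.destroy(dataset_id)
    return {"dataset": dataset_id, "method": "cryptographic erasure of DEK",
            "key_fingerprint": fp, "copies_rendered_unreadable": sorted(copies),
            "destroyed_on": on.isoformat(), "certified_by": signer}


def readable(vault: KeyVault, dataset_id: str, blob: dict) -> bool:
    """True if this copy can still be decrypted with the vault's current keys."""
    try:
        vault.decrypt(dataset_id, blob)
        return True
    except (LookupError, ValueError):
        return False


def demo() -> dict:
    vault = KeyVault()
    vault.create("customer-records-2024")  # constructed dataset id
    record = b"name=Hong Gildong;phone=010-0000-0000"  # constructed sample record
    primary = vault.encrypt("customer-records-2024", record)
    backup = dict(primary)  # an archival copy held by a subprocessor shares the DEK
    before = vault.decrypt("customer-records-2024", primary) == record
    cert = crypto_shred(vault, "customer-records-2024",
                        ["primary-db", "backup-site", "subprocessor-archive"],
                        signer="Chief Privacy Officer (constructed)", on=date(2025, 6, 30))
    return {"readable_before": before,
            "primary_readable_after": readable(vault, "customer-records-2024", primary),
            "backup_readable_after": readable(vault, "customer-records-2024", backup),
            "certificate": cert}
```

Calling `demo()` shows the record decrypting before the shred and both the primary and the backup copy failing afterwards, with a certificate that names the copies, the date, the method and the key fingerprint. The design choice that matters for the certification is one DEK per dataset (or per retention scope) held only in the vault: if the same key also protects data the controller must keep, or if the processor holds its own copy of the key, destroying it in the vault proves nothing.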
Interaction with APEC CBPR and adequacy regimes
Korea is a member of the APEC Cross-Border Privacy Rules (CBPR) system, but CBPR certification of a foreign processor does not substitute for compliance with Article 26 and Article 28 Enforcement Decree contractual requirements. A Korean controller entrusting data to a CBPR-certified processor in Singapore or Japan must still include all eight mandatory clauses in the entrustment contract, conduct supervision and audits, and document the Article 28-8 legal basis. CBPR certification is a supplementary accountability signal that may inform the controller's due-diligence assessment of the processor's security posture, but it does not reduce the contractual-clause obligation or the vicarious-liability rule under Article 26(6).
Similarly, when the PIPC operationalizes the adequacy recognition pathway under Article 28-8(1)(5) (recognizing the EU/EEA as of September 16, 2025), transfers to processors in adequate jurisdictions will still require Article 26 entrustment contracts with all eight mandatory clauses. Adequacy recognition eliminates the consent requirement under Article 28-8(1)(1) but does not waive the supervision and contractual-safeguard obligations under Article 26.
Comparison to GDPR controller-processor obligations
PIPA's Article 26 entrustment framework resembles GDPR Article 28 (processor obligations) but diverges in several critical respects:
- Subprocessor authorization — GDPR Article 28(2) permits controllers to grant processors general written authorization to appoint subprocessors, subject to notification and objection rights. PIPA Article 26(4) requires specific prior written consent for each individual subprocessor. Korean controllers cannot use the GDPR general-authorization model.
- Vicarious liability — GDPR Article 82 allocates liability based on responsibility for the damage and whether each party complied with its obligations. PIPA Article 26(6) deems the processor to be the controller's employee for compensation purposes, making the controller strictly liable for the processor's conduct. Korean controllers bear greater liability exposure than EU controllers.
- Mandatory contract clauses — GDPR Article 28(3) requires the contract to address subject matter, duration, processing activities, data-subject rights, and deletion, but does not prescribe the exact wording. PIPA Article 28 Enforcement Decree enumerates eight specific clauses that must appear verbatim or in equivalent form. Korean entrustment contracts are more prescriptive.
- Security-safeguard specificity — GDPR Article 28(3)(c) requires the processor to implement "appropriate technical and organisational measures" but leaves the details to the controller's discretion. PIPA Article 28 Enforcement Decree clause 2 requires the contract to specify the technical, administrative, and physical measures, and those measures must satisfy Articles 30–32 Enforcement Decree (encryption standards, access logging, audit frequency). Korean contracts must be more detailed.
Controllers accustomed to GDPR compliance should not assume their GDPR DPAs are PIPA-compliant. A separate Korea addendum or schedule is typically required to satisfy Article 26 and Article 28 Enforcement Decree.
Source: Personal Information Protection Act, Article 26 (Act No. 19234, effective September 15, 2023)