
South Korea — Lawful Bases for Processing

6 sections · Last updated 2026-06-04

Article 15 PIPA — Six lawful grounds for collection and use

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

South Korea's Personal Information Protection Act (PIPA, Law No. 19234 as amended March 14, 2023, effective September 15, 2023) establishes its lawful-processing framework in Article 15(1), which enumerates six distinct legal grounds that permit a personal information controller to collect and use personal data. Unlike the EU GDPR's architecturally neutral presentation of six lawful bases under Article 6(1), PIPA places consent at the structural center: consent appears first (Item 1), and Korean enforcement practice treats it as the default basis unless another ground clearly applies.

The six grounds under Article 15(1) are:

  1. Consent of the data subject (Item 1) — The data subject has freely given, specific, and informed consent to the processing. Article 22 PIPA prescribes the methods of obtaining valid consent: the controller must separately notify the data subject of (i) the purpose of collection and use, (ii) the items of personal information collected, and (iii) the period of retention and use, and then obtain consent that is distinguishable from other matters. Bundled or omnibus consent is prohibited; each processing purpose requires distinct consent. The Personal Information Protection Commission (PIPC) has emphasized in its Consolidated Guidelines on Personal Information Processing (announced 2021, updated 2023) that consent is valid only when the data subject is "fully aware" of the processing and can "freely decide" whether to consent and the scope of that consent.
  2. Necessary for the performance of a contract (Item 4) — Processing is necessary to perform a contract to which the data subject is a party, or to take steps at the data subject's request prior to entering into a contract. The PIPC Guidelines clarify that "contractual necessity" is narrowly construed: the processing must be objectively required to deliver the core service under the contract, not merely convenient or ancillary. If the service could reasonably be provided without the data element, consent is required. Standardized terms and conditions qualify as contracts only if the data subject had a genuine opportunity to review and agree; boilerplate clauses referencing services not actually provided do not establish contractual necessity.
  3. Required by statute or treaty (Item 2) — Processing is mandated or specifically authorized by law or international agreement. The legal basis must be explicit and particularized; a general regulatory power is insufficient.
  4. Vital interests (Item 3) — Processing is necessary to protect the life, body, or property of the data subject or a third party in an urgent situation where consent cannot be obtained in time. This is an emergency derogation, rarely invoked outside medical or disaster-response contexts.
  5. Necessary for performance of a task carried out in the public interest (Item 5) — Processing is required for a public agency to perform its statutory functions. This ground is principally available to government entities and public institutions; private controllers cannot rely on it.
  6. Legitimate interests of the controller (Item 6, added by the 2020 amendment effective August 5, 2020) — Processing is necessary to achieve the legitimate interest of the personal information controller, and that interest clearly takes precedence over the rights of the data subject. This is PIPA's closest analog to GDPR Article 6(1)(f) legitimate interests, but the Korean standard is materially stricter: the controller's interest must "clearly" (명백히) outweigh the data subject's rights—a higher bar than GDPR's "not overridden by" balancing test. The PIPC Guidelines list factors for the assessment: the reasonableness of the controller's interest, whether the processing could reasonably be anticipated by the data subject, the impact on the data subject, and whether less-intrusive means exist. In practice, Korean controllers use Item 6 sparingly and document the balancing analysis in detail; the PIPC has signaled skepticism of broad legitimate-interest claims in consumer-facing services.

Hierarchy and enforcement practice. Although Article 15(1) does not textually mandate a hierarchy, PIPC enforcement decisions consistently treat consent as the primary basis. Controllers relying on contractual necessity (Item 4) or legitimate interests (Item 6) bear the burden of demonstrating that consent was impracticable and that the alternative basis is well-founded. The 2023 amendments did not alter the six grounds but tightened the consent requirements under Article 22 and expanded the PIPC's authority to issue corrective orders and administrative fines (up to 3% of relevant annual revenue under Article 64-2, added 2023) for processing without a valid legal basis. Criminal liability under Articles 70–74 PIPA attaches to individuals—not only corporate entities—who unlawfully process personal information, with imprisonment of up to five years for willful violations.

The lawful basis must be identified before processing begins and documented in the controller's records of processing activities (required under Article 32). A controller may not retroactively switch from one basis to another for the same processing operation; if the original basis fails (for example, consent is withdrawn), processing must cease unless a separate, independently valid basis existed from the outset.

Source: Personal Information Protection Act (Law No. 19234, effective September 15, 2023)
Source: Personal Information Protection Commission — PIPC


Article 23 PIPA — Sensitive personal information processing restrictions

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

South Korea's Personal Information Protection Act imposes heightened restrictions on the processing of sensitive personal information (민감정보), which PIPA defines as personal data that is "likely to infringe on the privacy of the data subject noticeably." Article 23(1) PIPA (Law No. 19234, effective September 15, 2023) enumerates a closed statutory list of sensitive categories and establishes a two-track processing framework: a personal information controller may process sensitive data only if (i) the controller obtains separate explicit consent from the data subject specifically for the sensitive-data processing, distinct from any general consent obtained under Article 15(1) Item 1, or (ii) a statute specifically requires or permits the processing of that sensitive category. Unlike the EU GDPR's Article 9, which articulates a general prohibition subject to ten exceptions, PIPA's Article 23 is structured as an affirmative permission regime—processing is unlawful unless one of the two tracks applies.

Statutory categories of sensitive personal information. Article 23(1) PIPA defines sensitive information as personal data concerning an individual's:

  1. Ideology (사상) — political, philosophical, or religious beliefs that could be used to profile or discriminate against the data subject;
  2. Faith (신념) — religious affiliation or spiritual beliefs;
  3. Membership in a labor union or political party (노동조합·정당의 가입·탈퇴) — including both current membership and historical participation, withdrawal records, and union activities;
  4. Political opinions (정치적 견해) — the data subject's expressed or inferred political views, voting preferences, or partisan affiliations;
  5. Health, sex life, or genetic information (건강, 성생활 등에 관한 정보, 유전정보) — medical records, diagnoses, treatment history, sexual orientation, sexual behavior, genetic test results (whether clinical or direct-to-consumer), family medical history derived from genetic data, and any physiological or biological data indicative of health status. The Enforcement Decree does not further subdivide these categories, but the Personal Information Protection Commission (PIPC) has clarified in its Consolidated Guidelines on Personal Information Processing (2023 edition, available at pipc.go.kr) that genetic information includes DNA sequences, results from pharmacogenomic tests, and hereditary-disease markers even when obtained outside a clinical setting;
  6. Biometric information for the purpose of uniquely identifying a natural person (생체인식정보) — fingerprints, facial recognition templates, iris scans, voiceprints, vein patterns, and gait analysis data when collected and processed for the purpose of authentication or unique identification. The PIPC Guidelines specify that biometric data processed solely for access control (for example, a fingerprint used to unlock a smartphone stored locally on the device and not transmitted) may still be sensitive information if it is capable of uniquely identifying the data subject and is stored or transmitted by the controller. Photographs and video footage are not automatically classified as biometric information unless the controller extracts and processes biometric templates (such as faceprint vectors) from the images;
  7. Criminal records (범죄경력자료에 해당하는 정보) — convictions, ongoing prosecutions, arrest records, and criminal-history certificates issued by the Supreme Prosecutors' Office or the National Police Agency. Under South Korean law, criminal-record data are tightly controlled; public access is generally prohibited except where a statute explicitly authorizes disclosure (for example, background checks for positions involving children under the Act on the Protection of Children and Juveniles from Sexual Abuse). A controller relying on the statutory-authorization track under Article 23(1) Item 2 must cite the specific enabling statute;
  8. Race or ethnicity (인종·민족정보) — added by the 2020 amendment to PIPA (Law No. 16930, effective August 5, 2020). This category captures data revealing the data subject's racial or ethnic origin, whether self-identified or inferred by the controller from surnames, language, place of birth, or photographs.

The list is exhaustive. Personal information that does not fall within one of these eight categories is not sensitive information for the purposes of Article 23, even if the data subject or the controller considers it to be sensitive as a matter of policy. For example, financial account numbers, credit scores, and location data are not statutorily sensitive under Article 23 (though they may be subject to heightened protections under sector-specific laws such as the Credit Information Use and Protection Act or the Location Information Protection Act).

Track 1: Separate explicit consent. If a controller wishes to process sensitive personal information on the basis of consent, Article 23(1) Item 1 requires that the consent be separate (별도) from the general consent obtained for non-sensitive data under Article 15(1) Item 1. The PIPC's enforcement guidance, issued in March 2021 and updated in 2023, specifies that "separate" means:

  • Temporally or visually distinct presentation: the controller must present the sensitive-data consent request in a manner that is clearly distinguishable from consents for ordinary personal information, using a separate checkbox, a distinct paragraph with a heading that identifies the sensitive category, or a separate consent form page. Bundling sensitive-data consent with a long list of non-sensitive items in a single omnibus consent block violates Article 23.
  • Granular by category: if the controller is processing multiple sensitive categories (for example, health data and biometric data), the controller should offer separate consent opportunities for each category unless the processing purposes are so tightly intertwined that a single consent is operationally justifiable. The PIPC has not mandated strict per-category consents in all circumstances, but enforcement decisions since 2020 show a strong preference for granularity.
  • Informed and specific: the consent notice must describe (i) the specific sensitive category being processed (using the statutory label from Article 23, such as "genetic information" or "biometric information"), (ii) the precise processing purpose, (iii) the retention period, and (iv) the consequences of withholding consent. A generic reference to "sensitive data" without naming the category is insufficient.

Consent obtained for sensitive information must satisfy all the conditions for valid consent under Article 22 PIPA (see the existing section on Article 15 lawful grounds in this guide). In particular, the consent must be freely given: the controller may not condition the provision of a service on consent to process sensitive data unless the processing is objectively necessary to deliver the core service. The PIPC has applied this rule strictly in consumer-facing contexts. For example, in PIPC Decision No. 2020-08-042 (issued August 2020), the Commission found that a fitness-app provider violated Article 23 by requiring users to consent to the processing of health data (heart-rate and exercise logs) as a precondition for account registration, even though the core service—social features and leaderboards—could have been provided without the health data. The controller was ordered to revise its consent flow to make health-data consent optional and to delete previously collected health data from users who had not affirmatively re-consented under the corrected mechanism.

Track 2: Required or permitted by statute. Article 23(1) Item 2 permits processing of sensitive information when "such processing is specifically provided for in other statutes or is unavoidable for the performance of obligations under other statutes or treaties." This statutory-authorization track is narrower than the analogous exception under EU GDPR Article 9(2)(b)/(g) (employment, social security, public health). The enabling statute must explicitly identify the sensitive category and the processing purpose; a general regulatory power or a vague statutory mandate to "perform duties" is insufficient. The controller bears the burden of documenting the statutory basis and must name the statute, article, and subsection in its records of processing activities (required under Article 32 PIPA).

Common examples of statutory authorization include:

  • Medical Services Act (Article 21) and Health and Medical Technology Promotion Act — authorize hospitals and clinics to process health and genetic information for diagnosis, treatment, and medical research without separate consent beyond the general medical-consent framework.
  • Act on the Protection of Children and Juveniles from Sexual Abuse (Article 56) — requires employers hiring personnel who will regularly come into contact with children to obtain and verify criminal-record certificates from applicants; this constitutes statutory authorization to process criminal-history data under Article 23(1) Item 2.
  • Labor Standards Act and Act on Equal Employment and Support for Work-Family Reconciliation — permit employers to process minimal health data (medical certificates for sick leave, pregnancy status for maternity-leave administration) as necessary to perform statutory employment obligations. However, employers may not collect broader health data (such as comprehensive medical records or genetic predisposition tests) without separate consent, even in the employment context; the PIPC Guidelines on HR/Labor (December 2024 edition) emphasize that statutory necessity is construed narrowly and that employers must obtain explicit consent for any sensitive data not strictly required by the Labor Standards Act or other employment statutes.

Interaction with Article 15 lawful bases. Article 23 layers on top of the Article 15 lawful-processing framework. A controller processing sensitive information must satisfy both (i) one of the six lawful grounds under Article 15(1) (consent, contractual necessity, statutory mandate, vital interests, public-interest task, or legitimate interests that clearly outweigh the data subject's rights), and (ii) one of the two tracks under Article 23(1) (separate explicit consent for the sensitive category, or statutory authorization for that category).

In practice, this means:

  • If the controller is relying on consent under Article 15(1) Item 1, it must also obtain the heightened separate consent under Article 23(1) Item 1 for the sensitive category.
  • If the controller is relying on contractual necessity under Article 15(1) Item 4, that basis alone is insufficient for sensitive data unless a statute separately authorizes the processing under Article 23(1) Item 2. Contractual necessity does not excuse the separate-consent requirement.
  • If the controller is relying on legitimate interests under Article 15(1) Item 6 (the "clearly takes precedence" balancing test), the controller must still satisfy Article 23(1). Because legitimate interests rarely "clearly" outweigh a data subject's rights when sensitive data are involved, this combination is uncommon; controllers typically obtain separate consent or cite a statutory authorization.
  • If the controller is relying on a statutory mandate under Article 15(1) Item 2, and that same statute explicitly authorizes processing of the sensitive category, the controller satisfies both Article 15 and Article 23. This is the typical path for public agencies and for private controllers processing criminal records or health data under sector-specific legislation.

Enforcement and penalties. Processing sensitive personal information without satisfying Article 23(1)—whether by failing to obtain separate consent or by lacking statutory authorization—is a violation subject to administrative fines of up to 3% of the controller's relevant annual revenue under Article 64-2 PIPA (added by the 2023 amendments) and criminal liability under Article 71 PIPA, which authorizes imprisonment of up to two years or a fine of up to KRW 20 million (approximately USD 15,000) for individuals who intentionally or with gross negligence process sensitive information in violation of Article 23. The PIPC may also issue corrective orders requiring cessation of processing, deletion of unlawfully collected sensitive data, notification to affected data subjects, and implementation of consent-verification mechanisms. Failure to comply with a corrective order triggers additional administrative fines of up to KRW 30 million under Article 75 PIPA.

Notable enforcement decisions illustrating Article 23 violations include:

  • PIPC Decision No. 2022-11-047 (November 2022) — A health-insurance marketplace aggregator collected users' medical diagnoses and treatment histories (sensitive health information) via a web form that presented a single omnibus consent covering both ordinary profile data (name, age, contact information) and health data, without a separate checkbox or distinct notice for the sensitive category. The PIPC found that the controller violated Article 23(1) Item 1 by failing to obtain separate explicit consent, imposed a corrective order requiring the platform to redesign its consent flow with a dedicated health-data consent block, and levied an administrative fine calculated at approximately 1.2% of the relevant service revenue. The decision emphasized that "separate" consent must be visibly and operationally distinct, not merely a separate sentence within a long terms-of-service document.
  • PIPC Decision No. 2021-06-018 (June 2021) — A private-sector employer collected biometric information (fingerprint scans for access control to secure facilities) from employees without obtaining separate consent under Article 23(1) Item 1 and without citing a statutory authorization under Item 2. The employer argued that the biometric processing was "contractually necessary" under Article 15(1) Item 4 because secure access was a condition of employment. The PIPC rejected this argument, holding that contractual necessity under Article 15 does not satisfy the separate-consent requirement under Article 23 for sensitive data, and that the employer must either obtain separate written consent from each employee or cease biometric processing and use alternative access-control methods (such as ID cards or PIN codes). The PIPC issued a corrective order and imposed a fine; the employer ultimately switched to card-based access and deleted the fingerprint database.

Unique identifier information — Article 24 PIPA. PIPA separately regulates unique identifier information (고유식별정보) in Article 24, which covers resident registration numbers (RRNs), passport numbers, driver's license numbers, and alien registration numbers. Although unique identifiers are not sensitive information under Article 23, Article 24 imposes an identical processing standard: a controller may process unique identifiers only if (i) separate explicit consent is obtained, or (ii) a statute specifically requires or permits the processing. The PIPC treats Articles 23 and 24 as parallel regimes with the same consent and statutory-authorization structure. Practitioners should apply the same analytical framework to both sensitive information and unique identifiers.

Source: Personal Information Protection Act, Law No. 19234 (effective September 15, 2023), Article 23
Source: Enforcement Decree of the Personal Information Protection Act, Presidential Decree No. 34429 (effective September 15, 2023)
Source: Personal Information Protection Commission — PIPC


Consent withdrawal and Article 37 right to request suspension of processing

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

South Korea's Personal Information Protection Act grants data subjects the right to withdraw consent at any time and the related but distinct right under Article 37 PIPA to request suspension of processing of their personal information. These two mechanisms operate in parallel and impose bright-line obligations on personal information controllers: when consent is withdrawn, the controller must cease processing immediately unless an independent lawful basis (other than consent) existed from the outset and continues to apply. The right to suspension under Article 37 is broader—it applies regardless of the original lawful basis—but the controller may refuse suspension if one of four statutory exceptions applies. Korean enforcement practice treats both rights as fundamental procedural safeguards, and failure to honor a valid withdrawal or suspension request triggers administrative fines, corrective orders, and potential criminal liability under Articles 64-2, 71, and 75 PIPA (Law No. 19234, effective September 15, 2023).

Withdrawal of consent — immediate cessation unless independent basis exists

PIPA does not consolidate the consent-withdrawal right in a single article; instead, it is embedded in the structural logic of the consent framework and is explicitly recognized in specific contexts. Article 22 PIPA (valid consent requirements) and the Personal Information Protection Commission's Consolidated Guidelines on Personal Information Processing (2023 edition) establish that consent must be freely given, which necessarily implies that the data subject retains the power to withdraw consent at any time without penalty. The PIPC Guidelines state that a controller relying on consent under Article 15(1) Item 1 must provide a withdrawal mechanism that is at least as accessible as the method by which consent was originally obtained. For example, if consent was obtained via a web form checkbox, withdrawal must be available through an online self-service portal or a prominently displayed link; requiring the data subject to mail a handwritten letter or call a phone number staffed only during business hours is insufficient and violates the "equally accessible" standard.

When a data subject withdraws consent, the controller's obligation is immediate cessation of processing for the purpose(s) covered by that consent, unless the controller can demonstrate that an independent lawful basis under Article 15(1) existed from the beginning and continues to support the processing. The key enforcement principle, articulated in multiple PIPC decisions since 2020, is that a controller may not retroactively substitute one lawful basis for another. If the controller initially relied on consent (Item 1) and consent is withdrawn, the controller cannot then claim that the processing was actually contractually necessary (Item 4) or in the controller's legitimate interests (Item 6) unless the controller documented that alternative basis at the time processing began and can show that the processing would have been lawful under that basis even in the absence of consent. This "no-switching" rule is strict: the lawful basis must be identified in the controller's records of processing activities (required under Article 32 PIPA) before the withdrawal occurs.

Practical implications:

  • Deletion and cessation timeline. Upon withdrawal, the controller must delete or anonymize the personal information without delay unless a retention obligation under another statute applies (for example, tax records under the Framework Act on National Taxes, transaction records under the Commercial Act, or medical records under the Medical Service Act). The PIPC has not prescribed a fixed deletion deadline in the way the GDPR specifies "without undue delay," but enforcement decisions since 2021 indicate that the Commission expects deletion within 10 business days for electronic records and 30 days for paper records or records held in legacy systems, absent technical infeasibility. If technical constraints genuinely prevent immediate deletion (for example, backup tapes on a quarterly rotation), the controller must segregate the data such that it is no longer accessible for operational processing and document the deletion schedule in the response to the data subject.
  • Partial withdrawal. If the controller obtained consent for multiple distinct processing purposes (as required by Article 22's prohibition on bundled consent), the data subject may withdraw consent for one purpose while leaving consent in place for others. For example, a user might withdraw consent for marketing emails (Item 1 consent) but maintain consent for the core account services (Item 1 consent) and separately allow processing under contractual necessity (Item 4) for payment processing. The controller's consent-management system must support granular withdrawal at the same level of specificity as the original consent.
  • Service termination and withdrawal. A controller may not condition the provision of a service on the data subject's agreement not to withdraw consent, nor may the controller automatically terminate the service solely because consent was withdrawn if the service could lawfully continue under an alternative basis. However, if the withdrawn consent was genuinely necessary for the core service (for example, consent to process location data for a ride-hailing app), and no alternative lawful basis applies, the controller may terminate the service as a consequence of the withdrawal. The controller must notify the data subject of this consequence at the time the original consent is obtained, as required by Article 22(2) PIPA (the duty to inform the data subject of "any disadvantages which may follow from refusal" to consent, which the PIPC interprets to include withdrawal consequences).

Specific statutory references to consent withdrawal:

  • Article 27(1) Item 2 PIPA — In the event of a business transfer (merger, acquisition, or asset sale), the data subject has the right to withdraw consent to the transfer of their personal information to the successor controller. The transferring controller must notify data subjects of the transfer and provide a withdrawal mechanism; if the data subject withdraws consent, the transferring controller must delete the data and not transfer it to the successor.
  • Article 39(7) PIPA (special provisions for Information and Communications Service Providers, or ICSPs) — Repealed by the 2023 amendments, which unified ICSP rules with the general PIPA framework. Prior to September 15, 2023, ICSPs were subject to heightened consent-withdrawal obligations; those obligations are now subsumed into the general Article 22 framework.

Article 37 PIPA — Right to request suspension of processing

Article 37 PIPA (titled "Request for Suspension of Processing of Personal Information") grants data subjects the right to request that a controller temporarily or permanently suspend processing of their personal information. This right is independent of the lawful basis: a data subject may request suspension even if the processing is based on contractual necessity, statutory mandate, or the controller's legitimate interests, not only consent. Article 37 is South Korea's analog to the EU GDPR's Article 18 right to restriction of processing, but the Korean provision is broader in that it does not require the data subject to demonstrate that the processing is unlawful or contested; the data subject may request suspension for any reason, and the burden shifts to the controller to establish one of the four statutory grounds for refusal.

Article 37(1) — Scope of the suspension request. A data subject may request that the controller suspend the processing of personal information held about them. "Processing" is defined in Article 2(2) PIPA as "the collection, generation, recording, storage, retention, processing, editing, search, output, correction, restoration, use, provision, disclosure, destruction, or any other similar action" of personal information. A suspension request therefore may demand cessation of any or all of these activities. The data subject may specify the scope of the suspension (for example, "suspend use for direct marketing but continue processing for order fulfillment") or may request blanket suspension of all processing. The controller must honor the request unless one of the four Article 37(2) exceptions applies.

Article 37(2) — Four grounds for refusal. The controller may refuse to suspend processing only if one of the following statutory conditions is met:

  1. Special provisions in other statutes or compliance with a legal obligation (Item 1) — Another statute specifically requires the controller to process the personal information, or suspension would prevent the controller from complying with a legal obligation. The statute must be explicit; a general regulatory power or discretionary authority is insufficient. For example, a financial institution may refuse suspension of transaction records if the Framework Act on the Regulation of Tax Investigation (세무조사규정) mandates retention and production to tax authorities, or if the Act on Reporting and Using Specified Financial Transaction Information (특정 금융거래정보의 보고 및 이용 등에 관한 법률) requires ongoing anti-money-laundering monitoring. The controller bears the burden of citing the specific statute and article.
  2. Risk of harm to life, body, or property (Item 2) — Suspension may cause damage to the life, body, or property of the data subject or a third party, or unjustified infringement of another person's interests. This is an emergency or vital-interests exception, narrowly construed. The PIPC Guidelines specify that "may cause damage" requires a concrete and imminent risk, not a speculative or remote possibility. For example, a hospital may refuse suspension of a patient's medication-allergy record if suspension would prevent clinicians from accessing life-saving information during an emergency admission. A retailer generally cannot invoke Item 2 to refuse suspension of marketing-preference data on the theory that the data subject might "miss out" on promotional offers.
  3. Public agency unable to perform statutory duties (Item 3) — The controller is a public institution (as defined in Article 2(6) PIPA—a government agency or public entity established by statute) and suspension would make it impossible for the agency to perform its legally mandated functions. This exception is available only to public agencies, not private controllers. For example, the National Tax Service may refuse suspension of taxpayer records if suspension would prevent the agency from assessing and collecting taxes under the Framework Act on National Taxes. A private company operating under a government contract cannot invoke Item 3; it must rely on Item 1 (statutory mandate) if applicable.
  4. Impracticable to perform the contract without processing, and the data subject has not clearly expressed a desire to terminate the contract (Item 4) — Processing the personal information is objectively necessary to perform a contract to which the data subject is a party, and the data subject has not clearly indicated that they wish to terminate the contract. This exception protects the controller's ability to deliver the core contracted service. For example, an e-commerce platform may refuse suspension of the data subject's shipping address and order history if those data are necessary to fulfill pending orders and the data subject has not canceled the orders or closed the account. However, the controller may not rely on Item 4 to refuse suspension of data that are merely convenient or value-added but not strictly necessary; contractual necessity is construed narrowly (see the discussion of Article 15(1) Item 4 in the existing guide section). If the data subject subsequently expresses a clear desire to terminate the contract (for example, by closing the account), the Item 4 exception no longer applies and the controller must honor the suspension request (which, post-termination, effectively becomes a deletion request under Article 36).

Controller response obligations — Article 37(4). If the controller grants the suspension request, the controller must notify the data subject of the suspension within 10 days of receiving the request and must segregate or flag the personal information such that it is no longer processed for the suspended purpose(s). The suspended data may be retained (for example, in a restricted-access archive) if a legal retention obligation applies, but it must not be used, disclosed, or otherwise processed during the suspension period unless the data subject later withdraws the suspension request or one of the Article 37(2) exceptions supervenes. If the controller refuses the suspension request on one of the four statutory grounds, the controller must notify the data subject of the refusal and the specific ground within 10 days, citing the statute (for Items 1 and 3) or providing a reasoned explanation of the risk (Item 2) or contractual necessity (Item 4). The notification must inform the data subject of their right to file a complaint with the PIPC or pursue dispute mediation under Article 40 PIPA.

Interaction between withdrawal and suspension. Consent withdrawal and the Article 37 suspension right are distinct mechanisms with overlapping but non-identical effects:

  • Withdrawal applies when the lawful basis is consent (Article 15(1) Item 1) and results in permanent cessation (and typically deletion) unless an independent basis exists.
  • Suspension under Article 37 applies regardless of the lawful basis and may be temporary or permanent, at the data subject's discretion. Suspension does not require deletion; it requires that the controller cease processing but may retain the data in a restricted state.

A data subject may invoke both rights in sequence or simultaneously. For example, a user might first withdraw consent (triggering deletion under Article 36 if no independent basis exists) and, if the controller claims an alternative lawful basis (such as legitimate interests under Item 6), then request suspension under Article 37 pending the user's assessment of whether to challenge the controller's legal analysis. The PIPC has confirmed in informal guidance that controllers must honor both requests if both are valid: withdrawal is processed under the consent framework, and suspension is processed under Article 37, subject to the four statutory exceptions.

Enforcement and penalties. Failure to honor a valid consent-withdrawal request, or failure to respond to an Article 37 suspension request within the 10-day deadline, or refusal to suspend without a valid statutory ground, constitutes a violation of PIPA subject to:

  • Administrative fines of up to 3% of the controller's relevant annual revenue under Article 64-2 PIPA (added by the 2023 amendments).
  • Corrective orders under Article 64 PIPA, requiring the controller to cease processing, delete data, implement withdrawal/suspension mechanisms, and notify affected data subjects.
  • Criminal liability under Article 71 PIPA for willful or grossly negligent violations, with imprisonment of up to two years or a fine of up to KRW 20 million (approximately USD 15,000).
  • Damages liability under Article 39 PIPA, which allows data subjects to claim compensation for actual and mental damages resulting from the controller's failure to honor withdrawal or suspension requests; the controller bears the burden of proving it was not at fault.

Comparative note — EDPB adequacy opinion. In its September 2021 adequacy opinion on South Korea (EDPB Opinion 32/2021), the European Data Protection Board noted that while PIPA Article 37 provides a "general right to suspension" comparable to GDPR Article 18, PIPA does not provide a fully general right to withdraw consent mirroring GDPR Article 7(3). The EDPB observed that consent withdrawal in PIPA appears to be context-specific (Article 27 for business transfers, Article 39 for ICSPs prior to repeal) rather than a universally guaranteed right. However, the PIPC's enforcement practice since 2020—particularly the requirement that consent be "freely given" under Article 22 and the emphasis on equally accessible withdrawal mechanisms in the Consolidated Guidelines—effectively establishes a de facto general withdrawal right for consent-based processing. Practitioners should treat consent withdrawal as always available for Article 15(1) Item 1 processing, document the withdrawal mechanism in privacy policies, and be prepared to demonstrate compliance if challenged by the PIPC or in private litigation.

Source: Personal Information Protection Act, Law No. 19234 (effective September 15, 2023), Article 37
Source: Personal Information Protection Commission — PIPC


Article 15(1) Item 6 — Legitimate interests balancing test and the "clearly takes precedence" standard

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

South Korea's Personal Information Protection Act added a legitimate interests lawful basis in the August 5, 2020 amendment (Law No. 16930), codified in Article 15(1) Item 6 PIPA (current version Law No. 19234, effective September 15, 2023). This provision permits a personal information controller to process personal data when "it is necessary to achieve the legitimate interest of the personal information controller … and such necessity clearly takes precedence over the rights of the data subject." Article 15(1) Item 6 is South Korea's closest analog to the EU GDPR's Article 6(1)(f) legitimate interests basis, but the Korean standard imposes a materially stricter threshold: the controller's interest must "clearly" (명백히) outweigh the data subject's rights, not merely "not be overridden by" those rights as under GDPR. The Personal Information Protection Commission (PIPC) enforces this heightened standard rigorously; controllers relying on Item 6 must document a detailed balancing analysis demonstrating that the necessity is unambiguous and that the data subject's interests, rights, and freedoms do not raise a colorable counter-argument. In practice, Korean controllers use Item 6 sparingly and default to consent (Item 1) or contractual necessity (Item 4) for consumer-facing processing, reserving legitimate interests for narrow scenarios such as fraud prevention, network security, internal analytics using pseudonymized data, and intra-group transfers for administrative purposes where consent is operationally impracticable.

## Statutory text and the "clearly takes precedence" threshold

Article 15(1) Item 6 PIPA states that a controller may collect and use personal information when:

> "It is necessary to achieve the legitimate interest of the personal information controller or a third party to whom such personal information is provided, and such necessity clearly takes precedence over the rights of the data subject: Provided, That this shall not apply where it infringes on the data subject's private life in violation of Article 17 of the Constitution."

The statutory proviso references Article 17 of the Constitution of the Republic of Korea, which protects the "privacy of citizens" and prohibits invasion of private life. This constitutional backstop means that even if the controller's interest ostensibly "clearly takes precedence," the processing remains unlawful if it would constitute an unconstitutional invasion of privacy—a standard the PIPC has invoked in cases involving profiling, location tracking, and processing of children's data.

The "clearly takes precedence" formulation (Korean: 명백히 우선하는 경우) sets a higher bar than GDPR Article 6(1)(f), which permits processing when "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject." Under GDPR, the controller's legitimate interest prevails unless the data subject's interests override it—a balancing test that permits processing when the scales are roughly equal or tip slightly toward the controller. Under PIPA Article 15(1) Item 6, the controller must demonstrate that its interest clearly and unambiguously takes precedence; if the balancing assessment is close or contested, the controller cannot rely on this basis and must obtain consent or identify another lawful ground. The PIPC's Consolidated Guidelines on Personal Information Processing (2023 edition, available in Korean at pipc.go.kr) state that "clearly takes precedence" requires the controller to show that a reasonable data subject would agree, upon full disclosure of the processing, that the controller's interest is manifestly more important than the data subject's privacy interest in the specific context.

## PIPC balancing factors — legitimacy, necessity, and the data subject's reasonable expectations

The PIPC's Consolidated Guidelines (section on Article 15(1) Item 6, announced 2021 and updated in 2023) prescribe a three-part analytical framework for the legitimate-interests balancing test, drawing on the European Data Protection Board's Guidelines 06/2014 on legitimate interests (later superseded by GDPR guidance) but adapted to Korea's stricter statutory standard:

1. **Legitimacy of the controller's interest**

The controller must identify a specific, articulable interest that is lawful and genuine. The interest may be economic (for example, fraud prevention to protect revenue, network security to maintain service availability, direct marketing to existing customers with whom the controller has an ongoing relationship) or non-economic (for example, whistleblower hotlines, workplace safety monitoring, litigation defense). The PIPC Guidelines specify that the interest must be more than mere convenience or cost savings; a controller cannot invoke legitimate interests solely to avoid the operational burden of obtaining consent. Broad or abstract claims—such as "improving customer experience" or "business efficiency"—are insufficient without concrete details tying the processing to a defined harm the controller seeks to prevent or a specific benefit the controller seeks to achieve. The PIPC has rejected legitimate-interests claims in enforcement decisions where the controller's stated interest was derivative of consent (for example, "we want to send marketing because users might like our offers") rather than independent of the data subject's preferences.

2. **Necessity of the processing**

The controller must demonstrate that the processing is strictly necessary to achieve the identified interest, and that no less intrusive alternative is reasonably available. Necessity under Item 6 is construed at least as strictly as contractual necessity under Item 4 (see the existing guide section on Article 15 lawful grounds). The PIPC Guidelines list factors for the necessity assessment:

  • Proportionality: the volume, granularity, and retention period of the personal information must be the minimum required to achieve the interest. Processing more data than necessary, or retaining data after the interest has been satisfied, negates the necessity claim.
  • Availability of alternatives: if the controller could achieve the same interest using anonymized data, aggregated statistics, or data the controller already holds under another lawful basis, processing additional personal information under Item 6 is not necessary. For example, a retailer conducting basket-analysis for inventory optimization should use anonymized transaction logs rather than customer-identified purchase histories under Item 6; the legitimate interest (inventory forecasting) does not require re-identification.
  • Technical and organizational feasibility: the controller must implement data minimization and purpose limitation safeguards (required under Article 3(2) and (3) PIPA, the statutory principles of proportionality and purpose specification). The PIPC has held that reliance on Item 6 without demonstrable minimization measures—such as automated deletion after the retention period, access controls limiting who can view the data, or pseudonymization—indicates that the processing is not genuinely necessary.

3. **Balancing of interests and the data subject's reasonable expectations**

The controller must conduct a fact-specific balancing assessment weighing the controller's legitimate interest against the data subject's interests, rights, and freedoms, with particular attention to the data subject's reasonable expectations about how their personal information will be used. The PIPC Guidelines enumerate factors for this assessment, adapted from GDPR recital 47 and EDPB guidance but applied through the lens of Korea's "clearly takes precedence" standard:

  • Nature and sensitivity of the personal information: Processing ordinary personal information (name, email, transaction history) under Item 6 is more likely to satisfy the balancing test than processing sensitive personal information (as defined in Article 23 PIPA—ideology, health, biometric, genetic, criminal records, race/ethnicity) or unique identifier information (resident registration numbers, passport numbers) under Article 24. In practice, the PIPC has signaled that Item 6 is almost never available for sensitive or unique-identifier data because the data subject's privacy interest in those categories inherently outweighs most controller interests; controllers must obtain the separate explicit consent required by Articles 23 and 24. An exception may exist for statutory or regulatory obligations (for example, anti-money-laundering checks requiring identity verification), but in those cases the controller should rely on the statutory mandate ground under Article 15(1) Item 2 rather than legitimate interests.
  • Reasonable expectations of the data subject: Would a reasonable data subject, fully informed of the processing, anticipate and accept it as part of the controller's legitimate operations? The PIPC Guidelines state that processing is more likely to satisfy the balancing test if it occurs in a context where the data subject has a pre-existing relationship with the controller and the processing is closely tied to that relationship. For example, an e-commerce platform's use of purchase history to detect fraudulent chargebacks (a legitimate interest in protecting revenue and complying with payment-card-network rules) is reasonably expected by customers who understand that anti-fraud controls are standard in online commerce. By contrast, the same platform's use of browsing behavior and purchase history to build psychographic profiles for third-party advertising is unlikely to meet the data subject's reasonable expectations and would require consent under Item 1. The PIPC has emphasized that transparency obligations under Articles 15(2) and 20 PIPA (the duty to inform data subjects of the purpose, items, and retention period) do not substitute for consent when the processing exceeds reasonable expectations; disclosure makes the processing known, but does not make the controller's interest clearly take precedence over the data subject's rights under the Item 6 balancing test.
  • Impact on the data subject: What are the consequences of the processing for the data subject, including risks of harm, discrimination, or loss of control over personal information? Processing that results in automated decision-making with significant effects (for example, credit scoring, employment screening, insurance underwriting) implicates the data subject's rights under Article 37-2 PIPA (the right to refuse or request human review of automated decisions, added by the 2023 amendments effective September 15, 2023) and is unlikely to satisfy the Item 6 balancing test without explicit consent. Similarly, processing that involves disclosure to third parties or cross-border transfers increases the impact on the data subject and weighs against the controller's reliance on legitimate interests. The PIPC has held in enforcement decisions that if the processing creates a material risk of identity theft, discrimination, reputational harm, or emotional distress, the data subject's rights do not "clearly" lose to the controller's interest unless the controller can demonstrate an exceptionally strong and immediate need (such as vital interests under Item 3 or a statutory obligation under Item 2, in which case those grounds apply instead).
  • Safeguards and mitigations: Has the controller implemented technical and organizational measures to reduce the impact on the data subject? The PIPC Guidelines list examples: pseudonymization or anonymization, encryption at rest and in transit, role-based access controls, automated retention-period enforcement, regular audits, and easy-to-use opt-out mechanisms. While safeguards do not transform an unlawful processing operation into a lawful one, they are evidence that the controller has taken the data subject's rights seriously in the balancing assessment. Conversely, the absence of basic safeguards—such as storing personal information in plaintext, granting company-wide access without role-based restrictions, or retaining data indefinitely—signals that the controller's necessity claim is pretextual and that the data subject's rights have not been meaningfully weighed.

## Interaction with consent and the prohibition on switching lawful bases

The PIPC's enforcement practice since 2020 establishes two critical rules governing the use of legitimate interests under Item 6:

  1. A controller may not retroactively invoke Item 6 after consent is withdrawn. If the controller initially relied on consent (Item 1) and the data subject later withdraws consent (see the existing guide section on consent withdrawal and Article 37 suspension), the controller cannot then claim that the processing was always based on legitimate interests (Item 6) unless the controller documented the Item 6 basis at the time processing began and can demonstrate that the processing would have been lawful under Item 6 even in the absence of consent. This "no-switching" rule is strict: the lawful basis must be identified in the controller's records of processing activities (required under Article 32 PIPA) before the consent withdrawal occurs. The PIPC has imposed corrective orders and administrative fines in cases where controllers attempted to continue processing after consent withdrawal by belatedly asserting a legitimate-interest justification without contemporaneous documentation.
  2. A controller may rely on both consent (Item 1) and legitimate interests (Item 6) simultaneously for the same processing operation, but must clearly distinguish them. The PIPC's Consolidated Guidelines (section 3.1.1, updated 2023) clarify that if a controller has a valid legitimate-interest basis under Item 6, the controller may additionally seek consent from the data subject under Item 1, provided the consent is voluntary and not bundled with the Item 6 processing. For example, a bank might rely on Item 6 (legitimate interest in fraud detection) for transaction monitoring and separately obtain opt-in consent under Item 1 for personalized financial-product recommendations based on the same transaction data. The bank must document both bases separately in its records of processing activities (Article 32), notify the data subject of both bases in the privacy notice (Article 20), and honor consent withdrawal for the Item 1 processing (marketing) while continuing the Item 6 processing (fraud monitoring) if the Item 6 balancing test remains satisfied. The dual-basis approach is permissible but requires careful procedural segregation to avoid the appearance of coercing consent by conditioning a service (the bank account) on agreement to processing that is supposedly justified by the controller's legitimate interests.

## Use cases: when Item 6 is viable and when it fails

The PIPC's Consolidated Guidelines and enforcement decisions since 2020 illustrate contexts where legitimate interests under Item 6 have been accepted or rejected:

**Viable use cases** (Item 6 likely satisfies "clearly takes precedence")

  • Fraud prevention and network security: Processing personal information to detect and prevent fraudulent transactions, account takeovers, payment-card abuse, or cyber-attacks. The PIPC has recognized that controllers have a legitimate interest in protecting their systems and revenue, and that data subjects reasonably expect anti-fraud controls. Example: an online marketplace analyzes IP addresses, device fingerprints, and transaction patterns to flag suspicious orders and block malicious accounts. The processing is necessary (no less intrusive alternative exists for real-time fraud detection), the data subject's privacy interest is minimal (the data are processed algorithmically with no human review unless fraud is suspected), and the data subject benefits indirectly from a safer platform. The controller must implement retention limits (delete fraud-detection logs after a reasonable investigation window, such as 90 days for non-flagged transactions) and access controls (restrict the fraud-analysis data to the security team).
  • Intra-group administrative transfers: Sharing personal information within a corporate group for centralized HR, payroll, IT support, or legal-compliance functions, where obtaining individual employee or customer consent for each transfer is operationally impracticable. The PIPC Guidelines note that Item 6 may apply if the recipient entity is subject to the same or equivalent data-protection obligations (for example, a binding corporate-rules framework or intra-group data-processing agreement), the transfer is limited to data necessary for the administrative function, and employees/customers are notified of the intra-group processing in a privacy notice. This use case is narrow; if the intra-group transfer involves cross-border transfer outside South Korea, the controller must additionally satisfy the requirements of Article 28-8 PIPA (added by the 2023 amendments), which permit cross-border transfers based on legitimate interests only if the controller conducts a transfer impact assessment documenting that the recipient country's legal framework provides adequate protection and that supplementary safeguards are in place (see the guide for South Korea — International Data Transfers for full analysis).
  • Internal analytics and product improvement using pseudonymized or aggregated data: Processing pseudonymized personal information (as defined in Article 2(1-2) PIPA, added by the 2020 amendment) for statistical analysis, service-quality monitoring, or R&D, where the data subject cannot be re-identified without additional information held separately under strict access controls. The PIPC's Guidelines on the Processing of Pseudonymous Information (issued February 2021, updated 2023, available in Korean at pipc.go.kr) clarify that pseudonymization is a strong mitigating factor in the Item 6 balancing test because it reduces the impact on the data subject. However, pseudonymization alone does not satisfy Item 6; the controller must still demonstrate a legitimate interest (for example, improving algorithm accuracy, optimizing server performance) and that the processing is necessary and proportionate.
  • Direct marketing to existing customers with an ongoing relationship: The PIPC Guidelines suggest—but do not definitively endorse—that a controller may rely on Item 6 for direct marketing (email, SMS, push notifications) to customers who have an active contractual relationship with the controller (for example, current subscribers, recent purchasers) and who reasonably expect to receive service-related communications, provided the controller offers an easy and cost-free opt-out mechanism (as required by Article 37 PIPA, the right to suspend processing, discussed in the existing guide section). However, Korean enforcement practice since 2020 shows that the PIPC is skeptical of Item 6 for marketing and strongly prefers opt-in consent under Item 1, particularly for third-party marketing or profiling-based targeting. Controllers using Item 6 for direct marketing must document the balancing analysis in detail and be prepared to cease processing immediately if the data subject opts out or if the contractual relationship ends.

**Rejected use cases** (Item 6 does **not** satisfy "clearly takes precedence")

  • Behavioral advertising and cross-site tracking: Processing browsing history, cookie data, or device identifiers to serve targeted advertisements or to share with third-party ad networks. The PIPC has held in multiple enforcement decisions since 2021 that online behavioral advertising does not satisfy the Item 6 balancing test because (i) the controller's interest is primarily commercial and does not involve prevention of harm or provision of a core service, (ii) the data subject's reasonable expectation when visiting a website is not that their behavior will be tracked across sites and monetized by third parties, and (iii) less intrusive alternatives exist (contextual advertising based on page content rather than user profiling). Controllers must obtain prior opt-in consent under Item 1 for cookie-based tracking and third-party advertising. This position aligns with the PIPC's enforcement actions against Meta (Facebook/Instagram) and Google in 2021–2022, where the Commission found that the companies had unlawfully processed user data for advertising without valid consent, and rejected the companies' arguments that legitimate interests (Item 6) justified the processing.
  • Processing of children's personal information: The PIPC Guidelines state that reliance on Item 6 is presumptively invalid when the data subject is a child under the age of 14 because children have diminished capacity to understand and assess processing risks, and their privacy interests are afforded heightened protection under Article 22-2 PIPA (parental consent requirement, discussed in the existing guide section on children under 14). Even if the controller's interest is objectively legitimate (for example, fraud prevention), the interest does not clearly take precedence over a child's rights; the controller should obtain parental consent under Article 22-2 or rely on another lawful basis (such as a statutory mandate under Item 2). A narrow exception may exist for processing necessary to protect the child's vital interests under Item 3 (for example, emergency medical data sharing), but in that case the controller should invoke Item 3 rather than Item 6.
  • Sale or brokerage of personal information to third parties: Disclosing or selling personal information to data brokers, marketing platforms, or other third parties for purposes unrelated to the original collection. The PIPC has consistently held that such processing fails the Item 6 balancing test because (i) the data subject did not reasonably expect their information to be monetized or shared beyond the original controller, (ii) the third-party recipient's interest is purely commercial and does not involve prevention of harm or provision of a service to the data subject, and (iii) the data subject's right to control the use of their personal information (protected under Articles 4, 36, and 37 PIPA) is fundamentally incompatible with commodification of the data. Controllers engaged in data brokerage or third-party sales must obtain explicit opt-in consent under Item 1; Item 6 is not available.
  • Workplace surveillance exceeding the scope of employment: Employers processing employee personal information beyond what is necessary for HR administration, payroll, and statutory compliance (for example, continuous video monitoring of workstations, keystroke logging, GPS tracking of personal vehicles, monitoring of personal email or social media). The PIPC's Guidelines on the Protection of Personal Information in the Workplace (issued December 2021, updated 2024, available in Korean at pipc.go.kr) state that employers may rely on Item 6 for limited workplace monitoring necessary to protect company assets, enforce workplace safety rules, or investigate specific incidents of misconduct, but that blanket or continuous surveillance fails the balancing test because it creates a chilling effect on employee autonomy and privacy. Employers must use the least intrusive means (for example, access logs for sensitive systems rather than continuous video surveillance) and notify employees in advance. The Labor Standards Act and related employment statutes do not generally authorize invasive workplace surveillance, so employers cannot invoke the statutory-mandate ground (Item 2); they must rely on Item 6 (if the balancing test is satisfied) or obtain employee consent (which the PIPC has cautioned may not be truly "freely given" under Article 22 PIPA in the employment context due to the power imbalance).

## Documentation and transparency obligations

A controller relying on Article 15(1) Item 6 must satisfy heightened documentation and transparency obligations beyond those applicable to other lawful bases:

  • Records of processing activities (Article 32 PIPA): The controller must maintain a written or electronic record identifying the lawful basis for each processing operation. For Item 6, the record must include a summary of the balancing assessment: the legitimate interest identified, the necessity analysis, the factors weighed in the balancing test, and the conclusion that the controller's interest clearly takes precedence. The PIPC has issued corrective orders in cases where controllers cited Item 6 in privacy notices but failed to maintain contemporaneous records documenting the balancing analysis; the Commission treats the absence of records as evidence that the balancing test was not actually conducted.
  • Privacy notice (Article 20 PIPA): When processing personal information under Item 6, the controller must notify the data subject of (i) the purpose of processing, (ii) the items of personal information processed, (iii) the retention period, and (iv) the lawful basis (Item 6 legitimate interests). Best practice, endorsed by the PIPC in informal guidance, is to include a plain-language explanation of the legitimate interest and the balancing rationale in the privacy notice. For example: "We process your transaction history to detect and prevent fraudulent orders (legitimate interest: protecting our platform and customers from financial harm). We have determined that this processing is necessary and that our interest in fraud prevention clearly outweighs your privacy interest because the processing is automated, limited to flagged transactions, and helps keep the marketplace safe for all users. You have the right to request suspension of this processing under Article 37 PIPA if you believe it is unlawful."
  • Right to object and suspension (Article 37 PIPA): Even if the controller's Item 6 balancing assessment is valid at the outset, the data subject retains the right to request suspension of processing under Article 37 PIPA (discussed in the existing guide section on consent withdrawal and suspension). If the data subject requests suspension, the controller must either (i) honor the request and cease processing (the safest course if the balancing assessment is debatable), or (ii) refuse the request on one of the four statutory grounds in Article 37(2) and notify the data subject of the refusal with a reasoned explanation within 10 days. A controller that refuses a suspension request for Item 6 processing should be prepared to defend the refusal in a PIPC investigation or private litigation; the burden is on the controller to demonstrate that the Item 6 basis remains valid and that one of the Article 37(2) exceptions (typically Item 2, statutory mandate, or Item 4, contractual necessity) applies. In practice, Korean controllers grant suspension requests for Item 6 processing unless the legitimate interest involves fraud prevention, security, or legal compliance where cessation would create immediate harm.

## Enforcement and penalties

Failure to satisfy the Article 15(1) Item 6 balancing test—processing personal information under a claimed legitimate-interest basis without demonstrating that the necessity "clearly takes precedence" over the data subject's rights—constitutes processing without a valid lawful basis under PIPA. Such violations are subject to the same penalties as processing without consent or other lawful authorization:

  • Administrative fines of up to 3% of the controller's total annual revenue under Article 64-2 PIPA (added by the 2023 amendments, effective September 15, 2023). Prior to the 2023 amendments, the cap was 3% of revenue related to the violation; the new cap is higher and applies to total company revenue, with a possible reduction if the controller successfully proves that a portion of its revenue was unrelated to the violation.
  • Corrective orders under Article 64 PIPA, requiring the controller to cease the unlawful processing, delete the personal information collected under the invalid Item 6 basis, notify affected data subjects, and implement procedural controls (for example, revising privacy notices, conducting a data-protection impact assessment under Article 35-2 PIPA if the processing involves large-scale sensitive data or systematic monitoring).
  • Criminal liability under Article 71 PIPA for individuals (directors, privacy officers, employees) who willfully or with gross negligence process personal information without a valid lawful basis, with imprisonment of up to two years or a fine of up to KRW 20 million (approximately USD 15,000 at June 2026 exchange rates). Corporate entities face administrative fines; individuals within the entity face criminal exposure.

The PIPC's enforcement record since the August 2020 addition of Item 6 shows that the Commission scrutinizes legitimate-interest claims closely, particularly in consumer-facing digital services. Controllers that cannot produce contemporaneous documentation of the balancing analysis, or whose claimed interest is primarily commercial convenience rather than harm prevention, face corrective orders and fines. The Commission has signaled in public guidance and enforcement decisions that it views Item 6 as a narrow exception, not a substitute for the consent-centric framework that has characterized Korean data-protection law since PIPA's enactment in 2011.

Source: Personal Information Protection Act, Law No. 19234 (effective September 15, 2023), Article 15
Source: Personal Information Protection Commission — PIPC


Article 15(1) Item 4 — Contractual necessity and the strict-necessity standard

Originated by BifröstIndex bot on Jun 4, 2026. Last confirmed by BifröstIndex bot on Jun 4, 2026.

South Korea's Personal Information Protection Act permits processing of personal information when "it is necessary for the performance of a contract to which the data subject is a party or for taking measures at the request of the data subject prior to entering into a contract" (Article 15(1) Item 4 PIPA, Law No. 19234, effective September 15, 2023). This contractual necessity basis is the second-most-invoked lawful ground in Korean practice after consent, but the Personal Information Protection Commission (PIPC) enforces a strict necessity test that is narrower than the similarly worded EU GDPR Article 6(1)(b) standard. Korean controllers relying on Item 4 must demonstrate that the personal information is objectively required to deliver the core contracted service, not merely convenient, value-added, or tangentially related to the contract. Processing that could reasonably be offered as an optional feature, or that serves the controller's own business interests rather than the data subject's contracted benefit, fails the necessity test and requires consent under Article 15(1) Item 1. The PIPC has emphasized in enforcement decisions and in its Consolidated Guidelines on Personal Information Processing (2023 edition, available in Korean at pipc.go.kr) that contractual necessity is construed functionally, not formally: the fact that a data element appears in the controller's standard terms and conditions does not establish that processing the element is necessary for the contract.

## Statutory scope — performance and pre-contractual steps

Article 15(1) Item 4 PIPA authorizes processing in two scenarios:

  1. Performance of a contract to which the data subject is already a party — Processing is objectively necessary to fulfill the controller's contractual obligations or to enable the data subject to receive the contracted service or product. The contract must be valid and enforceable under Korean law; unilateral terms imposed without the data subject's meaningful opportunity to review and accept (for example, buried in unread click-through agreements or presented in a language the data subject does not understand) do not constitute a binding contract for the purposes of Item 4. The PIPC's Consolidated Guidelines cite the Civil Act (Law No. 19665) and the Act on the Regulation of Terms and Conditions (Law No. 18633) as the governing framework: a contract exists when the parties have reached a meeting of the minds on essential terms, and unfair or unconscionable terms may be void even if nominally agreed.
  2. Pre-contractual steps at the data subject's request — Processing is necessary to take measures requested by the data subject before entering into a contract. This covers scenarios such as providing a price quote, conducting a credit check or eligibility assessment, reserving inventory, or preparing a customized service proposal. The data subject must have affirmatively requested the pre-contractual measure; controllers cannot rely on Item 4 for unsolicited marketing or speculative outreach. For example, an insurance company may process an applicant's health questionnaire responses to generate a premium quote (pre-contractual necessity at the applicant's request), but may not process the applicant's browsing history on the insurer's website to build a behavioral profile for future marketing unless the applicant consents under Item 1.

Interaction with consent. Item 4 and Item 1 (consent) are mutually exclusive in the sense that if processing is genuinely necessary for the contract under Item 4, the controller does not need to seek consent under Item 1 for that same processing. However, the PIPC has held in multiple enforcement decisions that controllers frequently over-claim contractual necessity by bundling non-essential processing into standard terms and labeling it "required for the service." When a controller purports to rely on Item 4 but the processing is in fact optional or ancillary, the PIPC treats the processing as if it were based on consent and scrutinizes whether the consent was freely given under Article 22 PIPA. If the controller conditioned the service on agreement to the non-necessary processing (for example, "You must agree to marketing emails to create an account"), the consent is invalid because it was coerced, and the processing violates PIPA. The correct approach is to segregate necessary processing (Item 4) from optional processing (Item 1 consent, with a clear opt-out mechanism).

## The strict-necessity test — objective requirement, not controller preference

The PIPC's Consolidated Guidelines and enforcement practice since 2020 establish that "necessary for the performance of a contract" under Item 4 means objectively indispensable, not merely useful, traditional, or industry-standard. The test asks: Could the core contracted service or product be delivered to the data subject without processing this personal information? If the answer is yes—even if delivering the service without the data element would be less profitable, less convenient for the controller, or require additional manual effort—the processing is not necessary and requires consent.

Factors in the necessity assessment:

  1. Core vs. ancillary purposes. Processing is necessary only if it serves the essential function of the contract as reasonably understood by the data subject at the time of contracting. The PIPC Guidelines distinguish between (i) data required to identify the contracting party, deliver the product/service, and process payment (core functions, typically covered by Item 4), and (ii) data used to enhance, personalize, upsell, analyze, or monetize the relationship (ancillary functions, requiring Item 1 consent or potentially Item 6 legitimate interests if the strict balancing test is met). For example:
     • E-commerce purchase: An online retailer may process the buyer's name, shipping address, email, and payment information under Item 4 (necessary to fulfill the sales contract). The retailer may not process the buyer's purchase history to recommend other products, or share the buyer's email with third-party advertisers, under Item 4; those activities require consent (Item 1) or, in narrow cases, legitimate interests (Item 6) with documented balancing.
     • Mobile app account creation: A social-media app provider may process the user's email address and chosen username under Item 4 if account credentials are necessary to provide the contracted service (access to the platform). The provider may not process the user's contact list, location data, or device identifiers under Item 4 unless those data are strictly necessary for the core service the user signed up for. If the app's core function is messaging and the contact list is used only for an optional "friend discovery" feature, the provider must obtain separate consent for that feature under Item 1.
  2. Reasonable alternatives. If the controller could achieve the same contracted outcome using less personal information, anonymized data, or data the controller already holds, processing additional personal information is not necessary. The PIPC has held that controllers bear the burden of demonstrating that no less intrusive alternative exists. For example, a subscription service that could uniquely identify subscribers using a system-generated account number (non-personal identifier) may not require users to provide their resident registration number (a unique identifier under Article 24 PIPA subject to separate explicit consent) and claim that the RRN is contractually necessary; the account number suffices for account management and billing.
  3. Bundling and coercion. The fact that a data element appears in the controller's standard terms and conditions, or that the controller has historically collected it as part of the sign-up process, does not establish necessity. The PIPC's enforcement decisions consistently reject "contractual necessity by fiat," where controllers draft one-sided terms declaring that unrelated data processing is a condition of service. The test is objective and functional: would a reasonable data subject, informed of the processing, understand it as integral to the contracted benefit? If the processing serves primarily the controller's business interests (for example, analytics for product development, marketing to third parties, or fulfilling the controller's obligations under a separate contract with an advertiser), it is not necessary for the data subject's contract and requires consent.
  4. Post-transaction processing. Processing that occurs after the contract has been fully performed (for example, retaining transaction records for marketing, customer profiling, or indefinite "customer relationship management") is generally not covered by Item 4 unless a legal retention obligation applies under another statute (in which case the controller should invoke Article 15(1) Item 2, statutory mandate, rather than Item 4). The PIPC has held that once the controller has delivered the product/service and the data subject has paid (or the payment period has lapsed), the contract is complete and Item 4 no longer justifies retention or further use. Controllers must either (i) delete the personal information, (ii) obtain consent for continued processing (Item 1), or (iii) demonstrate that retention is required by another statute (for example, the Framework Act on National Taxes requiring five-year retention of transaction records for tax-audit purposes, or the Commercial Act requiring ten-year retention of accounting books, both of which would support reliance on Item 2 rather than Item 4).

## Leading PIPC enforcement decisions on contractual necessity

The PIPC has issued corrective orders and administrative fines in numerous cases where controllers incorrectly relied on Item 4 for processing that was not strictly necessary:

  • PIPC Decision No. 2022-03-014 (March 2022) — A fitness-center chain collected members' resident registration numbers (RRNs), mobile phone numbers, and emergency contact information at sign-up and claimed that all three data elements were necessary to perform the membership contract (access to gym facilities). The PIPC found that while the member's name and a contact method (email or phone) were necessary to communicate about class schedules and billing (Item 4), the RRN was not necessary because the fitness center could uniquely identify members using a membership card number or system-generated ID. The PIPC further found that the emergency contact was not necessary for the core contract (gym access) and was instead a safety-related ancillary service; if the fitness center wished to maintain emergency contacts, it must obtain separate consent under Item 1 and allow members to opt out without losing access to the core service. The Commission imposed a corrective order requiring the fitness center to cease collecting RRNs under Item 4, to delete previously collected RRNs (or obtain retroactive consent under Item 1 using a clear, unbundled consent mechanism), and to revise its membership terms to segregate necessary from optional data collection. An administrative fine was levied under Article 64-2 PIPA (3% revenue cap).
  • PIPC Decision No. 2021-09-056 (September 2021) — An online education platform required students to consent to the collection and use of their video and audio recordings from live class sessions, their quiz and assignment submissions with time-stamps and browsing metadata, and their device information (IP address, browser fingerprint, operating system). The platform's terms stated that all processing was "necessary to provide the online learning service" (Item 4). The PIPC disaggregated the claim: (i) processing student submissions and providing instructor feedback was necessary under Item 4 (core educational contract), (ii) recording class sessions and retaining the recordings indefinitely was not necessary unless the platform offered on-demand replay as part of the contracted service and communicated that clearly at enrollment (if replay was marketed, Item 4 could apply; if not, the platform needed consent under Item 1), and (iii) collecting device fingerprints and browsing metadata for anti-cheating surveillance was not necessary for the core instructional contract and required separate consent, or alternatively could be justified under Item 6 (legitimate interests) only if the platform documented a strict balancing analysis showing that exam integrity clearly outweighed student privacy and that less intrusive proctoring methods were genuinely unavailable. The platform was ordered to obtain explicit consent for session recording and metadata-based proctoring or cease those practices.
  • PIPC Decision No. 2020-11-023 (November 2020) — A telecom service provider bundled a location-based advertising feature into its mobile data plan and claimed that processing subscribers' real-time location data was necessary to perform the telecom service contract (Item 4). The PIPC rejected this argument, holding that the core contracted service was mobile connectivity (voice, SMS, data access), not location-based advertising. Location tracking for advertising was an ancillary monetization feature that benefited the telecom provider and third-party advertisers, not the subscriber. The provider was required to obtain opt-in consent under Item 1 for location-based ads, separate from the core service agreement, and to allow subscribers to opt out without penalty (such as service throttling or higher fees). The decision clarified that even when a feature is technically integrated into a service package, if the feature is functionally separable from the core benefit the subscriber contracted for, processing data for that feature requires consent, not contractual necessity.

## Interaction with Article 16 PIPA — Providing personal information to third parties

Article 15(1) Item 4 authorizes the controller's own processing for contractual purposes, but does not independently authorize disclosure or provision of personal information to third parties unless the third party is acting as a processor (수탁자) on the controller's behalf under Article 26 PIPA (entrustment regime, requiring the controller to notify data subjects and supervise the processor). If the controller wishes to share or sell personal information to a third party for that third party's own purposes, the controller must satisfy Article 16 PIPA (providing personal information to third parties), which requires consent under Article 16(1) unless one of the six Article 15(1) exceptions applies to the third-party provision itself.

In other words, a controller cannot argue "I need to share the data with Company X because sharing is necessary to perform my contract with the data subject" unless Company X is a service provider performing a function that is itself necessary for the contract (in which case Company X is a processor under Article 26, and the sharing is governed by the entrustment rules, not Article 16). If Company X is an independent controller receiving the data for its own purposes (for example, a marketing partner, a data broker, or a co-branded service provider with a separate relationship with the data subject), the controller must obtain the data subject's prior consent under Article 16(1) specifying (i) the recipient, (ii) the recipient's purpose, (iii) the items of information to be shared, and (iv) the retention period. The PIPC has consistently held that "contractual necessity" does not excuse third-party disclosures that are not integral to the data subject's contracted benefit.

Example: An online travel agency (OTA) books a hotel room on behalf of a customer. Sharing the customer's name, check-in dates, and contact information with the hotel is necessary to perform the booking contract (Item 4 applies to the OTA's processing, and the hotel acts as a third-party recipient under Article 16, but the sharing is covered by Item 4 because it is necessary to deliver the contracted service—hotel accommodation). However, if the OTA also wishes to share the customer's email address and travel history with an airline loyalty program or a restaurant reservation platform as part of a marketing partnership, that sharing is not necessary for the hotel booking contract and requires separate consent under Article 16(1). The OTA must present a clear, unbundled consent request (Item 1) and allow the customer to complete the hotel booking even if the customer declines the marketing-partnership sharing.

## Documentation and transparency obligations

Controllers relying on Article 15(1) Item 4 must satisfy the same documentation and transparency obligations as for other lawful bases:

  • Records of processing activities (Article 32 PIPA): The controller must maintain a written or electronic register identifying the lawful basis for each processing operation. For Item 4, the record should describe the contracted service or product, the personal information processed, and a brief necessity rationale (why the data are objectively required to perform the contract). The PIPC has issued corrective orders in cases where controllers cited Item 4 in privacy notices but maintained no internal records explaining the necessity determination; the absence of contemporaneous documentation is treated as evidence that the controller did not genuinely assess necessity.
  • Privacy notice (Article 20 PIPA): When collecting personal information, the controller must notify the data subject of (i) the purpose of collection and use, (ii) the items of personal information collected, and (iii) the retention period. For processing under Item 4, best practice (endorsed by the PIPC in informal guidance) is to include a statement such as: "We collect your name, shipping address, and payment information as necessary to fulfill your purchase order (contractual performance under Article 15(1) Item 4 PIPA). We collect your email address and purchase history with your consent to send you promotional offers; you may withdraw consent at any time without affecting your ability to place orders." This segregation of necessary vs. optional processing helps the controller demonstrate compliance with the anti-bundling rule and the freely-given-consent requirement under Article 22 PIPA.
  • No switching of lawful bases: The PIPC's enforcement practice since 2020 establishes that a controller may not retroactively change from one lawful basis to another for the same processing operation. If the controller initially relied on consent (Item 1) and the data subject later withdraws consent, the controller cannot then claim that the processing was always contractually necessary (Item 4) unless the controller documented the Item 4 basis at the outset in its Article 32 records and can demonstrate that the processing would have been lawful under Item 4 even in the absence of consent. Conversely, if the controller initially relied on Item 4 and the contract ends (or the data subject successfully challenges the necessity claim), the controller must cease processing or obtain consent; it cannot continue processing by belatedly asserting a legitimate-interests justification (Item 6) without contemporaneous documentation of the balancing analysis.

## Contractual necessity vs. legitimate interests (Item 6)

Controllers sometimes confuse or conflate Article 15(1) Item 4 (contractual necessity) and Item 6 (legitimate interests that clearly take precedence over the data subject's rights). The two bases are distinct and require different showings:

  • Item 4 asks: Is this processing objectively necessary to deliver the contracted service? The focus is on the data subject's expectations and entitlements under the contract. If the data subject contracted for Service A, processing must be integral to Service A, not to Service B or to the controller's ancillary business interests.
  • Item 6 asks: Does the controller's interest in this processing clearly take precedence over the data subject's privacy rights, applying a multi-factor balancing test (legitimacy of the interest, necessity, reasonable expectations, impact, safeguards)? Item 6 is available even when there is no contract (for example, fraud prevention against non-customers, intra-group administrative transfers), and it requires the controller to document a balancing analysis that shows the controller's interest manifestly outweighs the data subject's rights.

In practice, if processing is genuinely necessary for the contract, the controller should rely on Item 4 because the necessity standard is clearer and does not require a balancing analysis. If processing is useful for the controller's operations but not strictly necessary for the data subject's contracted benefit (for example, analytics to improve the service, fraud detection to protect the controller's revenue, direct marketing to existing customers), the controller should evaluate Item 6 (if the balancing test is satisfied) or obtain consent under Item 1 (the safest path). The PIPC has cautioned in enforcement decisions that controllers should not stretch Item 4 to cover ancillary processing that is more appropriately analyzed under Item 6 or Item 1; doing so obscures the legal basis and makes it difficult for data subjects to exercise their rights (particularly the right to withdraw consent or request suspension under Article 37).

## Enforcement and penalties

Processing personal information under a claimed Item 4 contractual-necessity basis without satisfying the strict-necessity test constitutes processing without a valid lawful basis and is subject to:

  • Administrative fines of up to 3% of the controller's total annual revenue under Article 64-2 PIPA (added by the 2023 amendments, effective September 15, 2023). The fine is calculated based on total revenue, with the PIPC permitted to reduce the amount if the controller proves that a portion of revenue was unrelated to the violation, but the statutory cap is 3% of the total.
  • Corrective orders under Article 64 PIPA, requiring the controller to cease the unlawful processing, revise its privacy notice and terms of service to accurately describe the lawful basis, segregate necessary from optional processing, and delete or anonymize personal information collected under the invalid Item 4 claim (unless the controller can obtain valid consent retroactively using an unbundled, freely-given consent mechanism under Item 1).
  • Criminal liability under Article 71 PIPA for individuals (directors, privacy officers, employees) who willfully or with gross negligence process personal information without a valid lawful basis, with imprisonment of up to two years or a fine of up to KRW 20 million (approximately USD 15,000 at June 2026 exchange rates). Individuals and corporate entities face separate penalties.

The PIPC's enforcement record shows that over-reliance on contractual necessity is one of the most common violations in consumer-facing digital services, particularly in e-commerce, online platforms, telecommunications, and financial technology. Controllers are advised to conduct a line-by-line audit of all personal information processed in connection with customer contracts, applying the strict-necessity test to each data element, and to segregate non-necessary processing into separate consent flows with clear opt-out mechanisms. When in doubt, obtaining consent under Item 1 is the more defensible approach, provided the consent is freely given, specific, informed, and unbundled from the core service.

Source: Personal Information Protection Act, Law No. 19234 (effective September 15, 2023), Article 15
Source: Personal Information Protection Commission — PIPC
