Territorial scope — PIPA application to foreign operators
The Personal Information Protection Act (PIPA, Act No. 10465, enacted March 29, 2011, entered into force September 30, 2011) is South Korea's comprehensive data-protection statute. PIPA applies to any "personal information controller" — a natural person, legal entity, public institution, or organization that processes personal information for business purposes (Art. 2(5) PIPA). The Personal Information Protection Commission (PIPC), established as an independent central administrative agency under the Prime Minister by the 2020 amendments (effective August 5, 2020), is the supervisory authority with investigation, adjudication, and fine-imposition powers (Arts. 7–8 PIPA).
No express territorial clause — extraterritorial application asserted in practice
Unlike GDPR Article 3, PIPA does not codify an express territorial or extraterritorial scope provision. Article 2 defines covered entities and activities but is silent on geographic reach. In practice, PIPC applies PIPA to foreign operators when their processing activities directly and substantially affect Korean data subjects. The Commission examines factors including whether the entity provides goods or services targeted at individuals in South Korea, whether the entity generates revenue from Korean users, whether Korean-language interfaces or Korean payment methods are offered, and whether the entity monitors the behavior of Korean residents.
PIPC Guidelines on Foreign Business Operators (2024)
In July 2024 PIPC published "Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators" to clarify when foreign entities must comply. The Guidelines state that PIPA may apply to an overseas business if:
- The entity provides goods or services globally, including to Korean data subjects;
- The entity's processing of personal information substantially affects Korean data subjects, regardless of whether services are explicitly targeted at Korea; or
- The entity has an establishment in Korean territory where personal information is processed.
Impact on Korean data subjects is assessed case-by-case. For example, PIPC enforced PIPA against an overseas social-media platform that collected behavioral information through user identifiers targeting Korean subscribers even though the platform had no physical presence in Korea. The Commission also imposed penalties on Google and Meta in September 2022 (Google fined KRW 69.2 billion / approximately USD 50 million; Meta fined KRW 30.8 billion / approximately USD 22 million) for violations affecting Korean users.
Material scope — personal information controllers and processors
PIPA governs the collection, use, provision, and destruction of "personal information" — information relating to a living individual that identifies that person directly (e.g., name, resident registration number, image) or indirectly when combined with other information (Art. 2(1) PIPA). Both automated and manual processing fall within scope if the data form part of a "personal information file" — a systematically organized dataset searchable by specific criteria (Art. 2(4) PIPA).
The Act applies to public institutions (central government ministries, local governments, public schools, and designated public agencies under Art. 2(6)) and private-sector controllers without distinction, though certain obligations (e.g., registration of personal-information files under Art. 32, mandatory data-protection impact assessments under Art. 33) apply only to public institutions. PIPA exempts processing for purely personal or household purposes (the "household exception" under Art. 58(4)), provided the data are not used for commercial activity.
EU adequacy decision confirms scope alignment
On December 17, 2021, the European Commission adopted an adequacy decision under GDPR Article 45 recognizing South Korea's data-protection framework (Commission Implementing Decision (EU) 2021/2254). The decision confirms that PIPA's material scope — covering automated and manual processing of structured data sets — aligns with GDPR Article 2(1), and that Korea applies its law extraterritorially based on substantial effect, paralleling GDPR's targeting standard under Article 3(2).
2023 amendments — enhanced penalties and cross-border obligations
Amendments enacted February 27, 2023 (most provisions effective September 15, 2023) expanded PIPC's enforcement powers and tightened cross-border transfer requirements. Article 17(3) now mandates separate consent for overseas transfers unless covered by statute, international agreement, PIPC-certified recipient status, or PIPC adequacy recognition. The 2023 amendments also raised maximum administrative fines to 10% of total revenue for intentional or grossly negligent repeated violations affecting 10 million or more individuals, or for failures to comply with PIPC corrective orders that result in a breach (Art. 64-2 PIPA as amended).
Source: Personal Information Protection Act (law.go.kr English translation page)
Source: PIPC official site
Source: Commission Implementing Decision (EU) 2021/2254 of 17 December 2021 on adequacy (EUR-Lex)
Definition of "personal information" and special-category regime — sensitive information and unique identifiers
PIPA regulates the processing of "personal information" — information relating to a living individual that identifies that person directly (e.g., name, resident registration number, image) or indirectly when combined with other information (Art. 2(1) PIPA). Both automated and manual processing fall within scope if the data form part of a "personal information file," defined as a systematically organized dataset searchable by specific criteria (Art. 2(4) PIPA). Cookies, log files, and IP addresses may also constitute personal information when, combined with other information, they enable identification of an individual.
Sensitive information — Article 23 separate-consent requirement
PIPA establishes a two-tier data-protection framework. Article 23 imposes heightened obligations on "sensitive information" (민감정보, mingamjeongbo) — personal information the processing of which may seriously infringe privacy. Unless another statute expressly permits processing, controllers must obtain separate, explicit consent from the data subject to process sensitive information (Art. 23(1) PIPA).
Article 23 defines sensitive information as information concerning:
- Ideology or beliefs;
- Membership in or withdrawal from a labor union or political party;
- Political opinions;
- Health or sex life;
- Genetic information;
- Criminal history;
- Biometric data used for identification purposes; and
- Race or ethnicity.
The Enforcement Decree may prescribe additional categories by Presidential Decree. PIPC has emphasized in enforcement decisions that "separate consent" means consent obtained independently of general consent for ordinary personal information, ensuring the data subject is specifically aware of the collection and use of sensitive data. The Google and Meta enforcement decisions of September 2022 — fining Google KRW 69.2 billion (approximately USD 50 million) and Meta KRW 30.8 billion (approximately USD 22 million) — centered on failures to inform users adequately about the collection and processing of sensitive information (specifically, behavioral data inferred to reflect political opinions, beliefs, and interests).
Unique identification information — Article 24 parallel regime
Article 24(1) PIPA establishes a parallel heightened-consent regime for "unique identification information" (고유식별정보, goyusikbyeoljeongbo) — government-assigned identifiers that uniquely identify an individual across datasets. Controllers may not process unique identification information unless permitted by statute or Presidential Decree, or when necessary to prevent imminent danger to life, body, or property where the data subject cannot provide consent.
Article 19 of the Enforcement Decree specifies the following as unique identification information:
- Resident registration number (주민등록번호);
- Passport number;
- Driver's license number;
- Alien registration number (for foreign residents).
Article 24-2 further restricts processing of resident registration numbers specifically. Controllers may collect or permanently store resident registration numbers only when required by statute or when processing is unavoidable for verifying identity in connection with a contract (Art. 24-2(1) PIPA). Where feasible, controllers must offer alternative means of identification (e.g., I-PIN, a public Internet pseudonym number system administered by Korea Internet & Security Agency).
Enhanced security and notification obligations
Controllers processing sensitive information or unique identification information face additional security obligations. Article 20(2) PIPA and Article 15-2 of the Enforcement Decree require controllers processing sensitive information or unique identifiers for 50,000 or more data subjects to disclose in their privacy policy:
- The statutory authority or lawful basis for processing the information;
- The specific categories of sensitive or unique-identifier data processed;
- The purpose and retention period; and
- Whether the information is provided to third parties, and if so, the recipients and purpose.
Breach notification obligations under Article 34 apply to all personal information, but breaches involving sensitive information or unique identifiers typically trigger the "high risk" threshold requiring notification to affected data subjects in addition to the PIPC report.
Comparison with GDPR Article 9 special categories
PIPA's sensitive-information regime parallels GDPR Article 9 special-category data but is consent-centric rather than offering a multi-basis framework. GDPR Article 9(2) permits processing of special-category data on ten distinct grounds (explicit consent, employment law, vital interests, legitimate activities of foundations, manifestly public data, legal claims, substantial public interest, health/social care, public health, archiving/research). PIPA's Article 23(1) requires separate consent unless another statute expressly permits processing, effectively channeling most private-sector sensitive-data processing through consent. This design aligns with Korea's broader privacy posture: consent is the default lawful basis for all personal-information processing under Article 15 PIPA, and sensitive categories layer a second, explicit consent requirement on top.
Source: Personal Information Protection Act, Act No. 10465 (law.go.kr English translation)
Source: Enforcement Decree of the Personal Information Protection Act (law.go.kr)
Source: Personal Information Protection Commission (PIPC) official website
Statutory exemptions — Article 58 journalism, research, public-interest, and household exceptions
PIPA establishes comprehensive obligations for personal information controllers across Articles 15 through 57, but Article 58 carves out four categories of partial exemptions and one narrow household exception. These exemptions do not create blanket immunity; even when an exemption applies, controllers remain subject to residual data minimization, security, and individual-complaint obligations under Article 58(4) PIPA.
Article 58(1) PIPA — four partial exemptions from core obligations
Article 58(1) PIPA exempts four categories of personal information processing from most substantive obligations in Articles 15–57 (consent requirements, notice obligations, data-subject rights, privacy-policy publication, privacy-officer appointment, and breach notification). The exemptions cover:
- Statistics collection under the Statistics Act — Personal information collected and processed by public institutions pursuant to the Statistics Act for statistical purposes. Article 33 Statistics Act requires public institutions to protect respondent information and prohibits use for any purpose other than compiling statistics.
- National security purposes — Personal information collected or requested for data analysis related to national security matters. This exemption applies only during the national security situation justifying the processing; once that situation has ended, the exemption terminates and full PIPA compliance obligations resume (Recital 196, Commission Implementing Decision (EU) 2021/2254). Article 37(2) of the Korean Constitution requires that any restriction on fundamental rights for national security must not violate the essential aspect of that right.
- Journalism, academic research, and artistic purposes — Personal information processed in the course of journalism, academic or artistic expression, and other expressive activities protected under freedom of speech and expression. This exemption recognizes the constitutional balance between privacy and freedom of expression under Article 21 of the Korean Constitution.
- Unavoidable governmental processing — Personal information processing that is unavoidable for a governmental agency or public institution to perform its statutory duties as set out in any Act or subordinate statute (Art. 58(1)(3), (4) PIPA and Art. 15(3), 17(3) PIPA). This covers emergency situations where processing is clearly necessary to preserve life, avoid bodily injury, or prevent property damage or loss, and the data subject is unable to provide consent (Arts. 15(5), 17(5) PIPA).
Article 58(3) PIPA — partial exemption for social groups and hobby clubs
Article 58(3) PIPA exempts processing of personal information to operate groups or associations for friendship (e.g., hobby clubs) from three specific obligations: Article 15 (collection and use requirements), Article 30 (public privacy-policy obligation), and Article 31 (privacy-officer appointment). Because such groups are considered purely personal in nature with no connection to professional or commercial activity, no specific lawful basis such as consent is required to collect and use member information in this context (Recital 40, Commission Implementing Decision (EU) 2021/2254).
Critical limitation: all other PIPA provisions — data minimization, purpose limitation, lawfulness of processing, security, and individual rights under Articles 4, 35–38 — continue to apply. Moreover, any processing of personal information beyond the purpose of establishing and operating the social group loses the exemption entirely. For example, a hobby club that sells member lists to third parties or uses member data for commercial marketing cannot rely on the Article 58(3) exception.
Article 58(4) PIPA — residual obligations binding all exempt processing
Even when a partial exemption under Article 58(1) or (3) applies, controllers remain subject to four core obligations:
- Data minimization — Process personal information only to the minimum extent necessary to attain the intended purpose;
- Limited retention — Process the information for a minimum period consistent with the purpose;
- Security safeguards — Implement technical, managerial, and physical safeguards for safe management and appropriate processing; and
- Individual complaints — Maintain measures to ensure proper treatment of individual complaints.
These residual obligations apply without exception to all four categories of exempt processing under Article 58(1) and to social-group processing under Article 58(3) (Recital 40, Commission Implementing Decision (EU) 2021/2254). Controllers relying on an Article 58 exemption must document compliance with these baseline obligations.
No general household exception — contrast with GDPR Article 2(2)(c)
Unlike GDPR Article 2(2)(c), which broadly excludes "purely personal or household activities" from scope, PIPA does not establish a general household exception. Article 58(3) provides a narrow carve-out for social clubs and friendship groups, but commercial use or processing outside the group context triggers full PIPA compliance. Personal or household processing that does not fall within a social-group structure (e.g., an individual maintaining a personal contact database) is technically within PIPA's material scope, though enforcement against purely personal non-commercial processing is rare.
Enforcement context — exemptions construed narrowly
PIPC applies Article 58 exemptions narrowly. In the September 2022 enforcement actions against Google (KRW 69.2 billion fine) and Meta (KRW 30.8 billion fine), both companies argued that behavioral tracking constituted research or product improvement exempt under Article 58(1). PIPC rejected the argument, holding that commercial monetization of inferred political opinions and beliefs through targeted advertising fell outside the journalism/research exemption and required separate consent under Article 23 PIPA's sensitive-information regime. The decisions confirm that partial exemptions do not apply when processing serves primarily commercial purposes, even if incidentally producing research insights.
Cross-border transfers and Article 58 exemptions
The 2023 PIPA amendments (effective September 15, 2023) tightened cross-border transfer requirements under Article 17(3), mandating separate consent for overseas transfers unless covered by statute, international agreement, PIPC-certified recipient status, or PIPC adequacy recognition. Exempt processing under Article 58(1) does not automatically exempt cross-border transfers; controllers relying on an Article 58(1) exemption must still comply with Article 17(3) separate-consent or alternative-mechanism requirements when transferring personal information outside Korea, unless the transfer itself is expressly authorized by the same statute granting the Article 58(1) exemption.
Source: Personal Information Protection Act, Act No. 10465 (law.go.kr English translation)
Source: Commission Implementing Decision (EU) 2021/2254 of 17 December 2021 on the adequate protection of personal data by the Republic of Korea (EUR-Lex)
Controller vs. processor distinction — Articles 2(5) and 2(6) definitions and entrustment obligations
PIPA distinguishes between two primary data-handling roles: the personal information controller (개인정보처리자, gaeinjeongbocheorija) and the personal information processor (수탁자, sutakja, also translated as "entrusted entity" or "consignee"). The controller bears ultimate responsibility for compliance; the processor acts under the controller's instructions. This framework parallels the GDPR Article 4(7)/(8) controller-processor distinction but uses different statutory language and imposes joint-and-several liability in certain breach scenarios.
Personal information controller — Article 2(5) PIPA
Article 2(5) PIPA defines a "personal information controller" as a public institution, legal entity, organization, or individual that processes personal information files directly or through another person for the purpose of operating the files as part of its business activities. A "personal information file" means a set of personal information systematically arranged or organized according to certain rules for easy retrieval (Art. 2(4) PIPA). The controller determines the purposes and means of processing and is subject to the full suite of PIPA obligations: obtaining consent or establishing another lawful basis under Article 15, implementing security safeguards under Article 29, appointing a Chief Privacy Officer under Article 31, publishing a privacy policy under Article 30, honoring data-subject rights under Articles 35–38, notifying breaches under Article 34, and complying with cross-border transfer requirements under Article 17.
The controller definition is functional rather than formal. An entity that decides why and how personal information is processed qualifies as a controller regardless of whether it labels itself differently. For example, a foreign platform operator targeting Korean users is a personal information controller under PIPA even if it has no physical establishment in Korea and processes data on overseas servers, as confirmed in the July 2024 PIPC Guidelines on Applying PIPA to Foreign Business Operators and in the September 2022 enforcement decisions against Google and Meta.
Personal information processor (entrusted entity) — Article 2(6) and Articles 26–27 PIPA
Article 2(6) PIPA defines a "personal information processor" as a person or entity that has been entrusted by a personal information controller with the task of processing personal information. The processor acts on behalf of and under the instruction of the controller. Common processor relationships include cloud-hosting providers storing personal information for a controller, payroll-service providers processing employee data on behalf of an employer, and marketing agencies sending emails to customer lists provided by the controller.
PIPA does not use the term "data processor" directly; instead, the law refers to entrustment (위탁, witak). Articles 26 and 27 PIPA govern entrustment arrangements and impose mandatory requirements on both controller and processor.
Article 26 PIPA — controller duties when entrusting processing
When a personal information controller entrusts the processing of personal information to a third party, Article 26 PIPA mandates the following:
- Written contract or equivalent documentation — The entrustment arrangement must be documented in writing (or in electronic form equivalent to a written document under the Framework Act on Electronic Documents and Transactions). The contract must specify at a minimum: (a) the prohibition on processing personal information for purposes other than the entrusted task, (b) technical and managerial safeguards for protecting personal information, (c) restrictions on re-entrustment (sub-processing), (d) supervision and inspection by the controller, (e) liability for damages, and (f) return or destruction of personal information upon termination of the entrustment (Art. 26(2) PIPA and Art. 28 of the Enforcement Decree).
- Public disclosure of processor identity and scope — The controller must disclose to data subjects, in a manner easily accessible (typically in the privacy policy published under Article 30 PIPA), the identity of the entrusted processor and the scope of work entrusted. If the processor identity or scope changes, the controller must update the disclosure (Art. 26(1) PIPA).
- Supervision of processor — The controller must supervise the processor to ensure the processor handles personal information safely and does not use it for unauthorized purposes. Supervision includes periodic audits, contract-compliance monitoring, and directing corrective action when deficiencies are identified (Art. 26(3) PIPA).
- Education and training — The controller must provide or ensure the processor receives education on personal-information protection (Art. 26(4) PIPA).
Failure to comply with Article 26 entrustment requirements exposes the controller to administrative fines under Article 75 PIPA and potential civil liability under Article 39 PIPA if a data subject suffers damages.
Article 27 PIPA — processor (entrusted entity) duties and joint liability
Article 27 PIPA imposes two critical rules on processors:
- Processor treated as controller's employee for liability purposes — If a processor violates PIPA while processing personal information on behalf of a controller, the processor is deemed an employee of the controller for purposes of the controller's liability under Article 39 PIPA. This creates joint-and-several liability: a data subject injured by the processor's breach can sue the controller, the processor, or both, and recover the full amount of damages from either. The controller may then seek indemnification from the processor based on the entrustment contract, but the data subject need not prove which party was primarily at fault (Art. 27 PIPA).
- Processor bound by PIPA security and confidentiality obligations — The processor must comply with PIPA's security requirements (Art. 29 technical, managerial, and physical safeguards), purpose-limitation rules (Art. 3(2)), and must not use the entrusted personal information for any purpose other than the entrusted task. Processors processing personal information for 100,000 or more data subjects in the preceding year must designate their own Chief Privacy Officer (Art. 31(2) PIPA as amended in 2023).
Re-entrustment (sub-processing) restrictions
Article 26(5) PIPA permits a processor to re-entrust the processing to a sub-processor only with the prior consent of the original controller. The controller's privacy policy must disclose any re-entrustment arrangements. If a sub-processor is engaged, the original processor becomes a controller vis-à-vis the sub-processor and must comply with Article 26 entrustment obligations (written contract, supervision, education). The chain of liability under Article 27 extends through the sub-processing relationship: the original controller remains jointly and severally liable for breaches by the sub-processor.
Distinction from GDPR controller-processor framework
PIPA's entrustment model differs from GDPR Articles 28 and 82 in two key respects:
- Joint-and-several liability is the default — GDPR Article 82(2)–(5) permits a processor to limit liability by proving it was not responsible for the event giving rise to damage or that it acted outside or contrary to lawful instructions. PIPA's Article 27 deems the processor the controller's employee, channeling liability to the controller automatically and leaving allocation of fault to private indemnification between the parties. This increases the controller's exposure and incentivizes rigorous processor due diligence.
- No standalone processor obligations chapter — GDPR Article 28 imposes direct obligations on processors (maintain records of processing, cooperate with supervisory authorities, implement security measures) enforceable by the supervisory authority against the processor. PIPA embeds processor security obligations in Article 29 and relies on the controller's Article 26 supervision duty to ensure processor compliance. PIPC enforcement actions typically name the controller as the primary respondent, though processors may face direct penalties for gross negligence or intentional breaches under Article 71 (criminal sanctions for unlawful provision or theft of personal information).
Cross-border entrustment — interaction with Article 17 transfer requirements
When a Korean controller entrusts processing to a processor located outside Korea, the entrustment constitutes a cross-border transfer subject to Article 17(3) PIPA. The 2023 amendments (effective September 15, 2023) require the controller to obtain separate consent for overseas transfers unless an exception applies (statutory authorization, international agreement, PIPC-certified recipient, or PIPC adequacy recognition). The controller must inform data subjects of: (a) the recipient's identity and contact information, (b) the country of transfer, (c) the date and method of transfer, (d) the purpose of the recipient's processing, and (e) the retention period (Art. 17(4) PIPA). On September 16, 2025, PIPC recognized the European Union as providing adequate protection, allowing transfers to EU-based processors without separate consent (except for resident registration numbers and personal credit information covered by the Credit Information Use and Protection Act).
Controllers relying on overseas processors must document the Article 26 entrustment contract and the Article 17 transfer consent or alternative legal mechanism in tandem. Non-compliance with either exposes the controller to administrative fines of up to 3% of revenue (for transfer violations under Art. 64-2 PIPA) and private damages claims under Article 39.
Practical identification — when you are a controller vs. a processor under PIPA
A practitioner determining role under PIPA should apply the following tests:
- Controller: You decide the purpose for which personal information is collected, the categories of data collected, the retention period, whether to provide the data to third parties, and the legal basis (consent, contract, legal obligation, etc.). Example: an e-commerce platform collecting customer names, addresses, and payment information to fulfill orders.
- Processor: You process personal information solely to perform a service for another entity according to that entity's instructions, and you do not use the data for your own independent business purposes. Example: a cloud-infrastructure provider hosting database servers for the e-commerce platform, with no access to or use of the stored personal information except to maintain server uptime and security as instructed by the platform.
When in doubt, classify conservatively: if you exercise any discretion over purposes or means, you are likely a controller. Dual roles are possible — an entity may be a controller for its own customer data and simultaneously a processor for personal information entrusted by a separate controller.
Source: Personal Information Protection Act, Act No. 10465 (law.go.kr English translation)
Source: Enforcement Decree of the Personal Information Protection Act (law.go.kr)
Source: Commission Implementing Decision (EU) 2021/2254 of 17 December 2021 on the adequate protection of personal data by the Republic of Korea (EUR-Lex)
Source: Personal Information Protection Commission (PIPC) official website
Children's personal information — Article 22 parental consent and verification for data subjects under 14
PIPA imposes heightened obligations when controllers process personal information of children under the age of 14 years. Article 22 PIPA requires controllers to obtain consent from the child's legal representative (typically a parent or court-appointed guardian) and to verify that the legal representative actually provided that consent. The age threshold is a bright-line rule: on the day a child turns 14, processing moves from the parental-consent regime to the standard consent framework under Article 15 PIPA.
Article 22 PIPA — legal-representative consent requirement
Article 22(1) PIPA provides that when a personal information controller must obtain consent under PIPA to collect, use, or provide the personal information of a child under 14, the controller must obtain consent from the child's legal representative in addition to informing the child. Consent from the legal representative is not merely advisable or recommended; it is a statutory prerequisite to lawful processing. The controller must also verify that the person providing consent is in fact the legal representative with parental authority over the child.
The verification requirement distinguishes PIPA's children's-data regime from GDPR Article 8, which permits member states to adopt verification mechanisms "taking into consideration available technology" but does not mandate verification in all cases. PIPA Article 22 makes verification compulsory. Controllers must implement technical or procedural measures to confirm the identity of the legal representative before relying on the consent. Acceptable verification methods are specified in the Enforcement Decree and include:
- Government-issued identity verification services (e.g., I-PIN public Internet pseudonym number system, mobile-phone certification linked to a resident registration number, or financial-institution certificate services);
- Submission of a scanned or photographed identity document (e.g., resident registration card, driver's license, or passport) accompanied by a signed consent form;
- Video-call verification confirming the legal representative's identity; or
- Other equivalent means designated by the Personal Information Protection Commission (PIPC).
Self-certification (e.g., a checkbox stating "I am the parent") without independent verification does not satisfy Article 22. Controllers that collect children's personal information without obtaining verified parental consent face administrative fines under Article 75 PIPA and potential criminal liability under Article 71 if the collection is willful and involves providing the information to third parties.
Article 22-2(3) PIPA — child-friendly notice requirement
When notifying a child under 14 about the processing of personal information, Article 22-2(3) PIPA requires the controller to use an easy-to-understand format and clear, simple language suited to the child's comprehension level. This obligation applies in addition to the standard notice requirements under Articles 15 and 30 PIPA. The child-friendly notice must explain:
- What personal information is being collected;
- Why the controller needs it (purpose of processing);
- Who will have access to the information (third-party recipients, if any);
- How long the information will be kept (retention period); and
- The child's and the legal representative's rights, including the right to withdraw consent.
PIPC enforcement practice expects age-appropriate design: large fonts, visual icons or illustrations, short sentences, and avoidance of legal jargon. A privacy policy written for adults and presented unchanged to a child does not comply with Article 22-2. Controllers operating services primarily targeting children (e.g., online games, educational apps, children's social networks) should design separate child-facing notice flows distinct from the adult privacy policy.
Scope of the legal-representative consent requirement — when Article 22-2(1) applies
Article 22-2(1) applies whenever PIPA itself requires consent (collection and use under Article 15(1)(i), third-party provision under Article 17(1)(i), sensitive information under Article 23(1)(i), unique identification information under Article 24(1)(i)) and the data subject is under 14 at the time of collection. The rule does not apply when processing rests on a non-consent lawful basis under Article 15(1): for example, performance of a contract with the legal representative under Article 15(1)(iv) (a parent purchasing goods for the child), a requirement of another statute under Article 15(1)(ii), or urgent protection of the child's life, body or property under Article 15(1)(v). Reliance on non-consent bases for children's data is narrow, however. PIPC has stated that the legitimate-interests basis under Article 15(1)(vi) should rarely be invoked for children's data, because children generally cannot weigh privacy trade-offs as adults do and the controller's interest is unlikely to "clearly supersede" the rights of a child under 14.
Article 22-2(1) consent is cumulative with the Article 23 separate-consent requirement for sensitive information and the Article 24 requirement for unique identification information. For example, a health app that authenticates a 12-year-old by fingerprint processes biometric data that the Enforcement Decree classifies as sensitive information, so it must obtain (1) legal-representative consent confirmed under Article 22-2(1) and (2) separate consent for the biometric data under Article 23(1)(i), given by the legal representative. If the app also collected a unique identifier such as a passport number, (3) separate consent under Article 24(1)(i) or a statutory basis under Article 24(1)(ii) would be required as well (a resident registration number cannot be collected on the strength of consent at all under Article 24-2). In practice, controllers should present a single combined consent flow that satisfies each requirement and documents each separately.
PIPC Guidelines on the Protection of Personal Information of Children and Adolescents (July 2022)
In July 2022 PIPC published comprehensive Guidelines on the Protection of Personal Information of Children and Adolescents to clarify controllers' obligations when processing data of children (under 14) and adolescents (14 to under 18). The Guidelines address the full lifecycle of children's data: planning and designing services with privacy-by-design principles, collection and consent procedures, use and disclosure restrictions, secure storage, and destruction upon request or when the purpose ends.
Key guidance from the 2022 Guidelines includes:
- Age-gating at the point of collection — Controllers should determine the user's age before collecting personal information, using age-declaration mechanisms or government-certified age-verification services. If the user is under 14, the controller must immediately transition to the parental-consent flow.
- Separate parental-consent interface — The parental-consent request must be delivered to the legal representative separately from the child's interaction. Acceptable delivery methods include email to the parent's verified email address, SMS to the parent's mobile phone, or mailed paper consent forms. The consent request should include a child-friendly summary of what the service does and a detailed privacy notice for the parent.
- Prohibition on conditioning service access on non-essential data — Controllers may not refuse to provide a service to a child (or the child's legal representative) solely because the representative declined consent for the collection of personal information that is not essential to providing the service. The bundling prohibitions of Article 16(3) PIPA (minimum-necessary collection) and Article 22(5) PIPA (optional consent) apply to the legal representative's consent exactly as they apply to an adult data subject: if the information is not necessary for the core service, the controller must offer the service without it.
- Enhanced security for children's data — The Guidelines recommend heightened technical safeguards for personal information files containing children's data, including encryption at rest and in transit, access logging, and limitation of employee access on a need-to-know basis. Breach-notification obligations under Article 34 PIPA apply with special urgency when children's data are involved, and PIPC expects controllers to notify affected legal representatives promptly in language they can understand.
The Guidelines are not legally binding as independent authority but represent PIPC's interpretation of Articles 22 and 22-2 and are given substantial weight in enforcement proceedings.
Enforcement precedent — ScatterLab and chatbot collection without parental consent
PIPC has enforced Article 22 rigorously. A prominent example is the 2021 enforcement action against ScatterLab Inc., developer of the AI chatbot "Luda." PIPC found that ScatterLab's chatbot service collected and processed personal information — including conversation logs, relationship details, and behavioral data — from more than 200,000 children under the age of 14 without obtaining verified consent from their legal representatives. The Commission imposed administrative fines and ordered ScatterLab to delete all unlawfully collected children's data and to implement age-verification and parental-consent mechanisms before resuming service to minors. The decision underscores that automated data collection (e.g., via APIs or user-uploaded content scraped from messaging platforms) does not excuse compliance with Article 22; if the controller knows or should know that data subjects include children under 14, parental consent is mandatory.
Cross-border implications — parental consent for foreign operators
Foreign operators subject to PIPA's extraterritorial application (see the territorial-scope section of this guide) must comply with Article 22-2 when processing personal information of Korean children under 14. The July 2024 PIPC Guidelines on Applying PIPA to Foreign Business Operators explicitly list "obtaining parental consent for children under the age of 14 (Article 22-2)" as a key compliance obligation for foreign controllers. The confirmation methods in Article 17-2 of the Enforcement Decree must be workable from abroad: the website-plus-text-message and mobile-phone identity-verification methods in practice presuppose a Korean mobile subscription, while the card-detail, signed-form, e-mail and telephone methods, and the Decree's catch-all for equivalent means, can be operated by an overseas controller provided it can show that the expression of consent came from the representative. A foreign platform cannot avoid Article 22-2 by arguing that its home jurisdiction has a different age threshold (e.g., GDPR's member-state flexibility permitting ages 13 to 16, or COPPA's 13-year threshold in the United States). When the data subject is in Korea and under 14, Article 22-2 PIPA governs.
Interaction with the EU adequacy decision
The European Commission's December 2021 adequacy decision recognizing South Korea under GDPR Article 45 (Commission Implementing Decision (EU) 2021/2254) notes Korea's heightened protection for children's personal information under Article 22 PIPA as a factor supporting adequacy. Recital 129 of the adequacy decision observes that PIPA's requirement for verified parental consent for children under 14 aligns with — and in some respects exceeds — GDPR Article 8's framework, which permits member states to set the age of digital consent between 13 and 16 and does not uniformly require verification. Controllers transferring children's data from the EU to Korean processors should document that the Korean recipient's Article 22 compliance satisfies GDPR Article 8 obligations.
Practical compliance steps for controllers processing children's data
Controllers subject to Article 22 should implement the following measures:
- Age determination at collection — Prompt users to declare their age or use a certified age-verification service before collecting any personal information. Do not infer age from behavioral signals alone.
- Parental-consent workflow — If the user is under 14, halt collection of everything except the minimum needed to reach the legal representative (Article 22-2(2)) and request consent from the representative, confirming it through one of the Enforcement Decree Article 17-2 methods (website consent followed by text-message confirmation, card details or mobile-phone identity verification; a signed paper form; an e-mail reply; or a telephone call) rather than a self-attestation checkbox.
- Child-friendly notice — Present a separate, age-appropriate notice to the child in simple language with visual aids explaining why their information is needed, what will happen to it, and how they (and their parent) can withdraw consent.
- Separate detailed notice to parent — Provide the legal representative with a comprehensive privacy notice meeting Article 15 requirements, including purposes, retention periods, third-party recipients, and cross-border transfer details.
- Document consent separately — Maintain records showing (a) the child's age at collection, (b) the legal representative's verified identity, (c) the date and method of consent, and (d) the scope of information covered. If consent is later withdrawn, stop processing and delete the data unless another lawful basis applies.
- Do not condition access on non-essential data — Offer the service with only the minimum personal information necessary. If a child's legal representative refuses consent for optional data (e.g., location tracking for a feature that is not core to the service), provide the core service without that feature.
- Enhanced breach response — If a breach involves children's data, notify PIPC within 72 hours under Article 34 and notify affected legal representatives in plain language, with guidance on protective steps they can take.
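The steps above, as an added example that is not part of this guide or of any PIPC material: a small Python module that gates collection on the data subject's statutory age, lets only the Article 22-2(2) minimal contact fields through before the legal representative has consented, rejects a representative consent that is not confirmed through one of the Decree Article 17-2 channels, refuses to treat a declined optional consent as a ground for denying service, and destroys orphaned data on withdrawal. The channel identifiers, field names and record layout are assumptions made for the example; only the confirmation channels they stand for come from the Decree.

```python
"""Age gate and legal-representative consent workflow (PIPA Art. 22-2).
Added illustration for this section, not code from the page or from PIPC. Method
identifiers, field names and the record layout are assumptions; only the
confirmation channels they stand for come from Enforcement Decree Art. 17-2."""
from dataclasses import dataclass, field
from datetime import date, datetime
from enum import Enum
from typing import FrozenSet, List, Optional, Set

class Category(Enum):  # Art. 22(3)/(5): REQUIRED may gate the service, OPTIONAL never may
    REQUIRED = "required"
    OPTIONAL = "optional"

# Assumed identifiers for the Decree Art. 17-2 confirmation channels; a bare
# "I am the parent" checkbox is deliberately absent.
REPRESENTATIVE_METHODS = {
    "web_consent_plus_sms_confirmation",  # web tick, then SMS to the representative
    "web_consent_plus_card_details",      # web tick, then representative's card details
    "web_consent_plus_mobile_id_check",   # web tick, then mobile-phone identity check
    "signed_paper_form",                  # form returned with signature or seal
    "email_reply",                        # representative replies to the consent e-mail
    "phone_call_confirmation",            # consent given or re-confirmed on a call
}
# Art. 22-2(2): the only items that may be taken from the child before the
# representative has consented (assumed field names).
MINIMAL_REPRESENTATIVE_FIELDS = {"representative_name", "representative_contact"}

class ConsentError(Exception):
    pass

def full_age(birth: date, today: date) -> int:
    """Completed years, i.e. the Korean statutory 'man' age."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years

def is_child(birth: date, today: date) -> bool:
    return full_age(birth, today) < 14

@dataclass
class Consent:
    category: Category
    purpose: str
    items: FrozenSet[str]
    retention_days: int
    method: str                                  # Decree Art. 17(1) channel used
    given_at: datetime
    representative_method: Optional[str] = None  # Art. 17-2 channel, under-14 only
    withdrawn_at: Optional[datetime] = None

@dataclass
class Subject:
    subject_id: str
    birth: date
    consents: List[Consent] = field(default_factory=list)
    collected_items: Set[str] = field(default_factory=set)

def _live_items(subject: Subject) -> Set[str]:
    return set().union(*(c.items for c in subject.consents if c.withdrawn_at is None))

def collect(subject: Subject, items: Set[str], today: date) -> None:
    """Store items only when a live consent covers them; a child's minimal
    representative-contact fields may be taken first, everything else must wait."""
    uncovered = set(items) - _live_items(subject)
    if uncovered and not (is_child(subject.birth, today)
                          and uncovered <= MINIMAL_REPRESENTATIVE_FIELDS):
        raise ConsentError("no valid consent for %s" % sorted(uncovered))
    subject.collected_items |= set(items)

def grant(subject: Subject, consent: Consent, today: date) -> None:
    """Record a consent; for an under-14 subject it must carry a confirmed
    representative channel, so self-attestation is rejected."""
    if is_child(subject.birth, today) and consent.representative_method not in REPRESENTATIVE_METHODS:
        raise ConsentError("child subject: representative consent not confirmed via Decree Art. 17-2")
    subject.consents.append(consent)

def withdraw(subject: Subject, purpose: str, now: datetime, other_basis: bool = False) -> Set[str]:
    """Art. 37: stop processing for the purpose and destroy items no live consent
    covers, unless another legal ground (other_basis) keeps them. Representative
    contact fields survive while any consent is live. Returns the items destroyed."""
    for c in subject.consents:
        if c.purpose == purpose and c.withdrawn_at is None:
            c.withdrawn_at = now
    if other_basis:
        return set()
    live = _live_items(subject)
    if any(c.withdrawn_at is None for c in subject.consents):
        live |= MINIMAL_REPRESENTATIVE_FIELDS
    orphaned = subject.collected_items - live
    subject.collected_items -= orphaned
    return orphaned

def may_deny_service(subject: Subject, required_purposes: Set[str]) -> bool:
    """Art. 16(3)/22(5): deny only when a REQUIRED consent is missing; a declined
    or withdrawn OPTIONAL consent is never a ground for refusal."""
    live_required = {c.purpose for c in subject.consents
                     if c.withdrawn_at is None and c.category is Category.REQUIRED}
    return not set(required_purposes) <= live_required
```

Calling collect() for a child before grant() raises ConsentError unless the items are exactly the minimal contact fields; grant() for a child with representative_method set to anything outside REPRESENTATIVE_METHODS raises as well. withdraw() returns the items it destroyed, so the caller can log the destruction record that Article 21 expects; pass other_basis=True when a statutory retention duty keeps the data.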
Comparison with GDPR Article 8 and COPPA
PIPA Article 22's framework differs from both GDPR and U.S. COPPA in key respects:
- Age threshold: PIPA sets a uniform 14-year threshold. GDPR Article 8 permits member states to choose any age from 13 to 16 (resulting in a patchwork: 13 in some states, 16 in Germany, 15 in France). COPPA applies to children under 13.
- Verification mandate: PIPA requires verification of parental consent in all cases. GDPR Article 8(2) requires controllers to "make reasonable efforts to verify" parental consent "taking into consideration available technology," leaving room for risk-based approaches. COPPA requires verifiable parental consent but permits email-plus-confirmation for low-risk uses. PIPA's verification requirement is absolute.
- Scope: PIPA Article 22 applies to all personal information processing of children under 14 when consent is the lawful basis, regardless of the service type (online or offline, commercial or non-commercial). COPPA applies only to online services directed at children under 13 or with actual knowledge of under-13 users. GDPR Article 8 applies only to "information society services offered directly to a child."
Controllers operating across multiple jurisdictions should design consent systems to satisfy the strictest applicable rule — in practice, PIPA Article 22's verified-parental-consent requirement often sets the compliance floor for services accessible in Korea.
Source: Personal Information Protection Act, Act No. 10465 (law.go.kr English translation)
Source: Enforcement Decree of the Personal Information Protection Act (law.go.kr)
Source: Personal Information Protection Commission (PIPC) official website
Source: Commission Implementing Decision (EU) 2021/2254 of 17 December 2021 on the adequate protection of personal data by the Republic of Korea (EUR-Lex)
Consent requirements — Article 22 form, separate-consent triggers, and withdrawal rights
PIPA is fundamentally consent-centric: Article 15(1)(i) establishes consent as the primary lawful basis for collecting and using personal information, and Article 17(1)(i) requires consent for providing personal information to third parties. Unlike GDPR's multi-basis framework under Articles 6 and 9, PIPA channels most private-sector processing through consent unless an alternative statutory basis under Article 15(1) applies: a special provision in another statute or an unavoidable legal obligation ((ii)), a public institution's statutory duties ((iii)), conclusion or performance of a contract with the data subject ((iv)), urgent protection of life, body or property ((v)), or the controller's legitimate interests ((vi)). The legitimate-interests basis is narrowly construed and far less developed than GDPR Article 6(1)(f).
Article 22 PIPA sets out the method and requirements for obtaining valid consent. Consent must be freely given, specific, informed, and unambiguous — standards that parallel GDPR Article 4(11) and recital 32. The European Commission's December 2021 adequacy decision on South Korea (Commission Implementing Decision (EU) 2021/2254) confirms that PIPA's consent requirements align with GDPR standards for valid consent.
Article 22(1) PIPA — explicit recognition and segregation of matters requiring consent
When a personal information controller seeks consent for processing personal information, Article 22(1) PIPA mandates that the controller "notify the data subjects of the fact by separating the matters requiring consent and helping the data subjects to recognize it explicitly, and obtain their consent thereof, respectively." This imposes two core obligations:
- Segregation: The controller must separate items requiring consent from other matters (e.g., general terms of service, marketing materials, or informational disclosures) so that the data subject can distinguish what they are consenting to. Consent requests must not be bundled with unrelated contract clauses or buried in lengthy terms.
- Explicit recognition: The controller must present the consent request "in an explicitly recognisable manner" that ensures the data subject is specifically aware they are providing consent for personal-information processing. This typically requires opt-in checkboxes, affirmative action buttons, or written signature. Pre-ticked boxes, deemed consent, or implied consent from silence or inactivity do not satisfy Article 22(1). The requirement for an affirmative act aligns with GDPR Article 4(11)'s "clear affirmative action" standard.
Article 17(1) of the PIPA Enforcement Decree specifies acceptable consent methods: delivering the consent text in writing (in person, by post or by fax) and obtaining the data subject's signature or seal; explaining the consent text by telephone and obtaining consent on the call, or directing the data subject to a web address where the text can be read and confirming consent on a further call; displaying the consent text on a website or in an application and having the data subject click an opt-in control; sending the consent text by e-mail and receiving a reply expressing consent; and other equivalent methods that inform the data subject of the consent text and confirm the expression of consent.
Article 22(3) PIPA — mandatory separate consent for optional processing
Article 22(3) PIPA requires a controller that processes personal information on the basis of consent to separate the items that may be processed without consent (for example, those needed to conclude or perform a contract with the data subject) from the items that require consent, and places on the controller the burden of proving that an item belongs in the first group. In consent forms this is expressed as two categories, each obtained separately:
- Required consent: Personal information processing that is essential for providing the service or performing the contract (e.g., collecting name and delivery address to ship a purchased item). The controller may condition service provision on this information.
- Optional consent: Personal information processing that is not essential (e.g., collecting a phone number for marketing purposes, or behavioral tracking for product recommendation). Under Article 22(5) PIPA, controllers may not refuse goods or services because the data subject declined an optional item under Article 22(3), marketing consent under Article 22(4), or third-party-provision consent under Article 18(2)(i). Violation of this prohibition triggers an administrative fine of up to KRW 30 million (approximately USD 22,000) under Article 75(2) PIPA.
In practice, this means consent forms must clearly distinguish required fields from optional fields, label them as such, and permit the data subject to decline optional processing while still accessing the core service. The PIPC has emphasized this principle in enforcement decisions and in its March 2022 "Easy-to-Understand Handbook on Consent for Personal Data Processing."
Article 22(4) PIPA — separate consent for marketing and solicitation
Article 22(4) PIPA (paragraph (3) until the 2017 amendment inserted the current paragraph (2) on displaying important matters in written consent) requires a controller that seeks consent to process personal information for the purpose of promoting goods or services or soliciting their purchase to inform the data subject of that fact so that it is clearly recognisable, and to obtain consent for it separately. Marketing consent must therefore be obtained independently of consent for core service provision. Failure to obtain separate marketing consent triggers an administrative fine of up to KRW 10 million (approximately USD 7,500) under Article 75 PIPA.
The separate-marketing-consent requirement interacts with the Act on Promotion of Information and Communications Network Utilization and Information Protection (Network Act), which imposes additional opt-in consent requirements for electronic commercial messages (email, SMS, push notifications). Controllers engaging in electronic marketing must comply with both PIPA Article 22(3) and the Network Act's "spam consent" rules, and document both consents separately.
Notice requirements when seeking consent — Articles 15(2), 17(2) and 22(2) PIPA
To ensure consent is informed, Article 15(2) PIPA requires the controller to notify the data subject of the following before obtaining consent to collect and use personal information, and to notify the data subject again whenever any of them changes; Article 22(2) adds that where consent is taken in writing (including electronic documents), these important matters must be displayed clearly and legibly in the manner set by PIPC notice:
- The purpose of collecting and using the personal information;
- The categories of personal information to be collected;
- The retention period for the personal information;
- The fact that the data subject has the right to refuse consent and any disadvantages that may result from refusal (e.g., inability to access a service if the consent is required for service provision).
If the controller intends to provide the personal information to a third party, Article 17(2) requires additional disclosures before consent: the identity of the recipient, the recipient's purpose, the categories of information to be provided, the recipient's retention and use period, and the right to refuse consent and any resulting disadvantage. For cross-border transfers (Article 17(3) before the 2023 amendments; Article 28-8 PIPA since then), consent must additionally be preceded by notice of the country of destination, the date and method of transfer, the recipient's name and contact details, the recipient's purpose and retention period, and the method and procedure for refusing the transfer together with the consequences of refusal.
Withdrawal of consent — Article 37 PIPA right to suspension and, since 2023, express withdrawal
Before the 2023 amendments PIPA had no standalone right to withdraw consent comparable to GDPR Article 7(3); data subjects instead relied on Article 37's right to demand suspension of processing. The 2023 amendments (effective 15 September 2023) added withdrawal of consent to Article 37(1) alongside the suspension request, so a data subject may now expressly withdraw consent given under the Act. On suspension or withdrawal the controller must cease processing without delay and, where the withdrawn consent was the sole lawful basis, destroy the information unless another ground for retention exists (for example, a record-keeping duty under another statute, preserved by the proviso to Article 21(1)). The European Commission's adequacy decision (recital 78), issued against the pre-2023 text, already treated Article 37's suspension right as functionally equivalent to GDPR's withdrawal of consent, leading to termination of processing and deletion.
Controllers must provide data subjects with an easy mechanism to withdraw consent (or request suspension) that is "as easy as the method used to provide consent" (a principle articulated in PIPC guidelines and enforcement decisions, though not codified in statute). For example, if consent was obtained via a one-click checkbox on a website, the controller should provide a one-click opt-out button or account settings page permitting immediate withdrawal. Requiring data subjects to send written requests by post or fax when consent was obtained electronically violates the spirit of Article 22's freely-given standard and may expose the controller to PIPC corrective orders under Article 64 PIPA.
Free consent and power imbalances
Article 22(1) PIPA's requirement that consent be obtained "by separating the matters requiring consent" implies that consent must be freely given — i.e., not coerced, bundled with unrelated obligations, or obtained under circumstances where the data subject has no genuine choice. PIPC has indicated increasing scrutiny of consent obtained in situations where the controller holds significant bargaining power over the data subject (e.g., employer-employee relationships, landlord-tenant, essential public services). The Proposed Amendment to the PIPA Enforcement Decree (legislative notice August 2023) introduced provisions requiring controllers in dominant positions to take additional measures to ensure consent is genuinely voluntary, such as offering clear alternative service paths that do not require optional consent.
Children's consent — Article 22-2 PIPA parental consent requirement
Article 22-2 PIPA (created by the 2023 amendments, which moved the rule previously in Article 22(6) into its own article) requires, when a controller must obtain consent to process the personal information of a child under 14, that the consent be obtained from the child's legal representative (parent or guardian) and that the controller confirm the representative actually consented. The controller must confirm the representative's consent through a method listed in Article 17-2 of the Enforcement Decree and document it. In the April 2021 enforcement action against ScatterLab (an AI chatbot operator), PIPC fined the company for, among other violations, collecting personal information of some 200,000 children under 14 without legal-representative consent under what was then Article 22(6), underscoring strict enforcement of the rule now found in Article 22-2.
Enforcement context — Google and Meta 2022 enforcement decisions
The September 2022 PIPC enforcement actions against Google (KRW 69.2 billion fine, approximately USD 50 million) and Meta (KRW 30.8 billion fine, approximately USD 22 million) illustrate the practical application of PIPA's consent standards. PIPC found that both companies collected and used users' behavioral information (browsing and app-usage data gathered through third-party websites and apps) for personalized advertising without clearly informing users and obtaining their consent, in breach of the consent provisions then applicable to information and communications service providers (former Article 39-3 PIPA). Google had left the behavioral-advertising settings switched on by default behind a collapsed "more options" screen; Meta had folded the relevant disclosure into its lengthy data policy, where users could not readily recognise it. Both companies argued that users had agreed to "personalized advertising" in general terms, but PIPC held that consent must identify the specific processing and be obtained through an explicit opt-in, not a blanket clause. The decisions confirm that consent must be granular and specific to the category and purpose of processing, particularly for behavioral tracking and marketing.
Comparison with GDPR Article 7 consent conditions
PIPA's Article 22 consent framework parallels GDPR Article 7 in requiring consent to be freely given, specific, informed, and unambiguous. Key differences:
- Separate consent for marketing is a statutory mandate under PIPA Article 22(4), whereas GDPR requires unbundling of consent but does not codify a separate marketing-consent rule at the same level of specificity.
- PIPA's prohibition on service denial for declined optional consent (Article 22(5)) is more prescriptive than GDPR Article 7(4)'s "freely given" condition, which calls for case-by-case assessment of whether conditioning a service on consent deprives the consent of its free character.
- Withdrawal mechanism parity — GDPR Article 7(3) codifies that withdrawal must be "as easy as to give consent"; PIPA embeds this principle in PIPC enforcement practice and guidelines but does not state it explicitly in statute.
Both regimes converge on the principle that valid consent requires affirmative action, clear information, and genuine choice, and both reject pre-ticked boxes, deemed consent, or bundling of unrelated obligations.
Source: Personal Information Protection Act, Act No. 10465 (law.go.kr English translation)
Source: Enforcement Decree of the Personal Information Protection Act (law.go.kr)
Source: Commission Implementing Decision (EU) 2021/2254 of 17 December 2021 on the adequate protection of personal data by the Republic of Korea (EUR-Lex)
Source: Personal Information Protection Commission (PIPC) official website
Size-based thresholds — CPO appointment, enhanced security, DPIA, and insurance requirements
PIPA imposes regulatory obligations on all personal information controllers, but several key compliance requirements scale with the size of the controller's operations, measured by number of data subjects, revenue, or institutional character. Understanding these thresholds is essential for scoping PIPA compliance at the outset and for identifying when enhanced obligations trigger as operations grow.
Chief Privacy Officer appointment — Article 31 PIPA universal requirement
Article 31(1) PIPA requires every personal information controller, public or private and regardless of size, to designate a Chief Privacy Officer (CPO, also translated as "personal information protection officer"). The CPO must be appointed from among the controller's executives, employees or representative. Unlike GDPR Article 37, which requires a DPO only for public authorities and for controllers whose core activities involve large-scale regular and systematic monitoring or large-scale processing of special-category data, the Article 31 CPO obligation is universal and applies even to small businesses and sole proprietorships processing personal information (the Enforcement Decree lets the smallest controllers treat the owner or representative as CPO where no one else is designated).
The CPO's statutory duties under Article 31 PIPA include: (a) formulating and implementing a personal-information protection plan; (b) reviewing and improving the controller's personal-information processing operations; (c) training employees and handling complaints; (d) overseeing security safeguards; and (e) performing other duties necessary to protect personal information as prescribed by the Enforcement Decree. Failure to designate a CPO is an administrative fine (gwataeryo) of up to KRW 10 million under Article 75 PIPA, not a criminal offence.
Processors — 100,000 data-subject threshold for mandatory CPO designation
Article 31(2) PIPA, as amended in 2023, extends the CPO appointment obligation to personal information processors (entrusted entities, sutakja) that process personal information for 100,000 or more data subjects in the preceding year. Below this threshold, a processor is not legally required to designate a CPO, though the controller's Article 26 supervision duty may contractually require the processor to appoint a privacy contact. The 100,000 threshold is counted per processor entity, not per entrustment contract — a processor handling data for multiple controllers aggregates the total data-subject count across all entrustment relationships to determine whether the threshold is met.
Enhanced CPO governance for large controllers — 2026 amendments (thresholds pending)
The February 2026 amendments to PIPA (promulgated March 10, 2026, effective September 11, 2026) introduced new Article 31(3) requirements for large controllers meeting thresholds "to be prescribed by the Enforcement Decree and based on factors such as turnover and scale of personal data processing." For controllers meeting these thresholds, the appointment, replacement, or dismissal of the CPO must be approved by a resolution of the board of directors, and such appointment or dismissal must be reported to PIPC. The amendments also establish a new Article 30-3 expressly designating the representative director (or business owner in the case of a sole proprietorship) as bearing ultimate responsibility for data protection, reinforcing that privacy is a board-level governance matter for large organizations.
Unable to confirm as of 2026-06-01: the specific turnover and data-subject-count thresholds triggering Article 31(3) board approval and PIPC reporting had not yet been published in the Enforcement Decree as of this writing.
Notice of collection source — 50,000 and 1,000,000 data-subject thresholds (Article 20(2))
Article 20(1) PIPA gives a data subject whose personal information was collected from a source other than the data subject the right to be told, on request, the source, the purpose of processing and the right to demand suspension of processing. Article 20(2) PIPA turns this into a proactive duty for large controllers: those meeting the thresholds in Article 15-2 of the Enforcement Decree must notify the data subject of the same items without being asked, unless the collected information contains no contact details through which the data subject could be reached. The Decree thresholds are controllers that process:
- Sensitive information (Art. 23 PIPA: ideology or beliefs, labor-union or political-party membership, political opinions, health, sex life, and the Decree categories of genetic data, criminal records, biometric identification data, and racial or ethnic origin) or unique identification information (Art. 24 PIPA: resident registration numbers, passport numbers, driver's license numbers, alien registration numbers) concerning 50,000 or more data subjects; or
- Any personal information concerning 1,000,000 or more data subjects.
The notice must state the source of the information, the purpose of processing and the data subject's right to demand suspension under Article 37; the Decree sets the timing at three months from collection, or at least once a year where the controller collects from the source repeatedly. Controllers below both thresholds must still answer Article 20(1) requests and comply with Article 23 separate consent for sensitive information and Article 24 restrictions on unique identifiers, but are not subject to the proactive Article 20(2) notice.
Data protection impact assessments — Article 33 mandatory for public institutions
Article 33 PIPA requires public institutions (as defined in Art. 2(6) PIPA: central government ministries, local governments, public schools and designated public agencies) to have an impact assessment conducted, by a PIPC-designated assessment body, before operating a personal information file that Article 35 of the Enforcement Decree identifies as likely to infringe significantly on data subjects' privacy:
- A file containing sensitive information (Art. 23 categories) or unique identification information (resident registration numbers, passport numbers, driver's license numbers, alien registration numbers) concerning 50,000 or more data subjects;
- A file that, when linked with another personal information file held by the institution or by another institution, would contain information on 500,000 or more data subjects;
- A file containing personal information on 1,000,000 or more data subjects; or
- A material change to the operation of a file that has already been assessed.
Article 33 does not apply to private-sector controllers; the statute only encourages them to conduct an assessment. Private controllers are therefore not required to conduct DPIAs under PIPA, though best practice, and alignment with GDPR Article 35 for controllers subject to both regimes, may recommend a DPIA-equivalent privacy impact assessment for high-risk processing. The public institution submits the assessment result to PIPC, which may state its opinion, and the result accompanies the file's registration under Article 32.
Insurance or reserve requirement — 10,000 users + KRW 1 billion revenue threshold
Article 39-7 PIPA, added by the 2023 amendments and clarified by the March 2024 Enforcement Decree amendment, requires data controllers (both online and offline service providers) meeting specific criteria to maintain insurance coverage, join a mutual aid organization, or accumulate reserves sufficient to compensate data subjects for damages resulting from the controller's PIPA violations. The 2024 Enforcement Decree sets the threshold at controllers with:
- 10,000 or more users; AND
- Annual sales of KRW 1 billion (approximately USD 750,000) or more.
Previously (prior to March 2024), only online service providers with 1,000 users and KRW 50 million annual sales were subject to the insurance requirement; the 2024 expansion broadened scope to offline controllers and raised the revenue threshold while increasing the user threshold tenfold. Controllers meeting the criteria must carry liability insurance or equivalent financial assurance sufficient to cover potential statutory and punitive damages under Article 39 PIPA.
ISMS-P mandatory certification — thresholds to be prescribed (2026 amendments)
The February 2026 PIPA amendments introduced a new mandatory Personal Information & Information Security Management System (ISMS-P) certification requirement for certain data controllers. ISMS-P builds upon the existing ISMS certification framework required for certain entities under the Act on Promotion of Information and Communications Network Utilization and Information Protection, incorporating additional requirements relating to personal data protection. Prior to the 2026 amendments, ISMS-P certification was voluntary for most private-sector controllers; the amendments make it mandatory for controllers meeting "prescribed thresholds."
(The specific criteria triggering mandatory ISMS-P certification, likely based on revenue, number of data subjects, or sector, are to be prescribed by the Enforcement Decree but had not yet been published in English as of this writing; this could not be confirmed as of 2026-06-01.)
Practical threshold matrix for scoping compliance
A controller assessing PIPA compliance should map its operations against the following thresholds:
| Threshold | Obligation triggered | Legal basis |
|---|---|---|
| Any processing (1+ data subject) | Appoint Chief Privacy Officer | Art. 31(1) PIPA |
| 50,000+ data subjects processing sensitive info or unique identifiers | Enhanced privacy-policy disclosure | Art. 20(2) PIPA, Art. 15-2 Decree |
| 10,000+ users AND KRW 1B+ revenue | Insurance / mutual aid / reserves | Art. 39-7 PIPA, 2024 Decree |
| 100,000+ data subjects (processor only) | Processor must appoint CPO | Art. 31(2) PIPA |
| Public institution | DPIA for CCTV, sensitive info files, unique-ID files | Art. 33 PIPA |
| Large controller (thresholds TBD) | CPO appointment requires board approval + PIPC reporting | Art. 31(3) PIPA (2026 amendments) |
| Large controller (thresholds TBD) | Mandatory ISMS-P certification | 2026 amendments |
Thresholds are cumulative: a controller processing sensitive information for 100,000 data subjects with KRW 5 billion revenue must comply with all applicable obligations (universal CPO appointment, enhanced privacy-policy disclosure, the insurance requirement, and, if it acts as a processor, processor CPO appointment). Controllers should reassess threshold compliance annually as operations scale, particularly when crossing the 50,000 and 100,000 data-subject marks or the KRW 1 billion revenue threshold.
Cross-border application of thresholds
Foreign controllers subject to PIPA under the extraterritorial application principles described in the territorial-scope section must comply with the same size-based thresholds. A U.S. platform operator targeting Korean users and processing personal information for 80,000 Korean data subjects must appoint a CPO under Article 31(1) and comply with the Article 20(2) enhanced privacy-policy disclosure for sensitive information (if applicable), even if it has no physical establishment in Korea. PIPC has applied Article 31 CPO requirements extraterritorially in enforcement actions against foreign platforms, including the September 2022 Google and Meta decisions.
Source: Personal Information Protection Act, Act No. 10465 (law.go.kr English translation)
Source: Enforcement Decree of the Personal Information Protection Act (law.go.kr)
Source: Commission Implementing Decision (EU) 2021/2254 of 17 December 2021 on the adequate protection of personal data by the Republic of Korea (EUR-Lex)