South Korea Personal Information Protection Act | South Korea PIPA

The PIPA sets out eight key principles that apply to data handlers (Article 3):

  • Purpose specification and minimum collection: the data handler shall explicitly specify the purposes for which personal data is processed, and shall collect personal data lawfully and fairly, to the minimum extent necessary for those purposes.
  • Purpose limitation: the data handler shall process personal data in a manner appropriate to those purposes, and shall not use it beyond them.
  • Accuracy: the data handler shall ensure personal data is accurate, complete and up to date to the extent necessary for the purposes for which it is processed.
  • Security: the data handler shall manage personal data safely, according to its processing methods and types, taking into account the likelihood of infringement of the data subject's rights and the severity of the resulting harm.
  • Transparency: the data handler shall disclose its privacy policy and other matters relating to the processing of personal data, and shall guarantee the data subject's rights, such as the right to access their personal data.
  • Minimal intrusion: the data handler shall process personal data in a manner that minimises the possibility of infringing the data subject's privacy.
  • Anonymisation and pseudonymisation: where the purposes of collection can still be achieved with anonymised or pseudonymised data, the data handler shall anonymise the data; where anonymisation would defeat those purposes, it shall pseudonymise the data instead.
  • Accountability: the data handler shall endeavour to earn the trust of data subjects by observing and performing the duties and responsibilities set out in the PIPA and related statutes.

Key obligations and consequences

Applicability: The PIPA applies to the handling of personal data. Handling under the law is defined as the 'collection, generation, recording, storage, retention, processing, editing, search, outputting, rectification, restoration, use, provision, disclosure, or destruction of personal data or any other action similar to any of the preceding'.

Territorial scope: The PIPA does not explicitly define its territorial or extraterritorial scope. In practice, several factors are weighed when determining whether a foreign entity is subject to the PIPA, such as whether the entity provides services targeted at Korean users or generates revenue from doing business in South Korea.

Consent requirement: Data handlers must provide notice when processing personal data. Explicit consent is generally required before personal data is collected, used, or provided to third parties, subject to certain exceptions.

For reference, the PIPC guidelines provide that data handlers should:

  • Provide notice, in a clear and easily understandable manner, of the items of personal data collected and the reasons for collection when obtaining consent from users.
  • Obtain 'explicit consent' in accordance with Article 22 of the PIPA, which, among other things, prohibits blanket consent for all types of processing, requires notice of material information and of the scope of consent, and requires required and optional consent (e.g. for marketing or promotional purposes) to be distinguished.
  • Obtain consent for the collection and use of personal data, where the PIPA requires it, as voluntary opt-in consent (via written signature, oral confirmation, or an online checkbox) that is clearly verifiable.
Key Challenges in brief:

Data protection impact assessment

Under the PIPA, only public institutions are obligated to conduct a Data Protection Impact Assessment ('DPIA') (Article 33(8) of PIPA). Specifically, where the operation of personal data files meeting certain criteria poses a risk of infringement of data subjects' personal data, the head of the public institution shall conduct an assessment to analyse the risk factors and mitigate them, and submit the results to the PIPC.

Data processing records

The PIPA does not require organisations to maintain a record of processing activities. It does, however, require data handlers to keep and manage access (log-in) records documenting access to a personal data processing system by 'personal data handlers' (officers, employees, workers, etc. who process personal data under the direction and supervision of the data handler) for at least one year. Such records shall contain the facts of access, including the handler's ID, the date and time of access, information identifying the person who accessed the system, and the tasks performed while connected to it.
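The access-record requirement above is concrete enough to check mechanically. The following is an added example, not code from this page or from any vendor product it describes: it validates a constructed JSON Lines access log against the four required elements (ID, date and time, accessor-identifying information, task performed) and applies the one-year minimum when selecting records that may be purged. The JSON key names (handler_id, accessed_at, source_ip, task), the choice of source IP as the accessor-identifying information, and the sample records themselves are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta

# PIPA requires an access record to capture: the handler's ID, the date and time
# of access, information identifying who accessed (here: source IP) and the task
# performed. The JSON key names below are an assumed schema, not PIPA's wording.
REQUIRED_FIELDS = ("handler_id", "accessed_at", "source_ip", "task")
MIN_RETENTION = timedelta(days=365)  # records must be kept at least one year

# Constructed sample log in JSON Lines form. Line 4 omits the task performed and
# line 5 carries a timestamp without a UTC offset; both defects are deliberate.
SAMPLE_LOG = """\
{"handler_id": "emp-1042", "accessed_at": "2024-01-15T09:12:03+09:00", "source_ip": "10.20.4.17", "task": "view customer_profile id=88213"}
{"handler_id": "emp-1042", "accessed_at": "2024-06-02T14:40:51+09:00", "source_ip": "10.20.4.17", "task": "update customer_profile.phone id=88213"}
{"handler_id": "emp-2210", "accessed_at": "2024-11-30T23:59:59+09:00", "source_ip": "10.20.9.3", "task": "export marketing_list.csv"}
{"handler_id": "emp-2210", "accessed_at": "2025-01-03T08:00:00+09:00", "source_ip": "10.20.9.3"}
{"handler_id": "emp-3307", "accessed_at": "2025-02-01T10:00:00", "source_ip": "10.20.1.8", "task": "view customer_profile id=10"}
"""


def parse_records(text):
    """Parse JSON Lines into (line_no, record) pairs. Malformed lines are
    returned as errors rather than dropped, so gaps in the trail stay visible."""
    records, errors = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append((line_no, json.loads(line)))
        except json.JSONDecodeError as exc:
            errors.append((line_no, f"unparseable: {exc.msg}"))
    return records, errors


def parse_timestamp(value):
    """Return an aware datetime, or None if the value is missing, malformed or
    naive. A naive timestamp is rejected: it cannot prove when access happened."""
    try:
        when = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    return when if when.tzinfo is not None else None


def validate_record(rec):
    """List the problems with one record; an empty list means it is complete."""
    problems = [f"missing {field}" for field in REQUIRED_FIELDS if not rec.get(field)]
    if rec.get("accessed_at") and parse_timestamp(rec["accessed_at"]) is None:
        problems.append("accessed_at is not an ISO 8601 timestamp with a UTC offset")
    return problems


def audit_log(text):
    """Map line number -> problems for every non-compliant line in the log."""
    records, errors = parse_records(text)
    findings = {line_no: [msg] for line_no, msg in errors}
    for line_no, rec in records:
        problems = validate_record(rec)
        if problems:
            findings[line_no] = problems
    return findings


def purge_candidates(records, now):
    """Return only (line_no, record) pairs older than MIN_RETENTION as of `now`.
    Records whose timestamp cannot be trusted are never returned: a defective
    record must not become the reason the trail is cut short of one year."""
    out = []
    for line_no, rec in records:
        when = parse_timestamp(rec.get("accessed_at"))
        if when is not None and now - when > MIN_RETENTION:
            out.append((line_no, rec))
    return out


def purge_report(text, now_iso):
    """Convenience wrapper: (line_no, handler_id) of records eligible for deletion."""
    records, _ = parse_records(text)
    now = datetime.fromisoformat(now_iso)
    return [(line_no, rec["handler_id"]) for line_no, rec in purge_candidates(records, now)]


if __name__ == "__main__":
    print("findings:", audit_log(SAMPLE_LOG))
    print("eligible for purge on 2025-03-01:",
          purge_report(SAMPLE_LOG, "2025-03-01T00:00:00+00:00"))
```

Two design choices matter here: a record with a naive timestamp is reported and never purged, because the retention clock cannot be applied to it, and malformed lines surface as findings rather than being skipped, because a silent gap in the trail is exactly what an auditor will ask about.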

Data breach notification

A data handler must notify affected data subjects without delay once it becomes aware of a breach of personal data. Where a breach involves 1,000 data subjects or more, the data handler must, in addition to the individual notices, report the breach to the PIPC or a specialist institution designated under the PIPA, and must also post the prescribed information on its website, or at a noticeable place in its business premises if it has no website, for at least seven days.

Data retention

The basic principles applicable to data retention include:

  • Fair and lawful collection of the minimum personal data necessary for the explicitly stated and consented purposes.
  • Handling of that personal data only to the extent necessary for the explicitly stated and consented purposes.
  • Where South Korean law or regulation requires personal data to be retained beyond the retention period notified to, and consented to by, data subjects, that data must be stored separately from other personal data.

Data Subject Rights

The PIPA grants data subjects the following rights:

  • Right to be informed: data subjects have the right to be informed of the storage, processing, and sharing of their personal data. Personal information controllers and information and communications service providers (ICSPs) are responsible for informing them.
  • Right to access: a data subject may request access to the personal data a personal information controller processes about them, and to information on whom it is shared with.
  • Right to rectification: a data subject who has accessed their personal data may request that the relevant personal information controller rectify it. A data subject who has been denied access to their personal data cannot exercise the right to request rectification of it.
  • Right to erasure: a data subject who has accessed their personal data may request that the relevant personal information controller erase it.
  • Right to object/opt-out: personal information controllers that are ICSPs must allow data subjects to withdraw their consent to the processing of their personal data at any time. Personal information controllers must also respond to a data subject's request to suspend the processing of their personal data.
  • Consent: data subjects have the right to choose whether or not to consent to the processing of their personal data, and the scope of that consent.
  • Right to redress: data subjects have the right to obtain appropriate remedy, through a prompt and fair procedure, for any damage arising from the processing of their personal data.
Solutions

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence), discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organisations to inventory and map their entire data footprint, so they can protect what matters most.

Third-party privacy intelligence (monitors third-party sharing): Silos between entities, or between business and IT teams, often make it hard to get a full picture of the data leaving and entering the organisation, especially when data is shared with third parties, vendors and business partners. TurtleShield PI (Privacy Intelligence) builds a data map from your data-sharing flows so you can act on it.

Data minimisation: TurtleShield DM (Data Minimization) helps businesses reduce excess data and adhere to the data minimisation principle. It is a data hygiene control approached from a risk-reduction and compliance perspective: large data sets are scanned with machine learning to find excess data, including personal data. Removing unwanted data reduces operational inefficiency, storage cost and the legal exposure of holding it.

Right to be Forgotten (RTBF) with assured deletion: TurtleShield RTBF (Right to Be Forgotten) gives businesses the capability to comply with mandatory deletion of personal data by deleting the data on request and validating that the deletion took place.

Enabling data subject rights with cost savings and full compliance: Search across large data sets to fulfil data subject requests completely and quickly. The assumption that data exists only in databases rarely holds; customer data lives in many sources. Using machine learning and AI, the tool crawls across data sources and predicts where PII may exist.
