For foreign companies operating in South Korea, simply translating a global privacy policy into Korean is often insufficient. The Personal Information Protection Act (PIPA) mandates a strict set of disclosures that must be presented in a specific format.
The Personal Information Protection Commission (PIPC) expects the policy to be written in Korean so domestic users can easily understand it. It must not be a mere translation of a policy based on foreign laws; it should be specifically formulated to meet PIPA’s unique distinctions, especially the difference between “third-party provision” and “entrustment” (outsourcing).
If you are still assessing whether your organization is in scope, start with our checklist on whether South Korea’s PIPA applies to your business, which explains common “targeting” and “impact” triggers used by regulators.
1. The Basics: Language and Accessibility
- Language: The policy must be in Korean.
- Labeling: The link on your website should be clearly labeled “Privacy Policy” (typically 개인정보 처리방침 in Korean). It should use font sizes or colors that distinguish it from other notices such as Terms of Service.
- Placement: It must be permanently posted on the website. If a website is not available, it should be posted in the workplace or published through other means (e.g., a newsletter or contract).
2. Mandatory Disclosures (The Checklist)
Article 30 of PIPA and relevant PIPC guidance require specific items to be included in your Privacy Policy. The sections below are the disclosures most commonly expected for Korea-facing services and products.
A. Purpose of Processing
You must clearly state why you are collecting personal data.
- Example: “Member management, provision of services, grievance handling, and marketing.”
B. Retention and Usage Period
You must specify how long personal data is kept.
- Requirement: State the retention period for each type of information. If Korean laws require preservation (e.g., e-commerce transaction logs), cite the applicable law and the required period.
C. Third-Party Provision vs. Entrustment (Critical Distinction)
In many Western jurisdictions, “sharing” may cover both vendors and partners. Under Korean privacy compliance, you must clearly separate these concepts:
- 1) Third-Party Provision (제3자 제공): When you provide data to another entity for their benefit (e.g., a partner company). You should list the recipient, purpose, and specific data items.
- 2) Entrustment / Outsourcing (위탁): When vendors process data on your behalf (e.g., cloud hosting, payroll processing, delivery/logistics). You should disclose the vendor name and the scope of entrusted work.
For additional context on how these obligations fit into the broader South Korea PIPA framework, see our main overview article.
D. Destruction Procedures
Explain how and when personal data is destroyed.
- Requirement: Describe the procedure (e.g., “deleted immediately after the retention period expires”) and the method (e.g., “permanently deleting electronic files” or “shredding paper documents”).
E. Rights of Data Subjects and How to Exercise Them
You must state that users can request access, correction, deletion, or suspension of processing.
- Actionable detail: Provide a clear method to exercise these rights (e.g., “Submit a request via email to [email protected] or call 02-XXX-XXXX”). The method should be no more difficult than the method used to collect the data.
F. Contact Information (Privacy Officer)
You must list contact details for the Chief Privacy Officer (CPO) or the department responsible for privacy.
- Include: Name, department, and contact information (phone number or email).
G. Automatic Collection Tools (Cookies)
If you use cookies or similar tracking technologies, you must disclose:
- How they are installed/operated.
- How users can refuse or block them (e.g., browser settings instructions).
3. Requirements Specific to Foreign Companies
A. Domestic Agent (Local Representative)
If your company must appoint a Domestic Agent (because you have no Korean office and meet applicable sales/user thresholds), you should disclose the agent’s details in the Privacy Policy. If you need a practical explanation of when the appointment obligation applies and what the agent does, see our guide on Korea PIPA Domestic Agent requirements for foreign companies.
Required fields:
- Name (or representative name if the agent is a corporation).
- Address (Korean physical address).
- Phone number (a valid domestic number reachable during business hours).
- Email address.
If you are looking for an operational partner to serve as your local point of contact, our Domestic Agent in Korea for PIPA Compliance service page explains scope, onboarding, and ongoing support options.
B. Cross-Border Transfers
Since foreign operators commonly transfer data abroad, this section is vital. You should disclose:
- Country: Where the data is transferred.
- Recipient: Name of the entity receiving the data.
- Purpose: Why it is transferred (e.g., “cloud storage”).
- Refusal: How users can refuse the transfer and the consequences of refusal (e.g., “service cannot be provided”).
Note: While the PIPC often recommends separating “Cross-Border Transfers” from “Third-Party Provision,” the sections may be consolidated if separation harms readability, provided all required details remain clear.
4. Children’s Privacy (Under 14)
If you process data of children under 14, you must state that consent from a legal representative (guardian) is required. You should also explain how the guardian can exercise rights on the child’s behalf.
5. Best Practices for Drafting
- Avoid “global” ambiguity: Do not use vague statements such as “We share data with global affiliates.” Be specific about which entities handle Korean personal data.
- Comparisons for updates: When updating the policy, keep previous versions accessible. It is recommended to provide a comparison table showing what changed between versions.
- Consolidation: Where possible, publish a single page that consolidates PIPA requirements for Korean users rather than scattering Korean addendums across multiple global-policy pages.
Finally, if you are not sure whether your business is considered to be “targeting” Korea or creating a direct and substantial impact, use our practical checklist on whether PIPA applies to your business before finalizing policy language and operational controls.
Disclaimer: This guideline is based on the PIPC’s “Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators” (2024). Privacy policies should be reviewed by legal counsel to ensure compliance with the latest regulations and enforcement practices.

