Under South Korea’s Personal Information Protection Act (PIPA), the requirement to appoint a Domestic Agent (국내대리인) is a critical compliance obligation for many overseas companies. While PIPA may apply to foreign companies that provide goods or services to Korean data subjects—or whose processing has a direct and substantial impact on them—being subject to PIPA does not automatically mean you must appoint a Domestic Agent.
This guide explains (1) who must appoint an agent, (2) how the 2025 subsidiary rule affects “paper companies,” and (3) how to operationally train and supervise the agent so it works in real regulatory scenarios.
1) Who Must Appoint a Domestic Agent?
The Domestic Agent obligation generally applies to foreign companies that:
- Do not have a registered address or place of business in Korea; and
- Meet one of the scale or enforcement triggers below.
The main triggers:
- High revenue: Annual global sales of KRW 1 trillion (approx. $750M USD) or more.
- High user volume: You store/manage the personal information of 1 million+ Korean users on a daily average basis (calculated over the prior 3 months).
- Regulatory order: The Personal Information Protection Commission (PIPC) explicitly orders appointment, typically in the context of a case where your company is asked to submit materials regarding a violation or investigation.
2) The “Paper Company” & Subsidiary Rule (New 2025 Mandate)
A common scenario involves a foreign company that already has a Korean subsidiary, but the subsidiary is effectively a “paper company” (registered entity with no employees) or a minimal sales/marketing office.
The “Significant Influence” rule (effective October 2, 2025):
If a foreign controller is required to appoint an agent and has a Korean subsidiary over which it exercises “significant influence” (e.g., 30%+ equity ownership or executive appointment/control), it must designate that Korean subsidiary as its Domestic Agent.
- The operational challenge: A “paper company” with no staff cannot practically fulfill agent duties (e.g., answering calls, handling grievances, coordinating responses).
- The compliant solution: If the “significant influence” rule applies, you generally cannot bypass it by appointing a third-party agent instead. The Korean subsidiary remains the legal Domestic Agent, but it may formally outsource day-to-day execution (phone response, grievance intake/routing, and regulatory submission coordination) to a service provider—while the subsidiary stays accountable as the designated agent.
3) What If You Do Not Meet the Thresholds? (Exempt Companies)
If your global revenue is under KRW 1 trillion and you have fewer than 1 million Korean users, you are exempt from appointing a Domestic Agent, unless the PIPC orders an appointment as described in Section 1.
However, PIPA may still apply. In that case, you must manage compliance from abroad and should ensure the following are addressed:
- CPO designation: Designate a Chief Privacy Officer (CPO) and disclose the department/contact information in your privacy policy.
- Korean-language privacy policy: Publish a compliant policy in Korean.
- Breach notification: You remain responsible for notifying users and the PIPC within 72 hours of a breach.
4) Training and Supervision: The “Book of Flow” Approach
The foreign company (controller) is expected to supervise and educate the agent. This is not a check-the-box exercise. If the regulator calls the agent and the agent can only say, “I don’t know—let me email headquarters,” the company may be seen as failing to maintain a functional agent arrangement.
A practical method: prepare a “Book of Flow” (operational manual).
A) The “Book of Flow” (data mapping)
The agent should be able to explain your data lifecycle quickly and consistently, including:
- What is processed (e.g., user ID, device identifiers, payment-related data).
- From whom the data is collected (e.g., app users, web users, guest checkout).
- To whom the data is disclosed/shared (e.g., hosting vendors, delivery vendors).
- By whom access is granted (e.g., support team, DevOps, limited roles).
- Where data is stored (e.g., primary region, backup region).
Why it matters: During an inquiry, the PIPC may request immediate “submission of materials.” A ready “Book of Flow” helps avoid delays and inconsistent answers.
B) Template answers (SOPs)
Provide pre-approved response playbooks for common situations, such as:
- Rights requests: what to do when a user requests deletion or access (identity verification, ticket logging, routing, closure).
- Regulator inquiries: how to acknowledge receipt, escalate internally, and produce materials promptly.
- Grievance FAQ: prepared answers for recurring complaints (e.g., account closure, collection necessity).
C) Drills and simulation
Run a tabletop breach simulation: can the agent coordinate drafting the Korean notice and locate the reporting process within the 72-hour window?
5) Real-Life Case Studies (How It Works in Practice)
Case 1: The Global Giant (mandatory designation)
- Profile: US-based social media platform, no office in Seoul.
- Stats: 5 million daily Korean users; $10B global revenue.
- Result: Must appoint a Domestic Agent; agent details appear in the Korean privacy policy.
Case 2: The Niche Luxury Brand (exempt)
- Profile: European fashion e-commerce shipping to Korea.
- Stats: 50,000 daily Korean visitors; $500M global sales (approx. 660B KRW).
- Result: No Domestic Agent required, but Korean privacy policy and rights-request handling remain necessary.
Case 3: The “Paper Agent” failure (non-compliance)
- Profile: Foreign developer appoints an acquaintance as agent to save costs.
- Scenario: Breach occurs; PIPC calls; number goes to voicemail; agent lacks “Book of Flow.”
- Result: Viewed as failure to maintain a functional agent and grievance channel.
Case 4: The “Significant Influence” subsidiary (post-2025 rule)
- Profile: Global software company; sales > KRW 1 trillion; 100%-owned marketing subsidiary in Seoul.
- Result: Must designate the subsidiary as Domestic Agent; subsidiary must be resourced/trained or outsource execution while remaining the legal agent.
Case 5: The B2B / API provider (indirect impact)
- Profile: US company provides chat API to Korean shopping malls and processes chat logs of Korean users.
- Result: If thresholds are met, agent appointment is required to handle disputes and regulator interactions tied to that processing.
Case 6: Online gaming company (dual-agent issue)
- Profile: Global RPG developer with 2 million daily active users in Korea; no physical office; has a separate local GRAC rating agent.
- Result: “Game Domestic Agent” and “PIPA Domestic Agent” are distinct roles; a dedicated PIPA Domestic Agent is required unless one entity is contractually capable of both. For users under 14, the company should ensure a system for legal representative (parental) consent where required.
6) Liability: Who Is Responsible?
Outsourcing the agent function does not outsource the risk.
- The foreign company (controller): retains ultimate liability. If the agent fails to report a breach on time or provides incorrect information to the regulator, the controller may be treated as having committed the violation.
- The agent: acts as a legal representative and may have independent liability in certain misconduct scenarios, but enforcement typically focuses on the controller.
Disclaimer
This article is based on the PIPC Guidelines (2024) and the Personal Information Protection Act. Rules regarding “significant influence” and agent obligations may change; professional legal advice is recommended.

