As global digital services expand, the Republic of Korea has strengthened its regulatory framework to protect the personal information of its residents. For foreign companies, navigating the Personal Information Protection Act (PIPA) is critical, as the law applies extraterritorially to businesses that significantly impact "Korean Data Subjects," even without a physical presence in the country.
This overview outlines the scope of PIPA’s application to foreign operators and the key compliance obligations required to do business in Korea.
1. Does PIPA Apply to Your Company?
The PIPA applies to foreign business operators in three primary scenarios:
- Provision of Goods or Services: If a company provides goods or services to "Korean Data Subjects" (individuals who reside or use services in Korea).
- Impact on Data Subjects: If the processing of personal information has a "direct and substantial impact" on Korean data subjects, even if services are not directly offered to them (e.g., publishing collected personal data online).
- Place of Business: If the company maintains a place of business (such as a branch or liaison office) within Korea.
2. How Regulators Determine "Targeting"
Because the internet is borderless, regulators look for specific intent to determine if a foreign company is "providing services" to Korea. Factors indicating PIPA applicability include:
- Operating a website with a Korean country domain (.kr or ko-kr).
- Providing services or customer support in the Korean language.
- Accepting payment in Korean Won (KRW).
- Offering shipping or delivery to Korean addresses.
- Running advertisements specifically targeting Korean consumers.
Note: Mere accessibility of a website by a Korean national abroad, or incidental use where Korea is explicitly excluded from the supported regions, generally does not trigger application of PIPA.
3. Key Compliance Obligations for Foreign Companies
If PIPA applies, foreign operators must adhere to the same principles as domestic companies.
A. Privacy Policy Disclosure
Foreign operators must establish and disclose a Privacy Policy. Crucially, this policy must be written in Korean so data subjects can easily understand it. It cannot simply be a direct translation of a global policy; it must specifically address PIPA requirements, such as clearly labeling the "Privacy Policy" on the website and distinguishing between third-party provision and entrustment of data.
B. The "Domestic Agent" Requirement
Foreign companies without a physical address in Korea must designate a Domestic Agent (local representative) if they meet specific thresholds.
- Who must appoint an agent? Companies with no Korean address that have global annual sales of 1 trillion KRW or more, or that store or manage the data of 1 million or more domestic users on a daily average. For details, see our article Korea PIPA Domestic Agent Requirements for Foreign Companies.
- Role of the Agent: The agent handles grievances, manages data breach notifications, and submits materials to regulators. Their contact details (name, address, phone, email) must be listed in the Privacy Policy.
- 2025 Amendment: Effective October 2, 2025, if a foreign controller has a Korean subsidiary or affiliate over which it exercises "significant influence," it must designate that Korean entity as its domestic agent, rather than a third-party service.
C. Data Subject Rights
Foreign companies must guarantee the rights of Korean data subjects, including access, correction, erasure, and suspension of processing.
- Response Time: Companies must respond to rights requests within 10 days.
- Procedure: The method for exercising these rights must be no more difficult than the method used to collect the data (e.g., if data was collected online, requests must be accepted online).
D. Children’s Privacy (Under 14)
The age of consent for digital services in Korea is 14. Foreign operators must obtain consent from a legal representative (parent/guardian) before processing the personal information of a child under 14. Age verification measures are recommended to ensure compliance.
E. Data Breaches and Reporting
In the event of a data breach (loss, theft, or divulgence), companies must:
- Notify Data Subjects: Without delay.
- Report to Authorities: If the breach involves 1,000 or more users, sensitive data, or external hacking, a report must be filed with the Personal Information Protection Commission (PIPC) or Korea Internet & Security Agency (KISA) within 72 hours.
4. Cross-Border Data Transfers
PIPA generally prohibits cross-border transfers unless specific conditions are met, such as obtaining separate consent from the data subject or ensuring the transfer is necessary for contract performance.
- Disclosure: When obtaining consent, companies must specify the country to which data is transferred, the recipient's name, and the purpose/retention period.
- Penalties: The PIPC can order the suspension of cross-border transfers if a company fails to protect the rights of data subjects.
5. Enforcement and Penalties
Korea actively enforces PIPA against foreign operators. The PIPC investigates violations and can impose corrective orders, administrative fines, and penalty surcharges.
- Penalty Surcharges: Violations can result in surcharges of up to 3% of total sales.
- Global Revenue Calculation: "Total sales" refers to the company's global sales, not just sales in Korea. However, companies may exclude sales unrelated to the violation if they can prove the amount; otherwise, the calculation may be based on total global revenue.
Eligibility: KOISRA UP is a Korea-based company eligible to provide PIPA Domestic Agent (Local Representative) services in accordance with the Personal Information Protection Commission (PIPC) requirements and applicable regulations. For details, please see our insight: Korea PIPA Domestic Agent Requirements for Foreign Companies.
Disclaimer
This article provides a general overview based on PIPC guidelines and legal texts. Companies should consult with legal professionals to ensure full compliance with South Korean law.