Skip Navigation
KO EN JP CN
Intellectual Property Careers
Menu
Intellectual Property Careers
Locations Contacts
Close
Search
Newsletters

Proposed Amendment to the Enforcement Decree of the Personal Information Protection Act

2025.06.25
Audio Print

In our last newsletter (Link), we shared that the National Assembly passed the amendment to the Personal Information Protection Act (“PIPA”), which will tighten the obligation for foreign businesses (i.e., foreign data controllers) to designate a domestic agent in Korea. This amendment is set to take effect on October 2, 2025.
 
As a follow-up measure, the Personal Information Protection Commission announced the draft amendment to the Enforcement Decree of the PIPA (the “Proposed Amendment”) on May 30, 2025 to provide more details on which domestic entities of foreign data controllers must be designated as domestic agents, as well as the scope of duties of such agents. You can find the legislative notice (available in Korean, Link).
 

1.

Entities Eligible for Designation as Domestic Agents (Articles 32-3)

Under the amended PIPA, foreign data controllers subject to the domestic agent designation requirement must appoint a domestic agent from among the following: (i) a Korean entity established by the data controller or (ii) a Korean entity over which the data controller exerts “significant influence” with respect to executive composition, business operations, and other related matters, as further detailed in the Presidential Decree.

The Proposed Amendment clarifies that “significant influence” exists where the data controller: (i) appoints or dismisses the representative director, or appoints or has the authority to appoint 50% or more of the company’s board members, or (ii) holds 30% or more of the total issued shares or capital contribution in the company.
 

2.

Clarification on the Duties of Domestic Agents (Article 63)

The Proposed Amendment clarifies the duties imposed on domestic agents. Specifically, domestic agents will be required to: (i) establish work plans for fulfilling their responsibilities and review their implementation, (ii) verify whether appropriate improvements have been made based on those reviews, and (iii) provide training to their employees at least once per year.
 

3.

Administrative Fine Criteria (Annex 2)

Under the Proposed Amendment, administrative fines will be imposed as follows:
 

  • An administrative fine of up to KRW 20 million for: (i) failing to designate a Korean entity or an entity over which the data controller exercises significant influence as the domestic agent, even when a foreign data controller has one or (ii) failing to properly oversee the designated domestic agent.
     

  • An administrative fine ranging from KRW 2 million to 8 million, depending on the number of violations, for failing to include the domestic agent’s name, address, telephone number, and email address in the privacy policy.
     

The Proposed Amendment is scheduled to take effect on October 2, 2025, following a 40-day public consultation period from May 30 to July 9, 2025. Given the potential impact on foreign data controllers operating in Korea, close attention should be paid to the requirements for domestic agents and the associated oversight obligations under the Proposed Amendment.

Related Topics

#Personal Information Protection Act #Privacy #Privacy & Data Security #Legal Update

List

Share

Close

Professionals

CLose

Professionals

CLose
Korea Legal Insight 2025