Skip Navigation

Proposed Amendment to Enforcement Decree of the PIPA Integrating Online and Offline Regulations Entered into Force


The amended Personal Information Protection Act (the “PIPA”), which focuses on issues such as (i) strengthening the rights of data subjects, (ii) integrating and updating regulations on processing personal information by regular data controllers and online service providers, and (iii) shifting from criminal penalties to economic sanctions, entered into force on September 15, 2023. On September 5, 2023, the proposed amendments to the Enforcement Decree of the PIPA (the “Proposed Amendments”), which aim to align the current Enforcement Decree with the amended PIPA and provide more details regarding the amended PIPA provisions, were approved at the State Council.

The Proposed Amendments entered into force on September 15, 2023, together with the amended PIPA. Moreover, amendments to the enforcement decree regarding certain amended PIPA provisions which will come into force on March 15, 2024, namely, (i) the right to request the transmission of personal information, (ii) a data subject’s rights regarding automated decisions, and (iii) the evaluation of the level of personal information protection at public institutions, will be gradually announced starting from October, 2023. 


Key Details

Requirements for Processing Personal Information

  • How to obtain consent. Legitimate consent must satisfy the following conditions: (i) consent is obtained from the data subject at his/her own free will, (ii) details for the consent must be specific and clear, (iii) the text for obtaining the consent must be easy to understand, and (iv) the data subject must be provided with a way to clearly express his/her consent.

Mobile Visual Data Processing Devices

  • Definition of mobile visual data processing devices. Mobile visual data processing devices are classified into (i) devices that are worn on the human body and clothes, such as glasses and watches (“wearable devices”), (ii) devices that can be easily carried by people, such as mobile devices and digital cameras (“portable devices”), and (iii) devices that are fixed and attached to or hung from movable objects, such as vehicles and drones (“attached/hung devices”).

  • How to notify data subjects of filming. The relevant provision stipulates that when using mobile visual data processing devices, the fact that filming is taking place must be displayed and notified by means of lights, sounds, signboards, written statements, announcements or other similar means. If it is difficult to display and notify that filming is taking place due to the nature of the filming method used (e.g., drone), a notice should be posted on a website operated by the PIPC.

Restriction on Overseas Transfer of Personal Information

  • Recognition of level of personal information protection. The Proposed Amendments provide for the matters and procedures to be considered when recognizing the level of personal information protection offered by certain countries and international organizations (assessment by the expert committee on overseas transfer and consultation with the policy council).

  • Criteria for suspension orders. In determining whether the PIPC should order a suspension of an overseas transfer, the PIPC must consider (i) the type and amount of personal information that has been transferred overseas or is expected to be transferred, (ii) the severity of the violation of the relevant regulations, (iii) whether the damage is serious or irreparable, (iv) whether there is a clear benefit to the data subject, (v) whether it is possible to protect and prevent the infringement of personal information through corrective measures, (vi) whether the recipient/country of destination has effective means of remedy for damages, and (vii) whether there are reasons to believe that it is difficult to properly protect personal information, such as material infringement of personal information at the recipient/country of destination.

Privacy Policy Evaluation System

  • Subject of evaluation. The target of the evaluation will be selected by considering (i) the type and amount of revenue of the data controller, (ii) the type (e.g., sensitive information and unique identification information) and amount of personal information processed, (iii) the legal basis and method of processing personal information, (iv) whether any violation of law has occurred, and (v) the characteristics of data subjects (e.g., children and juveniles).

  • Assessment procedures. The PIPC will provide an assessment plan to the data controller at least ten days before the assessment begins, and notify the data controller of the results of the assessment without delay.

Integration of Online and Offline Regulations

  • Notification of history of using and/or providing personal information. A data controller must notify data subjects of its history of using and/or providing their personal information at least once a year if (i) the data controller processes sensitive information or unique identification information of 50,000 or more data subjects on a daily average basis during the three months immediately preceding the end of the previous year, or (ii) the data controller processes personal information of 1 million or more data subjects.

  • Which data controllers must designate a domestic privacy agent. Data controllers that meet one of the following thresholds must designate a domestic privacy agent: (i) the data controller had a total revenue of KRW 1 trillion or more in the previous fiscal year, (ii) the data controller stored and managed the personal information of 1 million or more domestic data subjects on a daily average basis during the three months immediately preceding the end of the previous year, or (iii) the PIPC has requested the data controller to submit certain materials and decided that said data controller needs to designate a domestic privacy agent.

  • Notification and reporting of personal information leakages. In the event of a personal information leakage, the data controller must notify the affected data subjects within 72 hours of becoming aware of the leakage. The data controller must also report to the regulator within 72 hours if (i) personal information of 1,000 or more data subjects has been leaked, (ii) sensitive information or unique identification information has been leaked, or (iii) personal information has been leaked through unauthorized access from the outside. However, the data controller does not need to report to the regulator if it is able to take measures to significantly reduce the possibility that the rights and interests of the affected data subjects might be infringed, such as retrieving or deleting the compromised personal information.

Personal Information Dispute Mediation    

  • Notification of Intention not to accept mediation. In cases where a data controller refuses to participate in a dispute mediation based on statutory grounds, it must notify the Dispute Mediation Committee of its intention and the reasons for the non-participation within ten days of receiving the notice of dispute mediation.

  • Prior notice of examination for dispute mediation. The Dispute Mediation Committee must give the data controller subject to mediation a seven-day written notice of its examination, including the purpose, period, place, scope and details of the examination.

Detailed Standards and Procedures for Imposing Administrative Penalties

  • Criteria for determining revenue unrelated to a violation. The following revenues may be excluded from the base revenue from which a penalty is calculated: (i) revenue from goods or services that are unrelated to personal information processing and (ii) revenue that the PIPC has acknowledged as not obtained from goods or services directly or indirectly affected by the violation.

  • Exemptions from administrative penalties. Parties may be exempted from administrative penalties if the violation is remedied and falls under the criteria to be further notified by the PIPC.

  • Seriousness of the violation when calculating the base fine. Violations are categorized into four grades: (i) very serious violation, (ii) serious violation, (iii) moderate violation, and (iv) minor violation.

Detailed Standards and Procedures for Imposing Administrative Fines

  • Additional grounds for reduction of, or exemption from, administrative fines. Additional grounds for the reduction of, or exemption from, an administrative fine include (i) having implemented measures to compensate for damages and to prevent further harm, (ii) having made efforts to protect personal information, such as obtaining the relevant information protection certification and partaking in voluntary personal information protection activities, and (iii) voluntarily reporting violations.


Taking into account the significance of the Proposed Amendments, affected companies may obtain meaningful insights by keeping track of the latest developments regarding the Proposed Amendments and carefully examining additional notifications and guidelines to be published by the PIPC.


[Korean Version]