Personal Information Protection Act
Personal Information Protection Act
Personal Information Protection Act (PIPA)
1. Overview: The Personal Information Protection Act, South Korea’s general law on personal data protection
flowchart LR
A["Indiscriminate data use"] -- "Transition to a data-subject-rights protection framework" --> B["Personal Information Protection Act"]
Definition: A general law enacted to protect citizens’ rights and interests from the collection, leakage, and misuse of personal information.
Characteristics: (Unified application) A single legal framework applies to the processing of personal information across all domains, online and offline alike. (Independent governance) Establishes the Personal Information Protection Commission as an independent central administrative agency, strengthening enforcement. (Use of pseudonymized information) Introduces the concept of pseudonymized information, supporting both privacy protection and the data economy at the same time.
2. Structure and Key Systems of the Personal Information Protection Act
A. A Protection Model Across the Personal-Data Lifecycle
flowchart LR
COL["Collection / Use<br/>(consent-based)"]
PRO["Provision / Entrustment<br/>(third-party provision)"]
MGT["Management / Destruction<br/>(ensuring safety)"]
RIGHT["Exercise of subject rights<br/>(access / correction)"]
COL --> PRO --> MGT
MGT --> RIGHT
RIGHT --> COL
style COL fill:#E3F2FD,stroke:#1976D2
style MGT fill:#FFF3E0,stroke:#F57C00
| Stage | Key Compliance Requirement | Related System |
|---|---|---|
| Collection/use | Principle of minimal collection, notice of the right to refuse consent | Statutory mandatory notice items |
| Provision/entrustment | Consent for third-party provision, limits on the scope of entrusted work | Obligation to manage and supervise entrustees |
| Retention/destruction | Validity-period system, principle of immediate destruction | Notification of destruction |
B. Processing Pseudonymized Information to Boost the Data Economy
flowchart TD
subgraph INFO["Classification of Personal Data"]
P1["Personal information<br/>(Identifiable)"]
P2["Pseudonymized information<br/>(Pseudonymized)"]
P3["Anonymized information<br/>(Anonymized)"]
end
subgraph USE["Scope of Use"]
U1["Consent required"]
U2["Used without consent<br/>for statistics, research, etc."]
U3["Used without restriction"]
end
P1 --> U1
P2 --> U2
P3 --> U3
style P2 fill:#E8F5E9,stroke:#388E3C,stroke-width:2px
| Category | Definition | Permitted Scope of Use |
|---|---|---|
| Pseudonymized information | Information from which a specific individual cannot be identified without additional information | Statistics, scientific research, archiving for public interest |
| Anonymized information | Information from which an individual cannot be identified even considering time, cost, and technology | May be freely used without legal restriction |
| Combined-data specialized institution | A designated institution that combines datasets of pseudonymized information | Supports value creation through data combination |
3. Managing and Responding to Risk of Violating the Personal Information Protection Act
| Category | Key Compliance Requirement | Expected Effect and Use |
|---|---|---|
| Technical measures | Access control, encryption, retention of access logs | Reduces fines and mitigates legal liability in the event of a breach |
| Organizational measures | Appointing a CPO, regular employee training | Embeds a culture of personal-data protection within the organization and prevents misuse |
| Incident response | Breach notification and reporting (within 5 days) | Limits harm and enables swift cooperation with the regulator |