From global-privacy-regulations-skills
Guides compliance with South Korea's PIPA, covering pseudonymisation framework, consent standards, PIPC enforcement, and cross-border transfer rules under 2023 amendments.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin global-privacy-regulations-skillsThis skill uses the workspace's default tool permissions.
The Personal Information Protection Act (PIPA, 개인정보 보호법) is South Korea's comprehensive data protection law, originally enacted on 29 September 2011 (Act No. 10465) and significantly amended in 2020 (effective 5 August 2020) and 2023 (effective 15 September 2023). The Personal Information Protection Commission (PIPC, 개인정보보호위원회) is the independent supervisory authority with centralised enforceme...
Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.
Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).
Generates original PNG/PDF visual art via design philosophy manifestos for posters, graphics, and static designs on user request.
The Personal Information Protection Act (PIPA, 개인정보 보호법) is South Korea's comprehensive data protection law, originally enacted on 29 September 2011 (Act No. 10465) and significantly amended in 2020 (effective 5 August 2020) and 2023 (effective 15 September 2023). The Personal Information Protection Commission (PIPC, 개인정보보호위원회) is the independent supervisory authority with centralised enforcement jurisdiction since the 2020 amendments consolidated regulatory authority from multiple agencies.
South Korea received an adequacy decision from the European Commission on 17 December 2021, recognising PIPA as providing an adequate level of data protection for GDPR transfer purposes.
Information relating to a living individual that identifies or can identify the individual through the information alone or in combination with other information that can be easily used. Includes:
Personal information processed by partially deleting or replacing to make it impossible to identify a specific individual without the use of additional information. Pseudonymised information may be processed for statistical purposes, scientific research, and preservation of records in the public interest without consent (Art. 28-2).
| Requirement | PIPA Provision | Detail |
|---|---|---|
| Informed consent | Art. 15(2) | Must disclose: purpose, items collected, retention period, right to refuse and consequences |
| Separate consent | Art. 22(1) | Consent for processing beyond the purpose must be separated from other consent items |
| Clear distinction | Art. 22(1) | Important content must be clearly displayed (larger font, colour, bold) |
| Opt-in for marketing | Art. 22(2) | Marketing purpose collection requires separate opt-in consent |
| Refusal right | Art. 22(5) | Data handler must not refuse service due to refusal of consent for non-essential information |
| Minor consent | Art. 22(6) | For children under 14, consent from legal representative required |
Processing sensitive information requires the data subject's separate explicit consent or a specific legal basis. The consent must clearly indicate the sensitive categories being processed.
The 2023 amendments introduced additional lawful processing bases beyond consent:
| Basis | Article | Description |
|---|---|---|
| Consent | Art. 15(1)(1) | Data subject's consent obtained per Art. 22 |
| Legal obligation | Art. 15(1)(2) | Special provisions in laws or compliance with legal obligations |
| Public institution duty | Art. 15(1)(3) | Necessary for public institutions to perform statutory duties |
| Contract performance | Art. 15(1)(4) | Necessary for contract with data subject |
| Legitimate interest | Art. 15(1)(6) | Necessary for legitimate interest of the data handler, where substantially related to the purpose and within the data subject's reasonable expectations (added 2023) |
| Urgent necessity | Art. 15(1)(5) | Urgently necessary for life, body, or property of the data subject or third party |
Legitimate interest (Art. 15(1)(6)) requirements:
Pseudonymised information may be processed without consent for:
| Measure | Requirement |
|---|---|
| Separation of additional information | Additional information enabling re-identification must be stored and managed separately |
| Technical safeguards | Encryption or equivalent protection for additional information |
| Access restrictions | Designation of authorised personnel; access logging |
| Prohibition on re-identification | Prohibited from using pseudonymised information to re-identify individuals; if re-identification occurs accidentally, immediate destruction or cessation of processing required |
| Data Set | Purpose | Pseudonymisation Method | Additional Information Storage | PIPC Compliance |
|---|---|---|---|---|
| Customer shipping patterns | Statistical analysis of route optimisation | k-anonymity (k=5) with generalisation of location data | Key mapping table stored in HSM, separate from analytics environment | Compliant |
| Employee performance metrics | Industrial research on workforce productivity | Tokenisation of employee identifiers | Token-identifier mapping in isolated database with MFA access | Compliant |
| Logistics volume trends | Public interest statistical reporting | Aggregation to postal code level with suppression of groups < 10 | No additional information retained (anonymised output) | Not applicable (anonymised) |
The 2023 amendments significantly reformed cross-border transfer provisions:
| Mechanism | Article | Detail |
|---|---|---|
| Consent | Art. 28-8(1)(1) | Data subject's consent with disclosure of: recipient, destination country, transfer purpose, PI items, right to refuse and consequences |
| Contract necessity | Art. 28-8(1)(2) | Transfer necessary for contract with data subject |
| Adequacy recognition | Art. 28-8(1)(3) | Transfer to a country or international organisation recognised by the PIPC as having adequate protection |
| Standard contractual clauses | Art. 28-8(1)(4) | PIPC-approved standard contractual clauses between the parties |
| BCR equivalent | Art. 28-8(1)(4) | PIPC-approved data protection rules within a corporate group |
| PIPC certification | Art. 28-8(1)(5) | Recipient certified by a PIPC-designated certification body |
As of March 2026, the PIPC has recognised:
The data handler must notify the data subject of:
Zenith Global Enterprises Cross-Border Transfer Register:
| Transfer ID | Flow | Destination | Mechanism | Notification | Status |
|---|---|---|---|---|---|
| CBT-KR-001 | Customer data → EU HQ | Germany (EU) | Adequacy recognition | Privacy notice updated | Active |
| CBT-KR-002 | Employee data → Regional HR | Singapore | Standard contractual clauses | Employee notice provided | Active |
| CBT-KR-003 | Logistics data → APAC ops | Japan | Consent (Art. 28-8(1)(1)) | Consent collected | Active |
| CBT-KR-004 | Payment data → Treasury | United Kingdom | Adequacy recognition | Privacy notice updated | Active |
| Sanction Type | PIPA Provision | Detail |
|---|---|---|
| Corrective orders | Art. 64 | Orders to cease violations, take corrective measures, or implement safeguards |
| Administrative fines (과태료) | Art. 75 | Up to KRW 50 million for procedural violations |
| Penalty surcharges (과징금) | Art. 64-2 | Up to 3% of related revenue (increased from prior cap by 2023 amendments) |
| Criminal penalties | Art. 71-73 | Imprisonment up to 5 years or fine up to KRW 50 million for serious violations |
| Public naming | Art. 64(4) | Public disclosure of violators |
Meta Platforms (September 2022):
Kakao (2023):
Scatter Lab (2021):
| Right | Article | Response Deadline | Implementation |
|---|---|---|---|
| Right to access | Art. 35 | 10 days | Self-service portal in Korean |
| Right to correction/deletion | Art. 36 | 10 days | Correction through customer portal; deletion workflow with legal hold check |
| Right to suspension | Art. 37 | 10 days | Processing suspension within 10 days of request |
| Right to notification | Art. 34 | Without delay | Breach notification to affected individuals |
| Right to data portability | Art. 35-2 (2023) | Per PIPC regulation | Structured export (implementation timeline per PIPC guidance) |
| Right regarding automated decisions | Art. 37-2 (2023) | Per PIPC regulation | Right to explanation and refusal of automated decisions |
| Element | Requirement |
|---|---|
| Individual notification | Without delay upon discovery of breach |
| PIPC notification | Within 72 hours of discovery for breaches affecting 1,000+ individuals |
| Content | Facts of breach, items of PI leaked, countermeasures, grievance procedures |
| Large-scale breach | 10,000+ individuals: additional reporting to PIPC and public notification through the website |
| Investigation cooperation | Cooperate fully with PIPC investigation |
| Component | Detail |
|---|---|
| Internal management plan | Documented plan per Art. 29 and Enforcement Decree Art. 30 |
| Chief Privacy Officer (CPO) | Designated officer meeting PIPA qualifications (Art. 31) |
| Annual training | PIPA compliance training for all Korean employees |
| Technical safeguards | Encryption of resident registration numbers and sensitive data (Art. 24-2) |
| Data destruction | Destruction within 5 days of retention period expiry (Art. 21) |
| Privacy impact assessment | Required for public institutions; recommended for private sector for large-scale processing |