Information Requirements, Data Subject Rights, Accountability and Governance
What information needs to be included in a privacy notice to data subjects?

Last review date: 1 January 2025

☒   the identity and the contact details of the controller and, where applicable, of the controller's representative

☒   the contact details of the data protection officer, where applicable

☒   the purposes of the processing for which the personal data is intended

☒   the legal basis for the processing

☒   the categories of personal data concerned

☒   the recipients or categories of recipients of the personal data, if any

☒   information regarding data transfers to third countries, where applicable, and reference to appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available

☒   the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period

☒   the existence of data subjects' rights, such as the right to access, rectification, erasure, data portability, etc.

☒   the existence of the right to withdraw consent if processing is based on consent

☒   the security provided to the data

☒   the right to lodge a complaint with a supervisory authority (not mandatory, but recommended)

☒   if applicable, information regarding automated decision making, including profiling

☒   other

The following information also needs to be included in a privacy notice:

  • Information on the processing of personal information of children under 14 (not mandatory, but recommended)
  • Information on the procedures and methods for the destruction of personal information
  • Criteria for determining additional use or provision when continuous additional use or provision occurs
  • Possibility of disclosing sensitive information and methods for choosing non-disclosure
  • Information on the processing of pseudonymized information
  • Information on the installation, operation and rejection of automatic collection tools for personal information (e.g., cookies)
  • Information on the collection, use and rejection of behavioral information by third parties through automatic collection tools, if allowed (recommended)
  • Information on the designation of domestic representatives for foreign personal information controllers
  • Information on the operation and management of video information processing equipment
  • Information on changes to the privacy policy

Do data subjects have specific privacy rights that must be operationalized?

Last review date: 1 January 2025

Yes

Data subjects have the following data privacy rights, although the specifics of the scope and conditions for each of these vary depending on the circumstances and local law:

  • right to access the data subject's own personal data
  • right to rectify/correct the data subject's own personal data where inaccurate or incomplete
  • right to erasure of personal data
  • right to restrict data processing
  • right to data portability
  • right to object to the processing of personal data
  • right to withdraw consent
  • other

Are there accountability and governance requirements?

Last review date: 1 January 2025

There are accountability and governance requirements to:

☒  take privacy by default and design measures for all processing of personal data

The PIPC has introduced a Privacy by Design (PbD) certification scheme to promote privacy-friendly design measures on a voluntary basis. Companies that achieve PbD certification can benefit from increased consumer trust and competitive advantage in the marketplace by demonstrating their commitment to privacy throughout the product lifecycle. However, there are no specific legal obligations or regulatory incentives associated with achieving PbD certification.

☒  perform and document data protection impact assessments (DPIAs) for high-risk processing:

Public institutions must conduct and submit to the PIPC an impact assessment to analyze risk factors and derive improvements when the operation of personal information files that meet certain criteria may infringe on the personal information of data subjects (PIPA, Article 33). Private companies are not required to conduct such privacy impact assessments.

☒  maintain a record of processing activities

☒  implement appropriate measures to comply with data privacy and security

☒  demonstrate compliance with data privacy and security

☒  identify a specific individual as the data privacy contact for data subject or data protection authority inquiries

☒  provide training to employees

☒  audit or supervise data processors

☒  appoint a local representative in the jurisdiction (if the controller or processor is not located in the jurisdiction)