Legal Bases for Processing of Personal Data
Is an identified legal basis required in order to collect or process non-sensitive personal data?

Last review date: 1 January 2025

Yes

The following are potential legal bases for processing personal data:

  • the data subject has provided consent to the processing for the identified purposes

  • the personal data is necessary to perform a contract with the data subject

  • the personal data is necessary to comply with a legal obligation

  • the personal data is necessary to protect the vital interests of a natural person

  • the personal data is necessary for a public interest

  • the personal data is necessary to fulfil a legitimate interest of the controller or third party (provided that the interest is not overridden by the data subject's privacy interests and the data subject has not made use of his/her right to object)

Is an identified legal basis required in order to collect or process sensitive personal data?

Last review date: 1 January 2025

The following are potential legal bases for processing sensitive personal data:

☒  the data subject has given consent to the processing, where consent is measured to a higher standard than for non-sensitive personal data (for example, additional requirement for consent to be "explicit")

☒  other

  • processing of sensitive information and personally identifiable information is permitted when required or allowed by laws and regulations (PIPA, Articles 23 and 24).

However, resident registration numbers cannot be processed even with the data subject's consent that meets the higher standard required, except in the following cases:

  • When specifically required or permitted by specific superordinate legislation (Acts, Presidential Enforcement Decrees, National Assembly Regulations, Supreme Court Regulations, Constitutional Court Regulations, National Election Commission Regulations, or Board of Audit and Inspection Regulations)
  • When clearly necessary to protect the vital interests of life, body, or property of the data subject or a third party (PIPA, Article 24-2).

Are there special requirements that apply to the collection or processing of personal data from minors?

Last review date: 1 January 2025

Yes. If a personal information controller is required to obtain consent under PIPA to process the personal information of a child under the age of 14, the controller must obtain consent from the child's legal representative and verify that the legal representative has given consent. When notifying a child under the age of 14 about the processing of personal information, the controller must use an easy-to-understand format and clear, simple language (PIPA, Article 22-2).

In July 2022, the PIPC announced its "Guidelines on the Protection of Personal Information of Children and Adolescents," which provide guidance on the processing of personal information for children under 14 and for adolescents aged 14 to under 18. The guidelines detail the obligations of personal information controllers in planning and designing services, as well as in collecting, using, disclosing, storing, and disposing of personal information. Additionally, the guidelines emphasize the importance of safeguarding the rights of children and adolescents who are the subjects of personal information.

In what circumstances do these special requirements apply?

Last review date: 1 January 2025

Generally

What are the special requirements that apply to collecting or processing personal data from minors?

Last review date: 1 January 2025

What are the special requirements that apply to collecting personal data from minors?

☒  consent must be given or authorized by the holder of parental responsibility over the child