Global Data and Cyber Handbook

South Korea

Select a Topic
Start Comparison
Territorial Scope
What is the territorial reach of the data privacy and cybersecurity laws?

Last review date: 1 January 2025

In April 2024, the PIPC announced "Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators," outlining three main criteria:

☒  applies to organizations located in the jurisdiction

☒  applies to organizations located outside of the jurisdiction offering goods or services to data subjects in the jurisdiction

PIPA may apply when an overseas business provides goods or services to Korean data subjects, when the overseas business's processing of personal information affects Korean data subjects, or when the overseas business has an establishment within Korean territory.

☒  applies to organizations located outside of the jurisdiction engaged in the monitoring of the behavior of data subjects located in the jurisdiction

PIPA applies if an overseas business processes personal information of Korean individuals or Korean data subjects in a way that directly and substantially affects Korean data subjects, regardless of whether goods or services are provided in Korea. The impact on Korean individuals or data subjects is assessed on a case-by-case basis to determine PIPA applicability. For example, the PIPC applied PIPA in a case where an overseas business collected behavioral information through user identifiers targeting service subscribers in Korea.

 ☒  no express territorial scope, but would require some nexus to the jurisdiction

  • As a matter of principle, if a global service provider has an establishment in Korea where personal information is processed, they must comply with PIPA. Additionally, if a company providing goods or services globally establishes a business in Korea and designates it as the personal information controller for Korean data subjects, PIPA may apply to that Korean business.
  • However, if it does not involve the processing of personal information of Korean individuals or Korean data subjects, PIPA applicability will be determined comprehensively considering the laws of the relevant country and other circumstances. If the personal information of foreign data subjects processed at a domestic establishment in Korea is compromised and requires action by the Korean government (e.g., if a website operating in Korea for private sanctions publishes names, photos, etc. of foreign data subjects who have taken certain actions, and the relevant country requests measures against such website), application of PIPA may be considered.
{{ $store.state.loadingScreen.message }} ...