1. Introduction
Although the accelerating digital transition has made data storage and processing more convenient, the risk of data incidents, such as breaches, during storage has been steadily increasing. Recently, a series of large-scale data breaches involving major corporations has been widely reported in the media, drawing the attention of both businesses and consumers to the methods for the lawful processing of personal data and the scope of liability imposed on data controllers when data is compromised.
The development of personal information protection laws in Korea started with the Act on the Protection of Personal Information Maintained by Public Institutions in 1994, followed by the Credit Information Use and Protection Act, the Official Information Disclosure Act, and the Act on Promotion of Information and Communications Network Utilization and Information Protection. In 2011, the Personal Information Protection Act ("PIPA" or "Act") was enacted, and the 2023 amendment to the PIPA has since established the current legal framework.
Below, I examine the definitions of "personal information" and "data controllers" under the PIPA, Korea's general law on the protection of personal information. I then explore controllers' key obligations relating to data breaches and the legal consequences of violating those obligations.
2. The Definition and Scope of "Personal Information" Under the PIPA
Under the PIPA, "personal information" means any of the following information relating to a living individual: (i) information that identifies a specific individual by full name, resident registration number, picture, etc. ("directly identifiable personal information"); (ii) information that cannot identify a specific individual by itself but can easily be combined with other information to identify an individual ("indirectly identifiable personal information"); and (iii) information under item (i) or (ii) above that has been pseudonymized, by deleting part of it or replacing all or part of it, so that it can no longer identify a specific individual without the use of, or combination with, additional information to restore it to its original state ("pseudonymized information") (items (a) to (c) of subparagraph 1 of Article 2 of the Act).
The PIPA defines its scope of protection as "information relating to a living individual," which indicates that information concerning legal entities, rather than natural persons, is not covered by the Act. The PIPA includes not only information that directly identifies a specific individual, but also information that can distinguish an individual when combined with other information, as well as pseudonymized information in its subject of protection, thereby expanding the scope of protection.
3. The Definition and Scope of "Data Controllers" Under the PIPA
Under the PIPA, the term "data controllers" refers to "public institutions, corporations, organizations, and individuals, etc. that process personal information, either directly or through any third party, in order to operate personal information files for the purpose of performing their duties" (subparagraph 5 of Article 2 of the Act). The term "personal information file" means "a collection of personal information that is systematically arranged or organized according to specific rules to allow for easy retrieval of such information." Accordingly, the mere one-time or separate collection of personal information does not confer data controller status.
According to case law concerning the scope of "data controllers," a person who creates a personal information file and processes personal information, either directly or through any third party, is deemed a data controller. However, "a person who merely has access to a personal information file established by another person"[1] is not regarded as a data controller (Seoul Western District Court Decision 2018 No 556 Decided February 14, 2019, which was finalized by Supreme Court Decision 2019 Do 3215 Decided July 25, 2019).
4. Key Obligations of Data Controllers Under the PIPA in Respect of Security Incidents, Including Data Breaches
A. Restrictions on the Processing of Unique Identifiable Information and Obligations to Safely Retain Such Information (Articles 24 and 24-2 of the Act)
(1) Unique identifiable information refers to resident registration numbers, passport numbers, driver's license numbers, and alien registration numbers (Article 24(1) of the Act and each subparagraph of Article 19 of its Enforcement Decree). When data controllers process such information, they must inform data subjects of matters necessary to process unique identifiable information and obtain separate consent for its processing, distinct from consent for the processing of other types of personal information (Article 24(1) of the Act).
In this case, data controllers must take necessary security measures, including encryption, to prevent the loss, theft, disclosure, forgery, alteration, or damage of unique identifiable information (Article 24(3) of the Act).
(2) Among unique identifiable information, resident registration numbers require a heightened level of protection. Except in cases specifically permitted by other laws, or in rare and exceptional circumstances, such as urgent situations where processing resident registration numbers is clearly necessary to protect the life, physical safety, or property interests of relevant data subjects or third parties, data controllers are prohibited from processing resident registration numbers (Article 24-2(1) of the Act).
Where data controllers process resident registration numbers, they must securely store them using encryption (Article 24-2(2) of the Act) and provide data subjects with an alternative method for membership registration without requiring the use of their resident registration numbers (Article 24-2(3) of the Act).
B. Obligation to Ensure Security of Personal Information (Article 29 of the Act)
Data controllers are required to implement the technical, managerial, and physical measures necessary to ensure the security of personal information, in order to prevent its loss, theft, disclosure, forgery, alteration, or damage (Article 29(1) of the Act). Such "security measures" include establishing, implementing, and reviewing internal management plans; restricting internal access to personal information; controlling external access to personal information processing systems, including intrusion detection and blocking; encrypting personal information for secure storage and transmission; and taking any other equivalent safeguards (Article 30(1) of its Enforcement Decree). The detailed standards for these measures are determined and notified by the Personal Information Protection Commission ("PIPC") (Article 30(3) of its Enforcement Decree).
The Standards for Measures to Ensure the Security of Personal Information specify the concrete obligations that data controllers must fulfill to ensure security. In cases involving personal information leaks, courts have assessed whether data controllers adequately fulfilled their security obligations in accordance with these standards (Supreme Court Decision 2018Da238278 Decided July 24, 2019).
C. Obligation to Notify Data Subjects Without Delay in the Event of a Data Breach (Article 34(1) of the Act)
When data controllers become aware that personal information has been lost, stolen, or disclosed, they must notify the affected data subjects of the following matters without delay (each subparagraph of Article 34(1) of the Act):
- the types of personal information that was lost, stolen, or disclosed;
- the time and circumstances of the loss, theft, or disclosure;
- information on measures data subjects can take to minimize potential harm resulting from the loss, theft, or disclosure;
- the actions taken by data controllers in response to the incident and the available remedial procedures;
- the contact information of the responsible department and other points of contact for reporting any damages.
D. Obligation to Report Data Loss, Theft, or Disclosure of Personal Information Above a Certain Threshold to the PIPC (Article 34(3) of the Act and Article 40(1) of its Enforcement Decree)
Upon the occurrence of any of the following events, data controllers must report the loss, theft, or disclosure of personal information in writing to the PIPC or other relevant authorities within 72 hours from the time they become aware of the incident:
- cases in which personal information of at least 1,000 data subjects has been lost, stolen, or disclosed;
- cases in which sensitive information or unique identifiable information has been lost, stolen, or disclosed; or
- cases in which personal information has been lost, stolen, or disclosed due to unauthorized external access to personal information systems or information devices used by data controllers for processing personal information.
5. Liabilities of Data Controllers for Security Incidents, Including Data Breaches, Under the PIPA
A. Liability to Compensate Data Subjects for Damages (Articles 39 and 39-2 of the Act)
(1) When personal information is lost, stolen, disclosed, forged, altered, or damaged due to data controllers' intent or gross negligence, and damage is thereby caused to a data subject, punitive damages may be awarded in an amount not exceeding five times the actual damages (Article 39(3) of the Act). However, claimants seeking punitive damages bear the burden of directly and specifically proving the amount of damages suffered.
(2) Article 39-2(1) of the PIPA establishes a statutory damages regime under which, if personal information is lost, stolen, disclosed, forged, altered, or damaged due to a data controller's intent or gross negligence, a data subject may claim damages in an amount of up to KRW 3 million. This regime is intended to allow data subjects to obtain compensation based on the statutory criteria for calculating damages, even without the need to prove the specific amount of damages suffered.
When data subjects file such a claim, the data controller bears the burden of proving the absence of intent or negligence (proviso to Article 39-2(1) of the Act). Accordingly, the data subject's burden of proof is reduced as compared to a claim for tort liability under Article 750 of the Civil Act.
Data breaches may also give rise to data controllers' liability to pay non-pecuniary damages (consolation damages) to data subjects. According to Supreme Court precedent, if personal information collected by a data controller is disclosed against data subjects' will, the determination of whether the data subjects suffered emotional distress sufficient to warrant compensation requires a comprehensive assessment of various circumstances, including: (i) the type and nature of the compromised personal information; (ii) whether the compromised personal information gave rise to the possibility of identifying the data subjects; (iii) whether any third party actually accessed the compromised personal information or, if such access is not confirmed, whether any third party was or is likely to make such access; (iv) the extent to which the compromised personal information has been disseminated; (v) whether the data breach has led to the possibility of further infringement of legally protected interests; (vi) the manner in which the data controller had managed the personal information and the specific circumstances under which the personal information was compromised; and (vii) the measures taken to prevent the occurrence or spread of damage resulting from the data breach. Based on this assessment, the data controller's liability to pay consolation damages may be recognized (Supreme Court Decision 2011 Da 59834 Decided December 26, 2012).
(3) When a claim for statutory damages is filed due to a data breach or other similar incidents, the court may recognize a reasonable amount of damages, up to KRW 3 million, taking into account the overall context of the hearings and the evidence presented (Article 39-2(2) of the Act).
Unlike pecuniary damages, the amount of consolation damages may be determined at the discretion of the trial court, taking into account all relevant circumstances (Supreme Court Decision 98 Da 41377 Decided April 23, 1999). In a recent Supreme Court ruling, the Court upheld the lower court's decision to award KRW 100,000 in consolation damages to each plaintiff whose personal information had been breached, where a data controller's customers' card information, comprising, in various combinations, names, resident registration numbers, card numbers and expiration dates, payment account numbers, company addresses, home addresses, alternate addresses, business phone numbers, landline numbers, and mobile numbers, had been copied to a USB drive and transferred to third parties (Supreme Court Decisions 2018 Da 207953, 2018 Da 207977, 2018 Da 207960, 2018 Da 207984 Decided October 18, 2019).
B. Imposition of Corrective Measures and Penalty Surcharges (Articles 64 and 64-2 of the Act)
The PIPC may order any person who violates the PIPA to take corrective measures (Article 64 of the Act). Where a data controller processed resident registration numbers in violation of Article 24-2(1) of the Act, resulting in the loss, theft, disclosure, forgery, alteration, or damage of personal information processed by the data controller, if it is found that the data controller failed to implement the security measures required under Article 29 of the Act, the PIPC may impose penalty surcharges on the data controller of up to three percent of its total sales[2] (Article 64-2(1) of the Act).
C. Imposition of Administrative Fines for Failure to Comply with Notification and Reporting Obligations (subparagraphs 7, 8, 17, and 18 of Article 75(2) of the Act)
An administrative fine of up to KRW 30 million may be imposed on data controllers in the following cases (subparagraphs 7, 8, 17, and 18 of Article 75(2) of the Act):
- Where they process resident registration numbers in violation of Article 24-2(1) of the PIPA;
- Where they fail to implement encryption measures in violation of Article 24-2(2) of the PIPA;
- Where they fail to provide an alternative method of membership registration that does not require the use of resident registration numbers in violation of Article 24-2(3) of the PIPA;
- Where they violate the notification obligation under Article 34(1) of the PIPA; or
- Where they violate the reporting obligation under Article 34(3) of the PIPA.
6. Conclusion
Driven by big data, the Internet of Things (IoT), and artificial intelligence (AI), recent advancements in data collection and processing technologies have enabled public institutions, private enterprises, and other organizations to acquire and manage vast amounts of personal information with ease. At the same time, the potential scale of damages resulting from data breaches has steadily increased. With heightened consumer awareness and sensitivity to data breaches and resulting damages, a single incident of personal information leakage can not only undermine a company's reputation and credibility but also result in various financial losses, including compensation payments, penalty surcharges, and administrative fines.
Accordingly, corporations and other entities acting as data controllers must comply with the personal information processing requirements set forth in the PIPA and thoroughly implement security measures to proactively prevent damages arising from potential data breaches and other security incidents. In addition, prior to any such incidents, data controllers should establish action plans to ensure the timely fulfillment of statutory obligations, such as notifying affected data subjects and reporting to competent authorities, so that, even if a breach or similar incident takes place, harm can be minimized and unnecessary penalties avoided.
Footnotes
1. However, such a person may fall within the category of "a person who processes or has processed personal information" as set forth in Article 59 of the PIPA. Accordingly, if that person discloses personal information acquired in the course of performing its duties or provides such information to others for unauthorized use, the person may be subject to criminal penalties.
2. In calculating the amount of penalty surcharges, the base amount shall be the total sales excluding those unrelated to the violations (Article 64-2(2) of the Act).