Financial Crime World

Personal Information Protection Act (PIPA) in South Korea
=====================================================

The Personal Information Protection Act (PIPA) is a comprehensive law in South Korea that regulates the collection, use, and disclosure of personal information.

Obligations of Personal Data Controllers


The following are key obligations of personal data controllers under PIPA:

  • Register: Personal data controllers must register with the Privacy Mark Certification Board if they collect or process personal information.
  • Privacy Policy: They must establish a privacy policy that explains how they will use and protect personal information.
  • Consent: They must obtain consent from individuals before collecting, using, or disclosing their personal information, unless an exception applies (e.g., emergency situations).
  • Purpose Specification: They must specify the purpose of collecting, using, or disclosing personal information in advance.

Rights of Data Subjects


The following are key rights of data subjects under PIPA:

  • Access and Correction: Individuals have the right to access and correct their personal information.
  • Deletion: Individuals may request deletion of their personal information if it is no longer necessary for the original purpose.
  • Withdrawal of Consent: Individuals may withdraw consent at any time.

Breach Notification


If a breach occurs, personal data controllers must notify affected individuals within three days of discovering the breach.

Enforcement and Penalties


PIPA is enforced by the Personal Information Protection Commission (PIPC). Failure to comply with PIPA can result in administrative fines of up to KRW 30 million. In severe cases, both the data controller and the transferee may be subject to criminal sanctions (imprisonment of up to 5 years or a criminal fine of up to KRW 50 million).

Electronic Marketing


To send electronic marketing messages, companies must obtain explicit consent from individuals and provide clear instructions on how to opt out.

Online Privacy


PIPA also regulates the use of cookies, logs, and IP addresses as personal information. Location information is governed by a separate Act (LBS Act), which requires prior consent for collection, use, or disclosure.

Additional Regulations


The Korea Communications Commission (KCC) regulates location-based service providers and location information providers. These entities must report to the KCC and obtain licenses. They also must disclose specific information in their service agreements, including rights held by individuals and methods of exercising those rights.

This summary provides an overview of the key aspects of the PIPA in South Korea. For more detailed information or specific guidance, it is recommended to consult with a qualified professional or seek resources from reputable sources.