South Korea’s Personal Information Protection Act (PIPA)

The Constitution of South Korea recognizes the privacy of communications and freedom of expression as a fundamental right. PIPA went into effect September 2011 and was considered one of the world’s most stringent data protection laws. The goal of PIPA was to develop a ‘data economy’ by introducing a legal basis on which data may be used in a more flexible way provided it’s reasonably related to the original purpose for which it was collected. This law dictates standard procedures for data transfer and protects citizens’ rights and interests.

PIPA was amended in 2020, enforcing specific rules for data processing, collection and disclosure. An additional amendment was published by the Personal Information Protection Council (PIPC) for public comment on January 6, 2021. The proposed amendment introduces the right to data portability and the right to be excluded from automated decision-making, diversifies the methods of transferring personal data overseas and includes pseudonymised data in the scope of information that a data handler is required to destroy.

Amendments Passed in 2020


1st Amendment Introduces the concept of “pseudonymised data” and distinguishes between personal data and pseudonymized data. Pseudonymized data can typically be processed without consent when the purpose is for research, statistics and public records.


2nd Amendment Allows entities to reasonably use personal data without consent, if data is being used “within a scope that is reasonably related to the original purpose of collection.”


3rd Amendment Allows data to be merged under special conditions. Data sets by two different processors may be amalgamated if performed by specialized agencies that commit to meeting regulations in compliance with PIPA requirements.

Key Definitions

Personal Data

Personal Data

PIPA has a broad definition of personal data, which is any data relating to a living natural person that:

  • Dot Identifies a particular individual by his/her full name, resident registration number ('RRN'), image, or the like
  • Dot May be easily combined with other information to identify a particular individual
  • Dot Falls under the above two categories which is pseudonymised, thereby becomes incapable of identifying a particular individual without the use or combination of additional information for restoration to its original state
Sensitive Personal Data

Sensitive Data

Personal information regarding an individual's ideology, faith, trade union or political party membership, political views, health, sexual orientation and other personal information that may cause a material breach of privacy. Further includes genetic information, criminal records, information on an individual's physical, physiological, and behavioral characteristics for the purpose of identifying a specific individual and racial/ethnic data.

Personal Data


Data from which the specific individual cannot be identified without the use or combination of additional information for restoring to the original state.

Sensitive Personal Data

Anonymised Information

Any information which cannot be used to identify a specific individual even if the information is combined with other information, after reasonably considering factors such as time, cost, and technology (not subject to PIPA).

Similarities between PIPA and GDPR


Purpose of Law



Safeguards the rights and interests of data subjects by protecting their privacy from the unauthorized collection, leak, abuse or misuse of personal information.
Applies to any public institution, corporate body, organization, individual, etc., that manages personal information directly or via another person to administer personal information files as part of their duties.
Decrees “technical, managerial and physical measures … necessary to ensure the safety, so that personal information may not be lost, stolen, leaked, altered or damaged.”
Aims “to enable the free movement of personal data within the Union while protecting fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.”
Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law.
Decrees appropriate technical responses and measures “to ensure a level of security appropriate to the risk.”

Differences between PIPA and GDPR


Personal Data Definition

Breach Definition

Officer In Charge

Has a more detailed definition of personal data.
Does not define a breach, but refers to it as an event where personal information has been breached.
Requires that the Personal Information Processor appoint a Privacy Officer.
Sets precedence when it comes to the definition of personal data, but it’s not as specific as PIPA’s definition.
Defines data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.
Requires that the Controller appoint a Data Protection Officer.

The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope. Learn more about Annex Cloud’s enterprise-ready solution, including security, privacy and compliance.

See Loyalty in Action

Be inspired with endless ways to make every customer interaction rewarding.


We Can Help

Let's explore how loyalty can help you become one of your customers' most beloved brands.


©2021 All Rights Reserved. AnnexCloud