South Korea

PIPC is the independent supervisory authority with strong enforcement powers.

Opt-in consent required with detailed disclosure. Separate consent for sensitive data, cross-border transfers, and marketing.

Rights to access, correction, deletion, suspension, and data portability (2023 amendment).

Adequacy, consent, SCCs, or BCRs. 2023 amendments modernised transfer framework. EU adequacy mutual recognition.

Must notify PIPC and affected individuals within 72 hours of discovery.

Chief Privacy Officer (CPO) required for all personal information processors above certain thresholds.

Consent of legal guardian required for children under 14.

Up to 3% of related revenue. Criminal penalties. Active enforcement with significant fines.

Credit Information Act, Network Act provisions, health data regulations.

Network Act requires consent for cookies and tracking. Active enforcement.

Right to reject automated decisions. AI governance framework under development.

Financial and certain government data must be stored locally.

No direct equivalent but thresholds trigger enhanced obligations.

PIPA applies to government. Separate provisions for public institutions.