South Korea

A data breach occurred. Can I receive compensation?

Max statutory damages: ₩3 million
Limitation period: 3 years
PIPA liability: Article 39-2
Strict liability: 100% fault

The Short Answer

Yes, you may receive compensation for damages caused by a data breach under South Korea’s Personal Information Protection Act (PIPA), including actual losses and statutory damages up to ₩3 million.

What the Law Says

South Korean law holds personal information handlers strictly liable for damages arising from data breaches, even without proof of negligence.

Under the Personal Information Protection Act (PIPA), any entity that processes personal information — such as companies, government agencies, or schools — is legally responsible for protecting that data. If a breach occurs due to their failure to implement required security measures, they must compensate affected individuals for resulting damages.

Compensation includes both actual damages (e.g., financial loss from identity theft) and statutory damages. Statutory damages apply automatically if unlawful processing or security failures are proven — no need to prove intent or gross negligence.

The law imposes strict liability: if the handler cannot prove it took all required technical and managerial safeguards, it is presumed at fault. This shifts the burden of proof to the organization, not the individual.

Statutory Text

A personal information handler shall be liable for damages incurred by a data subject due to the leakage, loss, alteration, or falsification of his/her personal information, unless the handler proves that it has taken all required technical and managerial measures.

Personal Information Protection Act, s. 39-2 — Liability for Damages

Statutory Text

Where damages are difficult to prove, the court may award statutory damages of up to three million won per claimant.

Personal Information Protection Act, s. 39-2 — Liability for Damages

What to Do

1. Confirm whether your personal information was involved in the breach (check official notice from the handler or Korea Internet & Security Agency [KISA] alerts)

2. Gather evidence of harm (e.g., unauthorized transactions, phishing attempts, credit report changes)

3. File a damage claim with the personal information handler in writing — they must respond within 30 days

4. If unresolved, file a complaint with the Personal Information Dispute Mediation Committee (PIDMC) or sue in district court

5. Note: You must file a lawsuit within 3 years from when you knew (or should have known) about the breach and damage

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.