South Korea
What is the obligation to notify about data breaches?
In South Korea, personal information controllers must notify the Personal Information Protection Commission (PIPC) and affected individuals without delay—within 72 hours of becoming aware of a data breach—if the breach poses a risk of harm.
What the Law Says
South Korea’s Personal Information Protection Act (PIPA) imposes strict obligations on personal information controllers to report data breaches promptly to both regulators and affected individuals when harm is likely.
Under Article 34-2 of the Personal Information Protection Act, any personal information controller who discovers a leakage, loss, or damage of personal information must immediately take remedial measures and notify both the Personal Information Protection Commission (PIPC) and the affected individuals.
The notification to the PIPC and individuals must be made 'without delay'—interpreted by enforcement guidelines as within 72 hours of becoming aware of the breach. The notice must include the nature of the breach, the personal information affected, potential consequences, remedial actions taken, and contact information for further inquiries.
Failure to comply may result in criminal penalties: up to 10 years’ imprisonment or a fine of up to 100 million KRW (approx. 5 million KRW for administrative fines under enforcement practice), depending on severity and intent.
Statutory Text
A personal information controller who has caused leakage, loss, or damage of personal information shall immediately take necessary measures thereto and notify the Personal Information Protection Commission and the data subject thereof without delay.
— Personal Information Protection Act, Art. 34-2 — Obligation to Notify Leakage, Loss, or Damage of Personal Information
What to Do
Confirm the breach and assess whether it involves personal information and poses risk of harm.
Take immediate remedial action (e.g., system patching, access revocation).
Prepare and submit a breach report to the PIPC via the PIPC online portal within 72 hours.
Notify affected individuals directly (e.g., email, SMS, public notice) with required details.
Maintain records of the breach, response, and notifications for at least 3 years.
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.