South Korea

Is consent needed when transferring personal data overseas?

PIPA Art. 17
Main provision
Prior consent
General rule
3 exceptions
Statutory exemptions
KISA approval
For certain transfers
The Short Answer

Yes, consent is generally required before transferring personal data overseas from South Korea, unless an exception applies under the Personal Information Protection Act.

What the Law Says

South Korea’s Personal Information Protection Act (PIPA) strictly regulates cross-border transfers of personal data. Consent is the default requirement — but limited statutory exceptions exist.

Under Article 17 of the Personal Information Protection Act, a personal information controller must obtain the prior consent of the data subject before transferring their personal information to a foreign country or a third party located abroad.

The law defines 'transfer' broadly — it includes any transmission, disclosure, or provision of personal information to a foreign entity, whether for processing, storage, or other purposes.

Three statutory exceptions allow transfer without consent: (1) where the foreign country has personal information protection standards equivalent to Korea’s; (2) where the recipient has obtained certification under Korea’s international data transfer framework (e.g., KISA’s ‘Privacy Shield’-style program); or (3) where the transfer is necessary for performance of a contract with the data subject or for legal obligations.

Statutory Text

A personal information controller shall obtain the prior consent of the data subject when providing his/her personal information to a third party located abroad.

Personal Information Protection Act, Art. 17 — Provision of Personal Information to Third Parties Abroad
Statutory Text

The provisions of Paragraph 1 shall not apply where: 1. The foreign country has personal information protection standards equivalent to those of the Republic of Korea; 2. The recipient has been certified by the Korea Internet & Security Agency (KISA) as meeting prescribed data protection requirements; or 3. The transfer is necessary for the performance of a contract with the data subject or for compliance with legal obligations.

Personal Information Protection Act, Art. 17(2) — Exceptions

What to Do

1

Obtain explicit, written consent from the data subject before transferring personal data overseas.

2

Verify whether the destination country or recipient qualifies under one of the three statutory exceptions in PIPA Art. 17(2).

3

If relying on a KISA certification or equivalence determination, retain documentation and confirm current status via KISA’s official portal.

4

Maintain records of consent and transfer justifications for at least 3 years, as required under PIPA Art. 34-2.

5

Notify the data subject of the purpose, recipient’s name, country, and retention period before obtaining consent (PIPA Art. 15(1)).

Sources

statutePersonal Information Protection Act, Art. 17 — Provision of Personal Information to Third Parties AbroadstatutePersonal Information Protection Act, Art. 15(1) — Notification RequirementsstatutePersonal Information Protection Act, Art. 34-2 — Record Keeping Obligations

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.