South Korea

What must be included in a privacy policy?

Legal basis: PIPA Art. 15
Update deadline: 7-day notice
Max fine: KRW 30M
Consent required: For sensitive data

The Short Answer

A privacy policy in South Korea must include the purpose of personal data collection, categories of data collected, retention period, third-party sharing details, and the rights of data subjects.

What the Law Says

South Korea’s Personal Information Protection Act (PIPA) sets strict requirements for privacy policies to ensure transparency and accountability in personal data handling.

Under PIPA, operators of personal information processing systems must publicly disclose a privacy policy that clearly explains how personal information is collected, used, stored, and shared.

The policy must specify the purpose of collection, categories of personal information processed, retention periods, recipients of shared data (including third parties), and procedures for exercising data subject rights such as access, correction, deletion, and consent withdrawal.

If personal information is transferred overseas, the policy must state the destination country, recipient’s name, purpose of transfer, and safeguards applied, and the operator must obtain separate consent unless an exception applies.

Operators must notify data subjects of any material changes to the privacy policy at least seven days before implementation, unless urgent circumstances require immediate updates.

Statutory Text

The personal information controller shall notify the data subject of the items prescribed by Presidential Decree, including the purpose of collecting and using personal information, the items of personal information to be collected, the retention and use period of personal information, and matters concerning the provision of personal information to a third party.

Personal Information Protection Act, Art. 15 — Obligation to Notify Data Subjects

Statutory Text

Where the personal information controller intends to change the matters notified pursuant to Article 15, it shall notify the data subject thereof at least seven days prior to such change.

Personal Information Protection Act, Art. 16 — Notification of Changes to Notified Matters

What to Do

1. Identify all personal information collected and its purpose(s) under PIPA Art. 15.

2. Specify exact retention periods (e.g., '1 year after account closure') — not vague terms like 'as long as necessary'.

3. List every third party receiving data, including overseas recipients and their countries.

4. Publish the policy in Korean on your website/app homepage and obtain explicit consent for sensitive data processing.

5. Update and re-notify users at least 7 days before any material change to the policy.

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.