South Korea

A company shared my data with a third party.

14 days
Breach notification deadline
₩30M
Max fine for violation
5 years
Max imprisonment
Article 17
Third-party provision rule
The Short Answer

In South Korea, a company generally cannot share your personal data with a third party without your prior, explicit consent — unless an exception under the Personal Information Protection Act applies.

What the Law Says

South Korea’s Personal Information Protection Act (PIPA) strictly regulates how companies may share personal information with third parties. Consent is mandatory unless a narrow statutory exception applies.

Under Article 17 of the Personal Information Protection Act, a personal information controller (e.g., a company) must obtain the data subject’s prior, explicit consent before providing their personal information to a third party.

The law defines 'provision to a third party' broadly — it includes sharing, transferring, or disclosing personal information to any entity outside the original controller’s direct control, even if affiliated.

Exceptions exist — for example, when required by law, necessary for public safety, or for preventing imminent harm — but these are narrowly interpreted and do not excuse routine commercial sharing.

If a company violates Article 17, it may face administrative fines up to ₩30 million, criminal penalties including up to five years’ imprisonment, and civil liability for damages.

Statutory Text

A personal information controller shall not provide personal information to a third party without obtaining the prior consent of the data subject.

Personal Information Protection Act, Art. 17 — Provision of Personal Information to Third Parties
Statutory Text

Where a personal information controller provides personal information to a third party, it shall notify the data subject of the purpose of provision, the items of personal information provided, the name of the third party, and other matters prescribed by Presidential Decree.

Personal Information Protection Act, Art. 17(2)

What to Do

1

Confirm whether you gave clear, written consent — verbal or implied consent is insufficient under PIPA.

2

Request a written explanation from the company about why and how your data was shared (under Article 35).

3

File a complaint with the Korea Communications Commission (KCC) or the Personal Information Protection Commission (PIPC).

4

Seek civil compensation through court if you suffered damage (e.g., identity fraud, financial loss).

Sources

statutePersonal Information Protection Act, Art. 17 — Provision of Personal Information to Third PartiesstatutePersonal Information Protection Act, Art. 35 — Right to Request Correction or Deletion

Same Question, Other Jurisdictions

CanadaAustraliaIrelandSingaporeEuropean UnionIndiaUKCompare all →

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.