South Korea

A company collected my personal data without consent.

PIPA Art. 15
Consent required
Up to ₩30M
Max fine
5 years
Max imprisonment
7 days
Response deadline
The Short Answer

In South Korea, collecting personal data without consent is generally illegal under the Personal Information Protection Act (PIPA), unless a specific exception applies.

What the Law Says

South Korea’s Personal Information Protection Act (PIPA) strictly regulates how personal information may be collected, used, and shared. Consent is the default legal basis — and collecting data without it violates core provisions of the law.

Under PIPA, a personal information handler must obtain clear, informed, and voluntary consent before collecting personal information — unless one of the narrow statutory exceptions applies (e.g., required by law or necessary for contract performance).

The law defines 'personal information' broadly: any information relating to a living individual that can identify them directly or indirectly — including name, ID number, contact details, biometric data, and online identifiers.

If consent is obtained, it must be specific to the purpose of collection and processing. Blanket or bundled consent is not valid. Individuals also have the right to withdraw consent at any time.

Statutory Text

A personal information handler shall, in principle, obtain the consent of the data subject when collecting personal information.

Personal Information Protection Act, Art. 15 — Collection of Personal Information
Statutory Text

Any person who collects personal information without consent, in violation of Article 15, shall be punished by imprisonment with labor for not more than five years or by a fine not exceeding 30 million won.

Personal Information Protection Act, Art. 71 — Punishment

What to Do

1

Contact the company in writing to request confirmation of data collection, purpose, and deletion.

2

File a complaint with the Korea Internet & Security Agency (KISA) via its Personal Information Dispute Mediation Committee (https://www.kisa.or.kr).

3

Request correction or deletion of your data under PIPA Art. 35 and Art. 36.

4

If harm occurred (e.g., financial loss or reputational damage), consider filing a civil claim for damages under PIPA Art. 39-2.

5

Report serious violations to the Personal Information Protection Commission (PIPC) for investigation.

Sources

statutePersonal Information Protection Act, Art. 15 — Collection of Personal InformationstatutePersonal Information Protection Act, Art. 71 — PunishmentstatutePersonal Information Protection Act, Art. 35 — Right to Request CorrectionstatutePersonal Information Protection Act, Art. 36 — Right to Request DeletionstatutePersonal Information Protection Act, Art. 39-2 — Claim for Damages

Same Question, Other Jurisdictions

GermanyIrelandEuropean UnionUKSingaporeCompare all →

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.