Republic of Korea: Personal Information Protection Commission announced amendment to Enforcement Decree of Personal Information Protection Act

On 20 August 2025, the Personal Information Protection Commission (PIPC) announced a proposed amendment to the Enforcement Decree of the Personal Information Protection Act. The amendment aims to expand the right to data portability by widening the scope of data controllers and transferable personal information beyond the previously limited sectors of medical, telecommunications, and energy. It now applies to all data controllers meeting certain thresholds, including annual sales of at least KRW 150 billion or processing over one million data subjects, or over 50’000 sensitive or unique identifiers. The amendment sets out secure procedures for exercising the right, including requirements for encrypted transfers, pre-agreed methods when using automated tools by authorised agents, and guidance for websites enabling users to download their own information. Small and medium-sized enterprises and start-ups are excluded from mandatory data transfer obligations to reduce compliance burdens, while analysed or processed derivative information is not subject to transfer, addressing concerns over trade secret exposure. A six-month grace period will follow the amendment’s entry into force to allow for system development.