On 10 March 2026, the Bill amending the Personal Information Protection Act (Bill No. 2216765) was signed into law. The Act designates the business owner or representative as the ultimate party responsible for processing and safeguarding personal information. Personal information processors who meet the criteria set out in the Presidential Decree must report the appointment of a personal information protection officer, whose role is further reinforced to include personnel management and budget oversight. The Act introduces mandatory personal information protection certification for processors meeting standards related to sales volume and the scale of data processing. Notification requirements are expanded to cover not only loss, theft, or leakage, but also forgery, alteration, or damage of personal data, and companies must notify authorities when there is a potential risk of leakage as defined by the Presidential Decree. Companies responsible for intentional or grossly negligent violations affecting over 10 million individuals, repeated violations within three years, or failure to follow corrective orders may face surcharges of up to 10% of total sales. Surcharges may be reduced where investments in personnel, facilities, and preventive measures have been made. The Act enters into force on 11 September 2026, six months after signing, with the exception of the amended provisions of Article 32-2(1) proviso and Article 75(2) item 15, which enter into force on 1 July 2027.