Republic of Korea: Personal Information Protection Commission adopted revised guidelines on processing of pseudonymised information

Description

On 31 March 2026, the Personal Information Protection Commission (PIPC) adopted revised guidelines on the processing of pseudonymised information. The guidelines apply to all organisations processing pseudonymised personal data, including Artificial Intelligence (AI) providers. The revision introduces a standardised, risk-based framework under which internal data use is classified as low risk, while provision to third parties is classified as medium or high risk depending on the degree of environmental control. Documentation and review requirements are now proportionate to risk level, with required forms reduced from 24 to 10. It also provides that organisations may pre-designate expandable purposes to allow reuse of pseudonymised data for related activities without restarting the review process, and processing period criteria have been made more flexible to accommodate continuous AI training.

Scope

Policy Area: Data governance
Policy Instrument: Data protection regulation
Regulated Economic Activity: cross-cutting
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2026-03-31
adopted

On 31 March 2026, the Personal Information Protection Commission (PIPC) adopted revised guidelines …