{"id":785,"date":"2026-04-24T00:36:14","date_gmt":"2026-04-24T00:36:14","guid":{"rendered":"https:\/\/atlaw.kr\/en-blog\/?p=785"},"modified":"2026-05-03T08:31:05","modified_gmt":"2026-05-03T08:31:05","slug":"personal-data-controller-south-korea-pipa","status":"publish","type":"post","link":"https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa\/","title":{"rendered":"Who Is a Personal Data Controller in South Korea? Four Supreme Court Cases"},"content":{"rendered":"<p><!-- ATLAS_HREFLANG_START --><link rel=\"alternate\" hreflang=\"ko\" href=\"https:\/\/atlaw.kr\/kr-blog\/%ea%b0%9c%ec%9d%b8%ec%a0%95%eb%b3%b4%ec%b2%98%eb%a6%ac%ec%9e%90-%ed%8c%90%eb%8b%a8%ea%b8%b0%ec%a4%80-%eb%8c%80%eb%b2%95%ec%9b%90-%ed%8c%90%eb%a1%80\/\" \/><link rel=\"alternate\" hreflang=\"en\" href=\"https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa\/\" \/><link rel=\"alternate\" hreflang=\"x-default\" href=\"https:\/\/atlaw.kr\/kr-blog\/%ea%b0%9c%ec%9d%b8%ec%a0%95%eb%b3%b4%ec%b2%98%eb%a6%ac%ec%9e%90-%ed%8c%90%eb%8b%a8%ea%b8%b0%ec%a4%80-%eb%8c%80%eb%b2%95%ec%9b%90-%ed%8c%90%eb%a1%80\/\" \/><!-- ATLAS_HREFLANG_END --><br \/>\n<!-- Article Schema --><br \/>\n<script type=\"application\/ld+json\">{\"@context\": \"https:\/\/schema.org\", \"@type\": \"Article\", \"headline\": \"Who Is a Personal Data Controller in South Korea? Four Supreme Court Cases Explained | Atlas Legal\", \"description\": \"South Korea's Supreme Court has drawn the boundaries of 'personal data controller' liability through four landmark rulings. Learn what PIPA means for businesses, insurers, and individuals facing criminal exposure.\", \"author\": {\"@type\": \"Person\", \"name\": \"Taejin Kim\", \"jobTitle\": \"Managing Partner\", \"worksFor\": {\"@type\": \"LegalService\", \"name\": \"Atlas Legal\", \"url\": \"https:\/\/atlaw.kr\", \"address\": {\"@type\": \"PostalAddress\", \"addressLocality\": \"Incheon\", \"addressRegion\": \"Songdo\"}}, \"@id\": \"https:\/\/atlaw.kr\/en\/taejin-kim-en\/#person\"}, \"publisher\": {\"@type\": \"Organization\", \"name\": \"Atlas Legal\", \"url\": \"https:\/\/atlaw.kr\", \"@id\": \"https:\/\/atlaw.kr\/#legalservice\"}, \"datePublished\": \"2026-04-24\", \"dateModified\": \"2026-04-24\", \"mainEntityOfPage\": {\"@type\": \"WebPage\"}, \"@id\": \"https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa#article\"}<\/script><\/p>\n<p><!-- FAQ Schema --><br \/>\n<script type=\"application\/ld+json\">{\"@context\": \"https:\/\/schema.org\", \"@type\": \"FAQPage\", \"mainEntity\": [{\"@type\": \"Question\", \"name\": \"Does using illegally obtained personal data make someone a personal data controller under South Korean law?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"Yes. The Supreme Court of South Korea (Case 2026Do477, April 16, 2026) held that a person who acquires personal data through hacking or unlawful distribution channels and then operates a personal data file for business purposes qualifies as a personal data controller under PIPA Article 2(5), regardless of how the data was obtained. The statutory definition places no restriction on the method of acquisition.\"}}, {\"@type\": \"Question\", \"name\": \"Is an insurance solicitor in South Korea automatically a personal data controller?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"Not automatically. The Supreme Court (Case 2024Do14998, February 26, 2026) reversed and remanded, holding that merely performing data processing acts does not establish controller status. The decisive question is who holds ultimate authority to determine how personal data is processed. Because insurance companies typically hold that authority over their solicitors, the lower court's conviction was overturned.\"}}, {\"@type\": \"Question\", \"name\": \"What is the legal test for personal data controller status under South Korea's PIPA?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"Under Case 2024Do14998, courts must consider: (1) whose proprietary business and interests the data processing serves; (2) who exercises actual supervision and direction over the processing; (3) who creates, holds, and operates the personal data file; and (4) which attribution of controller duties best serves data subject protection. Performing processing acts alone is not sufficient.\"}}, {\"@type\": \"Question\", \"name\": \"Does prior consent from a data subject prevent criminal liability for disclosure under South Korean law?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"Yes. The Supreme Court (Case 2024Do19539, October 30, 2025) held that where a data subject has given prior consent to the disclosure of their personal data, the defendant cannot be punished under former PIPA Article 59(2) (current Article 59(2), punishable under Article 71(9)). The Court reversed a conviction in a case involving disclosure of residents' names and unit numbers in a group chat.\"}}, {\"@type\": \"Question\", \"name\": \"Does South Korea's PIPA protect personal data that has already been made public?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"Yes. The Supreme Court (Case 2012Da49933, July 24, 2014) confirmed that the right to informational self-determination protects not only private information but also information formed in the course of public life or already disclosed. The unauthorized publication of teachers' trade union membership records was held to be unlawful even though the information related to their professional activities.\"}}, {\"@type\": \"Question\", \"name\": \"What is the relationship between PIPA Article 71(2) and Article 71(10) offences in South Korea?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"The Supreme Court in Case 2026Do477 held that the two offences stand in an imaginary concurrence relationship under Criminal Act Article 40, not a special-general relationship. Because the constituent elements of each provision differ, a single act satisfying both provisions is punished under the heavier offence rather than allowing the lighter one to be absorbed.\"}}, {\"@type\": \"Question\", \"name\": \"Can someone avoid all PIPA criminal liability by arguing they are not a personal data controller in South Korea?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"Not necessarily. The Supreme Court in Case 2024Do14998 noted that even if the defendant is not a personal data controller, liability may still arise if the person qualifies as an 'actor' under the joint punishment provision of PIPA Article 74(2) (Supreme Court 2020Do1942, October 28, 2021).\"}}], \"@id\": \"https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa#faq\"}<\/script><\/p>\n<p><!-- LocalBusiness Schema --><br \/>\n<script type=\"application\/ld+json\">\n{\n    \"@context\": \"https:\/\/schema.org\",\n    \"@type\": \"LocalBusiness\",\n    \"name\": \"Atlas Legal\",\n    \"image\": \"https:\/\/atlaw.kr\/logo.png\",\n    \"url\": \"https:\/\/atlaw.kr\",\n    \"telephone\": \"+82-32-864-8300\",\n    \"address\": {\n        \"@type\": \"PostalAddress\",\n        \"streetAddress\": \"323 Incheon Tower-daero, B-dong 2901, Songdo-dong, Yeonsu-gu\",\n        \"addressLocality\": \"Incheon\",\n        \"addressRegion\": \"Incheon Metropolitan City\",\n        \"addressCountry\": \"KR\"\n    },\n    \"priceRange\": \"$$\",\n    \"openingHoursSpecification\": {\n        \"@type\": \"OpeningHoursSpecification\",\n        \"dayOfWeek\": [\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\"],\n        \"opens\": \"09:00\",\n        \"closes\": \"18:00\"\n    }\n}\n<\/script><\/p>\n<style>\n    body {\n        font-family: Georgia, serif;\n        line-height: 1.6;\n        max-width: 1000px;\n        margin: 0 auto;\n        padding: 20px;\n        background-color: #f9f9f9;\n    }\n    .content-container {\n        background-color: white;\n        padding: 20px;\n        margin: 0;\n    }\n    h2 {\n        font-size: 22px;\n        color: #2c3e50;\n        margin-top: 30px;\n        margin-bottom: 10px;\n    }\n    h3 {\n        font-size: 20px;\n        color: #34495e;\n        margin-top: 20px;\n        margin-bottom: 10px;\n    }\n    p, li {\n        font-size: 18px;\n        color: #333;\n        margin-bottom: 10px;\n        margin-top: 0;\n    }\n    ul, ol {\n        padding-left: 25px;\n        margin: 10px 0;\n    }\n    li {\n        margin-bottom: 5px;\n    }\n    table {\n        width: 100%;\n        border-collapse: collapse;\n        margin: 15px 0;\n    }\n    th, td {\n        border: 1px solid #ddd;\n        padding: 10px;\n        text-align: left;\n        font-size: 16px;\n    }\n    th {\n        background-color: #f5f5f5;\n        font-weight: bold;\n    }\n    .toc {\n        padding: 15px;\n        border-radius: 0;\n        margin-bottom: 20px;\n        background-color: #f5f5f5;\n    }\n    .toc h2 {\n        font-size: 20px;\n        margin-top: 0;\n        margin-bottom: 10px;\n    }\n    .toc ul {\n        list-style-type: none;\n        padding-left: 0;\n        margin: 0;\n    }\n    .toc ul li {\n        margin-bottom: 5px;\n    }\n    .toc a {\n        text-decoration: none !important;\n        color: #3498db;\n        border-bottom: none !important;\n    }\n    .toc a:hover {\n        text-decoration: underline;\n    }\n    .story-hook {\n        padding: 15px 20px;\n        margin-bottom: 15px;\n        border-radius: 0;\n        background-color: #f5f5f5;\n    }\n    .story-hook p {\n        font-style: italic;\n        color: #555;\n        line-height: 1.6;\n        font-size: 17px;\n        margin: 0;\n    }\n    .direct-answer {\n        padding: 15px;\n        border-radius: 0;\n        margin-bottom: 20px;\n        font-weight: 500;\n        background-color: #f5f5f5;\n    }\n    .story-detail {\n        padding: 20px;\n        border-radius: 0;\n        margin: 20px 0;\n        background-color: #f5f5f5;\n    }\n    .story-detail h3 {\n        margin-top: 0;\n        font-size: 19px;\n        color: #2c3e50;\n    }\n    .story-detail p {\n        line-height: 1.8;\n        color: #444;\n    }\n    .disclaimer {\n        font-size: 15px;\n        color: #666;\n        font-style: italic;\n        margin-bottom: 15px;\n    }\n    .faq-section {\n        padding: 20px;\n        border-radius: 0;\n        margin: 30px 0;\n        background-color: #f5f5f5;\n    }\n    .faq-item {\n        margin-bottom: 20px;\n    }\n    .faq-question {\n        font-weight: bold;\n        color: #2c3e50;\n        margin-bottom: 8px;\n        font-size: 18px;\n    }\n    .faq-answer {\n        color: #555;\n        font-size: 17px;\n        line-height: 1.6;\n    }\n    .author-box {\n        background-color: #f8f9fa;\n        padding: 20px;\n        border-radius: 0;\n        margin-top: 30px;\n        border-left: 2px solid #722f37;\n    }\n    .author-box h3 {\n        margin-top: 0;\n        margin-bottom: 10px;\n        font-size: 20px;\n        color: #2c3e50;\n        font-weight: bold;\n    }\n    .author-box .author-name {\n        font-size: 18px;\n        font-weight: bold;\n        color: #333;\n        margin-bottom: 5px;\n    }\n    .author-box .author-info {\n        font-size: 16px;\n        color: #555;\n        margin-bottom: 5px;\n        line-height: 1.4;\n    }\n    .author-box a {\n        display: inline-block;\n        background-color: #722f37;\n        color: white;\n        padding: 12px 24px;\n        text-decoration: none;\n        border-radius: 6px;\n        font-size: 16px;\n        font-weight: bold;\n        border: 2px solid #722f37;\n        cursor: pointer;\n        box-shadow: 0 2px 4px rgba(114, 47, 55, 0.3);\n        margin-top: 5px;\n    }\n    .statute-box {\n        background-color: #f5f5f5;\n        border-radius: 0;\n        padding: 15px 20px;\n        margin: 15px 0;\n        font-size: 16px;\n        color: #444;\n        line-height: 1.8;\n    }\n    .statute-box .statute-title {\n        font-weight: bold;\n        color: #2c3e50;\n        margin-bottom: 8px;\n        font-size: 16px;\n    }\n    .statute-box .statute-title br {\n        display: block;\n    }\n    br {\n        display: none;\n    }\n    strong {\n        font-weight: bold;\n    }\n    @media (max-width: 768px) {\n        body { padding: 10px; }\n        .content-container { padding: 15px; }\n        h2 { font-size: 18px; }\n        h3 { font-size: 17px; }\n        p, li { font-size: 16px; }\n        th, td { font-size: 14px; padding: 8px; }\n    }\n    .site-container, .content-area, .entry-content {\n        padding: 0;\n        margin: 0;\n    }\n    .entry-content > *:first-child {\n        margin-top: 0 !important;\n    }\n    .entry-content {\n        margin-top: 0 !important;\n    }\n    .kb-row-container, .kb-column-container {\n        margin: 0;\n        padding: 0;\n    }\n<\/style>\n<div class=\"content-container\">\n<p>    <!-- Table of Contents --><\/p>\n<div class=\"toc\">\n<h2>Table of Contents<\/h2>\n<ul>\n<li><a href=\"#section1\">1. What Is a &#8220;Personal Data Controller&#8221; Under South Korea&#8217;s PIPA?<\/a><\/li>\n<li><a href=\"#section2\">2. What Is the Right to Informational Self-Determination? \u2014 Supreme Court 2012Da49933<\/a><\/li>\n<li><a href=\"#section3\">3. Does Using Illegally Obtained Data Make You a Controller? \u2014 Supreme Court 2026Do477<\/a><\/li>\n<li><a href=\"#section4\">4. Is an Insurance Solicitor a Personal Data Controller? \u2014 Supreme Court 2024Do14998<\/a><\/li>\n<li><a href=\"#section5\">5. Does Prior Consent Block a Disclosure Offence? \u2014 Supreme Court 2024Do19539<\/a><\/li>\n<li><a href=\"#section6\">6. Four Cases Compared<\/a><\/li>\n<li><a href=\"#section7\">7. How Do PIPA Article 71(2) and Article 71(10) Relate to Each Other?<\/a><\/li>\n<li><a href=\"#section8\">8. What Does This Mean for Foreign-Invested Companies in South Korea?<\/a><\/li>\n<li><a href=\"#section9\">9. FAQ<\/a><\/li>\n<\/ul><\/div>\n<p>    <!-- Story Hook --><\/p>\n<div class=\"story-hook\">\n<p><strong>Hypothetical scenario:<\/strong><\/p>\n<p>\u00b7 Y, who runs an illegal gambling platform in South Korea \u2014<br \/>\n        &#8220;I bought data that had already been leaked. I didn&#8217;t hack anyone. Surely I&#8217;m not a data controller?&#8221;<\/p>\n<p>\u00b7 Y2, an insurance solicitor \u2014<br \/>\n        &#8220;I collected the customer&#8217;s data, yes \u2014 but doesn&#8217;t the insurance company control it, not me?&#8221;<\/p>\n<p>\u00b7 Y3, an apartment resident \u2014<br \/>\n        &#8220;I posted names in the group chat, but everyone consented when they signed up. Isn&#8217;t that a defence?&#8221;<\/p>\n<p>\u00b7 Y4, a member of parliament \u2014<br \/>\n        &#8220;Teachers&#8217; union membership is a matter of public record. Why can&#8217;t I publish it?&#8221;<\/p>\n<p>Are all four of them in violation of South Korea&#8217;s Personal Information Protection Act?<\/p>\n<\/p><\/div>\n<p>    <!-- Direct Answer --><\/p>\n<div class=\"direct-answer\">\n        <strong>Key Answer:<\/strong> The answer differs for each case.<\/p>\n<div style=\"height: 10px\"><\/div>\n<p>        \u00b7 Y (gambling platform) \u2014<br \/>\n        Using illegally obtained personal data to operate a business file makes you a controller. Criminal liability confirmed. (2026Do477)<\/p>\n<div style=\"height: 10px\"><\/div>\n<p>        \u00b7 Y2 (insurance solicitor) \u2014<br \/>\n        Performing data processing acts alone is not enough. The decisive question is who holds ultimate decision-making authority. (2024Do14998, reversed and remanded)<\/p>\n<div style=\"height: 10px\"><\/div>\n<p>        \u00b7 Y3 (apartment resident) \u2014<br \/>\n        Prior consent from data subjects blocks disclosure liability. (2024Do19539, reversed and remanded)<\/p>\n<div style=\"height: 10px\"><\/div>\n<p>        \u00b7 Y4 (parliamentarian) \u2014<br \/>\n        Even publicly accessible personal data is protected. Unauthorized disclosure is unlawful. (2012Da49933)\n    <\/div>\n<p>    <!-- Story Development --><\/p>\n<div class=\"story-detail\">\n<h3>Same statute, four different outcomes \u2014 where does PIPA criminal liability begin and end?<\/h3>\n<p class=\"disclaimer\">\u203b The hypothetical scenario above is based on the facts of the cases described below and is provided for illustrative purposes only. It does not constitute legal advice.<\/p>\n<p>South Korea&#8217;s Personal Information Protection Act (PIPA) imposes obligations on &#8220;personal data controllers&#8221; across the entire data lifecycle \u2014 collection, use, provision, and disclosure \u2014 and backs those obligations with criminal penalties of up to five years&#8217; imprisonment. Yet the statute&#8217;s definition of &#8220;personal data controller&#8221; leaves open many practical questions: Does it matter how data was acquired? Does processing data automatically make you a controller? Can consent eliminate liability? The Supreme Court of South Korea has addressed each of these questions in a series of rulings spanning 2014 to 2026. Reading the four decisions together provides a coherent framework for assessing PIPA criminal exposure.<\/p>\n<\/p><\/div>\n<p><\/p>\n<h2 id=\"section1\">1. What Is a &#8220;Personal Data Controller&#8221; Under South Korea&#8217;s PIPA?<\/h2>\n<p>PIPA Article 2(5) defines a &#8220;personal data controller&#8221; (\uac1c\uc778\uc815\ubcf4\ucc98\ub9ac\uc790) as &#8220;a public institution, corporation, organisation, or individual that processes personal data, either directly or through a third party, in order to operate a personal data file for business purposes.&#8221; This definition determines who is subject to PIPA&#8217;s criminal sanctions under Articles 71 and 74.<\/p>\n<div class=\"statute-box\">\n<div class=\"statute-title\">Personal Information Protection Act (PIPA)<br \/>Article 2(5) \u2014 Definition of Personal Data Controller<\/div>\n<p>        &#8220;Personal data controller&#8221; means a public institution, corporation, organisation, or individual that processes personal data, either by itself or through another person, in order to operate a personal data file for business purposes.\n    <\/p><\/div>\n<h3>Elements of the Definition<\/h3>\n<table>\n<tr>\n<th>Element<\/th>\n<th>Content<\/th>\n<\/tr>\n<tr>\n<td>Purpose<\/td>\n<td>For business purposes<\/td>\n<\/tr>\n<tr>\n<td>Object<\/td>\n<td>To operate a personal data file<\/td>\n<\/tr>\n<tr>\n<td>Method<\/td>\n<td>Directly or through a third party<\/td>\n<\/tr>\n<tr>\n<td>Act<\/td>\n<td>Processing of personal data<\/td>\n<\/tr>\n<tr>\n<td>Subject<\/td>\n<td>Public institutions, corporations, organisations, individuals \u2014 all included<\/td>\n<\/tr>\n<\/table>\n<p>The statutory text places no restriction on the method or circumstances by which data was originally acquired \u2014 a textual gap that is central to the 2026Do477 ruling discussed below.<\/p>\n<p><\/p>\n<h2 id=\"section2\">2. What Is the Right to Informational Self-Determination? \u2014 Supreme Court 2012Da49933<\/h2>\n<p>The fundamental right that PIPA is designed to protect is the right to informational self-determination (\uac1c\uc778\uc815\ubcf4\uc790\uae30\uacb0\uc815\uad8c). Its content and scope were authoritatively defined by the Supreme Court in its judgment of July 24, 2014 (Case 2012Da49933), which has since been cited in virtually every PIPA-related ruling.<\/p>\n<h3>Background<\/h3>\n<p>A then-serving member of the National Assembly obtained a list identifying teachers by name, school, and trade union membership, and published it on the internet. The publication went beyond the stated purpose for which the data had been requested from the Ministry of Education. The affected teachers and their union sued for damages, arguing that their right to informational self-determination had been violated.<\/p>\n<h3>The Court&#8217;s Definition<\/h3>\n<p>The Supreme Court defined the right to informational self-determination as the right of each data subject to determine for themselves when, to whom, and to what extent their personal information is disclosed and used. The right is grounded in the general right of personality derived from Article 10 of the Constitution (human dignity and the pursuit of happiness) and the right to privacy under Article 17.<\/p>\n<p>Crucially, the Court held that the protected category of &#8220;personal data&#8221; is not limited to intimate or sensitive information. <strong>It includes information formed in the course of public life or information that has already been made public.<\/strong> Teachers&#8217; trade union membership \u2014 a professional activity \u2014 was held to fall squarely within this definition.<\/p>\n<h3>Balancing Privacy Against Free Expression<\/h3>\n<p>Where the disclosure of personal data conflicts with freedom of expression, the Court held that courts must weigh the competing interests by reference to: whether the individual is a public figure; the public nature and public interest value of the information; the appropriateness of the collection method, purpose, and use; the necessity of the use; and the nature of the harm caused. In this case, the parliamentary defendant&#8217;s interest in disclosure was held not to outweigh the teachers&#8217; interest in privacy, and the publication was found unlawful (citing Supreme Court 2008Da42430 en banc, September 2, 2011).<\/p>\n<p><\/p>\n<h2 id=\"section3\">3. Does Using Illegally Obtained Data Make You a Controller? \u2014 Supreme Court 2026Do477<\/h2>\n<p>In Case 2026Do477 (April 16, 2026), the Supreme Court confirmed that a person who acquires personal data through hacking or unlawful channels and then uses it to operate a business personal data file qualifies as a personal data controller under PIPA Article 2(5). The defendant&#8217;s appeal was dismissed and the conviction affirmed.<\/p>\n<div class=\"statute-box\">\n<div class=\"statute-title\">Personal Information Protection Act (PIPA)<br \/>Article 18(1) \u2014 Prohibition on Use or Provision Beyond Collected Purpose<\/div>\n<p>        A personal data controller shall not use personal data beyond the scope permitted under Article 15(1), or provide personal data to a third party beyond the scope permitted under Article 17(1) and Article 28-8(1).\n    <\/p><\/div>\n<h3>The Court&#8217;s Three-Part Rationale<\/h3>\n<p>First, statutory text. PIPA Article 2(5) defines &#8220;personal data controller&#8221; without any restriction on the method or circumstances of data acquisition. The definition is silent on how the data was obtained.<\/p>\n<p>Second, legislative purpose. PIPA exists to protect the right to informational self-determination as established in 2012Da49933 and reaffirmed in 2024Do19539. Excluding unlawful acquirers from the controller definition would create a significant gap in that protection.<\/p>\n<p>Third, practical consistency. If unlawful acquisition stripped a person of controller status, that person would simultaneously escape controller duties \u2014 including the obligation to disclose data sources, respond to access and deletion requests, and face civil liability. This result would be directly contrary to PIPA&#8217;s protective purpose.<\/p>\n<h3>Practical Implication<\/h3>\n<p>Purchasing leaked or stolen personal data from dark web brokers or other unlawful sources, and then using it for marketing, fraud, or other business operations, constitutes criminal conduct under PIPA regardless of who originally obtained the data unlawfully. The argument &#8220;I didn&#8217;t hack anyone myself&#8221; carries no legal weight.<\/p>\n<p><\/p>\n<h2 id=\"section4\">4. Is an Insurance Solicitor a Personal Data Controller? \u2014 Supreme Court 2024Do14998<\/h2>\n<p>In Case 2024Do14998 (February 26, 2026), the Supreme Court reversed and remanded an insurance solicitor&#8217;s conviction, holding that merely performing data processing acts does not automatically establish personal data controller status under PIPA.<\/p>\n<h3>Facts<\/h3>\n<p>Y was an insurance solicitor affiliated with Company A. During the solicitation process, Y collected customer B&#8217;s date of birth, address, and contact information. Y later conspired with C to have C call A&#8217;s customer service centre, impersonate B using the data Y had collected, and request cancellation of policy riders and changes to coverage terms. The prosecution charged Y as a personal data controller who had used B&#8217;s data beyond the original collection purpose under former PIPA Articles 71(2) and 18(1). Both the trial court and the appellate court convicted Y.<\/p>\n<h3>The Legal Test<\/h3>\n<p>The Supreme Court held that <strong>controller status turns on who holds the ultimate authority to determine the purpose, content, method, and procedure of personal data processing<\/strong> \u2014 not who performs processing acts. Courts must consider:<\/p>\n<ul>\n<li>Whose proprietary business and interests the data processing is closely connected to<\/li>\n<li>Who exercises actual supervision and direction over the processing<\/li>\n<li>Who creates, holds, and operates the personal data file, and for what purpose<\/li>\n<li>Which attribution of controller duties and liabilities best serves data subject protection<\/li>\n<\/ul>\n<p>Applying this test, the Court observed that when an insurance solicitor collects policyholder data in the course of brokering insurance contracts, the processing purpose is ordinarily tied to the insurance company&#8217;s proprietary business, and the ultimate decision-making authority resides with the insurance company. The lower court failed to conduct this inquiry and instead inferred controller status from Y&#8217;s mere act of data collection \u2014 a legal error requiring reversal.<\/p>\n<h3>Note on Joint Punishment Liability<\/h3>\n<p>The Court noted that even if Y is found not to be a personal data controller on remand, liability may still arise if Y qualifies as an &#8220;actor&#8221; under PIPA Article 74(2), the joint punishment provision (Supreme Court 2020Do1942, October 28, 2021). Controller status is a threshold question, not the only path to criminal liability.<\/p>\n<p><\/p>\n<h2 id=\"section5\">5. Does Prior Consent Block a Disclosure Offence? \u2014 Supreme Court 2024Do19539<\/h2>\n<p>In Case 2024Do19539 (October 30, 2025), the Supreme Court reversed and remanded a conviction for unlawful disclosure of personal data, holding that prior consent from data subjects eliminates liability under former PIPA Article 59(2) (currently Article 59(2), punishable under Article 71(9)).<\/p>\n<div class=\"statute-box\">\n<div class=\"statute-title\">Personal Information Protection Act (PIPA)<br \/>Article 59(2) \u2014 Prohibition on Disclosure<\/div>\n<p>        Any person who processes or has processed personal data shall not engage in any of the following acts:<\/p>\n<div style=\"height: 8px\"><\/div>\n<p>        2. Disclosing personal data learned in the course of business, or providing it to another person for use without authorisation.<\/p>\n<div style=\"height: 6px\"><\/div>\n<p>        <span style=\"font-size:14px; color:#666;\">\u203b Penalty: Article 71(9) \u2014 up to 5 years&#8217; imprisonment or a fine of up to KRW 50 million (formerly Article 71(5) prior to the 2025 amendment)<\/span>\n    <\/div>\n<h3>Facts<\/h3>\n<p>Y coordinated a noise-damage compensation claim on behalf of apartment residents and collected residents&#8217; names, unit numbers, and contact details through a consent form. Y then created a group chat using the collected data. When some residents posted criticism of Y&#8217;s conduct in the chat, Y responded by publicly naming them with their unit numbers. The prosecution charged Y with unlawfully disclosing personal data learned in the course of business. Both lower courts convicted Y.<\/p>\n<h3>The Court&#8217;s Reasoning<\/h3>\n<p>The Supreme Court held that because the right to informational self-determination belongs to the data subject, the data subject&#8217;s prior consent to a particular disclosure eliminates the unlawfulness of that disclosure. The Court found that the residents had in fact consented to having their names and unit numbers used in the group chat, based on the following evidence:<\/p>\n<ul>\n<li>The consent form and accompanying notice stated that names and unit numbers would be used for resident opinion-gathering, announcements, and related group chat activities.<\/li>\n<li>Some residents voluntarily identified themselves by name and unit number during group chat discussions.<\/li>\n<li>Two of the named complainants submitted statements to the appellate court confirming they had consented to the use of their information and did not believe their data had been improperly disclosed.<\/li>\n<li>The investigation was initiated by a building manager, not by the residents themselves.<\/li>\n<\/ul>\n<h3>Practical Implication<\/h3>\n<p>The scope and specificity of consent is critical. Consent obtained for one purpose does not extend to materially different uses. This ruling confirms that well-documented, specific prior consent is an effective defence to PIPA disclosure charges \u2014 but the consent must actually cover the manner in which the data was used.<\/p>\n<p><\/p>\n<h2 id=\"section6\">6. Four Cases Compared<\/h2>\n<table>\n<tr>\n<th>Case<\/th>\n<th>Core Issue<\/th>\n<th>Outcome<\/th>\n<th>Key Takeaway<\/th>\n<\/tr>\n<tr>\n<td>Supreme Court<br \/>2012Da49933<br \/>(July 24, 2014)<\/td>\n<td>Scope of the right to informational self-determination; whether public data is protected<\/td>\n<td>Public and professional data included. Publishing teachers&#8217; union membership unlawful.<\/td>\n<td>No data is automatically &#8220;public enough&#8221; to lose PIPA protection<\/td>\n<\/tr>\n<tr>\n<td>Supreme Court<br \/>2024Do14998<br \/>(Feb. 26, 2026)<\/td>\n<td>Whether an insurance solicitor qualifies as a personal data controller<\/td>\n<td>Processing acts alone insufficient. Ultimate authority is the test. Reversed and remanded.<\/td>\n<td>Controller status requires substantive decision-making authority, not just handling of data<\/td>\n<\/tr>\n<tr>\n<td>Supreme Court<br \/>2024Do19539<br \/>(Oct. 30, 2025)<\/td>\n<td>Whether prior data subject consent blocks a disclosure offence<\/td>\n<td>Prior consent eliminates liability. Reversed and remanded.<\/td>\n<td>Documented, specific consent is a complete defence \u2014 but must match the actual use<\/td>\n<\/tr>\n<tr>\n<td>Supreme Court<br \/>2026Do477<br \/>(Apr. 16, 2026)<\/td>\n<td>Whether unlawful data acquisition excludes controller status<\/td>\n<td>Acquisition method irrelevant. Unlawful acquirer who operates data file is a controller. Appeal dismissed.<\/td>\n<td>Buying leaked data and using it for business creates full PIPA controller liability<\/td>\n<\/tr>\n<\/table>\n<p>The common thread across all four rulings is that PIPA is interpreted by reference to its core protective purpose \u2014 the right to informational self-determination \u2014 rather than by formal or technical criteria. Neither the illegality of data acquisition, nor the mere performance of processing acts, nor the public nature of information, is a reliable shield against PIPA liability. What matters is the substance of the data relationship and the presence or absence of data subject consent.<\/p>\n<p><\/p>\n<h2 id=\"section7\">7. How Do PIPA Article 71(2) and Article 71(10) Relate to Each Other?<\/h2>\n<p>In Case 2026Do477, the Supreme Court addressed sua sponte the relationship between two separate PIPA offences: Article 71(2) (use or provision of data beyond its collection scope, violating Article 18(1)) and Article 71(10) (unauthorised use, destruction, alteration, falsification, or leakage of another person&#8217;s data, violating Article 59(3)).<\/p>\n<div class=\"statute-box\">\n<div class=\"statute-title\">Personal Information Protection Act (PIPA)<br \/>Article 71 (Penalties) \u2014 Relevant Provisions<\/div>\n<p>        Any person falling under any of the following shall be punished by imprisonment of up to five years or a fine of up to KRW 50 million:<\/p>\n<div style=\"height: 8px\"><\/div>\n<p>        2. A person who uses personal data or provides it to a third party in violation of Article 18(1) or (2) \u2026 and a person who receives personal data for profit or improper purposes knowing the foregoing circumstances.<\/p>\n<div style=\"height: 8px\"><\/div>\n<p>        10. A person who uses, destroys, damages, alters, forges, or leaks another person&#8217;s personal data in violation of Article 59(3).\n    <\/p><\/div>\n<div class=\"statute-box\">\n<div class=\"statute-title\">Criminal Act of South Korea<br \/>Article 40 \u2014 Imaginary Concurrence<\/div>\n<p>        Where one act constitutes several offences, the punishment shall be imposed under the provision for the most serious offence.\n    <\/p><\/div>\n<h3>The Court&#8217;s Holding<\/h3>\n<p>The lower court had treated the two offences as standing in a special-general relationship, with Article 71(2) absorbing Article 71(10), and acquitted on the latter charge in its reasoning. The Supreme Court held this to be an error. Because the two provisions differ in their subject class and the specific conduct prohibited, neither fully subsumes the other. Where one act satisfies both, the offences stand in <strong>imaginary concurrence<\/strong> under Criminal Act Article 40, and punishment is imposed under the heavier offence.<\/p>\n<p>The Court found the error did not affect the outcome \u2014 the sentencing range and practical result were identical \u2014 and therefore dismissed the appeal rather than remanding.<\/p>\n<p><\/p>\n<h2 id=\"section8\">8. What Does This Mean for Foreign-Invested Companies in South Korea?<\/h2>\n<p>Foreign companies operating in South Korea&#8217;s Incheon Free Economic Zone (IFEZ \u2014 Songdo, Cheongna, Yeongjong) and across the country routinely engage third-party vendors, agency staff, and solicitors who handle customer data as part of daily operations. The four decisions discussed above have direct practical implications for these businesses.<\/p>\n<p>The 2024Do14998 ruling on insurance solicitors offers a template for analysing controller status in any outsourced data processing relationship \u2014 including relationships with logistics agents, sales distributors, and platform operators. Companies should document clearly who holds ultimate authority over data processing decisions, and ensure that contractual arrangements with processors reflect that allocation of responsibility.<\/p>\n<p>The 2024Do19539 ruling on consent underscores the importance of drafting specific, purpose-limited consent forms. Consent obtained for customer onboarding does not automatically extend to subsequent uses. Legal teams reviewing data processing agreements should map each data use to a specific consent basis.<\/p>\n<p>The 2026Do477 ruling on unlawfully obtained data is a reminder that purchasing or receiving personal data from third parties carries PIPA controller liability regardless of where the data originated. Due diligence on the provenance of any externally sourced data lists is now a legal necessity, not merely a compliance recommendation. Our team at Atlas Legal has advised multiple foreign-invested companies in the IFEZ on structuring data governance frameworks that withstand this scrutiny.<\/p>\n<p><\/p>\n<h2 id=\"section9\">9. FAQ<\/h2>\n<div class=\"faq-section\">\n<div class=\"faq-item\">\n<div class=\"faq-question\">Q1. Does using illegally obtained personal data make someone a personal data controller under South Korean law?<\/div>\n<div class=\"faq-answer\">A. Yes. The Supreme Court (Case 2026Do477, April 16, 2026) held that a person who acquires personal data through hacking or unlawful distribution channels and then operates a business personal data file qualifies as a personal data controller under PIPA Article 2(5), regardless of how the data was obtained. The statutory definition places no restriction on the method of acquisition.<\/div>\n<\/p><\/div>\n<div class=\"faq-item\">\n<div class=\"faq-question\">Q2. Is an insurance solicitor in South Korea automatically a personal data controller?<\/div>\n<div class=\"faq-answer\">A. Not automatically. The Supreme Court (Case 2024Do14998, February 26, 2026) reversed and remanded, holding that merely performing data processing acts does not establish controller status. The decisive question is who holds ultimate authority to determine how personal data is processed. Because insurance companies typically hold that authority over their solicitors, the lower court&#8217;s conviction was overturned.<\/div>\n<\/p><\/div>\n<div class=\"faq-item\">\n<div class=\"faq-question\">Q3. What is the legal test for personal data controller status under South Korea&#8217;s PIPA?<\/div>\n<div class=\"faq-answer\">A. Under Case 2024Do14998, courts must consider: (1) whose proprietary business and interests the data processing serves; (2) who exercises actual supervision and direction; (3) who creates, holds, and operates the personal data file; and (4) which attribution of controller duties best serves data subject protection.<\/div>\n<\/p><\/div>\n<div class=\"faq-item\">\n<div class=\"faq-question\">Q4. Does prior consent from a data subject prevent criminal liability for disclosure under South Korean PIPA?<\/div>\n<div class=\"faq-answer\">A. Yes, where consent genuinely covers the manner of disclosure. The Supreme Court (Case 2024Do19539, October 30, 2025) reversed a conviction where residents had consented to having their names and unit numbers used in a group chat. However, consent is only effective if it specifically covers the actual use \u2014 consent for one purpose does not extend to materially different uses.<\/div>\n<\/p><\/div>\n<div class=\"faq-item\">\n<div class=\"faq-question\">Q5. Does South Korea&#8217;s PIPA protect personal data that has already been publicly disclosed?<\/div>\n<div class=\"faq-answer\">A. Yes. The Supreme Court (Case 2012Da49933, July 24, 2014) confirmed that the right to informational self-determination protects not only private information but also information formed in the course of public life or already disclosed to the public. Unauthorized republication of such data can still be unlawful.<\/div>\n<\/p><\/div>\n<div class=\"faq-item\">\n<div class=\"faq-question\">Q6. What is the relationship between PIPA Article 71(2) and Article 71(10) in South Korea?<\/div>\n<div class=\"faq-answer\">A. The Supreme Court (Case 2026Do477) held that the two offences are in an imaginary concurrence relationship under Criminal Act Article 40, not a special-general relationship. A single act satisfying both provisions is punished under the heavier offence.<\/div>\n<\/p><\/div>\n<div class=\"faq-item\">\n<div class=\"faq-question\">Q7. Can someone avoid all PIPA liability in South Korea by arguing they are not a personal data controller?<\/div>\n<div class=\"faq-answer\">A. Not necessarily. Even without controller status, a person may be liable as an &#8220;actor&#8221; under PIPA Article 74(2), the joint punishment provision, if they carried out the prohibited conduct on behalf of a controller (Supreme Court 2020Do1942, October 28, 2021). Controller status is a threshold issue \u2014 not the only route to criminal liability.<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p>PIPA criminal enforcement in South Korea is increasingly sophisticated, and the four Supreme Court decisions discussed above show that liability can arise in contexts that initially appear straightforward. Whether the issue is the provenance of a data set, the legal status of a field agent, the scope of a consent form, or the public nature of information, the analysis must return to the same question: whose right to informational self-determination is at stake, and has it been respected? Our legal team has handled data privacy matters across a range of industries and is available to advise on PIPA compliance and criminal defence strategy.<\/p>\n<p class=\"disclaimer\" style=\"margin: 20px 0;\">\u203b This article is provided for general informational purposes only and does not constitute legal advice. The applicable law may differ depending on the specific facts of each case. Please consult a qualified attorney before taking action.<\/p>\n<div class=\"author-box\">\n<h3>About the Author<\/h3>\n<div class=\"author-name\">Taejin Kim | Managing Partner<\/div>\n<div class=\"author-info\">Corporate Advisory, Commercial Disputes, White-Collar Criminal Defence<\/div>\n<div class=\"author-info\">Former Prosecutor | 33rd Class, Judicial Research and Training Institute<\/div>\n<div class=\"author-info\">LL.B. &#038; LL.M. in Criminal Law, Korea University | LL.M., University of California, Davis<\/div>\n<div class=\"author-info\">Atlas Legal | Incheon Songdo, South Korea<\/div>\n<p>        <a href=\"https:\/\/atlaw.kr\" target=\"_blank\" rel=\"noopener noreferrer\">Visit Atlas Legal<\/a>\n    <\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Table of Contents 1. What Is a &#8220;Personal Data Controller&#8221; Under South Korea&#8217;s PIPA? 2. What Is the Right to Informational Self-Determination? \u2014 Supreme Court 2012Da49933 3. Does Using Illegally Obtained Data Make You a Controller? \u2014 Supreme Court 2026Do477 4. Is an Insurance Solicitor a Personal Data Controller? \u2014 Supreme Court 2024Do14998 5. Does&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kadence_starter_templates_imported_post":false,"_kad_post_transparent":"default","_kad_post_title":"default","_kad_post_layout":"default","_kad_post_sidebar_id":"","_kad_post_content_style":"default","_kad_post_vertical_padding":"default","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[16,224],"tags":[695,696,692,694,693],"class_list":["post-785","post","type-post","status-publish","format-standard","hentry","category-criminal","category-white-collar-crime","tag-data-privacy-criminal-liability","tag-korea-corporate-law","tag-personal-data-controller","tag-personal-information-protection-act","tag-pipa-south-korea"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Who Is a Personal Data Controller in South Korea? Four Supreme Court Cases | Atlas Legal<\/title>\n<meta name=\"description\" content=\"South Korea&#039;s Supreme Court defined personal data controller liability in four landmark PIPA rulings. Learn the legal test and what it means for your business.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa\/\" \/>\n<meta property=\"og:locale\" content=\"ko_KR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Who Is a Personal Data Controller in South Korea? Four Supreme Court Cases | Atlas Legal\" \/>\n<meta property=\"og:description\" content=\"South Korea&#039;s Supreme Court defined personal data controller liability in four landmark PIPA rulings. Learn the legal test and what it means for your business.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa\/\" \/>\n<meta property=\"og:site_name\" content=\"Atlas Legal Blog\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-24T00:36:14+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-03T08:31:05+00:00\" \/>\n<meta name=\"author\" content=\"\ubc95\ubb34\ubc95\uc778 \uc544\ud2c0\ub77c\uc2a4\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\uae00\uc4f4\uc774\" \/>\n\t<meta name=\"twitter:data1\" content=\"\ubc95\ubb34\ubc95\uc778 \uc544\ud2c0\ub77c\uc2a4\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/personal-data-controller-south-korea-pipa\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/personal-data-controller-south-korea-pipa\\\/\"},\"author\":{\"name\":\"\ubc95\ubb34\ubc95\uc778 \uc544\ud2c0\ub77c\uc2a4\",\"@id\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/#\\\/schema\\\/person\\\/184bcdecc06f89fd6c36b29781165b55\"},\"headline\":\"Who Is a Personal Data Controller in South Korea? Four Supreme Court Cases\",\"datePublished\":\"2026-04-24T00:36:14+00:00\",\"dateModified\":\"2026-05-03T08:31:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/personal-data-controller-south-korea-pipa\\\/\"},\"wordCount\":3321,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/#organization\"},\"keywords\":[\"data privacy criminal liability\",\"Korea corporate law\",\"personal data controller\",\"personal information protection act\",\"PIPA South Korea\"],\"articleSection\":[\"White Collar Crime\",\"White-Collar Crime\"],\"inLanguage\":\"ko-KR\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/personal-data-controller-south-korea-pipa\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/personal-data-controller-south-korea-pipa\\\/\",\"url\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/personal-data-controller-south-korea-pipa\\\/\",\"name\":\"Who Is a Personal Data Controller in South Korea? Four Supreme Court Cases | Atlas Legal\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/#website\"},\"datePublished\":\"2026-04-24T00:36:14+00:00\",\"dateModified\":\"2026-05-03T08:31:05+00:00\",\"description\":\"South Korea's Supreme Court defined personal data controller liability in four landmark PIPA rulings. Learn the legal test and what it means for your business.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/personal-data-controller-south-korea-pipa\\\/#breadcrumb\"},\"inLanguage\":\"ko-KR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/personal-data-controller-south-korea-pipa\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/personal-data-controller-south-korea-pipa\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\ud648\",\"item\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Who Is a Personal Data Controller in South Korea? Four Supreme Court Cases\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/#website\",\"url\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/\",\"name\":\"Atlas Legal English Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"ko-KR\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/#organization\",\"name\":\"Atlas Legal English Blog\",\"url\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"ko-KR\",\"@id\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/wp-content\\\/uploads\\\/sites\\\/3\\\/2025\\\/09\\\/\ud3f4\ub354-\uc0c1\ub2e8-\uc9c1\uc0ac\uac01\ud615.png\",\"contentUrl\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/wp-content\\\/uploads\\\/sites\\\/3\\\/2025\\\/09\\\/\ud3f4\ub354-\uc0c1\ub2e8-\uc9c1\uc0ac\uac01\ud615.png\",\"width\":540,\"height\":485,\"caption\":\"Atlas Legal English Blog\"},\"image\":{\"@id\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/#\\\/schema\\\/person\\\/184bcdecc06f89fd6c36b29781165b55\",\"name\":\"\ubc95\ubb34\ubc95\uc778 \uc544\ud2c0\ub77c\uc2a4\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"ko-KR\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d4c25916239244225f5f853b2ddf50fdcb7ea24d63347445261fe71c707cc558?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d4c25916239244225f5f853b2ddf50fdcb7ea24d63347445261fe71c707cc558?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d4c25916239244225f5f853b2ddf50fdcb7ea24d63347445261fe71c707cc558?s=96&d=mm&r=g\",\"caption\":\"\ubc95\ubb34\ubc95\uc778 \uc544\ud2c0\ub77c\uc2a4\"},\"sameAs\":[\"https:\\\/\\\/atlaw.kr\"],\"url\":\"https:\\\/\\\/atlaw.kr\\\/en-blog\\\/author\\\/prinz001\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Who Is a Personal Data Controller in South Korea? Four Supreme Court Cases | Atlas Legal","description":"South Korea's Supreme Court defined personal data controller liability in four landmark PIPA rulings. Learn the legal test and what it means for your business.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa\/","og_locale":"ko_KR","og_type":"article","og_title":"Who Is a Personal Data Controller in South Korea? Four Supreme Court Cases | Atlas Legal","og_description":"South Korea's Supreme Court defined personal data controller liability in four landmark PIPA rulings. Learn the legal test and what it means for your business.","og_url":"https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa\/","og_site_name":"Atlas Legal Blog","article_published_time":"2026-04-24T00:36:14+00:00","article_modified_time":"2026-05-03T08:31:05+00:00","author":"\ubc95\ubb34\ubc95\uc778 \uc544\ud2c0\ub77c\uc2a4","twitter_card":"summary_large_image","twitter_misc":{"\uae00\uc4f4\uc774":"\ubc95\ubb34\ubc95\uc778 \uc544\ud2c0\ub77c\uc2a4"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa\/#article","isPartOf":{"@id":"https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa\/"},"author":{"name":"\ubc95\ubb34\ubc95\uc778 \uc544\ud2c0\ub77c\uc2a4","@id":"https:\/\/atlaw.kr\/en-blog\/#\/schema\/person\/184bcdecc06f89fd6c36b29781165b55"},"headline":"Who Is a Personal Data Controller in South Korea? Four Supreme Court Cases","datePublished":"2026-04-24T00:36:14+00:00","dateModified":"2026-05-03T08:31:05+00:00","mainEntityOfPage":{"@id":"https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa\/"},"wordCount":3321,"commentCount":0,"publisher":{"@id":"https:\/\/atlaw.kr\/en-blog\/#organization"},"keywords":["data privacy criminal liability","Korea corporate law","personal data controller","personal information protection act","PIPA South Korea"],"articleSection":["White Collar Crime","White-Collar Crime"],"inLanguage":"ko-KR","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa\/","url":"https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa\/","name":"Who Is a Personal Data Controller in South Korea? Four Supreme Court Cases | Atlas Legal","isPartOf":{"@id":"https:\/\/atlaw.kr\/en-blog\/#website"},"datePublished":"2026-04-24T00:36:14+00:00","dateModified":"2026-05-03T08:31:05+00:00","description":"South Korea's Supreme Court defined personal data controller liability in four landmark PIPA rulings. Learn the legal test and what it means for your business.","breadcrumb":{"@id":"https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa\/#breadcrumb"},"inLanguage":"ko-KR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/atlaw.kr\/en-blog\/personal-data-controller-south-korea-pipa\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\ud648","item":"https:\/\/atlaw.kr\/en-blog\/"},{"@type":"ListItem","position":2,"name":"Who Is a Personal Data Controller in South Korea? Four Supreme Court Cases"}]},{"@type":"WebSite","@id":"https:\/\/atlaw.kr\/en-blog\/#website","url":"https:\/\/atlaw.kr\/en-blog\/","name":"Atlas Legal English Blog","description":"","publisher":{"@id":"https:\/\/atlaw.kr\/en-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/atlaw.kr\/en-blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ko-KR"},{"@type":"Organization","@id":"https:\/\/atlaw.kr\/en-blog\/#organization","name":"Atlas Legal English Blog","url":"https:\/\/atlaw.kr\/en-blog\/","logo":{"@type":"ImageObject","inLanguage":"ko-KR","@id":"https:\/\/atlaw.kr\/en-blog\/#\/schema\/logo\/image\/","url":"https:\/\/atlaw.kr\/en-blog\/wp-content\/uploads\/sites\/3\/2025\/09\/\ud3f4\ub354-\uc0c1\ub2e8-\uc9c1\uc0ac\uac01\ud615.png","contentUrl":"https:\/\/atlaw.kr\/en-blog\/wp-content\/uploads\/sites\/3\/2025\/09\/\ud3f4\ub354-\uc0c1\ub2e8-\uc9c1\uc0ac\uac01\ud615.png","width":540,"height":485,"caption":"Atlas Legal English Blog"},"image":{"@id":"https:\/\/atlaw.kr\/en-blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/atlaw.kr\/en-blog\/#\/schema\/person\/184bcdecc06f89fd6c36b29781165b55","name":"\ubc95\ubb34\ubc95\uc778 \uc544\ud2c0\ub77c\uc2a4","image":{"@type":"ImageObject","inLanguage":"ko-KR","@id":"https:\/\/secure.gravatar.com\/avatar\/d4c25916239244225f5f853b2ddf50fdcb7ea24d63347445261fe71c707cc558?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d4c25916239244225f5f853b2ddf50fdcb7ea24d63347445261fe71c707cc558?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d4c25916239244225f5f853b2ddf50fdcb7ea24d63347445261fe71c707cc558?s=96&d=mm&r=g","caption":"\ubc95\ubb34\ubc95\uc778 \uc544\ud2c0\ub77c\uc2a4"},"sameAs":["https:\/\/atlaw.kr"],"url":"https:\/\/atlaw.kr\/en-blog\/author\/prinz001\/"}]}},"_links":{"self":[{"href":"https:\/\/atlaw.kr\/en-blog\/wp-json\/wp\/v2\/posts\/785","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/atlaw.kr\/en-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/atlaw.kr\/en-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/atlaw.kr\/en-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/atlaw.kr\/en-blog\/wp-json\/wp\/v2\/comments?post=785"}],"version-history":[{"count":3,"href":"https:\/\/atlaw.kr\/en-blog\/wp-json\/wp\/v2\/posts\/785\/revisions"}],"predecessor-version":[{"id":932,"href":"https:\/\/atlaw.kr\/en-blog\/wp-json\/wp\/v2\/posts\/785\/revisions\/932"}],"wp:attachment":[{"href":"https:\/\/atlaw.kr\/en-blog\/wp-json\/wp\/v2\/media?parent=785"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/atlaw.kr\/en-blog\/wp-json\/wp\/v2\/categories?post=785"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/atlaw.kr\/en-blog\/wp-json\/wp\/v2\/tags?post=785"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}