Korea PIPA Decree for Foreign Controllers 2026
Introduction
A foreign platform company serves Korean users from abroad and assumes that local privacy compliance is mostly a matter of website notices and contract language. Then the Korean business team learns that the amended Personal Information Protection Act and its enforcement decree now require a closer local link, especially where the foreign controller has a subsidiary or affiliate in Korea. At that moment, the Korea PIPA decree for foreign controllers stops being a theoretical legal update and becomes an operational compliance project.
In 2026, the Korea PIPA decree for foreign controllers is one of the most important privacy developments for overseas companies touching Korean personal data. The rule change is particularly relevant to software providers, e-commerce groups, digital platforms, financial service firms, and multinational groups that process Korean data offshore while maintaining some corporate footprint in Korea. The days of treating the local affiliate as commercially useful but legally irrelevant for privacy governance are ending.
Kim & Chang’s summary of the 2025 amendment cycle highlighted two especially important changes. First, foreign data controllers that are already subject to the domestic-agent obligation and that have a Korean subsidiary or affiliate may need to designate that local entity as the domestic agent. Second, the amended decree specifies who qualifies as an eligible affiliate and what supervision duties the foreign controller must perform.
This guide explains the new Korea PIPA decree for foreign controllers, how the domestic-agent rules work, what “significant influence” means, and what foreign companies should do in 2026 to avoid privacy compliance becoming a governance failure.
Why this decree matters now
Korea’s privacy framework has been moving steadily toward stronger accountability, sharper enforcement, and clearer extra-territorial expectations. The Personal Information Protection Act (PIPA) already had global reach in practical terms because overseas companies collecting or processing Korean personal data could face Korean enforcement risk. The new decree matters because it closes a common governance gap.
Previously, some foreign businesses appointed outside representatives or handled domestic-agent issues more loosely even while operating through a Korean affiliate. Regulators appear to have concluded that if an overseas controller already has a meaningful Korea corporate presence, there should be a more direct accountability bridge between the offshore controller and the local organization.
For foreign executives, this changes internal assumptions about responsibility. The Korean affiliate may no longer be just a sales office or support entity. It may become the legally designated domestic agent for privacy purposes, with training, inspection, and oversight implications that reach headquarters and the local team simultaneously.
The legal baseline under PIPA and the decree
The key source is the amended PIPA, effective from October 2, 2025, together with the amended Enforcement Decree of PIPA approved in September 2025 and taking effect concurrently.
According to the Kim & Chang summary, the amended regime provides that foreign data controllers subject to the domestic-agent obligation must designate, as the domestic agent, either:
- a Korean entity established by the foreign controller, or
- a Korean entity over which the foreign controller has significant influence concerning executive appointment, business operations, and related matters.
The decree then clarifies what “significant influence” means. It is recognized where the foreign controller:
- has the right to appoint or dismiss the representative director,
- has the right to appoint 50% or more of the board, or
- holds 30% or more of the issued shares or capital contributions.
This is a practical rule, not a symbolic one. Many multinational structures will meet one of these tests easily.
Korea PIPA decree for foreign controllers and domestic-agent eligibility
The old mindset: use any convenient local representative
Many foreign businesses treated the domestic agent as a formal contact point. They would choose a service provider or an external representative and move on. That approach becomes much harder when a Korean affiliate exists and falls within the new influence tests.
The new mindset: use the Korean affiliate if the law points there
Under the new Korea PIPA decree for foreign controllers, a local subsidiary or affiliate may no longer be optional if the foreign controller has the required degree of influence. That means internal legal, compliance, HR, and information-security teams need to understand whether the Korean entity is merely part of the business structure or now also part of the privacy accountability structure.
This can be uncomfortable for groups that historically separated the two. But from the regulator’s perspective, the change makes sense. If the foreign company has meaningful control over a Korean entity, that entity is a logical domestic accountability point.
Supervision duties are the real operational shift
The decree does not stop at designation. It also requires active supervision by the foreign controller over the domestic agent.
Kim & Chang’s summary notes two specific supervisory duties:
- the foreign controller must provide training to the domestic agent on duties and responsibilities at least once annually,
- the foreign controller must conduct inspections to confirm whether the domestic agent has a performance plan, has implemented that plan, and has remedied deficiencies found during inspection.
This is a bigger change than many companies first realize. It means the domestic-agent appointment is not a nameplate exercise. Headquarters must build a repeatable governance process.
In practical terms, foreign groups should expect to create:
- annual privacy training records,
- formal domestic-agent role descriptions,
- compliance plans and checklists,
- inspection logs,
- remediation tracking,
- reporting lines from Korea back to headquarters.
What kinds of companies are most affected
Global SaaS and platform businesses
These businesses often process Korean user data abroad while maintaining a Korea sales subsidiary. The sales entity may now become the domestic agent if the group has the required influence.
E-commerce and marketplace groups
Cross-border e-commerce operators with Korean marketing subsidiaries should review whether consumer data handling, returns support, or local customer communication create extra privacy obligations that now need to be managed through the designated local entity.
Financial and fintech groups
Financial-sector players already live under heavy compliance expectations. The new Korea PIPA decree for foreign controllers adds another governance layer where offshore processing and local customer acquisition intersect.
Multinational employers
Groups processing employee or applicant data across borders should not focus only on consumer data. Korean HR and recruiting data can also trigger meaningful privacy obligations.
Interaction with broader Korea data compliance
The domestic-agent rule should not be viewed in isolation. It sits inside a larger Korean privacy framework that includes:
- notice and consent requirements under PIPA,
- cross-border transfer compliance,
- breach reporting and response,
- retention and destruction obligations,
- vendor-management and outsourcing controls.
A foreign company that designates a domestic agent but still has weak cross-border transfer mapping or incident response procedures has not solved the real problem. The decree is best understood as an accountability bridge, not a complete privacy program.
That is also why the rule overlaps with governance. Once the Korean affiliate becomes the domestic agent, local management may need better authority, staffing, and budget to do the job credibly.
Comparison with EU and UK concepts
Foreign executives often compare the Korean domestic-agent model with the EU GDPR Article 27 representative requirement or local representative concepts in other jurisdictions. The comparison is helpful because all of these regimes seek a reachable local accountability point for overseas organizations.
But Korea’s current approach is more specific in one important way. Where the foreign controller already has a Korean entity it controls or significantly influences, the law now pushes the group toward using that entity rather than keeping the privacy representative function at arm’s length.
That makes Korea’s approach feel more integrated into corporate reality. It also means multinational groups cannot delegate the issue entirely to outside counsel or a paper representative if the local affiliate is plainly part of the same business structure.
Common compliance mistakes to avoid
Mistake 1: assuming the rule only affects big tech
The rule can affect any foreign controller covered by the domestic-agent obligation, including B2B businesses and multinational groups with employee data flows.
Mistake 2: appointing the Korean affiliate but doing nothing else
The decree requires training and inspections. Passive appointment is not enough.
Mistake 3: ignoring ownership and control mapping
Groups often know their top-level structure but have not mapped exactly who appoints directors, who holds 30% or more, or how much influence headquarters exercises over the Korea entity.
Mistake 4: separating privacy from local management too sharply
If the Korean affiliate is the domestic agent, local leaders need clarity on authority, escalation, and response expectations.
A practical compliance roadmap for 2026
1) Determine whether the domestic-agent obligation applies
This threshold question should be reviewed first under PIPA based on the company’s Korean data activities.
2) Map Korean entities and influence tests
Check whether the foreign controller has a Korean subsidiary or affiliate meeting the decree’s significant-influence standards.
3) Designate the correct domestic agent
If the local entity qualifies and the law points there, document the designation formally.
4) Build supervision controls
Prepare annual training, internal monitoring, performance plans, and inspection routines.
5) Update privacy governance documents
Revise internal policies, data maps, incident protocols, and vendor-management materials so the domestic-agent role is reflected consistently.
6) Train both Korea and headquarters teams
The local entity cannot perform its role if the offshore controller does not understand what support and oversight are required.
Practical example: overseas SaaS company with Korea sales affiliate
Assume a US software company hosts customer data in Singapore and the US while its Korean subsidiary handles enterprise sales and account management. The parent appoints the Korean representative director and owns 100% of the shares. Under the amended decree, that Korea subsidiary is an obvious domestic-agent candidate. If the company instead keeps an outside representative on paper but gives the Korean subsidiary no privacy role, it risks misalignment with the amended framework.
A stronger approach would be to designate the Korea subsidiary formally, assign privacy responsibilities to a local manager, train that manager annually, and maintain inspection records from headquarters. That is the kind of governance evidence regulators expect to see.
Practical Tips / Key Takeaways
- Review whether PIPA’s domestic-agent obligation applies to your Korean data activities first.
- Map ownership and governance rights carefully. The 30% shareholding and board-appointment tests matter.
- Treat domestic-agent designation as a governance function, not a paperwork exercise.
- Implement annual training and inspections because the decree expressly requires supervision.
- Align the Korean affiliate’s authority and staffing with the responsibilities it is expected to carry.
- Coordinate privacy, HR, and business teams so cross-border data flows and local accountability match.
Conclusion
The new Korea PIPA decree for foreign controllers is a meaningful shift in how Korea expects overseas companies to connect local corporate presence with privacy accountability. If a foreign controller has a Korean subsidiary or affiliate it controls or significantly influences, the domestic-agent function may now need to sit inside that local structure, backed by real training and oversight.
Korea Business Hub advises foreign companies on PIPA compliance, domestic-agent structuring, cross-border data transfers, and governance design for Korean affiliates. We also coordinate with our company-setup and litigation teams where privacy compliance overlaps with local subsidiary management, regulatory investigations, or disputes arising from Korean data operations.
About the Author
Korea Business Hub
Providing expert legal and business advisory services for foreign investors and companies operating in Korea.