Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
South Korea: Overview of data retention requirements
In this Insight article, Hyeon Song Lee, Principal at Pine Law Office, explores how the Personal Information Protection Act (PIPA) in South Korea grants personal data rights and sets obligations for data processors. Additionally, he delves into the complex landscape of data retention regulations that extend beyond PIPA, highlighting the necessity for businesses to navigate various individual laws to ensure compliance and avoid potential penalties.
PIPA provides the personal data rights granted to data subjects, encompassing rights such as information disclosure, access, rectification, and erasure. It also imposes obligations on data processors, mandating clear notification of the purposes for personal data collection, maintenance of data accuracy and completeness, and the implementation of measures to safeguard personal information.
However, the landscape of regulations governing the retention of various types of information held by data processors extends beyond the confines of PIPA, creating challenges for businesses in determining which information to retain and when disposal is appropriate. This fragmentation requires a comprehensive understanding of data retention requirements in South Korea to ensure regulatory compliance and mitigate potential penalties, which may encompass fines and legal sanctions.
With regard to data retention regulations, PIPA simply stipulates that data processors must collect the minimum necessary personal information required for the intended purpose, with the onus of justifying the necessity of collected data resting on the data processor (Article 16 of PIPA). Additionally, upon the expiration of the retention period or achievement of the collecting purpose, personal information must be promptly disposed of unless other legal obligations require extended retention (Article 21(1) of PIPA).
PIPA does not explicitly define criteria for setting the retention period for personal information held by private entities, leaving companies to assess the necessity of retained information for processing purposes, thereby introducing uncertainties. Rather, various individual laws, distinct from PIPA, prescribe retention periods for different types of information held by companies, superseding PIPA in such instances.
To address these complexities, companies may develop data retention policies based on the following principles:
- Permanent retention of information is not feasible. Establish a retention period aligned with the collecting purpose, obtain data subject consent, and dispose of information upon expiry of the retention period or fulfillment of the purpose.
- When retention periods are specified by individual laws, adhere to these stipulations accordingly and dispose of information upon expiry of the designated period.
Company and finance
As per the provisions outlined in the Korean Commercial Act (the Commercial Act), companies are obliged to uphold the retention of comprehensive financial records, including accounting books, balance sheets, and important operational documents, for a duration of 10 years. In addition, receipts or vouchers must be retained for a period of five years (Article 33 of the Commercial Act). The importance of documents is determined by gauging their relevance as potential evidence in resolving future disputes arising from business transactions, specifically encompassing major commercial contracts, purchase orders, minutes of shareholder and board of directors meetings, shareholder registries, and audit reports.
In terms of contractual agreements, certain statutes provide obligatory retention periods. For example, distribution agreements should be preserved for three years following the conclusion of the distributorship period, and documentation pertaining to subcontracting transactions must be retained for three years after the transaction completion (Article 5(3) of the Fair Agency Transactions Act, Article 6(2) of the Enforcement Decree of the Fair Transactions in Subcontracting Act).
In matters concerning taxation, businesses are mandated to retain documentary evidence - such as credit card sales receipts, cash receipts, tax invoices, and electronic invoices - for all transactions associated with each business entity, for a minimum period of five years subsequent to the expiration of the relevant tax filing deadline (Article 71 of the Value-Added Tax Act, Article 85-3 of the Framework Act on National Taxes).
Employment
As stipulated by the Fair Hiring Procedure Act, which supersedes PIPA in this context, companies are obliged to retain documents submitted by job applicants for a duration ranging from 14 days to 180 days following the confirmation of the applicant's status, as determined by the employing entity. In addition, the employer is obliged to return the submitted documents upon request by the applicant (Article 11 of the Fair Hiring Procedure Act).
Upon entering into an employment agreement with an employee, companies are required to collect various documents containing the employee's information. These documents must be retained for the duration specified by law, irrespective of the employee's resignation. Under the purview of the Labour Standards Act, crucial documents pertaining to employment agreements must be retained for a minimum period of three years. The commencement date for each retention period is subject to variation, as outlined below (Article 42 of the Labour Standard Act):
Documents | Contents | Commencement date for three-year retention period |
Employee roster | Name, gender, date of birth, type of work, date of employment, duration of employment contract, date of retirement, and reason for retirement | The day the employee is dismissed, or the day of retirement or death |
Employment contract | Wage, regular working hours, annual leave, workplace, job description | The day the employment relationship ends |
Wage ledger | Name, resident registration number, employment period, number of workdays, working hours, overtime work, holiday work | The last date recorded |
Documents on wage determination and payment methods and the basis for wage calculation | Documents containing information on wage payment methods, calculation methods | The last date recorded |
Documents related to employment, dismissal, and retirement | Resignation notices, advance notices of dismissal, dismissal notices | The day the employee is dismissed or retires |
Documents related to leave | Application for leave, management ledger of paid annual leave | The day the leave is completed |
Documents related to promotion and demotion | Documents such as personnel notices or notifications regarding promotion, demotion | The day the promotion or demotion is completed |
Documents related to the employment of minors under 18 years old | Documents proving the employee's age, certificates of family relationship, consent forms for parental rights or guardianship | The day the employee turns 18 (If the employee is dismissed, retires, or dies before turning 18, the day of dismissal, retirement, or death) |
Nevertheless, documents concerning industrial accidents are required to be retained until the cessation of industrial accident compensation or until the expiration of the statute of limitations for claiming such compensation. (Article 91 of the Labour Standards Act). Furthermore, in cases where employers settle and disburse retirement grants pre-emptively, pertinent documents must be retained for a duration of five years following the employee's retirement date (Article 3(2) of the Enforcement Decree of the Act on Guarantee of Employee's Retirement Benefits).
Health and safety
Businesses are obliged to maintain documents pertinent to industrial safety and health, encompassing records of industrial accidents and safety measures, for a duration of three years from their preparation date, as mandated by the Occupational Safety and Health Act. However, documents detailing the outcomes of workplace environment measurements concerning employee health and safety, along with documents substantiating health diagnoses submitted by employees, are to be retained for an extended period of five years (Article 64 of the Occupational Safety and Health Act).
On the other hand, documents containing records of hazardous substances, as well as those validating health diagnoses for employees handling such hazardous substances, are subject to a lengthier retention period of 30 years (Article 241 of the Enforcement Decree of the Occupational Safety and Health Act).
Retention Period | Type of Document |
30 years | Documents containing records of hazardous substances designated by the Minister of Employment and Labor and documents containing health diagnosis results for employees handling such hazardous substances |
5 years | Documents recording workplace environment measurements and documents related to employee health diagnoses |
3 years | Records of industrial accident causes, measures related to safety and health, contents and results of risk assessments, documents related to safety certification and safety inspections, documents related to investigations or surveys due to violations of laws and regulations, etc. |
2 years | Records of meetings of labor-management consultative bodies conducted under voluntary inspection programs |
In instances where specific documents are not delineated within individual legislations, it is worth noting that the Ministry of Employment and Labor is likely to request data spanning the preceding three years during business inspections in practice. Finally, considering that the statute of limitations for fines under the Act on the Regulation of Violations of Public Order is five years, it is advisable to manage health and safety-related documents for a five-year duration whenever feasible.
Sales and marketing
In principle, the retention of customer information, which falls within the definition of personal information, is governed by PIPA. Hence, the business collecting customer information is obliged to notify of the purpose of data collecting, and retention period, and obtain consent from customers for the collection, usage, and processing of their data. As previously mentioned, documents containing personal information must be expeditiously disposed of once the retention period expires or the collecting purpose is accomplished. However, it is worth noting that the general principle of 10 years under the Commercial Act is applicable at the same time according to the types of documents.
In 2023, the Personal Information Protection Commission (PIPC) issued Standard Guidelines on PIPA, furnishing private companies with a framework for adhering to the legislation. According to these Guidelines:
- for website member registration, documents should be retained until the member opts to withdraw;
- if a claim-obligation relationship arises during the process of using the website, the documents pertaining to the claim and/or obligation should be retained until the resolution of said relationship;
- in the context of goods or service provision, documents should be retained until the completion of the supply process or receipt of payment; and
- in instances where investigations or inquiries concerning violations of pertinent laws are underway, documents should be retained until the conclusion of the relevant procedures.
With regard to e-commerce transactions, the Act on Consumer Protection in Electronic Commerce stipulates that transaction records related to advertising must be retained for a period of six months. Records associated with consumer complaints or dispute resolution must be retained for three years, while records linked to contracts, subscriptions, payment, and the supply of goods must be retained for five years (Article 6(1) of the Enforcement Decree of the Act on Consumer Protection in Electronic Commerce).
Best practice tips for South Korea
Under the mandate of PIPA, requiring the 'necessary minimum' criterion for data retention, business operators must first comprehend not only the legal and regulatory requirements but also their business context concerning data collection to formulate an effective data retention policy. Moreover, it is vital to ensure that the company's data retention policy is established by thoroughly examining the presence of individual legislations pertinent to each business division, including, but not limited to, corporate and finance, employment, health and safety, and sales and marketing.
In essence, a business operator should:
- comprehend the organization's rationale for collecting personal data and harmonize this purpose with the principles of data minimization;
- retain data in accordance with individual legislations, which include, but are not limited to, the Commercial Act, the Labor Standards Act, the Framework Act on National Taxes, and the Occupational Safety and Health Act; and
- if the data pertains to personal information and is not governed by individual laws, promptly dispose of the data upon the expiration of the consented retention period or upon fulfillment of the purpose.
Hyeon Song Lee Principal
[email protected]
Pine Law Office, South Korea
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
