The Personal Information Protection Commission (“PIPC”) announced a proposed amendment to the Enforcement Decree of the Personal Information Protection Act (“PIPA”). The amendment extends third-party transfer rights—which allow individuals to have their personal information transferred to an organization of their choosing—to the education and employment sectors. The proposed amendment is open for public comment for a 41-day period from June 30 until August 10, 2026.
The right to request third-party transfer of personal information is part of the broader data portability regime (i.e., “MyData”) introduced by the March 2023 amendment to the PIPA, and currently applies to the healthcare, telecommunications, and energy sectors. The PIPC has been implementing this framework in a phased manner, taking into account public perception, private-sector data needs, and national impact. Specifically, the implementation began with healthcare and telecommunications in 2025; expands to energy, education, employment, and culture/leisure in 2026; and will cover welfare, transportation, real estate, and distribution in 2027. The most recent proposed amendment implements the next phase of this roadmap by adding the education and employment sectors. Key details and implications are set out below:
1. Expansion to the Education and Employment Sectors
Once effective, the amendment will allow individuals to transfer their academic records (including enrollment, coursework, grades, and graduation details) from universities, as well as employment and job-search records from organizations like the Korea Employment Information Service, to a recipient of their choice. For example, a job seeker would be able to have their transcripts or graduation records securely sent directly to prospective employers without having to personally obtain and submit the documents themselves, enabling tailored job matching and application processes. The PIPC expects this to particularly benefit young job applicants by allowing them to leverage their academic and career records for personalized job searches and employment services.
The categories of entities that must comply with an individual’s request to have his/her personal information transferred to another third party (“Third-party Data Transferors”), as well as the scope of personal information subject to such requests under the proposed amendment, are summarized below. The specific scope will be determined by a subsequent public notice following consultations with relevant ministries.
| Sector | Third-party Data Transferor | Data Subject to Transfer Request |
|---|---|---|
| Education | (1) National universities; (2) Public and private universities with 20,000 or more enrolled students as of the preceding year. |
Information designated by public notice following consultation between the PIPC and the Minister of Education, such as information on enrollment, coursework, grades, and graduation. |
| Employment | (1) Korea Employment Information Service; (2) Providers of occupational information services under the Framework Act on Employment Policy, designated by public notice by the PIPC in consultation with the Minister of Employment and Labor, considering technical and financial capacity. |
Information designated by public notice following consultation between the PIPC and the Minister of Employment and Labor, including: (i) Employment/occupational information collected and managed under the Framework Act on Employment Policy; (ii) Job application data and employment application information generated through employment services pursuant to the Employment Security Act. |
2. Reduced Burden for Entities That Transfer Data Directly to Data Subjects
The amendment also eases the compliance burden on organizations that transfer personal information directly to the data subject (“Direct Data Transferors”). Under the current Enforcement Decree, these organizations are required to publish instructions on how to submit transfer requests, check transfer status and history on their website, while also maintaining records of all data transmissions. However, under the amendment, if a Direct Data Transferor transmits personal information to the data subject using “specialized intermediaries,” such intermediaries may perform these posting and retention obligations on the transferor’s behalf. In addition, for transfers requested by a data subject for their own use, the scope of transfer records that must be kept has been narrowed to cover only the purpose of the request and the specific data requested.
3. Updates to Designation Criteria and Management Framework for Specialized Personal Information Management Institutions
The amendment also refines the designation criteria and management framework for specialized personal information management institutions to address the public’s potential concerns over the secure transfer of their personal information.
| Article | Current (effective Aug. 20, 2026) | Amendment |
|---|---|---|
| Institution Functions (Article 42-9 of the Enforcement Decree of the PIPA) |
Specialized intermediaries may not concurrently perform the functions of general or special institutions. | A new proviso exempts public institutions from this restriction where the PIPC and the head of the relevant central administrative agency determine it is necessary for the institution to carry out its statutorily prescribed duties. |
| Designation Criteria (Article 42-11 of the Enforcement Decree of the PIPA) |
Public institutions are completely exempted from financial capacity requirements (such as a sound financial structure, minimum capital, and liability insurance). | For public institutions, exemptions apply only to the financial structure and minimum capital requirements. |
| Supervision (Article 42-15 of the Enforcement Decree of the PIPA) |
PIPC may request materials from data transferors, specialized institutions, and general recipients. | For specialized institutions and general recipients, the PIPC may also conduct on-site inspections, in addition to requesting materials. |
| Platform Registration (Article 42-16 of the Enforcement Decree of the PIPA) |
Third-party Data Transferors, specialized institutions, and general recipients are listed on the transfer-support platform. | Direct Data Transferors are added to the list of registrants. Furthermore, a legal basis is created for them to submit data transfer history directly or through a specialized intermediary. |
| Identity/Representative Verification (Article 46 of the Enforcement Decree of the PIPA) |
Heads of central administrative agencies may request information (such as resident registration data) from the Minister of the Interior and Safety to support identity/representative verification | Specialized intermediaries may also request such resident registration data. Additionally, the amendment requires providing explanations for and allowing the refusal of automated decisions in connection with identity/representative verification |
4. Implications
- Education and Employment Data Transferors to Assess Necessary System Upgrades. National universities, qualifying public and private universities with 20,000 or more enrolled students, the Korea Employment Information Service, and employment information providers to be designated by future public notice will become obligated Third-party Data Transferors once the amendment takes effect. Since implementing transfer systems, identity/representative verification procedures, and review processes for refusing or suspending transfers may take considerable lead time, these institutions should review the amendment and the forthcoming public notices in advance.
- HR and recruiting platforms should evaluate new business opportunities. As academic records, employment history, and job application data become subject to transfer requests, new opportunities are expected to emerge in areas such as personalized job matching and streamlined job application services. However, in order to receive data transferred at a data subject’s request, the recipient must either qualify as a general recipient or be designated as a specialized personal information management institution. Therefore, companies looking to launch MyData services in the education or employment sectors need to clearly understand the relevant requirements and designation procedures ahead of time.
- Consider using specialized intermediaries to streamline compliance. Since entities that qualify as Direct Data Transferors may delegate their posting and retention obligations to a specialized intermediary when transmitting personal information to data subjects, they should consider integrating these intermediaries into their compliance design as they build out their transfer framework.
- Submit comments and monitor future developments. Interested organizations, associations, and individuals may submit comments on the proposed amendment by August 10 through the National Legislation Participation Center or the PIPC website. Furthermore, since key details—such as the specific scope of data transferors and transferable data—have been delegated to public notices (with further expansion into the welfare, transportation, real estate, and distribution sectors scheduled for 2027), even businesses not currently affected should continue to monitor developments on the relevant implementing regulations and public notices.
About Shin & Kim’s ICT Group
Shin & Kim’s ICT Group possesses unparalleled expertise in the ICT sector, consistently earning top-tier client recognition in recent years. Drawing upon our deep-seated capabilities in broadcasting, telecommunications, personal information protection, and internet IT, we deliver the highest level of legal advisory services encompassing regulatory trend analysis in broadcasting, telecommunications, and ICT; government affairs, legislative improvement and consulting; regulatory impact assessment; and corporate strategic planning. Furthermore, we possess extensive professional experience and expertise in AI compliance and security incident response. Please contact us if you have any questions or require more information.
[Korean version] 개인정보보호위원회, 교육·고용 분야까지 개인정보 제3자 전송요구권 확대 추진 – 「개인정보 보호법 시행령」 개정안 입법예고






