enforcement action KR enforcement 9/10
Government · Personal Information Protection Commission (South Korea)

The South Korean Personal Information Protection Commission (PIPC) issued substantial administrative sanctions against Coupang and Coupang Fulfillment Services (CFS) for severe breaches of the Personal Information Protection Act (PIPA). This action, including a penalty of KRW 624.681 billion for Coupang, resulted from a data breach affecting over 33 million users and 4.33 million third parties, caused by inadequate security management, delayed notifications, and undermining the Chief Privacy Officer's role. The PIPC also found failures in data destruction and evidence preservation. This indicates an active enforcement posture by the PIPC.

Effective date

2026-06-10

Action required

Companies operating in South Korea, particularly those handling large volumes of personal data, must immediately review and enhance their data security practices, incident response protocols, and CPO authority to ensure compliance with PIPA and prevent similar severe penalties.

Binding status

binding

Governing body

Personal Information Protection Commission

Direction

restrictive

Innovation impact

constraining

Enforcement details

Case name

The PIPC Sanctions Coupang and CFS for Data Breaches and Infringements on Privacy

Agency

Personal Information Protection Commission (PIPC)

Penalty

KRW 624,681,000,000

Compliance requirements

Required disclosures

  • Data breach notification to PIPC and competent authorities within 72 hours
  • Notification to affected data subjects

Prohibited practices

  • Failure to securely manage authentication methods (e.g., signing keys)
  • Insufficient access control to prevent illegal access
  • Delayed data breach notification
  • Undermining the independent work of a CPO
  • Failure to destruct personal information after withdrawal
  • Failure to preserve evidence (e.g., access logs)

Transparency requirements

  • Disclosure of investigation results (when conducted by CPO)

Affected industries

retailtechnologylogistics

Affected roles

compliance officerprivacy officercisoctoboard director

Cross-references

Cites laws

Personal Information Protection Act (PIPA)

"The PIPC found that the data breach was caused by inadequate management of baseline personal data protection, not by sophisticated hacking techniques."

Enriched 2026-06-25

Stay informed

Get daily intelligence briefs on this and related regulatory developments.

Start 14-day trial