According to Art. 8 of the Notice of Import Customs Clearance for Express Goods, as amended in 2016 to increase the value of the de minimis rule, the de minimis threshold, meaning the minimum value of goods below which customs do not charge duties, is USD 150, which is below the 200 USD threshold recommended by the International Chamber of Commerce (ICC). This threshold applies to goods for personal consumption and samples not exceeding USD 150, with an exception for trade with the U.S. and Puerto Rico, where the threshold is USD 200 as per the Korea-US FTA, allowing these goods to be exempt from taxes and duties collected by customs.

According to Art. 4 of the Domain Name Management Rules set forth by the Korea Internet & Security Agency (KISA), domain name registrants must have a postal address of their place of residence in Korea. In addition, it is reported that a Copy of Company registration in Korea with proof of company address in both English and Korean languages is required for registration and that a Korean-based administrative contact is mandatory.

According to Art. 32 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, foreign IT service providers without an office in Korea are required to appoint a local agent responsible for ensuring compliance with data privacy regulations.

The Act on Consumer Protection in Electronic Commerce Transactions provides a comprehensive framework for consumer protection that also applies to online transactions. In addition, it is reported that for business-to-business transactions, the Regulation of Terms and Conditions Act and the Fair Trade Act are the main frameworks applied.

Under Art. 13 of the Act on the Promotion of Newspapers, a person who is not a national of Korea shall not be qualified as a publisher or editor of an online newspaper or as a news article layout manager of an online news service. This requirement has been in place since 2009.

Per Art. 5 of the Location Information Use and Protection Act, any person who intends to engage in location information business shall obtain permission from the Korea Communications Commission. According to Art. 18 of the Act, even if permitted to do such business, location information providers or location-based service providers cannot collect location information of individuals without individuals' consent. It is reported that, although a supplier may export location information once acquiring a permit, Korea has never approved such a permit despite numerous applications by foreign suppliers over the past decade.

Art. 28-8 of the Personal Information Protection Act prohibits any transfer of personal information overseas by a personal information manager unless it is in any of the following cases: (i) where a separate consent for overseas transfer has been obtained from the data subject; (ii) where there exist special provisions in a statute, a treaty or other international conventions to which the Republic of Korea is a party; or (iii) where it is necessary to delegate the processing of, or retain, personal information in order to execute and perform a contract with a data subject, and the matters to be informed to the data subject when obtaining his/her consent to overseas transfer have been informed to the data subject or have been disclosed in the personal information manager privacy policy; (iv) where the recipient of personal information has obtained certification determined and publicly notified by the Personal Information Protection Commission (PIPC) and has implemented certain measures to protect personal information; or (v) where the PIPC has recognised that the country or the international organization to where the personal information is transferred has the personal information protection system, etc. that are substantially equal to the level of those under the Personal Information Protection Act. The personal information manager shall also take certain technical, managerial and physical protection measures.

According to Art. 32 of the Credit Information Act, the credit information provider/user should obtain the prior consent of the customer in writing or by other reliable means each time it provides to a third party or uses personal credit information (including any personally identifiable information) of a customer. When the credit information provider/user obtains consent to the provision (i.e. sharing) and utilisation of personal credit information, it should notify the customer of: the recipient of the information; the purpose of provision; the content of information; the duration of maintenance; and use by the recipient. Furthermore, a separate explanation to the customer is required with respect to the mandatory items of personal data that must be provided for the provision of the services and other optional items of personal data, and consent must be obtained. In such cases, as to the mandatory items, the credit information provider/user must explain their relevance to the service provision. Art. 32 requires the credit information provider/user to notify the customer that they may opt not to consent to the provision of any optional data that may be collected.
The Act established that financial institutions are required to obtain consent of individuals only if the use of personal information "conflict[s] with the original purpose of the collection." Thus, under this regime, a financial institution may "entrust" personal information to a third party but may not "supply" it. Supplying and entrusting are terms of art under the Act. "Supplying" means transferring personal information for the transferee's own purpose, whereas "entrusting" means transferring personal information to a third party to help carry out the purpose of the original data collection.

Per Art. 27 of Act on the Development of Cloud Computing and Protection of Its Users, generally, "no cloud computing service provider shall provide any user information to a third party or use user information for any purpose other than for the purpose of providing services, without the relevant user's consent." This conditional flow regime has been in place since 2015.

Korea has entered into an agreement entailing binding commitments to facilitate cross-border data transfers. Art. 14.14 of the Free Trade Agreement between the Government of the Republic of Korea and the Government of the Republic of Singapore, as amended by the Digital Partnership Agreement between the two governments, stipulates that neither party shall prohibit or restrict the transfer of information by electronic means, including personal data, where such transfers are necessary for the business operations of a covered person.

The Personal Information Protection Act, which was enacted in 2011 and recently amended in 2020, provides a comprehensive framework for data protection in Korea.

Per Art. 41 of the Enforcement Decree of Protection of Communications Secrets Act, telecoms or internet infrastructure operators should retain for 12 months the following:
- the date of the telecommunication, the commencement time and end time of the telecommunication, the communications number of outgoing and incoming calls, the frequency of use, and the location data for 12 months (six months in case of long-distance calls and local call services); and
- the log records of users and the location data for three months.
This requirement has been in place since the Act's enactment in 1994.

Under Art. 20 of the Credit Information Use and Protection Act, credit information companies are required to maintain the following information for three years:
- the name and address of the customer and the entity whom the personal information was provided to or exchanged with,
- the details of the work scope requested by the customer and the data thereof, and
- the processing details of the requested work scope and the date and details of the credit information provided.
Furthermore, Art. 20-2 provides that all credit information be deleted by the date that is the earlier of five years from the termination of the financial transaction and three months from the date on which the purpose for collecting and providing personal information has been achieved.

Enforcement Decree of the Electronic Financial Transactions Act provides under Art. 12 that a subsidiary electronic financial company, such as a payment gateway system that records and transmits electronic transaction information, must keep the records for at least three years. This affects not only payment gateway service providers but also electronic commerce firms that utilise the services. This retention period requirement has been in place since its enactment in 2006.

Under the Personal Information Protection Act, data controllers must appoint a privacy officer who comprehensively takes charge of personal information processing (Art. 31). The requirement has been in place since its enactment in 2011.