Under Art. 20 of Credit Information Use and Protection Act, credit information companies are required to maintain the following information for three years:
- the name and address of the customer and the entity whom the personal information was provided to or exchanged with,
- the details of the work scope requested by the customer and the data thereof, and
- the processing details of the requested work scope and the date and details of the credit information provided.
Furthermore, Art. 20-2 provides that all credit information be deleted by the date that is the earlier of five years from the termination of the financial transaction and three months from the date on which the purpose for collecting and providing personal information has been achieved.

Korea has not joined any agreement with binding commitments to open transfers of data across borders.

The Personal Information Protection Act, which was enacted in 2011 and recently amended in 2020, provides a comprehensive framework for data protection in Korea.

Per Art. 27 of Act on the Development of Cloud Computing and Protection of Its Users, generally, "no cloud computing service provider shall provide any user information to a third party or use user information for any purpose other than for the purpose of providing services, without the relevant user's consent." This conditional flow regime has been in place since 2015.

According to Art. 17 of the Personal Information Protection Act, in order to transfer personal data to third parties abroad, a data handler must inform the data subjects of the name of the receiving party, the purpose of transfer, the items of personal information to be transferred, the use and retention period, and the right to refuse transfer, and obtain consent unless otherwise allowed by the law. In addition, under Art. 39-12, to transfer personal information overseas, a data handler, including an information and communication service provider, must notify its data subjects (and obtain consent unless otherwise allowed by the law) the items of the personal data to be transferred; the country to which the personal information is to be transferred; the date, time, and the methods of transfer; the name of the recipient (referring to the name of a legal entity and the contact information of the person responsible for the management of information if the person is a legal entity); and the purposes of use of the data by the transferee, and how long the data will be retained and used.
Art. 22 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc (the Network Act) used to govern a conditional flow regime from 2001, but was repealed in February 2020 upon the amendment of the Personal Information Protection Act.

According to Art. 32 of the Credit Information Act, the credit information provider/user should obtain prior consent of the customer in writing or by other reliable means each time it provides to a third party or uses personal credit information (including any personal identifiable information) of a customer. When the credit information provider/user obtains consent to the provision (i.e. sharing) and utilisation of personal credit information, it should notify the customer of: the recipient of the information; the purpose of provision; the content of information; the duration of maintenance; and use by the recipient. Furthermore, a separate explanation to the customer is required with respect to the mandatory items of personal data that must be provided for the provision of the services and other optional items of personal data, and consent obtained. In such cases, as to the mandatory items, the credit information provider/user must explain their relevance to the service provision. Art. 32 requires the credit information provider/user to notify the customer that they may opt not to consent to the provision of any optional data that may be collected.
The Act established that financial institutions are required to obtain consent of individuals only if the use of personal information "conflict[s] with the original purpose of the collection." Thus, under this regime, a financial institution may "entrust" personal information to a third party but may not "supply" it. Supplying and entrusting are terms of art under the Act. "Supplying" means transferring personal information for the transferee's own purpose whereas "entrusting" means transferring personal information to a third party to help carry out the purpose of the original data collection.

Art. 16 of Act on the Establishment, Management of Spatial Data provides that geographical data related to maps or photos produced for the purpose of a survey cannot be transferred abroad except with the permission of the Minister of Land, Infrastructure and Transport. This provision has been in place since 2014.

Under the Electronic Financial Transactions Act, payment gateway services providers do not need to register with the Financial Service Commission. Yet, despite the apparent absence of the registration regime, it is reported that Korea maintains a facilities infrastructure requirement with respect to "payment gateway" services, preventing suppliers from leveraging investments in facilities outside Korea. A payment gateway is a "financial data processing system that deals with business affairs relating to the settlement of accounts and payments by transmitting electronic financial transaction information between a financial company and an electronic financial business entity" (Art. 2(6)).

Per Art. 5 of the Act on the Protection, Use, Etc. of Location Information, any person who intends to engage in location information business shall obtain permission from the Korea Communications Commission. Even if permitted to do such business, location information providers or location-based service providers cannot collect location information of individuals without individual's' consent under Art. 18. These restrictions have been in place since 2005.
It is reported that, although a supplier may export location information once acquiring a permit, Korea has never approved such a permit despite numerous applications by foreign suppliers over the past decade.

The Electronic Financial Supervisory Regulations imposes a local processing requirement for financial services who intend to utilize cloud services for credit information and unique identification information (e.g. resident registration number, driver’s licence number, passport number and alien registration number) (Art. 14-2). Financial companies and electronic financial business operators are required to use cloud systems located in Korea for processing of personal credit information and unique identification information. This provision was inserted as part of an amendment in December of 2018.

Korea has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Korea has a telecommunications authority: The Korea Communications Commission. However, it is reported that the decision making process of this entity is not fully independent from the government.

Under the Telecommunications Business Act, telecommunications businesses are divided into two categories: namely, facilities-based telecommunications services (FTS) and value-added telecommunications services (VATS). FTS refers to businesses that install telecommunications line equipment and facilities and provide telecom services. VATS are online services using the FTS network, such as cloud computing services, email, e-commerce platforms, and internet search engines. Since 2009, the Act has prohibited foreigners from owning more than 49% of the stock of a telecom enterprise when it comes to FTS (Art. 8).

Korea does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, accounting separation is required in certain cases: According to the Telecommunications business act, accounting is mandated for facilities-based telecommunications business operators who possess telecommunication service equipment and whose telecommunications service turnover of the preceding year exceeds 30 billion won (approx. 22.5 million USD), and for facilities-based telecommunications business operators who do not possess telecommunication service equipment and whose telecommunications service turnover of the preceding year exceeds 80 billion won (approx. 60.2 million USD).

The Telecommunications Business Act regulates licenses for network equipment and creates rules for the fair use of telecom facilities. Per Art. 8, foreign corporations cannot operate facilities-based telecom business in the country. Foreign ownership is allowed only up to 49% of the stock.