KOREA

N/A

Pillar Technical standards applied to ICT goods and online services  |  Indicator Self-certification for product safety
Electrical Appliances Safety Control Act (전기용품 및 생활용품 안전관리법)
The Electrical Appliances Safety Control Act authorises the Korean Agency for Technology and Standards to develop safety certification schemes for the import of electronic appliances. The agency has created three certification schemes: KC Safety Certification, KC Safety Confirmation, and SDoC.
The requirements are the following:
- Type 1 products must go through a certification procedure that includes factory inspection (initial and regular) with mandatory product testing every two years in order to get KC Certification. Type 1 products include electric wire, cords, switches for electrical appliances, motor-oriented electric tools, breakers, insulated transformers, and lighting appliances;
- Type 2 products, which are considered less dangerous, must undergo certification procedures that include safety testing without factory inspection. Type 2 products include electric switches, electric appliances, audio and video electronic apparatus, lighting appliances, insulated transformers, and information technology equipment;
- Type 3 products are exempt from mandatory certification procedures on presentation of an SDoC. Except for products that qualify for SDoC, the other two methods, which include local testing, could be burdensome. Type 3 products include fluorescent lamp starters, DC power supplies, and electric chargers connected to the electric appliances, as well as some electric appliances, audio and video electronic apparatus, and information technology equipment.
Coverage Electrical appliances

KOREA

Since 2010

Pillar Technical standards applied to ICT goods and online services  |  Indicator Self-certification for product safety
Radio Wave Act (전파법)
The Ministry of Science, ICT & Future Planning (MSIP) is an authority that conducts EMC and wireless communication certification. KC certification is issued by Korea’s National Radio Research Agency (RRA) and requires testing at an RRA-approved laboratory. There are three mandatory certification mechanisms for imported broadcasting and communications equipment to test the safety of radio waves (Art. 58-2):
- Certain equipment must receive a certification of conformity from the Ministry of Science, ICT and Future Planning after undergoing a test by a designated third-party laboratory. Such equipment includes wireless telephone alarm automatic receiver, radar equipment for ships, telephone, and modem;
- Equipment that is not subject to this certification may be imported only upon showing a confirmation that verifies compatibility after a test conducted either by a designated third-party testing body or as a self-test. Equipment in this category includes computing devices and peripherals, broadcasting set-top boxes, measuring instruments, industrial devices, and connectors;
- Equipment that is not subject to either of these schemes must have interim conformity after passing a test showing conformity with domestic or international standards. Equipment that is newly developed but whose conformity assessment criteria have yet to be developed falls in this category.
Korea has entered into a mutual recognition arrangement with the United States, Canada, EU, Vietnam, and Chile. However, except for Canada, the import of broadcasting and communications equipment from other countries must still receive certification of conformity from the South Korean government, even if a conformity test has been conducted in the exporting countries.
Coverage Broadcasting and communications equipment

KOREA

Since June 1961, last amended in October 2021
Since March 2001, as amended in May 2010, last amended in July 2022

Pillar Technical standards applied to ICT goods and online services  |  Indicator Product screening and additional testing requirements
National Intelligence Service Korea Act (국가정보원법)

Electronic Government Act (전자정부법)
Pursuant to Art. 4 of the National Intelligence Service Korea Act and Art. 56 of the Electronic Government Act, the National Intelligence Service (NIS) imposes security verification requirements on network equipment and cyber-security software in government procurement. Generally, suppliers may satisfy the requirement by showing that the products are certified at a Common Criteria Recognition Arrangement (CCRA) accredited lab outside of Korea. However, certain network equipment must undergo an additional security verification process. Furthermore, the Common Criteria (CC) certification may not be sufficient for two reasons. First, NIS may substitute the CC certification with other certification mechanisms that were internally developed (e.g., GS Certification). Second, NIS may reject a CC certification when it deems that the certification does not cover particular functions of the product that the government entity needs.
Coverage Network equipment and cyber-security software

KOREA

Since March 2001, as amended in May 2010, last amended in July 2022
Since August 2017

Pillar Technical standards applied to ICT goods and online services  |  Indicator Restrictions on encryption standards
Electronic Government Act (전자정부법)

Encryption Modules Implementation Guideline (암호모듈 구현 지침)
If software systems or hardware equipment such as virtual private networks and firewall systems deal with non-confidential yet important information and are to be used in the government, they must pass verification for appropriate encryption modules under the auspices of the National Intelligence Service (NIS). Appropriate encryption standards are developed in Korea, such as ARIA, SEED, LEA, and HIGHT. Suppliers need to submit the source code of their products to undergo the verification test. The same encryption standards also apply to certain network equipment such as VPN and SW USB series.
Coverage Software, network equipment, and other hardware equipment

KOREA

Since 2006

Pillar Domestic data policies  |  Indicator Minimum period for data retention
Enforcement Decree of Electronic Financial Transactions Act (전자금융거래법 시행령)
Enforcement Decree of the Electronic Financial Transactions Act provides under Art. 12 that a subsidiary electronic financial company, such as a payment gateway system that records and transmits electronic transaction information, must keep the records for at least three years. This affects not only payment gateway service providers but also electronic commerce firms that utilise the services. This retention period requirement has been in place since its enactment in 2006.
Coverage Payment gateway services

KOREA

Since March 2011, last amended in March 2023

Pillar Domestic data policies  |  Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Personal Information Protection Act No. 10465 (개인정보 보호법)
Under the Personal Information Protection Act, data controllers must appoint a privacy officer who comprehensively takes charge of personal information processing (Art. 31). The requirement has been in place since its enactment in 2011.
Coverage Horizontal

KOREA

Since January 1957, last amended in December 2022
Since September 2018

Pillar Intermediary liability  |  Indicator Safe harbour for intermediaries for copyright infringement
Copyright Act (저작권법)

Act on Promotion of Information and Communications Network Utilization and Information Protection etc (정보통신망 이용촉진 및 정보보호 등에 관한 법률)
The Copyright Act, since its 2006 amendment, has established a safe harbour regime for intermediaries, exempting Internet Service Providers (ISPs) from liability for copyright infringement when acting as mere conduits, caching, hosting, or searching information (Art. 102). ISPs are also not liable for users' infringing acts if it is technically impossible for them to take preventive measures. Additionally, Art. 122-2 of the Act led to the creation of the Korean Copyright Protection Agency (KCOPA) in 2016, which, under Art. 133-3, is empowered to investigate networks for illegal reproductions and apply corrective measures such as issuing warnings, suppressing or suspending transmissions, and suspending repeat infringers' accounts. KCOPA can also request the blocking of access to foreign websites involved in copyright infringement, as per Art. 44-7 of the Law on the Promotion of the Use of Information and Communications Networks and Information Protection.
Coverage Internet host services

KOREA

N/A

Pillar Intermediary liability  |  Indicator Safe harbour for intermediaries for any activity other than copyright infringement
Lack of intermediary liability framework in place beyond copyright infringement
A basic legal framework on intermediary liability beyond copyright infringement is absent in Korea's law and jurisprudence.
Coverage Internet intermediaries

KOREA

Since April 2006

Pillar Intermediary liability  |  Indicator User identity requirement
Game Industry Promotion Act (게임산업진흥에 관한 법률)

Law No. 10879 (법률 제10879호)
According to Art. 12-3 of the Game Industry Promotion Act, users are required to verify the real names and ages of users of game products when they join as members and self-authenticate. This requirement has been in place since 2011 as part of the amendment of the Game Industry Promotion Act through Law No. 10879 of July 2011.
Coverage Gaming industry

KOREA

Reported in 2021, last reported in 2023

Pillar Intermediary liability  |  Indicator User identity requirement
Mandatory SIM card registration
It is reported that Korea imposes an identity requirement for SIM registration. Anyone wanting to purchase a SIM card has to provide their national ID card or, in the case of foreigners, a passport to activate a new prepaid SIM card.
Coverage Telecommunications sector

KOREA

Since December 2023

Pillar Cross-border data policies  |  Indicator Infrastructure requirement
Ministry of Health and Welfare Notice No. 2023-245 - Standards for facilities and equipment necessary for management and preservation of electronic medical records (보건복지부고시 제2023-245호 - 전자의무기록의 관리·보존에 필요한 시설과 장비에 관한 기준)
In accordance with Art. 7 of the Ministry of Health and Welfare Notice No. 2023-245 on the Standards for Facilities and Equipment for Managing and Storing Hospital-Generated Electronic Medical Records, cloud servers storing patient electronic medical records created by hospitals must be situated in South Korea. Additionally, Art. 9 mandates that the Ministry of Health and Welfare shall issue an official notification every three years outlining the requirements for servers, including backup servers, used to store these records. Currently, these servers must be physically located in South Korea, and accessing medical records from outside the country is prohibited.
Coverage Health sector

KOREA

Since January 2023

Pillar Cross-border data policies  |  Indicator Infrastructure requirement
Cloud Security Assurance Program
In January 2023, the Korean Ministry of Science and Technology Information and Communication issued a notice of implementation and adopted an amendment to the Cloud Security Assurance Program (CSAP). Under the amendment, it is reported that, to obtain CSAP certification from the Korea Internet and Security Agency (KISA), a service provider’s cloud computing infrastructure, associated data, backup systems, as well as management and operational personnel, must all be located within Korea.
Coverage Cloud-computing sector

KOREA

Since June 2014

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Act on the Establishment, Management of Spatial Data (공간정보의 구축 및 관리 등에 관한 법률)
Art. 16 of the Act on the Establishment, Management of Spatial Data provides that geographical data related to maps or photos produced for the purpose of a survey cannot be transferred abroad except with the permission of the Minister of Land, Infrastructure and Transport. This provision has been in place since 2014.
Coverage Location-based services

KOREA

Since March 2011, last amended in March 2023

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Personal Information Protection Act No. 10465 (개인정보 보호법)
Art. 28-8 of the Personal Information Protection Act prohibits any transfer of personal information overseas by a personal information manager except in any of the following cases: (i) where a separate consent for overseas transfer has been obtained from the data subject; (ii) where there exist special provisions in a statute, a treaty or other international conventions to which the Republic of Korea is a party; (iii) where it is necessary to delegate the processing of, or retain, personal information in order to execute and perform a contract with a data subject, and the matters to be informed to the data subject when obtaining his/her consent to overseas transfer have been informed to the data subject or have been disclosed in the personal information manager's privacy policy; (iv) where the recipient of personal information has obtained certification determined and publicly notified by the Personal Information Protection Commission (PIPC) and has implemented certain measures to protect personal information; or (v) where the PIPC has recognised that the country or the international organization to which the personal information is transferred has a personal information protection system, etc. that is substantially equal to the level of that under the Personal Information Protection Act. The personal information manager shall also take certain technical, managerial and physical protection measures.
Coverage Horizontal

KOREA

Since 2009, as amended in July 2020

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Credit Information Use and Protection Act (신용정보법)
According to Art. 32 of the Credit Information Act, the credit information provider/user should obtain the prior consent of the customer in writing or by other reliable means each time it provides to a third party or uses personal credit information (including any personally identifiable information) of a customer. When the credit information provider/user obtains consent to the provision (i.e. sharing) and utilisation of personal credit information, it should notify the customer of: the recipient of the information; the purpose of provision; the content of information; the duration of maintenance; and use by the recipient. Furthermore, a separate explanation to the customer is required with respect to the mandatory items of personal data that must be provided for the provision of the services and other optional items of personal data, and consent must be obtained. In such cases, as to the mandatory items, the credit information provider/user must explain their relevance to the service provision. Art. 32 requires the credit information provider/user to notify the customer that they may opt not to consent to the provision of any optional data that may be collected.
The Act established that financial institutions are required to obtain consent of individuals only if the use of personal information "conflict[s] with the original purpose of the collection." Thus, under this regime, a financial institution may "entrust" personal information to a third party but may not "supply" it. Supplying and entrusting are terms of art under the Act. "Supplying" means transferring personal information for the transferee's own purpose, whereas "entrusting" means transferring personal information to a third party to help carry out the purpose of the original data collection.
Coverage Financial services
