The Ministry of Science, ICT & Future Planning (MSIP) is an authority that conducts EMC and wireless communication certification. KC certification is issued by Korea’s National Radio Research Agency (RRA) and requires testing at an RRA-approved laboratory. There are three mandatory certification mechanisms for imported broadcasting and communications equipment to test the safety of radio waves (Art. 58-2):
- Certain equipment must receive a certification of conformity from the Ministry of Science, ICT and Future Planning after undergoing a test by a designated third-party laboratory. Such equipment includes wireless telephone alarm automatic receiver, radar equipment for ships, telephone, and modem;
- Equipment that is not subject to this certification may come in only with a showing of confirmation that verifies the compatibility after undergoing a test either by a designated third-party testing body or self-tests. The equipment that falls in this category includes Computing devices and peripherals, broadcasting set-top boxes, measuring instruments, industrial devices, and connectors.
- Equipment that is not subject to either of these schemes must have interim conformity after passing a test showing conformity with domestic or international standards. Equipment that is newly developed but whose conformity assessment criteria have yet to be developed falls in this category.
Korea has entered into a mutual recognition arrangement with the United States, Canada, EU, Vietnam, and Chile. However, except for Canada, the import of broadcasting and communications equipment from other countries must still receive certification of conformity from the South Korean government, even if a conformity test has been conducted in the exporting countries.

Pursuant to Art. 4 of the National Intelligence Service Korea Act and Art. 56 of the Electronic Government Act, the National Intelligence Service (NIS) imposes security verification requirements on network equipment and cyber-security software in government procurement. Generally, they may satisfy the requirement by showing that the products are certified at a Common Criteria Recognition Arrangement (CCRA) accredited lab outside of Korea. However, certain network equipment must undergo an additional security verification process. Furthermore, the Common Criteria (CC) certification may not be sufficient for two reasons. First, NIS may substitute the CC certification with other certification mechanisms that were internally developed (e.g., GS Certification). Second, NIS may reject a CC certification when it deems that the certification does not cover particular functions of the product that the government entity needs.

If software systems or hardware equipment such as virtual private networks and firewall systems deal with non-confidential yet important information and are to be used in the government, they must pass verification for appropriate encryption modules under the auspices of the National Intelligence Service (NIS). Appropriate encryption standards are developed in Korea, such as ARIA, SEED, LEA, and Hight. The suppliers need to submit the source code of their products to receive the verification test. The same encryption standards also apply to certain network equipment such as VPN and SW USB series.

The amendment of the Telecommunications Business Act by Act no. 12761 on 15 October 2014 included Art. 22-3. According to Art. 22-3, value-added telecommunication service providers, encompassing all online hosts of applications and content, must implement technical measures as outlined in the Presidential Decree to counteract the dissemination of explicit materials.

In January 2023, the Korean Ministry of Science and Technology Information and Communication issued a notice of implementation and adopted an amendment to the Cloud Security Assurance Program (CSAP). Under the amendment, it is reported that, to obtain CSAP certification from the Korea Internet and Security Agency (KISA), a service provider’s cloud computing infrastructure, associated data, backup systems, as well as management and operational personnel, must all be located within Korea.

Art. 16 of Act on the Establishment, Management of Spatial Data provides that geographical data related to maps or photos produced for the purpose of a survey cannot be transferred abroad except with the permission of the Minister of Land, Infrastructure and Transport. This provision has been in place since 2014.

Art. 28-8 of the Personal Information Protection Act prohibits any transfer of personal information overseas by a personal information manager unless it is in any of the following cases: (i) where a separate consent for overseas transfer has been obtained from the data subject; (ii) where there exist special provisions in a statute, a treaty or other international conventions to which the Republic of Korea is a party; or (iii) where it is necessary to delegate the processing of, or retain, personal information in order to execute and perform a contract with a data subject, and the matters to be informed to the data subject when obtaining his/her consent to overseas transfer have been informed to the data subject or have been disclosed in the personal information manager privacy policy; (iv) where the recipient of personal information has obtained certification determined and publicly notified by the Personal Information Protection Commission (PIPC) and has implemented certain measures to protect personal information; or (v) where the PIPC has recognised that the country or the international organization to where the personal information is transferred has the personal information protection system, etc. that are substantially equal to the level of those under the Personal Information Protection Act. The personal information manager shall also take certain technical, managerial and physical protection measures.

According to Art. 32 of the Credit Information Act, the credit information provider/user should obtain the prior consent of the customer in writing or by other reliable means each time it provides to a third party or uses personal credit information (including any personally identifiable information) of a customer. When the credit information provider/user obtains consent to the provision (i.e. sharing) and utilisation of personal credit information, it should notify the customer of: the recipient of the information; the purpose of provision; the content of information; the duration of maintenance; and use by the recipient. Furthermore, a separate explanation to the customer is required with respect to the mandatory items of personal data that must be provided for the provision of the services and other optional items of personal data, and consent must be obtained. In such cases, as to the mandatory items, the credit information provider/user must explain their relevance to the service provision. Art. 32 requires the credit information provider/user to notify the customer that they may opt not to consent to the provision of any optional data that may be collected.
The Act established that financial institutions are required to obtain consent of individuals only if the use of personal information "conflict[s] with the original purpose of the collection." Thus, under this regime, a financial institution may "entrust" personal information to a third party but may not "supply" it. Supplying and entrusting are terms of art under the Act. "Supplying" means transferring personal information for the transferee's own purpose, whereas "entrusting" means transferring personal information to a third party to help carry out the purpose of the original data collection.

Per Art. 27 of Act on the Development of Cloud Computing and Protection of Its Users, generally, "no cloud computing service provider shall provide any user information to a third party or use user information for any purpose other than for the purpose of providing services, without the relevant user's consent." This conditional flow regime has been in place since 2015.

Korea has entered into an agreement entailing binding commitments to facilitate cross-border data transfers. Art. 14.14 of the Free Trade Agreement between the Government of the Republic of Korea and the Government of the Republic of Singapore, as amended by the Digital Partnership Agreement between the two governments, stipulates that neither party shall prohibit or restrict the transfer of information by electronic means, including personal data, where such transfers are necessary for the business operations of a covered person.

The Personal Information Protection Act, which was enacted in 2011 and recently amended in 2020, provides a comprehensive framework for data protection in Korea.

Per Art. 41 of the Enforcement Decree of Protection of Communications Secrets Act, telecoms or internet infrastructure operators should retain for 12 months the following:
- the date of the telecommunication, the commencement time and end time of the telecommunication, the communications number of outgoing and incoming calls, the frequency of use, and the location data for 12 months (six months in case of long-distance calls and local call services); and
- the log records of users and the location data for three months.
This requirement has been in place since the Act's enactment in 1994.

Under Art. 20 of the Credit Information Use and Protection Act, credit information companies are required to maintain the following information for three years:
- the name and address of the customer and the entity whom the personal information was provided to or exchanged with,
- the details of the work scope requested by the customer and the data thereof, and
- the processing details of the requested work scope and the date and details of the credit information provided.
Furthermore, Art. 20-2 provides that all credit information be deleted by the date that is the earlier of five years from the termination of the financial transaction and three months from the date on which the purpose for collecting and providing personal information has been achieved.

Enforcement Decree of the Electronic Financial Transactions Act provides under Art. 12 that a subsidiary electronic financial company, such as a payment gateway system that records and transmits electronic transaction information, must keep the records for at least three years. This affects not only payment gateway service providers but also electronic commerce firms that utilise the services. This retention period requirement has been in place since its enactment in 2006.

Under the Personal Information Protection Act, data controllers must appoint a privacy officer who comprehensively takes charge of personal information processing (Art. 31). The requirement has been in place since its enactment in 2011.