Personal Information Protection Commission Holds Meeting on Expanding Data Portability Measures for Major Public Institutions

by Roh Kyungjo

Published 29 Apr.2026 16:53(KST)

Final Version of the Guidelines to Be Released in June

The Personal Information Protection Commission announced on April 29 that it held a “Meeting on Measures to Expand Data Portability for Major Public Institutions” at the Government Complex Sejong. The Ministry of the Interior and Safety, the Ministry of Health and Welfare, and the National Health Insurance Service also participated.

Personal Information Protection Commission logo. Courtesy of the Personal Information Protection Commission

This meeting was organized to explain the key details to public system operating institutions that have become data portability providers for individuals following the amendment to the Enforcement Decree of the Personal Information Protection Act, and to gather feedback from the field. The major amendments include expanding the scope of data portability requests and introducing prior consultation on transmission methods.

Data portability is a system that allows data subjects to request the transfer of their own personal information. Previously, it was only applied in the medical and telecommunications sectors, but the amendment to the Enforcement Decree has broadened its scope. Now, not only private businesses that process sensitive or unique information of more than 50,000 data subjects with average annual sales exceeding 180 billion won, or personal information of more than 1 million data subjects, but also public system operating institutions are included. A public system operating institution is defined as an institution that operates a public system meeting the criteria announced by the Personal Information Protection Commission, such as the scale of personal information processed and the number of personal information handlers.

The items subject to data portability requests are those that the data subject has consented to provide or that have been collected in accordance with laws and regulations, and that have been reviewed and approved by the Personal Information Protection Commission. However, information separately generated by the personal information processor or personal information processed by information processing devices is excluded. Data that may infringe on the rights of others, or that includes trade secrets or national industrial technologies, is also excluded.

The Personal Information Protection Commission has also specified guidelines to address situations where an agent submits a data portability request on behalf of a data subject using automated tools (scraping). Before transferring data, the data portability provider and the agent must discuss and agree in advance on the scope, purpose, and method of transmission, verify the agent’s authority of representation, establish protection and safety management measures for the agent, and clarify the agent’s responsibilities.

The Personal Information Protection Commission plans to reflect the feedback received at the meeting and release the final version of the guidelines in June. An official from the Commission stated, “We will continue to make consistent efforts to ensure the smooth implementation of this new system.”