Personal Information Protection Commission

Press Release

The PIPC Sanctions Temu for Unlawful Cross-Border Data Transfer and Other Violations 

- Separately, a correction order was issued on Temu to designate its Korean corporation as a domestic agent to ensure compliance with the PIPA 

- The PIPC released a Chinese version of “Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators”

May 9, 2025

(This is an unofficial translation of a press release, originally prepared in Korean.)

The Personal Information Protection Commission (PIPC) held its 11th plenary meeting of 2025 and reached a resolution to sanction Temu for their failures to comply with the legal requirements concerning cross-border transfer for personal data under the Personal Information Protection Act (PIPA) on May 15, 2025. Administrative sanctions by the PIPC are as follows:

● A penalty for violations (Gwajingguem): KRW 1.369 billion 

● A fine for wrongdoing (Gwataeryo): KRW 17.6 million 

● Correction orders and recommendations issued

Temu’s user data is managed by Whaleco Technology Limited, while sellers’ data is handled by Elementary Innovation Pte. Ltd. In this sense, the PIPC decided to sanction the two businesses.

I. Background 

The PIPC started launching investigations into Temu and other online marketplaces last year as part of a broader examination of “Overseas Direct Purchase (OPD)” services. In July 2024, the PIPC sanctioned Alibaba.com Singapore E-Commerce Private Limited (AliExpress) for violations of unlawful cross-border data transfer by imposing KRW 1.978 billion. The commission ordered AliExpress to be equipped with domestic-level personal data management capabilities.

Meanwhile, media outlets recently reported that Temu collected sellers' ID and facial data during seller-recruitment processes. In this regard, the PIPC examined this data processing practice as well.

II. Investigation Results

1. Personal data processing of users

▪ Overview of Temu’s Business Model 

Temu is an online marketplace that connects sellers and buyers. It receives commissions from sellers for each product they sell, based on a certain range of percentages depending on the product category. However, the company directly ships out sellers' products from its intermediary warehouses to buyers and does not provide users' personal information to sellers. Temu's shipping mechanism differs from that of general online marketplaces, which provide sellers with users’ personal data for shipping purposes. 

▪ Violations

The PIPC's investigation results showed that Temu has entrusted personal data processing and storage to several businesses located in Korea, China, Singapore, and Japan, for shipping products, but it failed to disclose the entrustment of personal data processing in its privacy policy and notify users. It also failed to properly manage and supervise entrusted entities, such as conducting training on how to securely manage personal data and examining their data processing practices. 

The PIPA stipulates that personal data processors that need to entrust personal data processing or storage to foreign businesses for the performance of a contract are required to disclose this in their privacy policy or inform data subjects of it via email or other methods. However, Temu failed to comply with the legal requirements as required by the PIPA.

Moreover, as of the end of 2023, its average monthly users reached 2.9 million; however, the company failed to designate a domestic agent as required by the PIPA. It also made it difficult for users to exercise their right to withdraw membership by establishing a seven-step process. During the investigation, the company voluntarily took measures to correct its data processing practices by revising its privacy policy to disclose cross-border data transfers, the use of entrusted businesses, and the appointment of a domestic agent. It also streamlined the process for un-registering membership. 

2. Unlawful Identity Verification Practices

In February 2025, Temu began recruiting Korean sellers to provide a 'local-to-local' service, enabling them to directly sell and ship products to users. For Korean sellers to join this service, they should go through a six-step process: i) Setting up an account; ii) Entering business information; iii) Entering a seller's information; iv) Entering a store's information; v) Checking the entered data; and vi) Identity verification. 

For identity verification, the company collected sellers' ID and facial video data and processed resident registration numbers (RRNs) without a lawful basis. However, Temu destructed all the data collected as part of seller-recruitment processes during the investigation.

III. Sanctions

The PIPC imposed a penalty of KRW 1.369 billion on Temu for violations of cross-border data transfer and limitations on processing RRNs, and a fine of KRW 17.6 million for violations concerning the entrustment of personal data processing and designating a domestic agent.

● KRW 879 million in a penalty for violations and KRW 17.6 million in a fine for wrongdoing on Whaleco Technology Limited; and 

● KRW 490 million in a penalty for violations on Elementary Innovation Pte. Ltd. 

Along with financial penalties, the PIPC issued correction orders and recommendations on Temu to disclose the status of cross-border data transfer, entrustment of personal data processing, and data processing flows in a transparent manner; conduct management and oversight; and respect the data subjects' rights to be in compliance with the PIPA.

In particular, the PIPC issued recommendations on the company to designate its Korean corporation as a domestic agent as required by the PIPA. The domestic agent scheme aims to effectively safeguard the personal data of the people by ensuring redress for data subjects affected by data breaches, among others.

IV. Future plans

The PIPC will thoroughly monitor Temu’s implementation status to safeguard Korean users’ personal information. As more and more Chinese companies enter and operate in Korea, the Commission will use various channels, such as the Korea-China Internet Cooperation Center and on-site meetings with Chinese business operators to provide guidance on how to comply with the PIPA.

Meanwhile, the PIPC released "Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators" in English in April 2024, to help foreign businesses ensure full compliance with the PIPA. Taking this opportunity, the PIPC released a Chinese version of the aforementioned guidance material, urging Chinese business operators to gain a better understanding of the PIPA and ensure compliance.

* A PDF file, formatted for better readability, is attached.