EU-Republic of Korea Adequacy Decisions Finalized

December 29th, 2021 | Posted by Claude-Etienne Armingaud in Data Transfer | Privacy

Following the conclusion of the adequacy talks in March 2021, the European Commission has adopted on 17 December 2021 an adequacy decision addressing the transfers of personal data to the Republic of Korea under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive.

Both texts prohibit the transfer of personal data to “third countries” unless (a) the destination country benefits from (i) an adequacy decision or (ii) appropriate safeguards, such as standard contractual clauses (see our alert here) or codes of conduct (see our alert here); or (b) one of the limited derogations under Article 49 GDPR applies.

With regards to the adequacy talks, the Republic of Korea agreed on the implementation of additional safeguards. Accordingly, the reform of Republic of Korea’s data protection framework (the Personal Information Protection Act) in August 2020, the several addition safeguards have been implemented including transparency provisions and enforcement power strengthening of the Personal Information Protection Commission (§70).

The Republic of Korea adequacy decision complements the Free Trade Agreement (FTA) of July 2011 and allows a seamless flow of personal data between the Republic of Korea and the European Union.

Unlike the UK adequacy decision which contains a sunset clause (see our alert here), the Republic of Korea adequacy decision is not limited in time. However, pursuant to Article 45.3 GDPR, the European Commission carry out a first review of the decision after three years to evaluate any evolution in the Republic of Korea data protection framework, that would lead to divergence with the EU regulations (§220). 

The Republic of Korea now belongs to the increasing group of third countries benefiting from an adequacy decision (including, since GDPR’s entry into force, Japan and the UK).

The firm’s global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at global levels.

First publication: K&L Gates Hub in collaboration with Andrew L. Chung, Camille Scarparo and Eric Yoon

To Go Further:

  1. EU-UK Adequacy Decisions Finalized On 28 June 2021, within 48 hours of the expiration of the post-Brexit grace period under the UK-EU Trade and...
  2. A New Framework for Transfers of Personal Data EU and Korea Conclude Adequacy Decision Talks BACKGROUND On 30 March 2021, the European Commission, in a joint statement with the Personal Information Protection Commission, the data protection authority of...
  3. Adequacy Agreements, Legislation and Compliance in a GDPR World While Capitol Hill is inundated with proposed privacy legislations from the Data Breach Prevention and Compensation Act (DBPCA), the CLOUD...
  4. Impact of the Digital Republic Act on Online Intermediation Platforms The French Act No. 2016-1321 of 7 Oct. 2016 for a Digital Republic (the “Digital Republic Act”) amends the existing...

You can follow any responses to this entry through the RSS 2.0 Responses are currently closed, but you can trackback.