(Credit: Unsplash)

This article is presented to you in association with the European Commission.

Today, the Commission is launching the process of adopting the adequacy decision for the transfer of personal data to the Republic of Korea. It will cover transfers of personal data to business operators in the Republic of Korea as well as to public authorities. If adopted, this decision would offer Europeans enhanced protection of their personal data when transferred to the Republic of Korea. At the same time, it would complete the EU-Republic of Korea Free Trade Agreement (FTA) and strengthen cooperation between the EU and the Republic of Korea as great digital powers. The trade agreement has resulted in a significant increase in bilateral trade in goods and services. Ensuring the free flow of personal data to the Republic of Korea through an adequacy decision based on a high level of data protection will support this nearly € 90 billion business relationship.

The draft adequacy decision has been published and sent to the European Data Protection Board (EDPB) for its opinion. Over the past few months, the Commission has carefully assessed the Republic of Korea’s personal data protection laws and practices, including the rules on data access by public authorities. It concludes that the Republic of Korea provides a level of protection substantially equivalent to that guaranteed by the General Data Protection Regulation (GDPR).

True Jourova, Vice President for Values ​​and Transparency, said: “This agreement with the Republic of Korea will improve the protection of personal data of our citizens and support businesses in dynamic business relationships. It is also a sign of an increasing convergence of data protection laws around the world. In the digital economy, free and secure data streams are not a luxury, but a necessity. “

Didier Reynders, the justice commissioner said: “Two years ago, together with Japan, we created the largest free and secure data flow area in the world. Soon the Republic of Korea is expected to follow – another important partner in East Asia and another great achievement. The Republic of Korea has a strong track record in the field of data protection. The fact that the EU and the Republic of Korea apply similar privacy standards is good for both businesses and citizens. “

Key elements

In the Republic of Korea, the processing of personal data is governed by the Privacy Act (PIPA), which provides for principles, guarantees, individual rights and obligations similar to those of EU law. The recent reform of PIPA, which strengthened the powers of investigation and enforcement of Commission for the protection of personal information (PIPC), the independent data protection authority of the Republic of Korea. This reform entered into force in August 2020. It confirms the importance of an independent data protection authority vested with effective powers as a central element of a modern data protection system as well as a key element of increasing international convergence of confidentiality standards.

As part of the adequacy talks, the two sides also agreed to several additional safeguards that will increase the protection of personal data processed in the Republic of Korea. These guarantees will provide enhanced protection with regard to, for example, transparency, sensitive data and onward transfers of data. These rules will be binding and enforceable by the PIPC.

With regard to the possible access to data by the public authorities of the Republic of Korea, in particular for law enforcement and national security purposes, the framework established under the adequacy decision will be based in particular on the important supervisory role of the PIPC and will facilitate the access of EU citizens to redress.

Next steps

The Commission is now awaiting the opinion of the EDPS and will seek the approval of a committee composed of representatives of the EU Member States. It is only after these two stages have been completed that the Commission could proceed to adopt the adequacy decision.


Article 45, paragraph 3 of General Data Protection Regulation grants the Commission the power to decide, by means of an implementing act, that a third country ensures ‘an adequate level of protection’, i.e. a level of protection of personal data which is essentially equivalent to the level of protection within the EU. The effect of adequacy decisions is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any additional safeguards being necessary. In other words, transfers to the country in question will be assimilated to intra-EU data transmissions.

As announced in January 2017 in its Communication on the exchange and protection of personal data in a globalized world, the Commission has launched a dialogue with the Republic of Korea with the aim of reaching an adequacy decision under the General Data Protection Regulation (GDPR).

An adequacy decision would complete the Free trade Agreement between the European Union and the Republic of Korea which entered into force in July 2011 and was the first such trade agreement between the EU and an Asian country. In addition, in 2010, the EU and the Republic of Korea transformed their extended relationship into a strategic partnership by signing a framework agreement, which entered into force on June 1, 2014. It is a cooperation agreement. global policy having a legal link with the EU. Republic of Korea Free Trade Agreement.

Leave a Reply

Your email address will not be published.