Following the conclusion of the adequacy talks in March 2021, the European Commission adopted on 17 December 2021 an adequacy decision addressing the transfers of personal data to the Republic of Korea under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive.
Both texts prohibit the transfer of personal data to “third countries” unless (a) the destination country benefits from (i) an adequacy decision or (ii) appropriate safeguards, such as standard contractual clauses (see our alert here) or codes of conduct (see our alert here); or (b) one of the limited derogations under Article 49 GDPR applies.
With regard to the adequacy talks, the Republic of Korea agreed on the implementation of additional safeguards. Accordingly, following reform of Republic of Korea’s data protection framework (the Personal Information Protection Act) in August 2020, several addition safeguards have been implemented, including transparency provisions and enforcement power strengthening of the Personal Information Protection Commission (§ 70).
The Republic of Korea adequacy decision complements the Free Trade Agreement of July 2011 and allows a seamless flow of personal data between the Republic of Korea and the European Union.
Unlike the UK adequacy decision, which contains a sunset clause (see our alert here), the Republic of Korea adequacy decision is not limited in time. However, pursuant to Article 45.3 GDPR, the European Commission will carry out a first review of the decision after three years to evaluate any evolution in the Republic of Korea data protection framework that would lead to divergence with the EU regulations (§ 220).
The Republic of Korea now belongs to the increasing group of third countries benefiting from an adequacy decision (including, since GDPR’s entry into force, Japan and the United Kingdom).