EU-Republic of Korea Adequacy Decisions Finalized

Date: 10 January 2022
EU and Asia Data Protection, Privacy, and Security Alert

Following the conclusion of the adequacy talks in March 2021, the European Commission adopted on 17 December 2021 an adequacy decision addressing the transfers of personal data to the Republic of Korea under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive.
Both texts prohibit the transfer of personal data to “third countries” unless (a) the destination country benefits from (i) an adequacy decision or (ii) appropriate safeguards, such as standard contractual clauses (see our alert here) or codes of conduct (see our alert here); or (b) one of the limited derogations under Article 49 GDPR applies.
As part of the adequacy talks, the Republic of Korea agreed to implement additional safeguards. Accordingly, following the reform of the Republic of Korea’s data protection framework (the Personal Information Protection Act) in August 2020, several additional safeguards have been implemented, including transparency provisions and strengthened enforcement powers for the Personal Information Protection Commission (§ 70).
The Republic of Korea adequacy decision complements the Free Trade Agreement of July 2011 and allows a seamless flow of personal data between the Republic of Korea and the European Union.
Unlike the UK adequacy decision, which contains a sunset clause (see our alert here), the Republic of Korea adequacy decision is not limited in time. However, pursuant to Article 45.3 GDPR, the European Commission will carry out a first review of the decision after three years to evaluate any evolution in the Republic of Korea data protection framework that would lead to divergence with the EU regulations (§ 220). 

The Republic of Korea now belongs to the increasing group of third countries benefiting from an adequacy decision (including, since GDPR’s entry into force, Japan and the United Kingdom).

The firm’s global data protection team (including in each of our European offices) remains available to assist you in bringing your data transfers into compliance at a global level.

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.
