skip to Main Content
BY THE POLISH DATA PROTECTION AUTHORITY: The EDPB Adopts Opinion On Draft South Korea Adequacy Decision

BY THE POLISH DATA PROTECTION AUTHORITY: The EDPB adopts opinion on draft South Korea Adequacy Decision

This post is also available in: Italiano Español Français

The EDPB adopted its opinion on the European Commission’s draft adequacy decision for the Republic of Korea on September 24th.

During its 55 plenary section the EDPB adopted its opinion on the European Commission’s draft adequacy decision which notes an adequate level of personal data protection in the Korean Republic. It will regard transfers of personal data both in the public and private sector.

The EDPB focused on general GDPR aspects and access by public authorities to personal data transferred from the European Economic Area (EEA) to the Republic of Korea for the purposes of law enforcement and national security, including the legal remedies available to individuals in the EEA. The EDPB also assessed whether the safeguards provided under the Korean legal framework are effective.

On the general data protection framework, the EDPB notes that there are key areas of alignment between the EU and South Korean data protection frameworks with regard to certain core provisions, such as:

– data protection concepts (e.g. personal information; processing; data subject);

– grounds for lawful processing for legitimate purposes;

– purpose limitation;

– data retention, security and confidentiality; and

– transparency.

The EDPB welcomes the efforts made by the European Commission and the Korean Authorities to ensure that the Republic of Korea provides a level of data protection essentially equivalent to that of the GDPR. Such as, for example, the adoption of notifications by the South Korea data protection authority (PIPC), which aim to fill the gaps between the GDPR and the Korean data protection framework, like the additional protections provided by Notification n. 2021-1. At the same time the EDPB invites the European Commission to provide further information on the binding nature, the enforceability and validity of Notification n. 2021-1, and would recommend an attentive monitoring of this in practice.

On the access by public authorities to data transferred to the Republic of Korea, the EDPB notes that PIPA’s provisions apply without limitation in the area of law enforcement. The EDPB further notes that data processing in the area of national security is subject to a more limited set of provisions enshrined in PIPA, although PIPA’s core principles, as well as the fundamental guarantees for data subject rights and the provisions on supervision, enforcement and remedies, do apply to the access and use of personal data by national security authorities. The South Korean constitution also enshrines essential data protection principles, which are applicable to the access to personal data by public authorities in the areas of law enforcement and national security. In addition, the EDPB agrees with the Commission’s conclusion that South Korea can be considered to have an independent and effective supervisory system.

Finally, regarding effective remedies and rights of redress, the EDPB asks the Commission to clarify the substantive and/or procedural requirements, such as a burden of proof, to which a complaint with the PIPC or any action before a court is subject, and whether EU individuals would be able to meet such a precondition.

55 plenary section press release:

Oświadczenie prasowe z 55. posiedzenia plenarnego EROD (tłumaczenie nieoficjalne


Back To Top