On September 16th, the Personal Information Protection Commission of Korea announced the following:
This announcement allows Korean companies to transfer customer data, which constitutes personal information, to controllers or processors in 27 EU countries and three EEA countries without separate customer consent.
The following is the translation of the announcement, and the original Korean text is attached.
The results of the review of the European Union's (EU) level of personal information protection are hereby announced in accordance with Article 28-8 of the Personal Information Protection Act and Article 29-9 of the Enforcement Decree of the same Act.
Equivalence Recognition: The EU is recognized as having a level of personal information protection substantially equivalent to that provided under the Personal Information Protection Act, including a personal information protection system, the scope of data subject rights protection, and redress procedures.
Effect: Pursuant to Article 28-8, Paragraph 1, Subparagraph 5 of the Personal Information Protection Act, personal information processors may transfer personal information to controllers or processors in the 27 EU countries subject to the EU General Data Protection Regulation (GDPR) and three countries within the European Economic Area (EEA) (Norway, Liechtenstein, and Iceland). However, this equivalence recognition does not affect the transfer of resident registration numbers under Article 7-2 of the Resident Registration Act or personal credit information under Article 2, Subparagraph 2 of the Act on the Use and Protection of Credit Information.
On September 16th, the Personal Information Protection Commission of Korea announced the following:
This announcement allows Korean companies to transfer customer data, which constitutes personal information, to controllers or processors in 27 EU countries and three EEA countries without separate customer consent.
The following is the translation of the announcement, and the original Korean text is attached.
The results of the review of the European Union's (EU) level of personal information protection are hereby announced in accordance with Article 28-8 of the Personal Information Protection Act and Article 29-9 of the Enforcement Decree of the same Act.
Equivalence Recognition: The EU is recognized as having a level of personal information protection substantially equivalent to that provided under the Personal Information Protection Act, including a personal information protection system, the scope of data subject rights protection, and redress procedures.
Effect: Pursuant to Article 28-8, Paragraph 1, Subparagraph 5 of the Personal Information Protection Act, personal information processors may transfer personal information to controllers or processors in the 27 EU countries subject to the EU General Data Protection Regulation (GDPR) and three countries within the European Economic Area (EEA) (Norway, Liechtenstein, and Iceland). However, this equivalence recognition does not affect the transfer of resident registration numbers under Article 7-2 of the Resident Registration Act or personal credit information under Article 2, Subparagraph 2 of the Act on the Use and Protection of Credit Information.