Privacy & Cybersecurity Law Blog

On December 17, 2021, the European Commission announced that it had adopted its adequacy decision on the Republic of Korea. The adequacy decision allows for the free flow of personal data between the EU and Korea, without any further need for authorization or additional transfer tool. The adequacy decision also covers transfers of personal data between public authorities.

The adequacy decision builds on the protections afforded to Europeans under Korean law when their data is transferred, including through additional safeguards agreed by both parties as part of the adequacy dialogue, such as additional transparency requirements and onward data transfer requirements. These rules are binding and enforceable by the Korean data protection authority, the Personal Information Protection Commission (“PIPC”) and Korean Courts.

Regarding potential access to EU personal data transferred by Korean public authorities, the framework will rely on the strong oversight role of the PIPC and will facilitate EU individuals’ redress rights by allowing them to lodge a complaint before the PIPC.

In terms of next steps, the European Commission will carry out a first review of the decision after three years to evaluate the functioning of the framework. Following this initial review, periodic reviews of the framework will take place at least every four years.

Read the full adequacy decision. The European Commission has also released a Q&As on the adequacy decision.