May 26, 2022

Volume XII, Number 146


May 25, 2022

Subscribe to Latest Legal News and Analysis

May 24, 2022

Subscribe to Latest Legal News and Analysis

May 23, 2022

Subscribe to Latest Legal News and Analysis

EU Commission Confirms Adequate Level of Data Protection in South Korea

Free and uncomplicated data flows are now possible between the EU and the Republic of Korea.

With its adoption of an adequacy decision pursuant to Art. 45 General Data Protection Regulation (GDPR) for the Republic of Korea on Dec. 17, 2021, the European Commission has declared that the country provides an adequate data protection level comparable with GDPR standards. The Republic of Korea joins Andorra, Argentina, commercial organisations in Canada, Faroe Islands, Guernsey, Isle of Man, Japan, Jersey, New Zealand, Switzerland, the UK under the GDPR and the Data Protection Law Enforcement Directive (LED), as well as Uruguay, as the countries or institutions for which such decisions have been passed by the Commission.

The decision has a high practical impact, as personal data may now flow from the EU (as well as Norway, Liechtenstein and Iceland) to the Republic of Korea without any further necessary safeguards pursuant to Chapter 5 of the GDPR.


Pursuant to GDPR, the transfer of personal data outside the European Economic Area (EEA) requires one of the special safeguards provided in Chapter 5 GDPR to ensure that the data remains protected. Chapter 5 GDPR provides for a number of mechanisms in this regard: Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR), approved certification mechanisms, approved codes of conduct, so-called “derogations” and – last but not least – an adequacy decision.

According to Art. 45 of the GDPR, the European Commission has the power to determine via a formal decision whether a country, territory, sector, or international organisation outside the EEA offers a level of data protection equivalent to that of the EU.

Adequacy Decision for the Republic of Korea

The Republic of Korea undertook reforms of its data protection legislation in 2020 with a special focus on ensuring it had an independent supervisory authority in place to enforce data protection rules.

The adequacy decision for Korea was initiated in June 2021 by the Commission. During the adequacy talks, the Commission placed, amongst others, requirements regarding onward transfer obligations of data recipients in South Korea and regarding transparent information about the processing of data. In addition, the problem of potential access of public authorities to personal data in South Korea was addressed, and changes were made to ensure that there are redress mechanisms for data subjects in the EEA in the event of unlawful requests. This includes the ability to raise complaints with the Korean data protection regulator, the Personal Information Protection Commission (PIPC).

Upon a final examination of the Korean legislation and particularly the Personal Information Protection Act (PIPA) as well as the investigatory and enforcement powers of the PIPC, the Commission concluded the level of data protection provided by Korean law was equivalent to the level guaranteed by the GDPR.

Having received the opinion of the European Data Protection Board (EDPB) and approval from representatives of EU countries, the decision was adopted by the Commission. The decision has no time limitation but will be reviewed against any changes in the laws of South Korea every four years.

Practical Consequences

The decision permits a cross-border data transfer to the Republic of Korea without further authorization from a national supervisory authority or other safeguards. For example, no SCC will need to be entered into in relation to data processing conducted by a South Korean processor on behalf of an EU controller.

It does not, however, affect the obligations of data controllers or processors in the Republic of Korea to enter into data processing agreements pursuant to Art. 28 GDPR, or other agreements potentially required for any transfer of data to the Republic of Korea. Also, to the extent Art. 3(2) GDPR applies, controllers or processors in the Republic of Korea continue to be obliged to comply with GDPR as provided therein.

Last but not least, the adequacy decision has an even wider impact because some countries (such as Argentina, Colombia, Israel and Switzerland) recognize that countries and territories whose level of data protection is considered adequate by the EU Commission also meet the requirements for data transfers under their own data protection laws.

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 26

About this Author

Viola Bensinger, Greenberg Traurig Law Firm, Germany, Cybersecurity Litigation Attorney

Viola Bensinger chairs the Technology Practice as well as the Litigation Practice in Germany. She advises clients from the technology, media and healthcare industries.

Within the technology sector, Viola advises international internet, technology and healthcare companies in the areas of digital products, e-commerce, electronic payment, data protection, software licensing, (IT-) outsourcing as well as digital media.

49 -030700-171-150
Carsten Kociok, Greenberg Traurig Law Firm, Germany, Cybersecurity and Technology, Finance Litigation Attorney

Carsten Kociok focuses his practice on the technology, media and telecommunications industries. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution,...

Ricarda Seifert Attorney IP Law Greenberg Traurig Germany

Ricarda Seifert is member of the Intellectual Property & Technology Practice in Greenberg Traurig’s Germany office.