SOUTH KOREA Law and Practice Contributed by: Brian Tae-Hyun Chung, Haewon Han, Ari Yoon and Jisoo Yoo, Kim & Chang
• Surveillance devices: Installing surveillance devices, like CCTV, in the workplace requires labour-management consultation accord - ing to the Act on the Promotion of Workers’ Participation and Cooperation. • Data retention: Employers must retain employee data for a specific period as man - dated by the Labour Standards Act. Also, in terms of sharing employees’ personal information with affiliates outside of Korea, data controllers must pay close attention to the legal requirements explained in 5.1 Restrictions on International Data Transfers . 4.4 Transfer of Personal Data in Asset Deals As detailed in 5.1 Restrictions on International Data Transfers , transferring personal informa - tion to a third party typically involves either (i) third-party provision or (ii) delegation of pro - cessing. Transferring personal information in the course of asset deals is likely to be considered as third-party provision. While the PIPA generally requires consent from data subjects to provide personal information to a third party, it includes a specific provision regarding the transfer of personal data during asset deals. If a data controller transfers per - sonal information as part of a business transfer or a merger involving all or part of its operations, the controller must notify the data subjects in advance about the following, and a consent requirement is exempted: • the fact that their personal information will be transferred; • the name, address, telephone number and other contact information of the recipient of the personal information; and
• the method and procedure for withdrawing consent if the data subject does not wish their personal information to be transferred. In principle, the business transferor shall pro - vide the above information in writing (eg, written document, email, fax, phone, text message or any other equivalent method). However, if the business transferor is unable to provide such information in writing without negligence, the business transferor shall publish this information on a website for at least 30 days. If there is a jus - tifiable reason for not being able to publish the above information on a website, the business transferor shall (i) publish the above information in an easily visible location within the business transferor’s place of business for at least 30 days or (ii) publish it in a daily newspaper that is mainly distributed in the city, province, or region where the business transferor’s place of busi - ness is located. The business transferee has the same notifi - cation obligation as the business transferor. However, if the notification has been provided by the business transferor, the business trans- feree is not required to provide one. Meanwhile, a business transferee which has received per - sonal information as part of a business transfer or merger may use the personal information or provide it to a third party only for the original purpose for which it received the information. Please note that for “overseas transfer” of per - sonal information that may take place during asset deals, the PIPC has expressed its view that such consent exceptions may not be rec - ognised in its draft guideline published on 31 December 2024. However, this is a “draft” guide - line, and the PIPC is expected to release a final version in early 2025.
397 CHAMBERS.COM
Powered by FlippingBook