SOUTH KOREA Law and Practice Contributed by: Brian Tae-Hyun Chung, Haewon Han, Ari Yoon and Jisoo Yoo, Kim & Chang
5. International Considerations

5.1 Restrictions on International Data Transfers

Restrictions on International Data Transfer

Under the PIPA, a data controller may transfer personal information overseas (ie, provide, delegate the processing of, or store personal information with an overseas entity) only if there is one or more of the following grounds:

• the data controller obtains separate consent from the data subject;
• there is specific authorisation by treaty or other international agreement;
• where personal information is stored overseas and/or personal information processing is delegated to an overseas entity because it is necessary for the execution and performance of an agreement with the data subject, and certain information regarding the overseas transfer (storage/delegation) is disclosed to the data subject, either through the data controller's privacy policy or other written means such as email;
• the recipient party located overseas has obtained certification from the PIPC and has taken measures (i) to ensure that personal information and rights of data subjects are protected and (ii) to implement the matters subject to certification in the destination country; or
• the PIPC has recognised the adequacy of the level of the privacy protection provided in the destination country.

In case of international data transfers, the data controller must consult with the recipient and reflect the following in the relevant agreement:

• measures to ensure safety for protecting personal information under the PIPA;
• measures to handle grievances and resolve disputes with respect to personal information breach; and
• other measures necessary to protect the personal information of data subjects.

Separate from such regulation regarding overseas transfer, transferring personal information to a third party outside Korea for the purpose of (i) providing personal information to a third party or (ii) delegating the processing of personal information also constitutes (a) third party provision or (b) delegation of processing of personal information under the PIPA, respectively, and these are subject to the relevant provisions of the PIPA in addition to the above-mentioned regulation on overseas transfer.

Third-party provision occurs where a data controller provides personal information to a third-party recipient for the purpose and benefit of the third-party recipient. Delegation occurs where a third-party entity processes personal information it receives from the data controller for the purpose and benefit of the data controller.

Restrictions on Third-Party Provision and Delegation

If the transfer in question constitutes a third-party provision within the original purpose of collection, the PIPA requires the data controller to meet at least one of the following grounds:

• the data controller obtains consent from the data subject;
• there are special provisions in law allowing third-party provision, or third-party provision is inevitable to comply with statutory obligations;
• third-party provision is evidently deemed necessary for urgent protection of life, body or property of a data subject or a third party;
• where third-party provision is necessary to achieve the legitimate interests of a data con -