SOUTH KOREA Law and Practice Contributed by: Brian Tae-Hyun Chung, Haewon Han, Ari Yoon and Jisoo Yoo, Kim & Chang
troller, and such necessity clearly supersedes the rights of the data subject. In such cases, third-party provision is limited to where the legitimate interests of the data controller are substantially related and do not go beyond the reasonable scope; or • third-party provision is urgently required for public safety and security. If the transfer in question constitutes a del - egation, consent from the data subject is not required. However, the data controller must dis - close details of delegation and enter into a writ - ten agreement with the entity which is delegated with the processing of personal information. Such agreement should include matters that are statutorily required under the PIPA. 5.2 Government Notifications and Approvals Apart from regulations mentioned in 5.1 Restric- tions on International Data Transfers and 5.3 Data Localisation Requirements , the data con - trollers are not required to provide notification to government agencies or obtain approvals. 5.3 Data Localisation Requirements While there is no general data localisation rule under the PIPA, there are individual laws that prohibit overseas transfer of specific types of data, such as the following: • the Medical Services Act prohibits storing Electronic Medical Records (EMR) outside of Korea; • the Act on the Establishment and Manage - ment of Spatial Data requires a licence to transfer certain map data outside of Korea; • the Industrial Technology Protection Act requires a company to obtain approval from or file a prior report with the Ministry of Trade,
Industry and Energy in order to export nation - al core technology; • the Electronic Financial Transactions Act stip - ulates that financial companies or electronic financial business operators’ systems for processing (i) unique identification information or (ii) personal credit information cannot be located outside Korea in the course of using cloud computing services; and • the Cloud Computing Act stipulates that data processed by Korean government organisa - tions and public institutions must be located in Korea. 5.4 Blocking Statutes There are no “blocking” statutes that protect Korean companies from the effect of extrater - ritorial sanctions. 5.5 Recent Developments As outlined in 5.1 Restrictions on International Data Transfers , one of the legal bases for trans - ferring personal information internationally is when the PIPC acknowledges that the destina - tion country provides an adequate level of pri - vacy protection. Currently, no country has been recognised by the PIPC as having equivalent personal information protection standards. How - ever, PIPC is working towards recognising such equivalence with the EU. If achieved, this rec - ognition would facilitate the transfer of personal information to the EU. Since much of the pro - cess for recognising EU equivalence has been completed, it is anticipated that the remaining steps will conclude shortly. In addition, in the year plan published by the PIPC, it has expressed its willingness to start a adequacy process for US and Japan, and the adoption of standard contractual clauses as an additional legal ground for international data transfers.
399 CHAMBERS.COM
Powered by FlippingBook