"Means prescribed by Presidential Decree, such as electronic mail" in Article 28-8 (1) 3 (b) of the Act means in writing, etc.
Chapter IV-3 (Art. 29.7 - 29.12) — Cross-Border Transfer of Personal Information
(1) Where the Protection Commission intends to publicly notify certification under the provisions, with the exception of the items, of Article 28-8 (1) 4 of the Act, it shall complete all of the following procedures:
- Evaluation by an institution specializing in certifying personal information protection under Article 34-6;
- Evaluation by an expert committee for cross-border transfer of personal information under Article 5 (1) 1 (hereinafter referred to as "expert committee for cross-border transfer");
- Consultation with the Policy Council.
(2) When the Protection Commission publicly notifies certification under the provisions, with the exception of the items, of Article 28-8 (1) 4 of the Act, it may determine and publicly notify its effective period of up to five years.
(3) Except as provided in paragraphs (1) and (2), matters necessary for the procedures, etc. for publicly notifying certification shall be determined and publicly notified by the Protection Commission.
(1) If the Protection Commission intends to recognize that a country or an international organization (hereinafter referred to as "recipient country, etc.") where personal information is provided (including being inquired into), processed under entrustment, or stored (hereafter in this Chapter referred to as "transfer") under Article 28-8 (1) 5 of the Act has a personal information protection system, the scope of guarantee of the rights of data subjects, the procedures for damage relief, etc. at a level substantially equal to the level of personal information protection under this Act, it shall comprehensively take into account the following matters:
- Whether the personal information protection system of the recipient country, etc., including its statutes, regulations, and rules, is in conformity with the principles of information protection under Article 3 of the Act and guarantees the rights of data subjects under Article 4 of the Act;
- Whether the recipient country, etc. has an independent supervisory authority responsible for guaranteeing and implementing the personal information protection system;
- Whether the public institutions (including institutions that conduct business affairs similar to those of public institutions) of the recipient country, etc. process personal information under statutes and whether means to protect data subjects, such as the procedures for damage relief, exist and are effectively guaranteed;
- Whether the recipient country, etc. has the procedures for damage relief that are easily available to data subjects and whether such procedures effectively protect data subjects;
- Whether the supervisory authority of the recipient country, etc. is able to facilitate mutual cooperation with the Protection Commission in protecting the rights of data subjects;
- Other matters determined and publicly notified by the Protection Commission as necessary to recognize the personal information protection level of the recipient country, etc., such as the personal information protection system, the scope of guarantee of the rights of data subjects, and the procedures for damage relief.
(2) If the Protection Commission intends to grant recognition under paragraph (1), it shall follow the following procedures:
- Evaluation by an expert committee for cross-border transfer;
- Consultation with the Policy Council.
(3) If necessary for the protection of the rights of data subjects, etc., the Protection Commission may, when granting recognition under paragraph (1), determine the scope of the personal information to be transferred to a recipient country, etc., the scope of the personal information controllers to which personal information is transferred, the recognition period, the conditions of cross-border transfer, and other relevant matters differently for each recipient country, etc.
(4) Upon granting recognition under paragraph (1), the Protection Commission shall examine whether a recipient country, etc. maintains its personal information protection level that is substantially equal to the level under this Act.
(5) Where any change is made to the personal information system, the scope of guarantee of the rights of data subjects, the procedures for damage relief, etc. of a recipient country, etc. that are recognized under paragraph (1), the Protection Commission may revoke the recognition of the recipient country, etc. or change the details of the recognition, after hearing its opinions.
(6) Where the Protection Commission grants recognition under paragraph (1) or revokes such recognition or changes the details thereof under paragraph (5), it shall give public notice of such fact in the Official Gazette and publish it on its website.
(7) Except as provided in paragraphs (1) through (6), matters necessary for the recognition of a recipient country, etc. shall be determined and publicly notified by the Protection Commission.
(1) Where a personal information controller makes a cross-border transfer of personal information under the proviso, with the exception of the subparagraphs, of Article 28-8 (1) of the Act, he or she shall take the following protective measures under Article 28-8 (4) of the Act:
- Measures to ensure safety for protecting personal information under Article 30 (1);
- Measures to handle grievances and resolve disputes with respect to personal information breach;
- Other measures necessary to protect the personal information of data subjects.
(2) Where a personal information controller makes a cross-border transfer of personal information under the proviso, with the exception of the subparagraphs, of Article 28-8 (1) of the Act, it shall have a prior consultation with the recipient of the personal information on the matters specified in the subparagraphs of paragraph (1) and shall reflect the results of such consultation in the details of a contract, etc.
(1) Where the Protection Commission orders the suspension of cross-border transfers of personal information under Article 28-9 (1) of the Act, it shall comprehensively consider the following matters:
- The type and scale of personal information, the cross-border transfer of which has been made or any further cross-border transfer of which is expected;
- The severity of a violation of Article 28-8 (1), (4), or (5) of the Act;
- Whether any damage that occurs or is likely to occur to data subjects is material or irrecoverable;
- Whether ordering the suspension of cross-border transfers obviously brings more benefits to data subjects than not doing so;
- Whether it is possible to protect personal information and to prevent personal information breach with the measures taken under the subparagraphs of Article 64 (1) of the Act;
- Whether the recipient of personal information or the recipient country, etc. to which personal information is transferred has effective means of relieving damage suffered by data subjects;
- Whether there is any reason to deem that it is difficult to adequately protect personal information, such as that the recipient of personal information or the recipient country, etc. to which personal information is transferred suffers a serious personal information breach.
(2) If the Protection Commission orders the suspension of cross-border transfers of personal information under Article 28-9 (1) of the Act, it shall undergo the evaluation by the expert committee for cross-border transfer.
(3) When the Protection Commission orders the suspension of cross-border transfers of personal information pursuant to Article 28-9 (1) of the Act, it shall notify in writing the relevant personal information controller of the details of and the grounds for such order, the procedures and methods for filing objections, and other necessary matters.
(4) Except as provided in paragraphs (1) through (3), matters necessary for the standards, etc. for orders to suspend cross-border transfers of personal information shall be determined and publicly notified by the Protection Commission.
(1) A person who intends to file an objection pursuant to Article 28-9 (2) of the Act shall submit to the Protection Commission a written objection determined by the Protection Commission along with a document substantiating the grounds for the objection, within seven days from the date of receipt of an order to suspend cross-border transfer under Article 28-9 (1) of the Act.
(2) The Protection Commission shall notify in writing the relevant personal information controller of the results of processing a written objection submitted under paragraph (1) within 30 days from the date of receipt of the written objection.
(3) Except as provided in paragraphs (1) and (2), matters necessary for the procedures, etc. for filing an objection shall be determined and publicly notified by the Protection Commission.