Standards for Orders to Suspend Cross-Border Transfers
(1) Where the Protection Commission orders the suspension of cross-border transfers of personal information under Article 28-9 (1) of the Act, it shall comprehensively consider the following matters:
- The type and scale of personal information, the cross-border transfer of which has been made or any further cross-border transfer of which is expected;
- The severity of a violation of Article 28-8 (1), (4), or (5) of the Act;
- Whether any damage that occurs or is likely to occur to data subjects is material or irrecoverable;
- Whether ordering the suspension of cross-border transfers obviously brings more benefits to data subjects than not doing so;
- Whether it is possible to protect personal information and to prevent personal information breach with the measures taken under the subparagraphs of Article 64 (1) of the Act;
- Whether the recipient of personal information or the recipient country, etc. to which personal information is transferred has effective means of relieving damage suffered by data subjects;
- Whether there is any reason to deem that it is difficult to adequately protect personal information, such as that the recipient of personal information or the recipient country, etc. to which personal information is transferred suffers a serious personal information breach.
(2) If the Protection Commission orders the suspension of cross-border transfers of personal information under Article 28-9 (1) of the Act, it shall undergo the evaluation by the expert committee for cross-border transfer.
(3) When the Protection Commission orders the suspension of cross-border transfers of personal information pursuant to Article 28-9 (1) of the Act, it shall notify in writing the relevant personal information controller of the details of and the grounds for such order, the procedures and methods for filing objections, and other necessary matters.
(4) Except as provided in paragraphs (1) through (3), matters necessary for the standards, etc. for orders to suspend cross-border transfers of personal information shall be determined and publicly notified by the Protection Commission.