Recognition of Countries' Personal Information Protection Levels
(1) If the Protection Commission intends to recognize that a country or an international organization (hereinafter referred to as "recipient country, etc.") where personal information is provided (including inquired), processed under entrustment, or stored (hereafter in this Chapter referred to as "transfer") under Article 28-8 (1) 5 of the Act has a personal information protection system, the scope of guarantee of the rights of data subjects, the procedures for damage relief, etc. at a level substantially equal to the level of personal information protection under this Act, it shall comprehensively take into account the following matters:
- Whether the personal information protection system of the recipient country, etc., including its statutes, regulations, and rules, is in conformity with the principles of information protection under Article 3 of the Act and guarantees the rights of data subjects under Article 4 of the Act;
- Whether the recipient country, etc. has an independent supervisory authority responsible for guaranteeing and implementing the personal information protection system;
- Whether the public institutions (including institutions that conduct business affairs similar to those of public institutions) of the recipient country, etc. process personal information under statutes and whether means to protect data subjects, such as the procedures for damage relief, exist and are effectively guaranteed;
- Whether the recipient country, etc. has the procedures for damage relief that are easily available to data subjects and whether such procedures effectively protect data subjects;
- Whether the supervisory authority of the recipient country, etc. is able to facilitate mutual cooperation with the Protection Commission in protecting the rights of data subjects;
- Other matters determined and publicly notified by the Protection Commission as necessary to recognize the personal information protection level of the recipient country, etc., such as the personal information protection system, the scope of guarantee of the rights of data subjects, the procedures for damage relief.
(2) If the Protection Commission intends to grant recognition under paragraph (1), it shall follow the following procedures:
- Evaluation by an expert committee for cross-border transfer;
- Consultation with the Policy Council.
(3) If necessary for the protection of the rights of data subjects, etc., the Protection Commission may, when granting recognition under paragraph (1), determine the scope of the personal information to be transferred to a recipient country, etc., the scope of the personal information controllers to which personal information is transferred, the recognition period, the conditions of cross-border transfer, and other relevant matters differently for each recipient country, etc.
(4) Upon granting recognition under paragraph (1), the Protection Commission shall examine whether a recipient country, etc. maintains its personal information protection level that is substantially equal to the level under this Act.
(5) Where any change is made to the personal information system, the scope of guarantee of the rights of data subjects, the procedures for damage relief, etc. of a recipient country, etc. that are recognized under paragraph (1), the Protection Commission may revoke the recognition of the recipient country, etc. or change the details of the recognition, after hearing its opinions.
(6) Where the Protection Commission grants recognition under paragraph (1) or revokes such recognition or changes the details thereof under paragraph (5), it shall give public notice of such fact in the Official Gazette and publish it on its website.
(7) Except as provided in paragraphs (1) through (6), matters necessary for the recognition of a recipient country, etc. shall be determined and publicly notified by the Protection Commission.