Cross-Border Transfer of Personal Information
(1) No cross-border provision (including inquiry), entrusted processing, or storage (hereafter in this Section referred to as "transfer") of personal information shall be allowed by a personal information controller: Provided, That in any of the following cases, the cross-border transfer of personal information may be allowed:
- Where separate consent is obtained from the data subject;
- Where there are special provisions regarding the cross-border transfer of personal information in a statute, a treaty to which the Republic of Korea is a party, or other international conventions;
- In any of the following cases where it is necessary to entrust the processing of personal information and to retain such personal information in order to conclude and perform a contract with the data subject:
- (a) Where the matters set forth in the subparagraphs of paragraph (2) are disclosed in the Privacy Policy provided in Article 30;
- (b) Where the matters provided in the subparagraphs of paragraph (2) are communicated to the data subject by means prescribed by Presidential Decree, such as electronic mail;
- Where the recipient of personal information obtains certification determined and publicly notified by the Protection Commission, such as the certification of personal information protection under Article 32-2, and takes all of the following measures:
- (a) Safety measures necessary for protecting personal information and measures necessary for guaranteeing the rights of data subjects;
- (b) Measures necessary for implementing certified matters in the country to which personal information is to be transferred;
- Where the Protection Commission recognizes that the personal information protection system of the country or international organization to which the personal information is to be transferred, the scope of guarantee of the rights of the data subject, and the procedures for damage relief, etc. are substantially equal to the level of personal information protection under this Act.
(2) A personal information controller shall inform data subjects of the following matters in advance when obtaining consent under paragraph (1) 1:
- Particulars of the personal information to be transferred;
- The country to which the personal information is transferred, transfer date, and method;
- Name of the recipient of personal information (referring to the name of a corporation and the contact information of the corporation, if the recipient is a corporation);
- The purpose of using personal information by the recipient of personal information and the period of retention and use of personal information;
- The method and procedure for refusing the transfer of personal information and the effect of such refusal.
(3) A personal information controller that intends to change the matters provided in any subparagraph of paragraph (2) shall inform a data subject of such change and obtain the data subject's consent thereto.
(4) A personal information controller shall comply with other provisions of this Act and Articles 17 through 19 and Chapter V of this Act, which are related to the cross-border transfer of personal information, and shall take protective measures prescribed by Presidential Decree, where it makes crossborder transfers of personal information pursuant to the proviso, with the exception of the subparagraphs, of paragraph (1).
(5) A personal information controller shall not enter into a contract for cross-border transfers of personal information containing terms and conditions that are in violation of this Act.
(6) Except as provided in paragraphs (1) through (5), matters necessary for the criteria and procedures for the cross-border transfer of personal information, etc. shall be prescribed by Presidential Decree.