(1)

Regulation (EU) 2016/679 sets out the rules for the transfer of personal data from controllers or processors in the Union to third countries and international organisations to the extent that such transfers fall within its scope of application. The rules on international data transfers are laid down in Chapter V (Articles 44 to 50) of that Regulation. While the flow of personal data to and from countries outside the European Union is essential for the expansion of cross-border trade and international cooperation, the level of protection afforded to personal data in the Union must not be undermined by transfers to third countries (2).

(2)

Pursuant to Article 45(3) of Regulation (EU) 2016/679, the Commission may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensure(s) an adequate level of protection. Under this condition, transfers of personal data to a third country may take place without the need to obtain any further authorisation, as provided for in Article 45(1) and recital 103 of Regulation (EU) 2016/679.

(3)

As specified in Article 45(2) of Regulation (EU) 2016/679, the adoption of an adequacy decision has to be based on a comprehensive analysis of the third country’s legal order, covering both the rules applicable to data importers and the limitations and safeguards as regards access to personal data by public authorities. In its assessment, the Commission has to determine whether the third country in question guarantees a level of protection ‘essentially equivalent’ to that ensured within the European Union (recital 104 of Regulation (EU) 2016/679). Whether this is the case is to be assessed against Union legislation, notably Regulation (EU) 2016/679, as well as the case law of the Court of Justice of the European Union (3).

(4)

As clarified by the Court of Justice of the European Union, this does not require finding an identical level of protection (4). In particular, the means to which the third country in question has recourse for protecting personal data may differ from the ones employed in the Union, as long as they prove, in practice, effective for ensuring an adequate level of protection (5). The adequacy standard therefore does not require a point-to-point replication of Union rules. Rather, the test is whether, through the substance of privacy rights and their effective implementation, supervision and enforcement, the foreign system as a whole delivers the required level of protection (6). The adequacy referential of the European Data Protection Board, which seeks to further clarify this standard, also provides guidance in this regard (7).

(5)

The Commission has carefully analysed Korean law and practice. Based on the findings set out in recitals (8) - (208), the Commission concludes that the Republic of Korea ensures an adequate level of protection for personal data transferred from a controller or processor in the Union (8) to entities (e.g. natural or legal persons, organisations, public institutions) in Korea falling within the scope of application of the Personal Information Protection Act (Act No. 10465 of 29 March 2011, as last amended by Act No. 16930 of 4 February 2020). This includes both controllers and processors (called ‘outsourcees’ (9)) within the meaning of Regulation (EU) 2016/679. The adequacy finding does not cover the processing of personal data for missionary activities by religious organisations and for the nomination of candidates by political parties, or the processing of personal credit information pursuant to the Credit Information Act by controllers that are subject to oversight by the Financial Services Commission.

(6)

This conclusion takes into account the additional safeguards set out in Notification No 2021-5 (Annex I) and the official representations, assurances and commitments by the Korean government to the Commission (Annex II).

(7)

This Decision has the effect that transfers to controllers and processors in the Republic of Korea may take place without the need to obtain any further authorisation. It does not affect the direct application of Regulation (EU) 2016/679 to such entities where the conditions regarding the territorial scope of that Regulation, laid down in its Article 3, are fulfilled.

(8)

The legal system governing privacy and data protection in Korea has its roots in the Korean Constitution, promulgated on 17 July 1948. While the right to the protection of personal data is not expressly set forth in the Constitution, it is nonetheless recognised as a basic right, derived from the constitutional rights to human dignity and the pursuit of happiness (Article 10), private life (Article 17) and privacy of communications (Article 18). This has been confirmed by both the Supreme Court (10) and the Constitutional Court (11). Restrictions on fundamental rights and freedoms (including the right to privacy) may only be imposed by law, when necessary for national security or the maintenance of law and order for public welfare, and may not affect the essence of the right or freedom at stake (Article 37(2)).

(9)

Even though the Constitution in various places refers to the rights of Korean citizens, the Constitutional Court has ruled that also foreign nationals are the subject of basic rights (12). In particular, the Court held that the protection of one’s dignity and value as a human being, as well as the right to seek happiness, are rights of any human being, not just of citizens (13). Moreover, according to the official representations from the Korean government (14), it is generally recognised that Articles 12 to 22 of the Constitution (which include privacy rights) provide for basic human rights (15). Although so far no case law exists specifically regarding the right to privacy of foreign nationals, its grounding in the protection of human dignity and the pursuit of happiness supports this conclusion (16).

(10)

Moreover, Korea has enacted a series of laws in the area of data protection that provide safeguards for all individuals, irrespective of their nationality (17). For the purpose of this Decision, the relevant laws are:

(11)

PIPA provides the general legal framework for data protection in the Republic of Korea. It is supplemented by an Enforcement Decree (Presidential Decree No. 23169 of 29 September 2011, last amended by Presidential Decree No. 30892 of 4 August 2020) (PIPA Enforcement Decree), which like PIPA is legally binding and enforceable.

(12)

Moreover, regulatory ‘Notifications’ adopted by the Personal Information Protection Commission (PIPC) provide further rules on the interpretation and application of PIPA. Based on Article 5 (Obligations of State) and Article 14 PIPA (International Cooperation), the PIPC adopted Notification No 2021-5 of 1 September 2020 (as amended by No 2021-1 of 21 January 2021 and Notification No 2021-5 of 16 November 2021, Notification No 2021-5) on the interpretation, application and enforcement of certain provisions of PIPA. This Notification provides clarifications that apply to any processing of personal data under PIPA as well as additional safeguards for personal data transferred to Korea based on this Decision. The Notification is legally binding on personal information controllers and enforceable by both the PIPC and courts (19). A violation of the rules set out in the Notification entails a violation of the relevant provisions of PIPA they complement. The content of the additional safeguards is therefore analysed as part of the assessment of the relevant PIPA articles. Finally, further guidance on PIPA and its Enforcement Decree, which informs the application and enforcement of the data protection rules by the PIPC, is provided in the PIPA Handbook and Guidelines adopted by the PIPC (20).

(13)

In addition, the Act on the Use and Protection of Credit Information (CIA) lays down specific rules that apply both to ‘ordinary’ commercial operators and specialised entities within the financial sector when they process personal credit information, i.e. information that is necessary to determine the creditworthiness of parties to financial or commercial transactions. This includes, in particular, the name, contact details, financial transactions, credit rating, insurance status, or loan balance when such information is used to determine an individual’s creditworthiness (21). Conversely, where such information is used for other purposes (such as human resources), the PIPA applies in its entirety. Concerning the specific data protection provisions of the CIA, compliance is supervised partly by the PIPC (for commercial organisations, see Article 45-3 CIA) and partly by the Financial Services Commission (22) (for the financial sector, including credit rating agencies, banks, insurance companies, mutual savings banks, specialised credit financial companies, financial investment services companies, securities finance companies, credit unions, etc., see Article 45(1) CIA in conjunction with Article 36-2 CIA Enforcement Decree and Article 38 of the Act on the Financial Services Commission). In this regard, the scope of this Decision is limited to commercial operators that are subject to the oversight of the PIPC (23). The specific rules of the CIA that apply in this context (the general PIPA rules apply where no specific rules exist) are described in section 2.3.11.

(14)

Except as otherwise specifically provided for in other Acts, the protection of personal data is governed by PIPA (Article 6). The material and personal scope of its application is determined by the defined concepts of ‘personal information’, ‘processing’ and ‘personal information controller’.

(15)

Article 2(1) PIPA defines personal information as information relating to a living individual that identifies the individual directly, for instance by his or her name, resident registration number or image, or indirectly, namely where information that cannot by itself identify a certain individual can be easily combined with other information. Whether information can be ‘easily’ combined depends on whether such combination is reasonably likely, taking into account the possibility of obtaining other information as well as the time, cost and technology required to identify an individual.

(16)

In addition, pseudonymous information – i.e. information that cannot identify a specific individual without using or combining it with additional information to restore it to its original state – is considered personal data under PIPA (Article 2(1) lit. c) PIPA). Conversely, information that is fully ‘anonymised’ is excluded from the scope of application of PIPA (Article 58-2 PIPA). This is the case for information that cannot identify a specific individual, even if combined with other information, taking into account the time, cost and technology reasonably required for identification.

(17)

This corresponds to the material scope of application of Regulation (EU) 2016/679 and its notions of ‘personal data’, ‘pseudonymisation’ (24) and ‘anonymised information’ (25).

(18)

The notion of ‘processing’ is broadly defined in PIPA as covering the ‘collection, generation, connecting, interlocking, recording, storage, retention, value-added processing, editing, retrieval, output, correction, recovery, use, provision, and disclosure, destruction of personal information and other similar activities’ (26). Although certain provisions in PIPA refer only to specific types of processing, such as ‘use’, ‘provision’ or ‘collection’ (27), the notion of ‘use’ is interpreted as including any type of processing other than ‘collection’ or (third-party) ‘provision’. This broad interpretation of ‘use’ thereby ensures that there are no gaps in the protection with respect to specific processing activities. The concept of processing therefore corresponds to the same notion under Regulation (EU) 2016/679.

(19)

PIPA applies to ‘personal information controllers’ (controller). Similar to Regulation (EU) 2016/679, this includes any public institution, legal person, organisation or individual that processes personal data directly or indirectly to operate personal data files as part of their activities. (28) In this context, ‘personal information file’ means any ‘set or sets of personal information arranged or organised in a systematic manner based on a certain rule for easy access to the personal information’ (Article 2(4) PIPA) (29). Internally, the controller is under an obligation to train the persons involved in the processing under its direction, such as company officers or employees, and to exercise appropriate control and supervision (Article 28(1) PIPA).

(20)

Specific obligations apply when a controller (the ‘outsourcer’) outsources the processing of personal data to a third party (the ‘outsourcee’). In particular, the outsourcing must be governed by a legally binding arrangement (typically a contract) (30) that sets out the scope of the outsourced work, the purpose of processing, the technical and managerial safeguards to be applied, supervision by the controller, liability (such as compensation for damages caused by a breach of contractual obligations) as well as the limitations to any sub-processing (31) (Article 26(1), (2) PIPA in conjunction with Article 28(1) of the Enforcement Decree) (32).

(21)

In addition, the controller has to publish, and continuously update, details on the outsourced work and the identity of the outsourcee, or, to the extent the outsourced processing concerns direct marketing activities, directly notify individuals of the relevant information (Article 26(2), (3) PIPA in conjunction with Article 28(2)-(5) of the Enforcement Decree) (33).

(22)

Furthermore, pursuant to Article 26(4) PIPA in conjunction with Article 28(6) of the Enforcement Decree, the controller is under an obligation to ‘educate’ the outsourcee on necessary security measures and supervise, including through inspections, whether it complies with all the controller’s obligations under PIPA (34) as well as under the outsourcing contract. Where the outsourcee causes damage due to a violation of PIPA, its actions or failure to act will be attributed to the controller for liability purposes as in the case of an employee (Article 26(6) PIPA).

(23)

Although PIPA therefore does not use different concepts for ‘controllers’ and ‘processors’, the rules on outsourcing provide essentially equivalent obligations and safeguards as those regulating the relationship between controllers and processors under Regulation (EU) 2016/679.

(24)

While PIPA applies to the processing of personal data by any controller, certain provisions contain specific rules (as a lex specialis) for the processing of personal data of ‘users’ by ‘providers of information and communication services’ (35). The notion of ‘users’ covers individuals that use information and communication services (Article 2(1) lit. 4 of the Act on the Promotion of Information and Communications Network Utilisation and Data Protection, Network Act). This requires that the individual either directly uses telecommunication services provided by a Korean telecommunications operator or uses information services (36) provided commercially (i.e. for profit) by an entity that in turn relies on the services of a telecommunications operator licenced/registered in Korea (37). In both cases, the entity bound by the specific PIPA provisions is one that offers an online service directly to an individual (i.e. a user).

(25)

Conversely, an adequacy finding exclusively concerns the level of protection afforded to personal data transferred from a controller/processor in the Union to an entity in a third country (here: the Republic of Korea). In the latter scenario, individuals in the Union will normally have a direct relationship only with the ‘data exporter’ in the Union and not with any Korean information and communication service provider (38). Therefore, the specific provisions of PIPA with respect to personal data of users of information and communication services will, at most, only apply in limited situations to personal data transferred under this Decision.

(26)

Article 58(1) PIPA excludes the application of part of PIPA (i.e. Articles 15 to 57) with respect to four categories of data processing (39). In particular, the parts of PIPA dealing with the specific grounds for processing, certain data protection obligations, the detailed rules for the exercise of individual rights as well as the rules governing dispute resolution by the Personal Information Dispute Mediation Committee do not apply. Other basic provisions of PIPA remain applicable, in particular the general provisions on data protection principles (Article 3 PIPA) – including for instance the principles of lawfulness, purpose specification and purpose limitation, data minimisation, data accuracy and security – and individual rights (of access, rectification, deletion and suspension, see Article 4 PIPA). In addition, Article 58(4) PIPA imposes specific obligations on those processing activities, namely with respect to data minimisation, limited data retention, security measures and the handling of complaints (40). As a consequence, individuals could still file a complaint with the PIPC if these principles and obligations would not be respected and the PIPC is empowered to take enforcement action in case of non-compliance.

(27)

Firstly, the partial exemption covers personal data collected pursuant to the Statistics Act for processing by public institutions. According to clarifications received from the Korean government, personal data processed in this context normally concerns Korean nationals and might only exceptionally include information on foreigners, namely in the case of statistics on entry to and departure from the territory, or on foreign investments. However, even in these situations, such data is normally not transferred from controllers/processors in the Union, but would rather be directly collected by public authorities in Korea (41). Moreover, similar to what is provided in recital 162 of Regulation (EU) 2016/679, the processing of data under the Statistics Act is subject to several conditions and safeguards. In particular, the Statistics Act imposes specific obligations, such as to ensure accuracy, consistency and impartiality; guarantee the confidentiality of individuals; protect the information of respondents to statistical queries including with a view to prevent such information from being used for any other purpose than that of compiling statistic and subject staff members to confidentiality requirements (42). Public authorities processing statistics must also comply with, inter alia, the principles of data minimisation, purpose limitation and security (Article 3 and 58(4) PIPA) and allow individuals to exercise their rights (of access, correction, deletion and suspension, see Article 4 PIPA). Finally, the data must be processed in an anonymised or pseudonymised form if this allows fulfilling the purpose of processing (Article 3(7) PIPA).

(28)

Secondly, Article 58(1) PIPA refers to personal data collected or requested for the analysis of information related to national security. The scope and consequences of this partial exemption are described in more detail in recital (149).

(29)

Thirdly, the partial exemption applies to the temporary processing of personal data where this is urgently necessary for reasons of public safety or security, including public health. This category is interpreted strictly by the PIPC and, according to the information received, has never been used. It applies only in emergencies requiring urgent action, for example to track infectious agents, or to rescue and aid victims of natural disasters (43). Even in those situations, the partial exemption only covers the processing of personal data for a limited time period to carry out such action. Situations where this could apply to data transfers covered by this Decision are even more limited, given the low likelihood that personal data transferred from the Union to Korean operators would be of the type that could render its subsequent processing ‘urgently necessary’ for such emergencies.

(30)

Finally, the partial exemption applies to personal data collected or used by the press, for missionary activities by religious organisations, or for the nomination of candidates by political parties. The exemption only applies when personal data is processed by the press, religious organisations or political parties for those specific purposes (i.e. journalistic activities, missionary work and the nomination of political candidates). Where those entities process personal data for other purposes, such as management of human resources or internal administration, PIPA applies in full.

(31)

With respect to the processing of personal data by the press for journalistic activities, the balancing between freedom of expression and other rights (including the right to privacy) is provided by the Act on Arbitration and Remedies, etc. for Damage Caused by Press Reports (Press Act) (44). In particular, Article 5 of the Press Act provides that the press (i.e. any broadcasting organisation, newspaper, periodical or online newspaper), any internet news service, or internet multimedia broadcasting organisation may not infringe the privacy of individuals. If a privacy infringement nevertheless occurs, it must be remedied promptly in accordance with specific procedures set out in the Act. In this respect, the Act grants individuals that suffer damage due to a press report a number of rights, such as to obtain the publication of a correction of a false statement, a rectification by way of a contradictory statement or a further report (where a press report concerns allegations of crimes of which the individual is later on acquitted) (45). Claims by individuals may be resolved by press outlets directly (through an ombudsperson) (46), through conciliation or arbitration (before a specialised Press Arbitration Commission) (47) or before the courts. Individuals may also obtain compensation when they suffer monetary damage, infringement of a personality right, or any other emotional distress due to an illegal act of the press (by intention or negligence) (48). The press is exempt from liability under the Act to the extent that a press report that interferes with the rights of an individual is not contrary to social values and is published either with the consent of the individual concerned, or in the public interest (and there are sufficient grounds to consider that the report corresponds to the truth) (49).

(32)

Whereas the processing of personal data by the press for journalistic activities is therefore subject to specific safeguards that follow from the Press Act, there are no such additional safeguards framing the use of the exceptions for the processing activities by religious organisations and political parties in a way comparable to Articles 85, 89 and 91 of Regulation (EU) 2016/679. The Commission therefore considers it appropriate to exclude religious organisations to the extent they process personal data for their missionary activities and political parties to the extent they process personal data in the context of the nomination of candidates from the scope of application of this Decision.

(33)

Personal data should be processed lawfully and fairly.

(34)

This principle is laid down by Article 3(1), (2) PIPA and is reinforced by Article 59 PIPA, which prohibits the processing of personal data ‘by fraud, improper or unjust means’, ‘without legal authority’ or ‘beyond proper authority’ (50). These general principles of lawful processing are elaborated in Articles 15 to 19 PIPA which set out the different legal bases for processing (collection, use and provision to third parties), including the circumstances under which this may involve a change of purpose (Article 18 PIPA).

(35)

According to Article 15(1) PIPA, a controller may only collect personal data (within the scope of the purpose of collection) on a limited number of legal grounds. These are (1) the data subject’s consent (51) (lit. 1); (2) the necessity to execute and perform a contract with the data subject (lit. 4); (3) a special authorisation in law or necessity for compliance with a legal obligation (lit. 2); the necessity (52) for a public institution to carry out the tasks within its jurisdiction as prescribed by law; (4) the manifest necessity for the protection of the data subject’s or a third party’s life, body or property interests from imminent danger (only if the data subject is not in a position to express his or her intention, or prior consent cannot be obtained) (lit. 5); (5) the necessity to attain the ‘justifiable interest’ of the controller if it is ‘manifestly superior’ to the interests of the data subject (and only where the processing bears a ‘substantial relation’ to the legitimate interest and does not go beyond what is reasonable) (lit. 6) (53). These grounds for processing are essentially equivalent to those laid down in Article 6 of Regulation (EU) 2016/679, including the ‘justifiable interest’ ground that equals the ‘legitimate interest’ ground in Article 6(1) point (f) of Regulation (EU) 2016/679.

(36)

Once collected, personal data may be used within the scope of the purpose of collection (Article 15(1) PIPA), or ‘within the scope reasonably related’ to the purpose of collection, taking into account possible disadvantages caused to the data subject and provided the necessary security measures (e.g. encryption) have been adopted (Articles 15(3) PIPA). To determine whether the purpose of use is ‘reasonably related’ to the original collection purpose, the Enforcement Decree sets out specific criteria, which are similar to those of Article 6(4) Regulation (EU) 2016/679. In particular, there must be a considerable relevance to the original purpose; the additional use must be predictable (for instance in light of the circumstances in which the information was collected); and, where possible, the data must be pseudonymised (54). The specific criteria used by a controller in this assessment must be disclosed in advance in the privacy policy (55). Moreover, the privacy officer (see recital (94)) is specifically required to review whether further use takes place within those parameters.

(37)

Similar (but somewhat stricter) rules apply to the provision of data to a third party. According to Article 17(1) PIPA, the provision of personal data to a third party is allowed on the basis of consent (56) or, within the purpose of collection, where the information has been collected on one of the legal grounds in Article 15 (1) lit. 2, 3, and 5 PIPA. This excludes in particular any disclosure based on the ‘justifiable interest’ of the controller. Beyond this, Article 17(4) PIPA allows third-party provision ‘within the scope reasonably related’ to the purpose of collection, again taking into account possible disadvantages caused to the data subject and provided the necessary security measures (such as encryption) have been adopted. The same factors as the ones described in recital (36) must be taken into account to assess whether the provision is within the scope reasonably related to the purpose of collection and the same safeguards (i.e. with respect to transparency through the privacy policy and the involvement of the privacy officer) apply.

(38)

The receipt of personal data by a Korean data controller from the Union is considered a ‘collection’ within the meaning of Article 15 PIPA. Notification No 2021-5 (Section I of Annex I to this Decision) clarifies that the purpose for which the data was transferred by the concerned EU entity constitutes the purpose of collection for the Korean data controller. As a consequence, Korean data controllers receiving personal data from the Union are in principle required to process such information within the scope of the purpose of the transfer, in accordance with Article 17 PIPA.

(39)

Special limitations apply in the event the controller seeks to use the personal data or provide it to a third party for a different purpose than the purpose of collection (57). According to Article 18(2) PIPA, a private controller may exceptionally (58) use personal data or provide it to a third party for a different purpose: (1) based on the data subject’s additional (meaning separate) consent; (2) where this is provided by special statutory provisions; or (3) where this is manifestly necessary for the protection of the data subject’s or a third party’s life, body or property interests from imminent danger (only if the data subject is not in a position to express his or her intention, and prior consent cannot be obtained) (59).

(40)

Public institutions may also use personal data or provide it to a third party for a different purpose in certain situations. This includes cases where it would otherwise be impossible for public institutions to perform their statutory duties as prescribed by law, subject to authorisation of the PIPC. In addition, public institutions may provide personal data to another authority or court, where this is necessary for the investigation and prosecution of crimes or an indictment; for a court to carry out its functions related to ongoing judicial proceedings; or for the enforcement of a criminal penalty, or an order of care or custody (60). They may also provide personal data to a foreign government or international organisation to comply with a legal obligation following from a treaty or international convention, in which case they also need to comply with the requirements for cross-border data transfers (see recital (90)).

(41)

The principles of lawfulness and fairness of processing are therefore implemented in the Korean legal framework in an essentially equivalent way to Regulation (EU) 2016/679, by allowing processing only on the basis of legitimate and clearly defined grounds. Moreover, in all mentioned cases, the processing is only allowed if it is not likely to ‘infringe unfairly’ on the interests of the data subject or a third party, which requires a balancing of interests. In addition, Article 18(5) of PIPA prescribes additional safeguards when the controller provides the personal data to a third party, which may include a request to restrict the purpose and method of use, or to put in place specific security measures. The third party is in turn required to implement the requested measures.

(42)

Finally, Article 28-2 PIPA allows the (further) processing of pseudonymised information without the consent of the concerned individual for the purpose of statistics, scientific research (61) and archiving in the public interest, subject to specific safeguards. Similar to Regulation (EU) 2016/679 (62), PIPA therefore facilitates (further) processing of personal data for such purposes within a framework providing for appropriate safeguards to protect the rights of individuals. Instead of relying on pseudonymisation as a possible safeguard, PIPA imposes it as a pre-condition in order to carry out certain processing activities for the purposes of statistics, scientific research and archiving in the public interest (such as to be able to process the data without consent or to combine different datasets).

(43)

Moreover, PIPA imposes a number of specific safeguards, in particular in terms of required technical and organisational measures, record-keeping, limitations on data sharing and addressing possible risks of re-identification. The combination of the various safeguards described in recitals (44) - (48) ensures that the processing of personal data in this context is subject to essentially equivalent protections compared to those that would be required in accordance with Regulation (EU) 2016/679.

(44)

Firstly, and most importantly, Article 28-5(1) PIPA prohibits the processing of pseudonymised information with the purpose of identifying a certain individual. If information that could identify an individual would nevertheless be generated while processing pseudonymised information, the controller must immediately suspend the processing and destroy such information (Article 28-5(2) PIPA). Failure to comply with these provisions is subject to administrative fines and constitutes a criminal offence (63). This means that, even in those situations where it would be practically possible to re-identify the individual, such re-identification is legally prohibited.

(45)

Secondly, when (further) processing pseudonymised information for such purposes, the controller is required to put in place specific technological, managerial and physical measures to ensure the security of the information (including separately storing and managing the information that is necessary to restore the pseudonymised information to its original state) (64). In addition, records must be kept of the pseudonymised information processed, the purpose of processing, the history of use and any third party recipients (Article 29-5(2) PIPA Enforcement Decree).

(46)

Thirdly and lastly, PIPA provides for specific safeguards to prevent the identification of individuals by third parties in the case where the information is shared. In particular, when providing pseudonymised information to a third party for the purpose of statistics, scientific research or archiving in the public interest, controllers may not include information that could be used to identify a specific individual (Article 28-2(2) PIPA) (65).

(47)

More specifically, while PIPA allows the combination of pseudonymised information (processed by different controllers) for the purpose of statistics, scientific research or archiving in the public interest, it reserves that power to specialised institutions equipped with specific security facilities (Article 28-3(1) PIPA) (66). When applying for a combination of pseudonymised data, a controller must submit documentation on, amongst others, the data to be combined, the purpose of combination, as well as the proposed security measures for processing the combined data (67). To allow for the combination, the controller has to send the data to be combined to the specialised institution and provide a ‘combination key’ (i.e. the information that has been used for pseudonymisation) to the Korea Internet and Security Agency (68). The latter generates ‘combination key link data’ (that allows linking the combination keys of different applicants in order to achieve combination of the datasets) and provides them to the specialised institution (69).

(48)

The controller requesting combination may analyse the combined information at the premises of the specialised institution, in a space where specific technical, physical and administrative security measures are applied (Article 29-3 PIPA Enforcement Decree). Controllers that contribute a dataset for such combination may only take the combined data outside the specialised institution following further pseudonymisation or anonymisation of the combined data, and with the approval of that institution (Article 28-3(2) PIPA) (70). In considering whether or not to grant such approval, the institution will assess the link between the combined data and the purpose of processing and whether a specific security plan has been drawn up for the use of such data (71). Exporting the combined information outside the institution will not be allowed if the information contains data that would allow identification of an individual (72). Finally, the combination and release of pseudonymised data by the specialised institution is supervised by the PIPC (Article 29-4(3) PIPA Enforcement Decree).

(49)

Specific safeguards should exist where ‘special categories’ of data are being processed.

(50)

PIPA contains specific rules as regards the processing of sensitive data (73), which is defined as personal data revealing information about the ideology, belief, admission to or withdrawal from a trade union or political party, political opinions, health, and sexual life of an individual, as well as other personal information that is likely to threaten the data subject’s privacy ‘noticeably’ and has been prescribed as sensitive information by Presidential Decree (74). According to clarifications received from the PIPC, sexual life is interpreted as also covering the individual’s sexual orientation or preferences (75). Moreover, Article 18 of the Enforcement Decree adds further categories to the scope of sensitive data, in particular DNA information acquired from genetic testing and data that constitutes a criminal history record. The recent amendment of the PIPA Enforcement Decree has further broadened the notion of sensitive data, by also including personal data revealing racial or ethnic origin and biometric information (76). Following that amendment, the notion of sensitive data under PIPA is essentially equivalent to the one in Article 9 of Regulation (EU) 2016/679.

(51)

According to Article 23(1) PIPA and similarly to what is provided under Article 9(1) of Regulation (EU) 2016/679, processing of sensitive data is generally prohibited, unless one of the enumerated exceptions applies (77). These limit processing to cases where the controller informs the data subject in accordance with Articles 15 and 17 PIPA and obtains separate consent (i.e. separate from the consent for the processing of other personal data), or where the processing is required or permitted by statute. Public authorities may also process biometric information, DNA information acquired from genetic testing, personal information revealing racial or ethnic origin and data that constitutes a criminal history record on those grounds that are exclusively available to them (for instance where necessary for the investigation of crimes or where necessary for a court to proceed with a case) (78). As such, the legal bases available for the processing of sensitive data are more limited than for other types of personal data, and even more restrictive in Korean law than they are under Article 9(2) of Regulation (EU) 2016/679.

(52)

Moreover, Article 23(2) of PIPA – non-compliance with which can lead to sanctions (79) – underlines the particular importance of ensuring appropriate security when handling sensitive data so that it ‘may not be lost, stolen, divulged, forged, altered, or damaged.’ While this is a general requirement under Article 29 PIPA, Article 3(4) makes clear that the level of security must be adapted to the type of personal data that is processed, which means that the particular risks involved in the processing of sensitive data must be taken into account. Moreover, data processing shall always be carried out ‘in a manner to minimize the possibility to infringe’ the data subject’s privacy, and if possible ‘in anonymity’ (Article 3(6) and (7) PIPA). These requirements are particularly relevant where the processing concerns sensitive data.

(53)

Personal data should be collected for a specific purpose and in a manner that is not incompatible with the purpose of processing.

(54)

This principle is ensured by Article 3(1) and (2) PIPA, according to which the controller shall ‘specify and explicit’ the purpose of processing, shall process personal data in an appropriate manner necessary for such purpose and shall not use it beyond such purpose. The general principle of purpose limitation is also confirmed in Articles 15(1), 18(1), 19 and – for processors (so-called ‘outsourcees’) – in Article 26(1) lit. 1, (5) and (7) PIPA. In particular, personal data may in principle only be used and provided to third parties within the scope of the purpose for which it was collected (Article 15(1) and 17(1) lit. 2). Processing for a compatible purpose, i.e. ‘within the scope reasonably related to the initial purpose of the collection’, may only take place if it does not negatively affect the data subjects concerned and if necessary security measures (such as encryption) are adopted (Articles 15(3) and 17(4) PIPA). To determine whether further processing is for a compatible purpose, the PIPA Enforcement Decree lists specific criteria that are similar to those provided by Article 6(4) of Regulation (EU) 2016/679, see recital (36).

(55)

As explained in recital (38), the purpose of collection in case of Korean controllers receiving personal data from the Union is the purpose for which the data is transferred. A change of purpose by the controller is only allowed exceptionally, in specific (enumerated) cases (Article 18(2) lit. 1-3 PIPA, see also recital (39)). To the extent a change of purpose is authorised by law, such laws in turn have to respect the fundamental right to privacy and data protection, as well as the principles of necessity and proportionality laid down in the Korean Constitution. Moreover, Article 18(2) and (5) PIPA provides for additional safeguards, in particular the requirement that such a change of purpose must not ‘infringe unfairly on the interest of a data subject’, thus always necessitating a balancing of interests. This provides for a level of protection essentially equivalent to that under Article 5(1) lit. b) and Article 6, in conjunction with recital 50, of Regulation (EU) 2016/679.

(56)

Personal data should be accurate and, where necessary, kept up to date. It should also be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

(57)

The principle of accuracy is similarly recognised in Article 3(3) PIPA, which requires that personal data is ‘accurate, complete and up to date to the extent necessary in relation to the purposes’ for which the data is processed. Data minimisation is required under Articles 3(1), (6) and 16(1) PIPA, which stipulate that the controller shall (only) collect personal data ‘to the minimum extent necessary’ for the intended purpose, and that it bears the burden of proof in this regard. If it is possible to fulfil the purpose of collection by processing information in anonymised form, controllers should endeavour to do so (Article 3(7) PIPA).

(58)

Personal data should in principle be kept for no longer than is necessary for the purposes for which the personal data is processed

(59)

The principle of storage limitation is similarly provided by Article 21(1) PIPA (80), which requires the controller to ‘destroy’ (81) personal data without delay upon achievement of the purpose of processing or upon expiry of the retention period (whichever is earlier), unless further retention is required by statute (82). In the latter case, the relevant personal data ‘shall be stored and managed separately from other personal information’ (Article 21(3) PIPA).

(60)

Article 21(1) PIPA does not apply when pseudonymised data is processed for statistical purposes, scientific research or archiving in the public interest (83). To ensure the principle of limited data retention also in this case, Notification 2021-5 requires controllers to anonymise the information in accordance with Article 58-2 PIPA if the data has not been destroyed upon fulfilment of the specific purpose of processing (84).

(61)

Personal data should be processed in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. To that end, business operators should take appropriate technical or organisational measures to protect personal data from possible threats. These measures should be assessed taking into consideration the state of the art, related costs and the nature, scope, context and purposes of processing, as well as the risks for the rights of individuals.

(62)

A similar principle of security is laid down in Article 3(4) PIPA, which requires controllers to ‘manage personal information safely according to the processing methods, types, etc. of personal information, taking into account the possibility of infringement on data subject rights and the severity of the relevant risks’. Moreover, the controller ‘shall process personal information in a manner to minimise the possibility to infringe on the privacy of a data subject’, and in this context shall endeavour to process personal data in anonymity or in pseudonymised form, if possible (Article 3(6) and (7) PIPA).

(63)

These general requirements are further elaborated in Article 29 PIPA, according to which every controller ‘shall take such technical, managerial and physical measures as establishing an internal management plan and preserving log-on records, etc. that are necessary to ensure safety as prescribed by Presidential Decree so that the personal information may not be lost, stolen, divulged, forged, altered or damaged.’ Article 30(1) of the PIPA Enforcement Decree specifies those measures by referring to (1) the formulation and implementation of an internal management plan for the safe processing of personal data, (2) access controls and restrictions, (3) the adoption of encryption technology to safely store and transmit personal data, (4) login records (5) security programs, and (6) physical measures such as a safe storage or locking system (85).

(64)

In addition, specific obligations apply if a data breach occurs (Article 34 PIPA in conjunction with Articles 39 and 40 of the PIPA Enforcement Decree) (86). In particular, the controller is required to notify the aggrieved data subjects of the details of the breach without delay (87), including information about (mandatory) countermeasures taken by the controller and what data subjects can do to minimise the risk of damage (Article 34(1), (2) PIPA) (88). Where the data breach concerns at least 1 000 data subjects, the controller shall, without delay, also report the data breach and the countermeasures taken to the PIPC and the Korea Internet and Security Agency, which may provide technical assistance (Article 34(3) PIPA in conjunction with Article 39 of the PIPA Enforcement Decree). Controllers are liable for damage resulting from data breaches, in accordance with the provisions of the Civil Act on tort liability (see also section 2.5 on redress) (89).

(65)

In complying with its security obligations, the controller must be assisted by a privacy officer, whose tasks include, among others, the building of an internal control system ‘to prevent the divulgence, abuse and misuse of personal information’ (Article 31(2) lit. 4 PIPA). Moreover, the controller has a duty to conduct ‘appropriate control and supervision’ of those of its staff processing personal data, including as regards its safe management; this includes the necessary training (‘education’) of employees (Article 28(1), (2) PIPA). Finally, in the case of sub-processing, the controller must impose requirements on the ‘outsourcee’ among others as regards the safe management of personal data (‘technical and managerial safeguards’), and must supervise how these are implemented through inspections (Article 26(1) and (4) PIPA in conjunction with Article 28(1) lit. 3, 4 and (6) of the PIPA Enforcement Decree).

(66)

Data subjects should be informed of the main features of the processing of their personal data.

(67)

This is ensured in different ways in the Korean system. Aside from the right to information pursuant to Article 4 lit. 1 (in general) and Article 20(1) PIPA (for personal data collected from third parties), as well as the right of access pursuant to Article 35 PIPA, PIPA includes a general transparency requirement as regards the purpose of processing (Article 3(1) PIPA) and specific transparency requirements in the case where the processing is based on consent (Articles 15(2), 17(2) and 18(3) PIPA) (90). Moreover, Article 20(2) PIPA requires certain controllers – those for which processing exceeds certain thresholds (91) – to notify the data subject whose personal data they have received from a third party of the information source, the purpose of processing and the data subject’s right to demand a suspension of processing, unless such notification proves impossible due to the lack of any contact information. Exceptions apply for certain personal data files held by public authorities, in particular files that contain data processed for national security, other particularly important (‘grave’) national interests, or criminal law enforcement purposes, or where notification is likely to cause harm to the life or body of another person, or unfairly damages the property and other interests of another person, however only where the public or private interests at stake are ‘manifestly superior’ to the rights of the data subjects concerned (Article 20(4) PIPA). This requires a balancing of interests.

(68)

In addition, Article 3(5) PIPA prescribes that controllers shall make their privacy policy (and other matters related to personal data processing) public. This requirement is further specified in Article 30 PIPA in conjunction with Article 31 of the PIPA Enforcement Decree. According to those provisions, the public privacy policy must among others include (1) the types of personal data processed, (2) the purpose of processing, (3) the retention period, (4) whether personal data is provided to a third party (92), (5) any sub-processing, (6) information on the rights of the data subject and how to exercise them and (7) contact information (including the name of the privacy officer or the internal department responsible for ensuring compliance with the data protection rules and complaint handling). The privacy policy must be made publicly available in such a way that data subjects ‘may recognise it with ease’ (Article 30(2) of PIPA) (93) and must be continuously updated (Article 31(2) of the PIPA Enforcement Decree).

(69)

Public institutions are subject to an additional obligation to register, in particular, the following information with the PIPC: (1) the name of the public institution, (2) the grounds and purposes for the processing of the personal data files, (3) the particulars of the personal data that is recorded, (4) the method of processing, (5) the retention period, (6) the number of data subjects whose personal data is retained, (7) the department that handles data subject requests and (8) the recipients of personal data when data is provided routinely or repetitively (Article 32(1) PIPA) (94). Registered personal data files are made public by the PIPC and must also be referenced by public institutions in their privacy policy (Articles 30(1) and 32(4) PIPA).

(70)

To enhance transparency for data subjects in the Union whose personal data is transferred to Korea on the basis of this Decision, Section 3(i) and (ii) of Notification 2021-5 (Annex I) imposes additional transparency requirements. Firstly, when receiving personal data from the Union on the basis of this Decision, Korean controllers must notify the concerned data subjects without undue delay (and in any event not later than one month from the transfer) of the name and contact details of the entities transferring and receiving the information, the personal data (or categories of personal data) transferred, the purpose of collection by the Korean controller, the retention period and the rights available under PIPA. Secondly, when providing personal data received from the Union on the basis of this Decision to third parties, data subjects must be informed inter alia about the recipient, the personal data or categories of personal data to be provided, the country to which the data is provided (where applicable), as well as the rights available under PIPA (95). This way, the Notification ensures that EU individuals continue to be informed of the specific controllers processing their information and are able to exercise their rights vis-à-vis the relevant entities.

(71)

Section 3 (iii) of the Notification (Annex I) allows certain limited and qualified exceptions to these additional transparency obligations that are essentially equivalent to those provided under Regulation (EU) 2016/679. In particular, notification of data subjects in the Union is not required (1) where and as long as it is necessary to restrict notification for certain reasons of public interest (for instance where the information is processed for the purposes of national security or ongoing criminal investigations), to the extent that these public interest objectives are manifestly superior to the rights of the data subject; (2) where the data subject already has the information; (3) where and as long as notification is likely to cause harm to the life or body of the individual or another person, or to unfairly infringe on the property interests of another person, where those rights or interests are manifestly superior to the rights of the data subject; or (4) where there are no contact details for the concerned individuals, or a disproportionate effort would be required to notify them. In determining whether or not it is possible to contact the data subject, or whether this involves excessive efforts, the possibility to cooperate with the data exporter in the Union shall be taken into account.

(72)

The rules in recitals (67) - (71) therefore ensure an essentially equivalent level of protection with respect to transparency as to what is provided for under Regulation (EU) 2016/679.

(73)

Data subjects should have certain rights which can be enforced against the controller or processor, in particular the right of access to data, the right to rectification, the right to object to processing and the right to have data erased. At the same time, such rights may be subject to restrictions, insofar as these restrictions are necessary and proportionate to safeguard important objectives of general public interest.

(74)

According to Article 3(5) PIPA, the controller shall guarantee the data subject rights listed in Article 4 PIPA and further specified in Articles 35 to 37, 39 and 39-2 PIPA.

(75)

Firstly, individuals have rights to information and access. When the controller has collected personal data from a third party – as will always be the case where the data is transferred from the Union – data subjects generally have the right to receive information on (1) the ‘source’ of the personal data collected (i.e. the transferor), (2) the purpose of processing and (3) the fact that the data subject is entitled to demand suspension of processing (Article 20(1) PIPA). Limited exceptions apply, namely where such notification is likely to cause harm to the life or body of another person, or ‘unfairly damages the property and other interests’ of another person, but only where these third party interests are ‘explicitly superior’ to the rights of the data subject (Article 20(4) lit. 2 PIPA).

(76)

In addition, Article 35(1) and (3) PIPA in conjunction with Article 41(4) of the PIPA Enforcement Decree provides data subjects with the right of access to their personal information (96). The right of access covers confirmation on the processing, information on the type of data processed, the purpose of processing, the retention period, as well as any disclosure to a third party, and the provision of a copy of the personal information processed (Article 4 lit. 3 PIPA in conjunction with Article 41(1) of the PIPA Enforcement Decree) (97). Access may be limited (partial access) (98) or denied only where this is provided for by law (99), where it would likely cause damage to the life or body of a third party, or an unjustified infringement of property and other interests of another person (Article 35(4) PIPA) (100). The latter implies that a balancing should take place between the constitutionally protected rights and freedoms of the individual, on the one hand, and of other persons, on the other hand. Where access is limited or denied, the controller must notify the data subject of the grounds therefor and how to appeal the decision (Articles 41(5), 42(2) of the PIPA Enforcement Decree).

(77)

Secondly, data subjects have the right to the correction or erasure (101) of their personal data, ‘unless otherwise specifically provided by other statutes’ (Article 36(1) and (2) PIPA) (102). Upon receipt of a request, the controller must investigate the matter without delay, take the necessary measures (103) and notify the data subject thereof within 10 days; where the request cannot be granted, this notification requirement covers the reasons for the denial and how to appeal (see Article 36(4) PIPA in conjunction with Article 43(3) of the PIPA Enforcement Decree) (104).

(78)

Finally, data subjects have the right to the suspension of processing of their personal data, without delay (105), unless one of the enumerated exceptions apply (Article 37(1), (2) PIPA) (106). The controller may deny the request (1) where this is specifically authorised by law or necessary (‘inevitable’) to comply with legal obligations, (2) where suspension would likely cause damage to the life or body of a third party, or an unjustified infringement of property and other interests of another person, (3) where it would be impossible for a public institution to carry out its function as prescribed by law without processing the information, or (4) where the data subject fails to expressly terminate the underlying contract with the controller even though it would be impracticable to perform the contract without such data processing. In this case, the controller must, without delay, notify the data subject of the reasons for denial and how to appeal (Article 37(2) PIPA in conjunction with Article 44(2) of the PIPA Enforcement Decree). According to Article 37(4) PIPA, the controller must, without delay, ‘take necessary measures including destruction of the relevant personal information’ when complying with the suspension request (107).

(79)

The right to suspension also applies where personal data is used for direct marketing purposes, i.e. in order to promote goods or services, or solicit the purchase thereof. Moreover, such further processing generally requires the specific (additional) consent of the data subject (see Article 15(1) lit. 1, Article 17(2) lit. 1 of PIPA) (108). When requesting this consent the controller must inform the data subject in particular of the intended use of the data for direct marketing purposes – i.e. the fact that (s)he may be contacted to promote goods or services or solicit the purchase thereof – in an ‘explicitly recognisable manner’ (Article 22(2), (4) of PIPA in conjunction with Article 17(2) lit. 1 of the PIPA Enforcement Decree).

(80)

In order to facilitate the exercise of individual rights, the controller must establish dedicated procedures and publicly announce them (Article 38(4) PIPA). (109) This includes procedures for raising objections against the denial of a request (Article 38(5) PIPA). The controller must ensure that the procedure for exercising rights is ‘data-subject friendly’ and not more difficult than the one for the collection of the personal data; this also includes the obligation to provide information on the procedure on its website (Articles 41(2), 43(1) and 44(1) of the PIPA Enforcement Decree). (110) Individuals may authorise a representative to file such a request (Article 38(1) PIPA in conjunction with Article 45 of the PIPA Enforcement Decree). While the controller is entitled to impose a fee (and, in case of a request to mail copies of personal data, postage), the amount has to be determined ‘within the actual expenses necessary for the processing of [the request]’; no fee (nor postage) may be imposed where the controller has caused the request (Article 38(3) PIPA in conjunction with Article 47 of the PIPA Enforcement Decree).

(81)

PIPA and its Enforcement Decree do not contain general provisions addressing the issue of decisions affecting the data subject and based solely on the automated processing of personal data. However, as regards personal data that has been collected in the Union, any decision based on automated processing will typically be taken by the controller in the Union (which has a direct relationship with the concerned data subject) and is thus subject to Regulation (EU) 2016/679. (111) This includes transfer scenarios where the processing is carried out by a foreign (for instance Korean) business operator acting as an agent (processor) on behalf of the controller in the Union (or as a sub-processor acting on behalf of the Union processor having received the data from a Union controller that collected it) which on this basis then takes the decision. Therefore, the absence of specific rules on automated decision-making in the PIPA is unlikely to affect the level of protection of the personal data transferred under this Decision.

(82)

As an exception, the provisions of regarding transparency on request (Article 20) and individual rights (Articles 35 to 37), as well as the individual notification requirement for information and communication service providers (Article 39-8 PIPA), do not apply with respect to pseudonymised information, when this is processed for the purpose of statistics, scientific research or archiving in the public interest (Article 28-7 PIPA) (112). In line with the approach of Article 11(2) (in conjunction with recital 57) of Regulation (EU) 2016/679, this is justified by the fact that, to ensure transparency or grant individual rights, the controller would have to identify whether any (and if so which) data is related to the individual making the request, which is expressly prohibited under PIPA (Article 28-5(1) PIPA). Moreover, where such re-identification involves undoing the pseudonymisation for the entire (pseudonymised) dataset, it would expose the personal information of all other individuals concerned to increased risks.. Whereas Regulation (EU) 2016/679 refers to situations where re-identification is practically impossible, PIPA adopts a stricter approach by expressly prohibiting re-identification in all situations where pseudonymised information is processed.

(83)

The Korean system, as described in recitals (74) - (82), therefore contains rules on data subject rights that provide a level of protection essentially equivalent to that under Regulation (EU) 2016/679.

(84)

The level of protection afforded to personal data transferred from the Union to controllers in the Republic of Korea must not be undermined by the further transfer of such data to recipients in a third country.

(85)

Such ‘onward transfers’, constitute international transfers from the Republic of Korea from the perspective of the Korean controller. In this respect, PIPA distinguishes between the outsourcing of processing to an outsourcee (i.e. a processor) and the provision of personal data to third parties (113).

(86)

Firstly, when the processing of personal data is outsourced to an entity located in a third country, the Korean controller has to ensure compliance with PIPA’s provisions on outsourcing (Article 26 PIPA). This includes putting in place a legally binding instrument that among others limits the processing by the outsourcee to the purpose of the outsourced work, imposes technical and managerial safeguards and limits sub-processing (see Article 26(1) PIPA); and publishing information on the outsourced work. In addition, the controller is under an obligation to ‘educate’ the outsourcee on necessary security measures and supervise, including through inspections, compliance with all the controller’s obligations under PIPA (114) as well as the outsourcing contract.

(87)

If the outsourcee causes damage by processing the personal data in violation of PIPA, this will be attributed to the controller for liability purposes, as would be the case with the controller’s employees (Article 26(6) PIPA). The Korean controller therefore remains responsible for the personal data that has been outsourced and must ensure that the overseas processor processes the information in accordance with PIPA. If the outsourcee processes the information in violation of PIPA, the Korean controller can be held responsible for a failure to comply with its obligation to ensure compliance with PIPA, such as through its supervision of the outsourcee. The safeguards included in the outsourcing contract and the responsibility of the Korean controller for the actions of the outsourcee ensure continuity of protection when personal data processing is outsourced to an entity outside of Korea.

(88)

Secondly, Korean controllers may provide personal data to a third party located outside of Korea. While PIPA includes a number of legal grounds allowing for the provision to third parties in general, if the third party is located outside of Korea, the controller in principle (115) has to obtain the data subject’s consent (116) after having provided the data subject with information on (1) the type of personal data, (2) the recipient of the personal data, (3) the purpose of transfer in the sense of the purpose of processing pursued by the recipient, (4) the retention period for processing by the recipient as well as (5) the fact that the data subject may deny consent (Article 17(2), (3) PIPA). Notification 2021-5, in its section on transparency (see recital (70)), requires that individuals are informed about the third country to which their data will be provided. This ensures that data subjects in the Union can take a fully informed decision on whether or not to consent to an overseas provision. Moreover, the controller must not enter into a contract with the third party-recipient in violation of PIPA, which means that the contract must not contain obligations that would contradict the requirements imposed by PIPA on the controller (117).

(89)

Without the individual’s consent, personal data may be provided to a third party (overseas) where the purpose of disclosure remains ‘within the scope reasonably related’ to the initial purpose of collection (Article 17(4) PIPA, see recital (36)). However, in deciding whether (or not) to disclose personal data for a ‘related’ purpose, the controller must take into consideration whether the disclosure causes disadvantages to the individual and whether necessary security measures (such as. encryption) have been taken. Given that the third country to which personal data is transferred may not offer protections similar to those provided under PIPA, Section 2 of Notification 2021-5 recognises that such disadvantages may arise and can only be avoided if the Korean controller and the overseas recipient, through a legally binding instrument (such as a contract), ensure a level of protection equivalent to PIPA, including with respect to data subject rights.

(90)

Special rules apply to ‘out-of-purpose’ disclosure, i.e. provision of data to a third party for a new (unrelated) purpose, which may only take place on one of the grounds of Article 18(2) PIPA, as described in recital (39). However, even under those conditions third-party provision is excluded if it is likely to ‘unfairly infringe’ the interests of the data subject or a third party, which requires a balancing of interests. In addition, under Article 18(5) PIPA, the controller must apply additional safeguards, which may include requesting the third party to restrict the purpose and method of processing, or to put in place specific security measures. Again, given that the third country to which personal data is transferred may not offer protections similar to those provided under PIPA, Section 2 of Notification 2021-5 recognises that such an ‘unfair infringement’ of the interests of the individual or a third party may arise and can only be avoided if the Korean controller and the overseas recipient, through a legally binding instrument (such as a contract), ensure a level of protection equivalent to PIPA, including with respect to data subject rights.

(91)

The rules in recitals (86) - (90) therefore ensure continuity of protection when personal data is onward transferred (to an ‘outsourcee’ or a third party) from the Republic of Korea in a way that is essentially equivalent to what is provided under Regulation (EU) 2016/679.

(92)

Under the accountability principle, entities processing data are required to put in place appropriate technical and organisational measures to effectively comply with their data protection obligations and be able to demonstrate such compliance, in particular to the competent supervisory authority.

(93)

According to Article 3(6), (8) PIPA, the controller must process personal data ‘in a manner to minimise the possibility to infringe’ the data subject’s privacy, and shall endeavour to obtain the trust of the data subject by observing and performing such duties and responsibilities as provided for in PIPA and other related statutes. This includes the establishment of an internal management plan (Article 29 PIPA) as well as appropriate training and supervision of staff (Article 28 PIPA).

(94)

As a means to ensure accountability, Article 31 PIPA in conjunction with Article 32 of the PIPA Enforcement Decree creates an obligation for controllers to designate a privacy officer that ‘comprehensively takes charge of personal information processing’. In particular, such privacy officer is tasked to perform the following functions: (1) establishing and implementing a personal data protection plan and drawing up of the privacy policy, (2) conducting regular surveys on the status and practices of personal data processing, with a view to improve any shortcomings, (3) complaint-handling and remedial compensation, (4) establishing an internal control system to prevent the disclosure, abuse or misuse of personal data, (5) preparing and implementing an education program, (6) protecting, controlling and managing personal data files, and (7) destroying personal data once the purpose of processing has been achieved or the retention period has expired. In carrying out these duties, the privacy officer may inspect the status of personal data processing and related systems and may request information thereon (Article 31(3) PIPA). If the privacy officer becomes aware of any violation of PIPA or other relevant data protection statutes, (s)he shall immediately take corrective measures and report such measures to the management (‘head’) of the controller, if necessary (Article 31(4) PIPA). According to Article 31(5) PIPA, the privacy officer must not suffer unjustified disadvantages as a consequence of performing these functions.

(95)

In addition, controllers must proactively endeavour to conduct a privacy impact assessment in the case where the operation of personal data files entails a privacy risk (Article 33(8) PIPA). Based on Article 33(1), (2) PIPA in conjunction with Articles 35, 36 and 38 of the PIPA Enforcement Decree, factors such as the type and nature of the data processed (in particular whether it constitutes sensitive information), its volume, the retention period, and the likelihood of data breaches will be relevant in assessing the degree of risk to the rights of data subjects. The purpose of the privacy impact assessment is to ensure that the privacy risk factors as well as any safety or other countermeasures are analysed, and to indicate matters that need improvement (see Article 33(1) PIPA in conjunction with Article 38 of the PIPA Enforcement Decree).

(96)

Public institutions are under an obligation to carry out an impact assessment when processing certain personal data files which present a higher risk for possible privacy violations (Article 33(1) PIPA). In accordance with Article 35 of the PIPA Enforcement Decree, this is the case, among others, for files that contain sensitive information on at least 50 000 data subjects, files that will be matched with other files and as a result thereof will contain information on at least 500 000 data subjects, or files that contain information on at least one million data subjects. The result of an impact assessment carried out by a public institution must be communicated to the PIPC (Article 33(1) PIPA), which may provide its opinion (Article 33(3) PIPA).

(97)

Finally, Article 13 PIPA provides that the PIPC shall establish policies necessary to promote and support ‘self-regulating data protection activities’ by controllers, among others through education on data protection, the promotion of and support for organisations engaged in data protection, and by assisting controllers in establishing and implementing self-regulatory rules. Moreover, it shall introduce and facilitate the ePRIVACY Mark system. In this respect, Article 32-2 PIPA in conjunction with Articles 34-2 to 34-8 of the PIPA Enforcement Decree provides for the possibility to certify that a controller’s personal data processing and protection system(s) comply with the requirements of PIPA. According to these rules, a certification (118) may be granted (for a period of 3 years) if the controller satisfies the certification criteria determined by the PIPC, including the establishment of managerial, technical and physical safeguards to protect personal data (119). The PIPC must examine the controller’s systems relevant for the certification at least once per year to maintain its effectiveness, which can lead to the revocation of the certification (Article 32(4) PIPA in conjunction with Article 34-5 of the PIPA Enforcement Decree; so-called ‘follow-up management’).

(98)

The Korean framework therefore implements the principle of accountability in a way that ensures a level of protection essentially equivalent to that under Regulation (EU) 2016/679, including by providing for different mechanisms to ensure and demonstrate compliance with PIPA.

(99)

As described in recital (13), the CIA lays down specific rules for the processing of personal credit information by commercial operators. When processing personal credit information, commercial operators therefore need to comply with the general requirements of PIPA, unless the CIA contains more specific rules. This will for example be the case when they process information related to a credit card or bank account in the context of a commercial transaction with an individual. As sectoral legislation for the processing of credit information (both personal and non-personal), the CIA not only imposes specific data protection safeguards (for instance in terms of transparency and security), but also more generally regulates the specific circumstances in which personal credit information may be processed. This is, in particular, reflected in the detailed requirements for the use, the provision of data to a third party and retention of such data.

(100)

Like PIPA, the CIA reflects the principle of lawfulness and proportionality. Firstly, as a general requirement, Article 15(1) CIA only allows the collection of personal credit information by reasonable and fair means and to the smallest extent necessary to serve a specified purpose, in accordance with Article 3(1)-(2) PIPA. Secondly, the CIA specifically regulates the lawfulness of processing of personal credit information, by restricting its collection, use and provision to a third party and generally tying those processing activities to the requirement of consent of the person concerned.

(101)

Personal credit information may be collected based on one of the grounds provided by PIPA or on specific grounds set out in the CIA. Given that Article 45 of Regulation (EU) 2016/679 presupposes a transfer of personal data by a controller or processor in the Union, but does not cover direct collection (such as from the individual or a website) by a controller in Korea, only consent and the grounds available under PIPA are relevant for this Decision. Those grounds include, in particular, scenarios where the transfer is necessary to perform a contract with the individual or for the legitimate interests of the Korean controller (Article 15(1) lit. 4, 6 PIPA) (120).

(102)

Once collected, personal credit information may be used (1) for the original purpose for which it was (directly) provided by the individual (121); (2) for a purpose that is compatible with the original purpose of collection (122); (3) to determine whether to establish or maintain a commercial relationship requested by the individual (123); (4) for the purpose of statistics, research and archiving in the public interest (124) if the information is pseudonymised (125); (5) if further consent is obtained or (6) in accordance with the law.

(103)

If a commercial operator intends to disclose personal credit information to a third party, it must obtain the individual’s consent (126) after informing the individual of the recipient of the data, the purpose of processing by the recipient, the details of the data to be provided, the period of storage by the recipient and the right to refuse consent (Article 32(1) CIA and Article 28(2) CIA Enforcement Decree) (127). This consent requirement does not apply in specific situations, namely where personal credit information is disclosed (128): (1) to an outsourcee for outsourcing purposes (129); (2) to a third party in case of a business transfer, division or merger; (3) for the purpose of statistics, research and archiving in the public interest, where the information is pseudonymised; (4) for a purpose that is compatible with the original purpose of collection; (5) to a third party that uses the information to collect a debt owed by the individual (130); (6) to comply with a court order; (7) to a prosecutor/judicial police officer in an emergency where the individual’s life is in danger or (s)he is expected to suffer bodily injury and no time is available to issue a judicial warrant (131); (8) to competent tax authorities to comply with taxation laws; or (9) in accordance with other laws. In case of disclosure on one of these grounds, the data subject must be notified thereof in advance (Article 32(7) CIA).

(104)

The CIA also specifically regulates the duration of processing of personal credit information on the basis of one of those grounds for use or provision to a third party after the end of the commercial relationship with the individual (132). Only information that was necessary to establish or maintain that relationship may be retained, subject to additional safeguards (it must be kept separately from credit information that relates to individuals with whom a commercial relationship is ongoing, protected by specific security measures and only accessible by authorised individuals) (133). All other data must be deleted (Article 17-2(1) lit. 2 CIA Enforcement Decree). To determine which data was necessary for the commercial relationship, different factors must be taken into account, including whether it would have been possible to establish the relationship without the data and whether it directly relates to the goods or services provided to the individual (Article 17-2(2) CIA Enforcement Decree).

(105)

Even in cases where personal credit information may in principle be kept beyond the end of the commercial relationship, it must be deleted within three months after achieving the further purpose of processing (134) or, in any event, after five years (Article 20-2 CIA). In a limited number of circumstances, personal credit information may be kept for longer than five years, in particular where necessary to comply with a legal obligation; where necessary for the vital interests of an individual’s life, body or property; for the archiving of pseudonymised information (that was used for purposes of scientific research, statistics or archiving in the public interest); or for insurance purposes (in particular for insurance payments or to prevent insurance fraud) (135). In these exceptional cases, specific safeguards apply (such as notification of the individual of the further use, separating the retained information from the information that relates to individuals with whom there is still a commercial relationship, limiting access rights, see Article 17-2(1)-(2) CIA Enforcement Decree).

(106)

The CIA also further specifies the principles of accuracy and data quality, by requiring that personal credit information is ‘registered, modified and managed’ to keep it accurate and up to date (Article 18(1) CIA and Article 15(3) CIA Enforcement Decree) (136). When providing credit information to certain other entities (such as credit rating agencies), commercial operators are also specifically required to verify the accuracy of the information to ensure that only accurate information is registered and managed by the recipient (Article 15(1) CIA Enforcement Decree, in conjunction with Article 18(1) CIA). More generally, the CIA requires records to be kept on the collection, use, third party disclosure and destruction of personal credit information (Article 20(2) CIA) (137).

(107)

Furthermore, the processing of personal credit information is subject to specific requirements with respect to data security. In particular, the CIA requires the implementation of technological, physical and organisational measures to prevent unlawful access to computer systems as well as the alteration, destruction or any other risk to the processed data (for instance by means of access controls, see Article 19 CIA and Article 16 CIA Enforcement Decree). In addition, when exchanging personal credit information with a third party, an agreement must be concluded that lays down specific security measures (Article 19(2) CIA). If a breach of personal credit information occurs, measures to minimise any damage must be taken and the concerned individuals must be notified without delay (Article 39-4(1)-(2) CIA). In addition, the PIPC must be informed about the notification provided to individuals and the measures that have been implemented (Article 39-4(4) CIA).

(108)

The CIA also imposes specific transparency obligations when obtaining consent for the use or provision of personal credit information (Article 32(4) and Article 34-2 CIA and Article 30-3 CIA Enforcement Decree) and, more generally, before providing information to a third party (Article 32(7) CIA) (138). In addition, individuals have a right to obtain information upon request about the use and provision of their credit information to third parties in the three years preceding the request (including the purpose and dates of such use/provision) (139).

(109)

Under the CIA, individuals also have a right to access their personal credit information (Article 38(1) CIA) and to obtain correction of inaccurate data (Article 38(2)-(3) CIA) (140). Moreover, in addition to the general right to erasure under PIPA (see recital (77)), the CIA provides for a specific right to erasure of personal credit information that has been retained beyond the retention periods mentioned in recital (104), i.e. five years (for personal credit information that was necessary to establish or maintain a commercial relationship) or three months (for other types of personal credit information) (141). A request for erasure may exceptionally be refused where further retention is necessary in the circumstances described in recital (105). If an individual requests erasure, but one of the exceptions applies, specific safeguards must be applied to the concerned credit information (Article 38-3(3) CIA and Article 33-3 CIA Enforcement Decree). For example, the information must be kept separately from other information, may only be accessed by an authorised person and must be subject to specific security measures.

(110)

In addition to the rights mentioned in recital (109), the CIA guarantees individuals a right to request a controller to stop contacting them for direct marketing purposes (Article 37(2) of the Act) and a right to data portability. As regards the latter, the CIA allows individuals to request transmission of their personal credit information to themselves or to certain third parties (such as financial institutions and credit rating companies). The personal credit information must be processed and transmitted to the third party in a format that can be processed by an information-processing device (such as a computer).

(111)

To the extent that the CIA contains specific rules compared to PIPA, the Commission therefore considers that also these rules ensure a level of protection essentially equivalent to that afforded under Regulation (EU) 2016/679.

(112)

In order to ensure that an adequate level of data protection is guaranteed in practice, an independent supervisory authority tasked with powers to monitor and enforce compliance with the data protection rules should be in place. This authority should act with complete independence and impartiality in performing its duties and exercising its powers.

(113)

In the Republic of Korea, the independent authority in charge of monitoring and enforcing PIPA is the PIPC. The PIPC is composed of a Chairperson, a Vice Chairperson and seven Commissioners. The Chairperson and Vice Chairperson are appointed by the President upon recommendation of the Prime Minister. Of the Commissioners, two are appointed by the President upon recommendation of the Chairperson and five upon recommendation of the National Assembly (of which two upon recommendation from the political party to which the President belongs and three upon recommendation from other political parties (Article 7-2(2) PIPA), which helps to counteract partisanship in the appointment process) (142). This procedure is in line with the requirements applicable to the appointment of members of data protection authorities in the Union (Article 53(1) of Regulation (EU) 2016/679). Moreover, all Commissioners must abstain from any profit-related business, political activities and from holding positions in public administration or the National Assembly (Articles 7-6 and 7-7(1) lit. 3 PIPA) (143). All Commissioners are subject to specific rules preventing them from participation in deliberations in case of a possible conflict of interest (Article 7-11 PIPA). The PIPC is assisted by a Secretariat (Article 7-13) and may establish sub-commissions (consisting of three Commissioners) to handle minor violations and recurring matters (Article 7-12 PIPA).

(114)

Each member of the PIPC is appointed for three years and may be reappointed once (Article 7-4(1) PIPA). Commissioners may only be dismissed under specific circumstances, namely if they are no longer able to perform their duties due to long-term mental or physical disability, act in violation of the law, or fulfil one of the grounds for disqualification from office (144) (Article 7-5 PIPA). This provides them with institutional protection in the exercise of their functions.

(115)

More generally, Article 7(1) PIPA explicitly guarantees the PIPC’s independence, and Article 7-5(2) PIPA requires Commissioners to perform their duties independently, according to law and their conscience (145). The institutional and procedural safeguards described, including with respect to the appointment and dismissal of its members, ensure that the PIPC acts with complete independence, free from external influence or instructions. Moreover, as a central administrative agency, the PIPC annually proposes its own budget (which is reviewed by the Ministry of Finance as part of the overall national budget before adoption by the National Assembly) and is in charge of its own personnel management. The PIPC has a current budget of about 35 million euro and has 154 staff members (including 40 employees specialised in information and communications technology, 32 employees focusing on investigations and 40 legal experts).

(116)

The tasks and powers of the PIPC are mainly provided for in Articles 7-8 and 7-9, as well as in Articles 61-66 PIPA (146). In particular, the tasks of the PIPC include advising on laws and regulations related to data protection, developing data protection policies and guidelines, investigating infringements of individual rights, handling complaints and mediating disputes, enforcing compliance with PIPA, ensuring education and promotion in the area of data protection, and exchanging and cooperating with third country data protection authorities (147).

(117)

Based on Article 68 PIPA in conjunction with Article 62 of the PIPA Enforcement Decree, certain tasks of the PIPC have been delegated to the Korea Internet and Security Agency, namely: (1) education and public relations, (2) training of specialists and development of criteria for privacy impact assessments, (3) the handling of requests for designating a so-called privacy impact assessment institution, (4) the handling of requests for indirect access to personal data held by public authorities (Article 35(2) PIPA), and (5) the task of requesting materials and carrying out inspections with respect to complaints received through the so-called Privacy Call Centre. In the context of the handling of complaints through the Privacy Call Centre, the Korea Internet and Security Agency transmits the case to the PIPC or to the prosecution if it finds that a violation of the law has occurred. The possibility of submitting a complaint to the Privacy Call Centre does not prevent individuals from directly lodging a complaint with the PIPC or from turning to the PIPC if they consider that their complaint was not satisfactorily handled by the Korea Internet and Security Agency.

(118)

With a view to ensuring compliance with PIPA, the legislator has granted the PIPC both investigatory and enforcement powers, ranging from recommendations to administrative fines. These powers are further complemented by a regime of criminal sanctions.

(119)

As regards investigatory powers, if a violation of PIPA is suspected or has been reported, or where necessary for the protection of data subject rights against infringements, the PIPC may conduct on-site inspections and request all relevant materials (such as articles and documents) from personal data controllers (Article 63 PIPA in conjunction with Article 60 of the PIPA Enforcement Decree) (148).

(120)

In terms of enforcement, under Article 61(2) PIPA, the PIPC may provide advice to data controllers on how to improve the level of personal data protection of specific processing activities. Data controllers must make good faith efforts to implement such advice and are required to inform the PIPC of the outcome. Moreover, when there are reasonable grounds to believe that a violation of PIPA has occurred and failure to take action is likely to cause damage that is difficult to remedy, the PIPC may impose corrective measures (Article 64(1) PIPA) (149). Section 5 of Notification 2021-5 (Annex I) clarifies, with binding effect, that these conditions are fulfilled with respect to the violation of any PIPA provision that protects the privacy rights of individuals with respect to personal information (150). The measures that the PIPC is empowered to take include ordering cessation of the conduct causing the violation, temporary suspension of the data processing or any other necessary measures. Failure to comply with a corrective measure may lead to a sanction by means of a fine of a maximum amount of 50 million won (Article 75(2) lit. 13 PIPA).

(121)

With respect to certain public authorities (such as the National Assembly, central administrative agencies, local government bodies and the courts), Article 64(4) PIPA provides that the PIPC may ‘recommend’ any of the corrective measures mentioned in recital (120) and that these authorities are required to comply with such a recommendation unless there are extraordinary circumstances. According to Section 5 of Notification 2021-5, this refers to extraordinary factual or legal circumstances of which the PIPC was not aware when making its recommendation. The concerned public authority may only invoke such extraordinary circumstances if it clearly demonstrates that no infringement occurred and the PIPC determines that this is indeed not the case. Otherwise, the public authority has to follow the PIPC’s recommendation and ‘take a corrective measure, including to immediately stop the action, and compensate for damages in the exceptional case where an illegal act was nevertheless committed.’

(122)

The PIPC may also request other administrative agencies with specific competence under sectoral legislation (e.g. health, education) to carry out an investigation – alone or jointly with the PIPC – into (suspected) privacy violations by controllers operating in these sectors under their jurisdiction, and to impose corrective measures (Article 63(4)-(5) PIPA). In that case, the PIPC determines the grounds, object and scope of the investigation (151). In turn, the relevant administrative agency must submit an inspection plan to the PIPC and notify the PIPC of the result of the inspection. The PIPC can recommend a specific corrective measure to be taken, which the relevant agency must endeavour to implement. In any event, such a request does not limit the PIPC’s competence to carry out its own investigation or impose sanctions.

(123)

In addition to its corrective powers, the PIPC may impose administrative fines between 10 and 50 million won for infringements of various PIPA requirements (Article 75 PIPA) (152). Among others, this includes non-compliance with the requirements for the lawfulness of processing, failure to take the necessary security measures, failure to notify data subjects in case of a data breach, non-compliance with the requirements for sub-processing, failure to establish and disclose a privacy policy, failure to designate a privacy officer, or failure to act upon a request by the data subject in the exercise of his or her individual rights, as well as certain procedural violations (non-cooperation during an investigation). In case of breaches of several provisions of PIPA by the same controller, a fine may be imposed for each violation, and the number of individuals affected will be taken into account in setting the level of the fine.

(124)

Moreover, where reasonable grounds exist to suspect a violation of PIPA or any other ‘data protection-related statutes’, the PIPC may submit a criminal complaint to the competent investigative agency (such as a prosecutor, see Article 65(1) PIPA). In addition, the PIPC may advise the controller to take disciplinary action against the person responsible (including the manager in charge, see Article 65(2) PIPA). Upon receiving such advice, the controller must comply (153) with it and must notify the PIPC in writing of the result (Article 65 of PIPA in conjunction with Article 58 of the PIPA Enforcement Decree).

(125)

As regards advice pursuant to Article 61, corrective measures pursuant to Article 64, accusation or advice for disciplinary action pursuant to Article 65 and the imposition of administrative fines pursuant to Article 75 PIPA, the PIPC may publicise the facts – i.e. the infringement, the entity having infringed the law and the imposed measure(s) – by posting them on its website or in a general, nationwide daily newspaper (Article 66 PIPA in conjunction with Article 61(1) of the PIPA Enforcement Decree) (154).

(126)

Finally, compliance with the data protection requirements in PIPA (as well as other ‘data protection-related statutes’) is supported by a regime of criminal sanctions. In this respect, Articles 70-73 PIPA contain penalty provisions that can lead to the imposition of either a fine (between 20 and 100 million won) or imprisonment (with the maximum sentence varying between 2 and 10 years). Relevant infringements include, among others, the use of personal data or provision of such data to a third party without the necessary consent, the processing of sensitive information contrary to the prohibition in Article 23(1) PIPA, non-compliance with applicable safety requirements resulting in the personal data being lost, stolen, divulged, forged, altered or damaged, failure to take the necessary measures to correct, erase or suspend personal data, or unlawful transfer of personal data to a third country (155). According to Article 74 PIPA, in each of these cases the employee, agent or representative of the controller as well as the controller itself shall be liable (156).

(127)

In addition to the criminal sanctions provided in PIPA, the misuse of personal data may also constitute an offence under the Criminal Act. This is the case in particular with respect to the violation of the secrecy of letters, documents or electronic records (Article 316), the disclosure of information subject to professional secrecy (Article 317), fraud by use of computers (Article 347-2) as well as embezzlement and breach of trust (Article 355).

(128)

The Korean system therefore combines different types of sanctions, from corrective measures and administrative fines to criminal sanctions, which are likely to have a particularly strong deterrent effect on controllers and the individuals handling the data. Immediately after its establishment in 2020, the PIPC started to make use of its powers. The PIPC’s annual report 2021 shows that the PIPC already issued a number of recommendations, administrative fines and corrective orders, both against the public sector (around 34 public authorities) and private operators (around 140 companies) (157). Notable cases include, for example, the imposition of a fine of 6,7 billion won in December 2020 on a company for violating different provisions of PIPA (including security requirements, requirements for consent for third party provision and transparency) (158) and a fine of 103,3 million won in April 2021 on an AI technology company (for violating, amongst other provisions, the rules on lawfulness of processing, in particular consent, and the processing of pseudonymised information) (159). In August 2021, the PIPC finalised another investigation into the activities of three companies, which led to corrective measures and the imposition of fines of up to 6,47 billion won (inter alia, for failing to inform individuals about the disclosure of personal data to third parties, including transfers to third countries) (160). Also, already before the recent reform, South Korea had a strong track record of enforcement, with the responsible authorities making use of the full range of enforcement actions, including administrative fines, corrective measures, and ‘naming and sharing’ with respect to a variety of controllers, including communication service providers (Korea Communications Commission), as well as commercial operators, financial institutions, public authorities, universities and hospitals (Ministry of Interior and Safety) (161). On this basis, the Commission concludes that the Korean system ensures the effective enforcement of the data protection rules in practice, thereby guaranteeing a level of protection essentially equivalent to that under Regulation (EU) 2016/679.

(129)

In order to ensure adequate protection and in particular the enforcement of individual rights, the data subject should be provided with effective administrative and judicial redress, including compensation for damages.

(130)

The Korean system provides individuals with various mechanisms to effectively enforce their rights and obtain (judicial) redress.

(131)

As a first step, individuals who consider that their data protection rights or interests have been violated can turn to the relevant controller. According to Article 30(1) lit. 5 PIPA, the controller’s privacy policy shall among others include information on the rights of data subjects and how to exercise them. Moreover, it shall provide contact information – such as the name and telephone number of the privacy officer or the department responsible for data protection – to allow the filing of complaints (‘grievances’). Within the organisation of the controller, the privacy officer is charged with handling complaints, the adoption of corrective measures in case of a privacy violation and remedial compensation (Article 31(2) lit. 3, (4) PIPA). The latter is relevant, for instance, in case of a data breach as the controller has to inform the data subject of the contact point(s) for reporting any damage, among others (Article 34(1) lit. 5 PIPA).

(132)

In addition, PIPA offers several redress avenues to individuals against controllers. Firstly, any individual who considers that his or her data protection rights or interests have been violated by the controller may report such infringement directly to the PIPC and/or one of the specialised institutions designated by the PIPC to receive and handle complaints; this includes the Korea Internet and Security Agency, which for that purpose operates a personal information call centre (the so-called ‘Privacy Call Centre’) (Article 62(1), (2) PIPA in conjunction with Article 59 of the PIPA Enforcement Decree). The Privacy Call Centre investigates and establishes infringements, provides counselling in relation to personal data processing (Article 62(3) PIPA) and may report infringements to the PIPC (but cannot take enforcement measures itself). The Privacy Call Centre receives a large numbers of complaints/requests (e.g. 177 457 in 2020, 159 255 in 2019 and 164 497 in 2018). (162) According to information received from the PIPC, the PIPC itself received around 1 000 complaints between August 2020 and August 2021. In response to a complaint, the PIPC may issue an advice for improvements, corrective measures, an ‘accusation’ to the competent investigative agency (including a prosecutor) or advice for disciplinary action (see Articles 61, 64 and 65 PIPA). Decisions of the PIPC (such as a refusal to handle a complaint or a rejection on substance of a complaint) can be challenged under the Administrative Litigation Act (163).

(133)

Second, according to Articles 40 to 50 PIPA in conjunction with Articles 48-14 to 57 of the PIPA Enforcement Decree, data subjects may bring claims to a so-called ‘Dispute Mediation Committee’, which consist of representatives appointed by the Chairperson of the PIPC from members of the Senior Executive Service of the PICP and individuals appointed based on their experience in the area of data protection from among certain eligible groups (see Article 40(2), (3) and (7) PIPA, Article 48-14 of the PIPA Enforcement Decree) (164). The possibility to make use of mediation before the Dispute Mediation Committee provides an alternative avenue to obtain redress, but does not limit the right of the individual to instead turn to the PIPC or courts. In order to examine the case, the Committee may request the disputing parties to provide necessary materials and/or call for relevant witnesses to appear before it (Article 45 PIPA). Once the matter has been clarified, the Committee prepares a draft mediation award (165) on which a majority of its members must agree. Draft mediation may include suspension of the violation, necessary remedies (including restitution or compensation) as well as any measures necessary to prevent recurrence of the same or similar violation(s) (Article 47(1) PIPA). Where both parties agree to the mediation award, it will have the same effect as a settlement in court (Article 47(5) PIPA). Neither of the parties is prevented from initiating a court action while mediation is ongoing, in which case the latter will be suspended (see Article 48(2) PIPA) (166). Annual figures issued by the PIPC show that individuals regularly make use of the procedure before the Dispute Mediation Committee, which often leads to a successful outcome. For example, in 2020, the Committee handled 126 cases, of which 89 were resolved before the Committee (with 77 cases where the parties already reached an agreement before the mediation process ended and 12 cases where the parties accepted the mediation proposal), leading to a 70,6 % mediation rate. (167) Similarly, in 2019, the Committee handled 139 cases, of which 92 were resolved, leading to a 62,2 % mediation rate.

(134)

Moreover, where at least 50 individuals suffer damage, or their data protection rights have been violated in the same or similar manner following from the same (type of) incident (168), a data subject or a data protection organisation may apply for collective dispute mediation on behalf of such a collectivity; other data subjects may apply to join such mediation, which will be publicly announced by the Dispute Mediation Committee (Article 49(1) to (3) of PIPA in conjunction with Articles 52 to 54 of the PIPA Enforcement Decree) (169). The Dispute Mediation Committee may select at least one person who most appropriately represents the common interest as a representative party (Article 49(4) PIPA). Where the controller rejects collective dispute mediation or does not accept the mediation award, certain organisations (170) may file a class-action lawsuit to address the violation (Articles 51 to 57 PIPA).

(135)

Thirdly, in case of a privacy violation causing ‘damage’ to the individual, the data subject has a right to appropriate redress in a ‘prompt and fair procedure’ (Article 4 lit. 5 with Article 39 PIPA) (171). The controller may exculpate itself by proving the absence of fault (‘wrongful intent’ or negligence). Where the data subject suffers damage as a result of loss, theft, divulgence, forgery, alteration or damage of/to his or her personal data, the Court may determine compensation of up to three times the actual damage, taking into account a number of factors (Article 39(3), (4) PIPA). Alternatively, the data subject may claim a ‘reasonable amount’ of compensation not exceeding 3 million won (Article 39-2(1), (2) PIPA). Moreover, in accordance with the Civil Act, compensation may be claimed from any person ‘who causes losses to or inflicts injuries on another person by an unlawful act, intentionally or negligently’ (172) or from a person ‘who has injured the person, liberty or fame of another or has inflicted any mental anguish to another person’ (173). Such tort liability following from the violation of data protection rules has been confirmed by the Supreme Court (174). If damage has been caused by unlawful action of a public authority, a claim for compensation may furthermore be filed under the State Compensation Act (175). A claim under the State Compensation Act may be filed with a specialised ‘Compensation Council’, or directly with the Korean courts (176). State liability also covers non-material damage (such as mental suffering) (177). If the victim is a foreign national, the State Compensation Act applies as long as his or her country of origin equally ensures state compensation for Korean nationals (178).

(136)

Fourthly, the Supreme Court has recognised that individuals have a right to claim injunctive relief for infringements of their rights under the Constitution, including the right to the protection of personal data (179). In this context, a court may for instance order controllers to suspend or stop any unlawful activity. In addition, data protection rights, including the rights protected by PIPA, can be enforced via civil actions. This horizontal application of the constitutional protection of privacy to relationships between private parties has been recognised by the Supreme Court (180).

(137)

Finally, individuals may file a criminal complaint pursuant to the Criminal Procedure Act (Article 223) with a public prosecutor or judicial police officer (181).

(138)

The Korean system therefore offers various avenues to obtain redress, from easily accessible, low cost options (for instance by contacting the Privacy Call Centre or through (collective) mediation) to administrative (before the PIPC) and judicial avenues, including with the possibility to obtain compensation for damages.

(139)

The Commission also assessed the limitations and safeguards, including the oversight and individual redress mechanisms available in Korean law as regards the collection and subsequent use by Korean public authorities of personal data transferred to controllers in Korea in the public interest, in particular for criminal law enforcement and national security purposes (government access). In this respect, the Korean government has provided the Commission with official representations, assurances and commitments signed at the highest ministerial and agency level that are contained in Annex II to this Decision.

(140)

In assessing whether the conditions under which government access to data transferred to Korea under this Decision fulfil the ‘essential equivalence’ test pursuant to Article 45(1) of Regulation (EU) 2016/679, as interpreted by the Court of Justice of the European Union in light of the Charter of Fundamental Rights, the Commission took into account in particular the following criteria.

(141)

Firstly, any limitation to the right to the protection of personal data must be provided for by law and the legal basis which permits the interference with such a right must itself define the scope of the limitation on the exercise of the right concerned (182).

(142)

Secondly, in order to satisfy the requirement of proportionality, according to which derogations from and limitations to the protection of personal data must apply only in so far as is strictly necessary in a democratic society to meet specific objectives of general interest equivalent to those recognized by the Union, the legislation of the third country in question which permits the interference must lay down clear and precise rules governing the scope and application of the measures in question and impose minimum safeguards so that the persons whose data has been transferred have sufficient guarantees to protect effectively their personal data against the risk of abuse (183). The legislation must, in particular, indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted (184) as well as subject the fulfilment of such requirements to independent oversight (185).

(143)

Thirdly, that legislation and its requirements must be legally binding under domestic law. This concerns first of all the authorities of the third country in question, but these legal requirements must also be enforceable before courts against those authorities (186). In particular, data subjects must have the possibility of bringing legal action before an independent and impartial tribunal in order to have access to their personal data, or to obtain the rectification or erasure of such data (187).

(144)

The limitations and safeguards that apply to the collection and subsequent use of personal data by Korean public authorities follow from the overarching constitutional framework, specific laws that regulate their activities in the areas of criminal law enforcement and national security, as well as the rules that specifically apply to the processing of personal data.

(145)

Firstly, access to personal data by Korean public authorities is governed by general principles of legality, necessity and proportionality that follow from the Korean Constitution (188). In particular, fundamental rights and freedoms (including the right to privacy and the right to privacy of correspondence) (189) may only be restricted by law and when necessary for national security, or the maintenance of law and order for public welfare. Such restrictions may not affect the essence of the right or freedom at stake. With respect to searches and seizures specifically, the Constitution provides that they may only take place as provided by law, on the basis of a warrant issued by a judge and in respect of due process (190). Finally, individuals can invoke their rights and freedoms before the Constitutional Court if they believe that they have been infringed by public authorities in the exercise of their powers (191). Similarly, individuals that have suffered damages because of an unlawful act committed by a public official in the course of official duties have a right to claim just compensation (192).

(146)

Secondly, as described in more detail in sections 3.2.1 and 3.3.1, the general principles mentioned in recital (145) are also reflected in the specific laws that regulate the powers of law enforcement and national security authorities. For example, with respect to criminal investigations, the Criminal Procedure Act (CPA) provides that compulsory measures may only be taken where explicitly provided for in the CPA and to the least extent necessary to achieve the purpose of the investigation (193). Similarly, Article 3 of the Communications Privacy Protection Act (CPPA) prohibits access to private communications except on the basis of the law and subject to the limitations and safeguards set out therein. In the area of national security, the National Intelligence Service Act (NIS Act) provides that any access to communications or location information must comply with the law and subjects abuse of power and violations of the law to criminal sanctions (194).

(147)

Thirdly, the processing of personal data by public authorities, including for law enforcement and national security purposes, is subject to data protection rules under PIPA (195). As a general principle, Article 5(1) PIPA requires public authorities to develop policies to prevent ‘abuse and misuse of personal information, indiscrete surveillance and tracking, etc. and to enhance the dignity of human beings and individual privacy.’ In addition, any controller must process personal data in a manner which minimises the possibility of infringing upon the privacy of the data subject (Article 3(6) PIPA).

(148)

All PIPA requirements, as described in detail in section 2, apply to the processing of personal data for law enforcement purposes. This includes the core principles (such as lawfulness and fairness, purpose limitation, accuracy, data minimisation, storage limitation, security and transparency), obligations (for instance with respect to data breach notification and sensitive data) and rights (to obtain access, correction, deletion and suspension).

(149)

While the processing of personal data for national security purposes is subject to a more limited set of provisions under PIPA, the core principles, as well as the rules on oversight, enforcement and redress, apply (196). More specifically, Articles 3 and 4 PIPA lay down the general data protection principles (lawfulness and fairness, purpose limitation, accuracy, data minimisation, security and transparency) and individual rights (the right to be informed, the right of access, and the rights to correction, deletion and suspension) (197). Article 4(5) PIPA furthermore provides individuals with the right to appropriate redress for any damage arising out of the processing of their personal data in a prompt and fair procedure. This is complemented by more specific obligations to only process personal data to the minimum extent necessary to attain the intended purpose and for the minimum period, to put in place the necessary measures to ensure safe data management and appropriate processing (such as technical, managerial and physical safeguards), as well as to put in place measures for the appropriate handling of individual grievances (complaints) (198). Finally, the general principles of legality, necessity and proportionality from the Korean Constitution (see recital (145)) also apply to the processing of personal data for national security purposes.

(150)

These general limitations and safeguards can be invoked by individuals before independent oversight bodies (e.g. the PIPC and/or the National Human Rights Commission, see recitals (177) - (178)) and courts (see recitals (179) - (183)) to obtain redress.

(151)

The law of the Republic of Korea imposes a number of limitations on the access and use of personal data for criminal law enforcement purposes, and provides oversight and redress mechanisms which are in line with the requirements referred to in recitals (141) to (143) of this Decision. The conditions under which such access can take place and the safeguards applicable to the use of those powers are assessed in detail in the following sections.

(152)

Personal data processed by Korean controllers that would be transferred from the Union under this Decision (199) may be collected by Korean authorities for criminal law enforcement purposes in the context of a search or seizure (on the basis of the CPA), by accessing communication information (on the basis of the CPPA), or by obtaining subscriber data through requests for voluntary disclosure (on the basis of the Telecommunications Business Act, TBA) (200).

(153)

The CPA provides that a search or seizure may only take place if a person is suspected of a crime, it is necessary for the investigation and a connection is established between the investigation and the person to be searched or article to be inspected or seized (201). Moreover, a search or seizure (as any compulsory measure) may only be authorised/carried out to the least extent necessary (202). If a search concerns a computer disc or other data storage medium, in principle only the necessary data itself (copied or printed out) will be seized rather than the entire medium (203). The latter may only be seized when it is considered substantially impossible to print out or copy the required data separately, or when it is considered substantially impracticable to otherwise accomplish the purpose of the search (204). The CPA therefore lays down clear and precise rules on the scope and application of these measures, thereby ensuring that the interference with the rights of individuals in case of a search or seizure will be limited to what is necessary for a specific criminal investigation and proportionate to the pursued purpose.

(154)

In terms of procedural safeguards, the CPA requires that a warrant is obtained from a court to carry out a search or seizure (205). A warrantless search or seizure is only exceptionally allowed, namely in urgent circumstances (206), in loco at the moment of arrest or detention of a criminal suspect (207), or where an article is discarded or voluntarily produced by a criminal suspect or third person (as regards personal data, by the concerned individual him/herself) (208). Illegal searches and seizures are subject to criminal sanctions (209) and any evidence that is obtained in violation of the CPA is considered inadmissible (210). Finally, the concerned individuals must always be notified about a search or seizure (including a seizure of their data) without delay (211), which will in turn facilitate the exercise of the individual’s substantive rights and the right to redress (see in particular the possibility to challenge the execution of a seizure warrant, see recital (180)).

(155)

On the basis of the CPPA, Korean criminal law enforcement authorities may take two types of measures (212): on the one hand, the collection of ‘communication confirmation data’ (213), which includes the date of telecommunications, their start- and end-time, the number of outgoing and incoming calls as well as the subscriber number of the other party, the frequency of use, log files on the use of telecommunication services and location information (for instance from transmission towers where signals are received); and, on the other hand, ‘communication-restricting measures’, which cover both the collection of the content of traditional mail and the direct interception of the content of telecommunications (214).

(156)

Communication confirmation data may only be accessed when necessary to conduct a criminal investigation or execute a sentence (215), on the basis of a warrant issued by a court (216). In this respect, the CPPA requires that detailed information is provided both in the application for the warrant (e.g. on the reasons for the request, the relation with the target/subscriber and the necessary data) and in the warrant itself (e.g. on the objective, target and scope of the measure) (217). Warrantless collection may only take place when grounds of urgency make it impossible to obtain court permission, in which case the warrant must be obtained and communicated to the telecommunication provider immediately after requesting the data (218). If the court refuses to grant subsequent permission, the collected information must be destroyed (219).

(157)

In terms of additional safeguards with respect to the collection of communication confirmation data, the CPPA imposes specific record-keeping and transparency requirements (220). In particular, both criminal law enforcement authorities (221) and telecommunication providers (222) must keep records of requests and disclosures made. In addition, criminal law enforcement must in principle notify individuals of the fact that their communication confirmation data has been collected (223). Such notification may only be deferred in exceptional circumstances, on the basis of an authorisation from the director of a competent district public prosecutors’ office (224). Such an authorisation may only be provided when notification is likely to (1) endanger national security, public security and order, (2) cause death or bodily injury, (3) impede fair judicial proceedings (for instance leading to the destruction of evidence or threatening of witnesses), or (4) defame the suspect, victims or other persons related to the case, or invade their privacy. In those cases, notification must be provided within 30 days once the ground(s) for deferral cease to exist (225). Upon notification, individuals have a right to obtain information about the reasons for the collection of their data (226).

(158)

Stricter rules apply with respect to communication-restricting measures, which may only be used when there is substantial reason to suspect that certain serious crimes specifically listed in the CPPA are being planned, are being committed, or have been committed (227). Moreover, communication-restricting measures may only be taken as a measure of last resort and where it is difficult to otherwise prevent the commission of a crime, arrest a criminal, or collect evidence (228). They must immediately be discontinued once they are no longer necessary, to ensure that the infringement of the privacy of communications is as limited as possible (229). Information that has been illegally obtained by means of communication-restricting measures is not admitted as evidence in judicial or disciplinary proceedings (230).

(159)

In terms of procedural safeguards, the CPPA requires that a court warrant is obtained in order to carry out communication-restricting measures (231). Again, the CPPA requires that the application for a warrant and the warrant itself contain detailed information (232), including on the justification for the request, as well as the communications to be collected (which must be those of the suspect under investigation) (233). Such measures may only be taken without a warrant in case of an imminent threat of organised crime or where another serious crime that may directly cause death or serious injury is imminent, and an emergency exists that makes it impossible to go through the regular procedure (234). However, in that case an application for a warrant must be filed immediately after the measure is taken (235). Communication-restricting measures may only be carried out for a maximum period of two months (236) and may only be extended with court approval if the conditions for carrying out the measures continue to be met (237). The extended period may not exceed a total of one year, or three years for certain particularly serious crimes (such as crimes related to insurrection, foreign aggression, national security) (238).

(160)

As is the case for the collection of communication confirmation data, the CPPA requires telecommunication providers (239) and law enforcement authorities (240) to keep records of the execution of communication-restriction measures, and provides for notification of the concerned individual, which may exceptionally be deferred where necessary on important public interest grounds (241).

(161)

Finally, non-compliance with several of the limitations and safeguards of the CPPA (including for instance the obligations for obtaining a warrant, record-keeping and notification of the individual), both with respect to the collection of communication confirmation data and the use of communication-restricting measures, are subject to criminal sanctions (242).

(162)

The powers of criminal law enforcement authorities to collect communications data on the basis of the CPPA (both the content of communications and communication confirmation data) are therefore circumscribed by clear and precise rules, and are subject to a number of safeguards. These safeguards in particular guarantee oversight of the execution of such measures, both ex ante (through prior judicial approval) and ex post (through record-keeping and reporting requirements), and facilitate individuals’ access to effective remedies (by ensuring that they are informed about the collection of their data).

(163)

In addition to relying on the compulsory measures described in recitals (153) - (162), Korean law enforcement authorities may ask telecommunication providers for ‘communications data’ on a voluntary basis, in support of a criminal trial, investigation or the execution of a sentence (Article 83(3) TBA). This possibility only exists with respect to limited datasets, i.e. the name, resident registration number, address and phone number of users, the dates on which users subscribe or terminate their subscription as well as user identification codes (meaning codes used to identify the rightful user of computer systems or communication networks) (243). Since only individuals that directly contract services from a Korean telecommunications provider are considered ‘users’ (244), EU individuals whose data has been transferred to the Republic of Korea would normally not fall within this category (245).

(164)

Different limitations apply to such voluntary disclosures, both to the exercise of powers by the law enforcement authority and the response of the telecommunication operator. As a general requirement, law enforcement authorities must act in accordance with the constitutional principles of necessity and proportionality (Articles 12(1) and 37(2) of the Constitution), including when they request information on a voluntary basis. In addition, they have to comply with PIPA, in particular by only collecting minimum personal data, to the extent necessary to achieve a legitimate purpose, in a manner to minimise the impact on the privacy of individuals (such as Article 3(1), (6) PIPA). More specifically, requests to obtain communications data on the basis of the TBA must be made in writing and state the reasons for the request, the link to the relevant user and the scope of the requested data (246).

(165)

Telecommunication providers are not required to comply with such requests and may only do so in accordance with PIPA. This means, in particular, that they must balance the different interests at stake and may not provide the data if doing so would likely infringe unfairly on the interests of the individual or a third party (247). This would for example be the case if it is clear that the requesting authority abused its authority (248). Telecommunication operators must keep records of disclosures under the TBA and report twice per year to the Minister of Science and ICT (249).

(166)

In addition, in accordance with Section 3 of Notification No 2021-5 (Annex I), telecommunication providers in principle have to notify the concerned individual when they voluntarily comply with a request (250). This will in turn enable the individual to exercise his/her rights and, in case his/her data is disclosed unlawfully, obtain redress, either against the controller (for instance for disclosing the data in violation of PIPA or for responding to a request that was clearly disproportionate) or against the law enforcement authority (for instance for acting beyond the limits of what is necessary and proportionate or for not respecting the procedural requirements of the TBA).

(167)

The processing of personal data collected by Korean criminal law enforcement authorities is subject to all requirements of PIPA, including with respect to purpose limitation (Article 3(1)-(2) PIPA), lawfulness of use and provision to third parties (Articles 15, 17 and 18 PIPA), international transfers (Articles 17 and 18 PIPA, in conjunction with Section 2 of Notification 2021-5) (251), proportionality/data minimisation (Article 3(1),(6) PIPA) and storage limitation (Article 21 PIPA) (252).

(168)

With respect to the content of communications acquired through the execution of communication-restricting measures, the CPPA specifically limits the possible use thereof to the investigation, prosecution or prevention of serious crimes (253); disciplinary proceedings for the same crimes; claims for damages raised by a party to the communications or where this is specifically allowed by other laws (254). Moreover, collected content of telecommunications transmitted over the internet may only be retained with the approval from the court that authorised the communication-restricting measures (255), with a view of using it for the investigation, prosecution or prevention of serious crimes (256). More generally, the CPPA prohibits the disclosure of confidential information obtained from communication-restricting measures, and the use of such information to damage the reputation of those that were subject to the measures (257).

(169)

In Korea, the activities of criminal law enforcement authorities are supervised by different bodies (258).

(170)

Firstly, the police is subject to internal oversight by an Inspector-General (259), which carries out legality control, including with respect to possible human rights violations. The Inspector-General was established to implement the Act on Public Sector Audits, which encourages the creation of self-auditing bodies and lays down specific requirements for their composition and tasks. In particular, the Act requires that the head of a self-auditing body is appointed from outside the relevant authority (such as former judges, professors) for a period of two to five years (260), can only be dismissed for justified reasons (for instance when unable to perform duties due to health reasons, or when subject to disciplinary action) (261) and is guaranteed independence to the largest extent possible (262). The obstruction of a self-audit is subject to administrative fines (263). Audit reports (which may include recommendations, requests for disciplinary action, and requests for compensation or correction) are communicated to the head of the relevant public authority, the Board of Audit and Inspection (BAI) (264) and, generally, made public (265). The results of the implementation of the report must also be notified to the BAI (266) (see recital (173) on the oversight role and powers of the BAI).

(171)

Secondly, the PIPC oversees compliance of data processing by criminal law enforcement authorities with PIPA and other laws that protect the privacy of individuals, including the laws that regulate the collection of (electronic) evidence for criminal law enforcement purposes, as described in section 3.2.1 (267). In particular, as the oversight of the PIPC extends to the lawfulness and fairness of data collection and processing (Article 3(1) PIPA), which will be infringed if personal data is accessed and used in violation of those laws (268), the PIPC can also investigate and enforce compliance with the limitations and safeguards described in section 3.2.1 (269). In exercising this oversight role, the PIPC can make use of all of its investigatory and remedial powers, as described in detail in section 2.4.2. Already before the recent reform of PIPA (i.e. in its previous supervisory role for the public sector), the PIPC carried out several oversight activities into the processing of personal data by criminal law enforcement authorities, e.g. in the context of the interrogation of suspects (Case No. 2013-16, 26 August 2013), with respect to the provision of notices to individuals about the imposition of administrative fines (Case No. 2015-02-04, 26 January 2015), the sharing of data with other authorities (Case No. 2018-15-146, 9 July 2018, Case No. 2018-25-308, 10 December 2018; Case No. 2019-02-015, 29 January 2019), the collection of fingerprints or photographs (Case No. 2019-17-273, 9 September 2019), the use of drones (Case No. 2020-01-004, 13 January 2020). In those cases, the PIPC investigated compliance with several provisions of PIPA (e.g. lawfulness of processing, the principles of purpose limitation and data minimisation) but also relevant provisions of other laws such as the Criminal Procedure Act, and, where necessary issued recommendations to bring the processing in line with data protection requirements.

(172)

Thirdly, independent oversight is provided by the National Human Rights Commission (NHRC) (270), which can investigate violations of the rights to privacy and privacy of correspondence as part of its general mandate to protect the fundamental rights of Articles 10-22 of the Constitution. The NHRC is comprised of 11 Commissioners that have to meet specific qualifications (271) and are appointed by the President in accordance with procedures laid down by law. In particular, four commissioners are appointed upon nomination by the National Assembly, four upon nomination by the President and three upon nomination by the Chief Justice of the Supreme Court (272). The Chairperson is appointed by the President from among the Commissioners and must be confirmed by the National Assembly (273). Commissioners (including the Chairperson) are appointed for a renewable term of three years and may only be dismissed when they are sentenced to imprisonment or are no longer capable of performing their duties due to prolonged physical or mental weakness (in which case two thirds of the Commissioners must agree to the dismissal) (274). As part of an investigation, the NHRC may request the submission of relevant materials, conduct inspections and summon individuals to testify (275). In terms of remedial powers, the NHRC may issue (public) recommendations to improve or correct specific policies and practices, to which public authorities must respond with a proposed implementation plan (276). If the concerned authority fails to implement recommendations, it must inform the Commission thereof (277), which may in turn disclose such failure to the National Assembly, and/or make it public. According to the official representation from the Korean government (section 2.3.5 of Annex II), Korean authorities generally comply with NHRC recommendations and have a strong incentive to do so as their implementation has been assessed as part of a general, continuous evaluation under the authority of the Prime Minister’s Office. Annual figures on its activities show that the NHRC is actively overseeing the activities of criminal law enforcement authorities, either on the basis of individual petitions or by means of ex officio investigations (278).

(173)

Fourthly, general oversight of the legality of activities of public authorities is carried out by the BAI, which examines the revenue and expenditure of the State, but also, more generally, oversees compliance with the duties of public authorities with a view to improving the operation of public administration (279). The BAI is formally established under the President of the Republic of Korea, but retains an independent status with respect to its duties (280). In addition, it is granted full independence with respect to the appointment, dismissal and organisation of its staff, and the compilation of its budget (281). The BAI consists of a Chairperson (appointed by the President, with the consent of the National Assembly) (282) and six commissioners (appointed by the President upon recommendation of the Chairperson) (283), which must meet specific qualifications laid down by law (284) and may only be dismissed in case of impeachment, sentencing to imprisonment or inability to perform their duties due to long-term mental or physical weakness (285). The BAI conducts a general audit on an annual basis, but may also conduct specific audits on matters of special interest. In carrying out an audit or inspection, the BAI may request the submission of documents and request the attendance of individuals (286). The BAI may issue recommendations, request disciplinary actions, or file a criminal complaint (287).

(174)

Finally, the National Assembly carries out parliamentary oversight of public authorities through investigations and inspections (288) of their activities (289). It may request the disclosure of documents, compel the appearance of witnesses (290), recommend corrective measures (if it concludes that unlawful or improper activities have taken place) (291) and make the results of its findings public (292). Where the National Assembly requests that corrective measures are taken – which may, for instance, include awarding compensation, taking disciplinary action or improving internal procedures – the concerned public authority is required to act without delay and report on the outcome to the National Assembly (293).

(175)

The Korean system offers different (judicial) avenues to obtain redress, including compensation for damages.

(176)

Firstly, PIPA provides individuals with a right of access, correction, deletion and suspension with respect to the personal data processed for criminal law enforcement purposes (294).

(177)

Secondly, individuals can make use of the different redress mechanisms offered by PIPA if their data has been processed by a criminal law enforcement authority in violation of PIPA or in violation of the limitations and safeguards governing the collection of personal data in other laws (i.e. the CPA or CPPA, see recital (171)). In particular, individuals may lodge a complaint with the PIPC (including through the Privacy Call Centre operated by the Korea Internet and Security Agency (295)) or the Personal Information Dispute Mediation Committee (296). These redress possibilities are not subject to further admissibility requirements. On the basis of the Administrative Litigation Act, individuals may furthermore appeal/challenge the decisions or inaction of the PIPC (see recital (132)).

(178)

Thirdly, any individual (297) may lodge a complaint before the NHRC concerning a violation of the right to privacy and data protection by a Korean criminal law enforcement authority. The NHRC may recommend the rectification or improvement of any relevant statute, institution, policy or practice (298), or the implementation of remedies such as mediation (299), cessation of the human rights violation, compensation for damages and measures to prevent recurrence of the same or similar violations (300). According to the official representation from the Korean government (section 2.4.2 of Annex II), this may also include the deletion of unlawfully collected personal data. While the NHRC does not have the power to issue binding decisions, it offers a more informal, low cost and easily accessible redress avenue, in particular because, as explained in Annex II, section 2.4.2, it does not require demonstrating an injury in fact for a complaint to be investigated (301). This ensures that complaints of individuals concerning the collection of their data can be investigated, even if an individual is not in a position to demonstrate that his/her data was in fact collected (e.g. because notification of the individual has not yet taken place). The NHRC’s annual activity reports show that individuals are also making use of this avenue in practice to challenge activities of criminal law enforcement authorities, including with respect to the handling of personal data (302). If an individual is not satisfied with the outcome of a procedure before the NHRC, it may challenge the NHRC’s decisions (such as a decision not to continue the investigation of a complaint (303)) and recommendations before the Korean courts under the Administrative Litigation Act (see recital (181)) (304). Moreover, a procedure before the NHRC can further facilitate access to courts, as an individual could seek further redress against the public authority that unlawfully processed his/her data on the basis of the findings of the NHRC, in accordance with the procedures described in recitals (181)-(183).

(179)

Finally, different judicial remedies are available, allowing individuals to invoke the limitations and safeguards described in section 3.2.1 to obtain redress (305).

(180)

With respect to seizures (including of data), the CPA provides for the possibility to object to or challenge the execution of a warrant through a ‘quasi-complaint’, by petitioning the competent court with a request to cancel or alter a disposition made by a prosecutor or police officer (306).

(181)

More generally, individuals may challenge the actions (307) or omissions (308) of public authorities (including criminal law enforcement authorities) under the Administrative Litigation Act (309). Administrative action is considered a ‘challengeable disposition’ if it directly impacts on civil rights and duties (310), which, as confirmed by the Korean government (section 2.4.3 of Annex II), is the case for measures to collect personal data, be it directly (for instance by intercepting communications), by way of binding disclosure requests (for instance to a service provider) or requests for voluntary cooperation. For a complaint under the Administrative Litigation Act to be admissible, an individual must have a legal interest in pursuing the claim (311). According to case law of the Supreme Court, ‘legal interest’ is interpreted as a ‘legally protected interest’, i.e. a direct and specific interest protected by laws and regulations on which administrative dispositions are based (meaning not general, indirect and abstract interests of the public) (312). Individuals have such a legal interest in case of any violation of the limitations and safeguards that apply to the collection of their personal data for criminal law enforcement purposes (under specific laws or PIPA). On the basis of the Administrative Litigation Act, a court may decide to revoke or alter an illegal disposition, issue a finding of nullity (i.e. a finding that the disposition does not have legal effect or its non-existence in the legal order) or issue a finding that an omission is illegal (313). A final judgment under the Administrative Litigation Act is binding on the parties (314).

(182)

In addition to challenging government action via administrative litigation, individuals may also file a constitutional complaint with the Constitutional Court regarding any infringement of their fundamental rights due to the exercise or non-exercise of governmental power (excluding judgments of the courts) (315). If other remedies are available, these must be exhausted first. According to the case law of the Constitutional Court, foreign nationals may file a constitutional complaint to the extent their basic rights are recognised under the Korean Constitution (see the explanations in section 1.1) (316). The Constitutional Court may invalidate the exercise of governmental power that caused the infringement or confirm that a certain failure to act is unconstitutional (317). In that case, the relevant authority is required to take measures to comply with the decision of the Court.

(183)

Moreover, individuals may obtain compensation for damages before the Korean courts. This first of all includes the possibility to claim compensation for violations of PIPA committed by criminal law enforcement authorities, in accordance with Article 39 (see also recital (135)). More generally, individuals may apply for compensation for damages inflicted by public officials in performing their official duties in violation of the law, on the basis of the State Compensation Act (see also recital (135)) (318).

(184)

The mechanisms described in recitals (176) - (183) provide data subjects with effective administrative and judicial remedies, enabling them in particular to enforce their rights, including the right to have access to their personal data, or to obtain the rectification or erasure of such data.

(185)

The law of the Republic of Korea contains a number of limitations and safeguards with respect to the access and use of personal data for national security purposes, and provides oversight and redress mechanisms which are in line with the requirements referred to in recitals (141) to (143) of this Decision. The conditions under which such access can take place and the safeguards applicable to the use of these powers are assessed in detail in the following sections.

(186)

In the Republic of Korea, personal data may be accessed for national security purposes on the basis of the CPPA, the TBA and the Act on Anti-Terrorism for the Protection of Citizens and Public Security (Anti-Terrorism Act) (319). The main authority (320) with competences in the area of national security is the National Intelligence Service (NIS) (321). The collection and use of personal data by the NIS must comply with relevant legal requirements (including PIPA and the CPPA) (322) and general guidelines prepared by the President and reviewed by the National Assembly (323). As a general principle, the NIS must maintain political neutrality and protect the freedom and rights of individuals (324). In addition, NIS staff must not abuse their official authority to force any institution, organisation or individual to do anything they are not obligated to do (under law), nor obstruct any person’s exercise of his or her rights (325).

(187)

On the basis of the CPPA, Korean public authorities (326) may collect communication confirmation data (i.e. the date of telecommunications, their start- and end-time, the number of outgoing and incoming calls as well as the subscriber number of the other party, the frequency of use, log files on the use of telecommunication services and location information, see recital (155)) and the content of communications (by means of communication-restricting measures, see recital (155)) for national security purposes (as determined by the mandate of the NIS, see footnote 322 earlier). These powers extend to two types of information: (1) communications to which one or both parties are Korean nationals (327); and (2) communications of a) countries hostile to the Republic of Korea, b) foreign agencies, groups or nationals suspected of engaging in anti-Korean activities (328), or c) members of groups operating within the Korean Peninsula but effectively beyond the sovereignty of the Republic of Korea and their umbrella groups based in foreign countries (329). Communications of EU individuals transferred from the Union to the Republic of Korea on the basis of this Decision can therefore only be collected under the CPPA for national security purposes (subject to the conditions set out in recitals (188) - (192)) if, either, they are between an EU individual and a Korean national, or, if they concern communications exclusively between non-Korean nationals, fall within one of the three mentioned categories 2a), b) and c).

(188)

In both scenarios, the collection of communication confirmation data may only take place for the purpose of preventing threats to national security (330) while communication-restricting measures may only be taken when there is a grave risk to national security and the collection is necessary to prevent it (331). In addition, the content of communications may only be accessed as a measure of last resort and efforts must be made to minimize the violation of the privacy of communications (332), thereby ensuring that it remains proportionate to the national security objective pursued. The collection of both the content of communications and communication confirmation data may only last for a maximum period of four months, and must be discontinued immediately if the pursued objective is achieved earlier (333). If the relevant conditions continue to be fulfilled, the period may be extended, with the prior permission of a court (for the measures described in recital (189)) or the President (for the measures described in recital (190)) (334), for up to four months.

(189)

The same procedural safeguards apply to the collection of communication confirmation data and the content of communications (335). In particular, where at least one of the individuals involved in the communication is a Korean national, the intelligence agency must submit a written request to the High Prosecutors’ Office, which in turn must apply for a warrant from a senior Chief Justice of the High Court (336). The CPPA lists the information that must be provided in the request to the Prosecutor, the application for the warrant and the warrant itself, which includes, in particular, the justification for the request and main grounds for suspicion, supporting materials, as well as information on the objective, target (i.e. the targeted individual(s)), scope and duration of the proposed measure (337). Warrantless collection may only take place if there is an act of conspiracy that threatens national security and an emergency exists that makes it impossible to go through the aforementioned procedures (338). However, also in that case an application for a warrant must be filed immediately after the measure is taken (339). The CPPA therefore clearly defines the scope and conditions of these types of collection, and subjects them to specific (procedural) safeguards (including prior judicial approval), which ensures that the use of such measures is limited to what is necessary and proportionate. Moreover, the requirement to provide detailed information in both the application for a warrant and the warrant itself rules out the possibility of indiscriminate access.

(190)

For communications between non-Korean nationals that fall within one of the three specific categories listed in recital (187), an application must be filed with the Director of the NIS, who, after a review of the appropriateness of the proposed measures, must request prior written approval from the President of the Republic of Korea (340). The application prepared by the intelligence agency must include the same detailed information as an application for a court warrant (see recital (189)), in particular on the justification for the request and the main grounds for suspicion, supporting materials and information on the objectives, targeted individual(s), scope and duration of the proposed measures (341). In emergency situations (342), prior approval from the Minister to whom the relevant intelligence agency belongs must be obtained, although the intelligence agency must apply for the approval of the President immediately after the emergency measures have been taken (343). Also with respect to the collection of communications between exclusively non-Korean nationals, the CPPA therefore limits the use of such measures to what is necessary and proportionate, by clearly circumscribing the limited categories of individuals that may be subject to such measures and by laying down detailed criteria that intelligence agencies have to demonstrate to justify an application for the collection of information. Moreover, this again rules out the possibility of indiscriminate access. While there is no prior independent approval of such measures, independent oversight is ensured ex post by, in particular, the PIPC and NHRC (see for instance recitals (199) - (200)).

(191)

The CPPA furthermore imposes several additional safeguards that contribute to ex post oversight and facilitate individuals’ access to effective remedies. Firstly, with respect to any type of collection for national security purposes, the CPPA provides for different record-keeping and reporting requirements. In particular, when requesting the cooperation of private operators, intelligence agencies have to provide the court warrant/presidential permission or a copy of the cover of an emergency censorship statement, which the compelled entity must keep in its files (344). Where private operators are compelled to cooperate, records must be kept by both the requesting public authority and the relevant operator on the purpose and object of the measures, as well as the date of execution (345). In addition, intelligence agencies have to report on the information they have gathered and the outcome of the surveillance activity to the Director of the NIS (346).

(192)

Secondly, individuals have to be notified about the collection of their data (communication confirmation data or the content of communications) for national security purposes if it concerns communications where at least one of the parties is a Korean national (347). This notification must be provided in writing within 30 days from the date on which the collection ended (including where the data was obtained in accordance with the emergency procedure) and may only be deferred if and as long as it would put national security at risk or would harm people’s life and physical safety (348). Irrespective of such notification, individuals may obtain redress via different avenues, as explained in more detail in section 3.3.4.

(193)

The Anti-Terrorism Act provides that the NIS may collect data on terrorist suspects (349) in accordance with the limitations and safeguards laid down in other laws (350). In particular, the NIS may obtain communications data (on the basis of the CPPA) and other personal information (through a request for voluntary disclosure) (351). With respect to the collection of communications information (i.e. the content of communications or communication confirmation data), the limitations and safeguards described in section 3.3.1.1 apply, including the requirement of obtaining a court approved warrant. As regards requests for voluntary disclosure of other types of personal data of terrorist suspects, the NIS must comply with the requirements under the Constitution and PIPA on necessity and proportionality (see recital (164)) (352). Controllers receiving such requests may comply on a voluntary basis under the conditions set out in PIPA (for instance in accordance with the principle of data minimisation and by limiting the impact on the privacy of the individual) (353). In this case, they also have to comply with the requirement to notify the concerned individual following from Notification No 2021-5 (see recital (166)).

(194)

On the basis of the TBA, telecommunication providers may voluntarily disclose subscriber data (see recital (163)) upon request of an intelligence agency that intends to collect such information to prevent a threat to national security (354). As regards such requests from the NIS, the same limitations (following from the Constitution, PIPA and the TBA) apply as in the area of criminal law enforcement, as set out in recital (164) (355). Telecommunication providers are not required to comply and can only do so under the conditions set out in PIPA (in particular in accordance with the principle of data minimisation and by limiting the impact on the privacy of the individual, see also recital (193)). The same requirements with respect to record-keeping and notification of the concerned individual apply as in the area of criminal law enforcement (see recitals (165) and (166)).

(195)

The processing of personal data collected by Korean authorities for national security purposes is subject to the principles of purpose limitation (Article 3(1)-(2) PIPA), lawfulness and fairness of processing (Article 3(1) PIPA), proportionality/data minimisation (Articles 3(1), (6) and 58 PIPA), accuracy (Article 3(3) PIPA), transparency (Article 3(5) PIPA), security (Article 58(4) PIPA) and storage limitation (Article 58(4) PIPA) (356). Possible disclosure of personal data to third parties (including third countries) can only take place in accordance with these principles (in particular purpose limitation and data minimisation), after having assessed compliance with the principles of necessity and proportionality (Article 37(2) of the Constitution) and taking into account the impact on the rights of the individuals concerned (Article 3(6) PIPA).

(196)

As regards the content of communications and communication confirmation data, the CPPA further limits the use of such data to judicial proceedings, where a party relating to the communication relies on them in a claim for damages; or allowed uses under other laws (357).

(197)

The activities of Korean national security authorities are supervised by different bodies (358).

(198)

Firstly, the Anti-Terrorism Act provides for specific oversight mechanisms for counterterrorism activities, including the collection of data on terrorism suspects. In particular, at the level of the executive, counterterrorism activities are overseen by the Counterterrorism Commission (359), to which the Director of the NIS is required to report on investigations and the tracing of terrorist suspects to collect information or materials necessary for counterterrorism activities (360). In addition, the Human Rights Protection Officer (HRPO) specifically oversees compliance of counterterrorism activities with fundamental rights (361). The HRPO is appointed by the Chairperson of the Counterterrorism Commission among individuals that meet specific qualifications listed in the Enforcement Decree of the Anti-Terrorism Act (362) for a (renewable) term of two years and may only be removed from office on specific, limited grounds and for good cause (363). In exercising its oversight function, the HRPO may issue general recommendations for improving the protection of human rights (364) and specific recommendations for corrective measures if a human rights violation has been established (365). Public authorities are required to inform the HRPO of the follow-up provided to its recommendations (366).

(199)

Secondly, the PIPC oversees compliance by national security authorities with data protection rules, which includes both the applicable provisions of PIPA (see recital (149)) and the limitations and safeguards that apply to the collection of personal data under other laws (the CPPA, Anti-Terrorism Act and TBA, see also recital (171)) (367). In exercising this oversight role, the PIPC can make use of all of its investigatory and remedial powers, as described in detail in section 2.4.2.

(200)

Thirdly, the activities of national security authorities are subject to the independent oversight of the NHRC, in accordance with the procedures described in recital (172) (368).

(201)

Fourthly, the oversight function of the BAI also extends to national security authorities, although the NIS may, in exceptional circumstances, refuse to provide certain information or materials, i.e. when they constitute state secrets and public knowledge would have a serious impact on national security (369).

(202)

Finally, parliamentary oversight of the activities of the NIS is carried out by the National Assembly (through a specialised Intelligence Committee) (370). The CPPA establishes a specific oversight role for the National Assembly with respect to the use of communication-restricting measures for national security purposes (371). In particular, the National Assembly may conduct on-the-spot inspections of wiretapping equipment and may require both the NIS and telecommunication operators that have disclosed the content of communications to report thereon. The National Assembly may also carry out its general oversight functions (in accordance with the procedures described in recital (174)). The NIS Act requires the Director of the NIS to respond without delay when the Intelligence Committee requests a report on a specific matter (372), with specific rules for certain particularly sensitive information. Concretely, the Director of the NIS may only refuse to reply or testify before the Committee in exceptional circumstances, i.e. if the request relates to state secrets concerning military, diplomatic or North Korea-related issues where public knowledge could have a serious impact on the country’s ‘national destiny’ (373). In this case, the Intelligence Committee may request an explanation from the Prime Minister and, if no explanation is provided within seven days, the reply or testimony may not be refused.

(203)

Also in the area of national security, the Korean system offers different (judicial) avenues to obtain redress, including compensation for damages. These mechanisms provide data subjects with effective administrative and judicial remedies, enabling them in particular to enforce their rights, including the right to have access to their personal data, or to obtain the rectification or erasure of such data.

(204)

Firstly, pursuant to Articles 3(5) and 4(1), (3) and (4) PIPA, individuals can exercise their rights of access, correction, deletion and suspension vis-à-vis national security authorities. Section 6 of Notification No 2021-5 (Annex I to this Decision) further clarifies how these rights apply in the context of data processing for national security purposes. In particular, a national security authority may only limit or deny the exercise of the right to the extent and for as long as necessary and proportionate to protect an important objective of public interest (for instance to the extent that, and for as long as, granting the right would jeopardise an ongoing investigation or threaten national security), or where granting the right may cause damage to the life or body of a third party. Invoking such a restriction therefore requires a balancing of the rights and interests of the individual against the relevant public interest and may not, in any event, affect the essence of the right (Article 37(2) of the Constitution). Where the request is denied or restricted, the individual must be notified of the reasons without delay.

(205)

Secondly, individuals have a right to obtain redress under PIPA if their data has been processed by a national security authority in violation of PIPA or the limitations and safeguards in other laws governing the collection of personal data (in particular the CPPA, see recital (171)) (374). This right can be exercised through a complaint to the PIPC (including via the Privacy Call Centre operated by the Korea Internet and Security Agency) (375). Moreover, to facilitate easier access to redress against Korean national security authorities, EU individuals may submit a complaint to the PIPC through their national data protection authority. (376) In this case, the PIPC will notify the individual via the national data protection authority once the investigation is concluded (including, where applicable, with information about the corrective measures imposed). On the basis of the Administrative Litigation Act, individuals may furthermore appeal/challenge the decisions or inaction of the PIPC (see recital (132)).

(206)

Thirdly, individuals may lodge a complaint with the HRPO about the infringement of their right to privacy/data protection in the context of counterterrorism activities (i.e. pursuant to the Anti-Terrorism Act) (377), which can recommend corrective action. As there are no admissibility requirements before the HRPO, a complaint will be handled even if the concerned individual cannot demonstrate that (s)he has in fact been injured (for instance because of the alleged unlawful collection of his/her data by a national security authority) (378). The relevant authority must inform the HRPO of any measures taken to implement its recommendations.

(207)

Fourthly, individuals may lodge a complaint with the NHRC concerning the collection of their data by national security authorities and obtain redress in accordance with the procedure described in recital (178) (379).

(208)

Finally, different judicial remedies are available (380), allowing individuals to invoke the limitations and safeguards described in section 3.3.1 to obtain redress. In particular, individuals may challenge the legality of actions of national security authorities on the basis of the Administrative Litigation Act (in accordance with the procedure described in recital (181) or the Constitutional Court Act (see recital (182)). In addition, they may obtain compensation for damages on the basis of the State Compensation Act (as described in more detail in recital (183)).

(209)

The Commission considers that the Republic of Korea – through PIPA, the special rules applicable to certain sectors (as analysed in Section 2) and the additional safeguards provided in Notification No 2021-5 (Annex I) – ensures a level of protection for personal data transferred from the European Union that is essentially equivalent to the one guaranteed by Regulation (EU) 2016/679.

(210)

Moreover, the Commission considers that, taken as a whole, the oversight mechanisms and redress avenues in Korean law enable infringements of the data protection rules by controllers in Korea to be identified and addressed in practice and offer legal remedies to the data subject to obtain access to his/her personal data and, eventually, the rectification or erasure of such data..

(211)

Finally, on the basis of the available information about the Korean legal order, including the representations, assurances and commitments from the Korean government contained in Annex II, the Commission considers that any interference in the public interest, in particular criminal law enforcement and national security purposes, by Korean public authorities with the fundamental rights of individuals whose personal data are transferred from the European Union to the Republic of Korea will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists.

(212)

Therefore, in the light of the findings of this Decision, it should be decided that the Republic of Korea ensures an adequate level of protection within the meaning of Article 45 of Regulation (EU) 2016/679, interpreted in light of the Charter of Fundamental Rights of the European Union, for personal data transferred from the European Union to the Republic of Korea to personal information data controllers in the Republic of Korea subject to PIPA, with the exception of religious organisations to the extent they process personal data for their missionary activities; political parties to the extent they process personal data in the context of the nomination of candidates and controllers that are subject to oversight by the Financial Services Commission for the processing of personal credit information pursuant to the Credit Information Act, to the extent they process such information.

(213)

Member States and their organs are required to take the measures necessary to comply with acts of the Union institutions, as the latter are presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality.

(214)

Consequently, a Commission adequacy decision adopted pursuant to Article 45(3) of Regulation (EU) 2016/679 is binding on all organs of the Member States to which it is addressed, including their independent supervisory authorities. In particular, transfers from a controller or processor in the European Union to controllers in the Republic of Korea may take place without the need to obtain any further authorisation.

(215)

It should be recalled that, pursuant to Article 58(5) of Regulation (EU) 2016/679 and as explained by the Court of Justice in the Schrems judgment (381), where a national data protection authority questions, including upon a complaint, the compatibility of a Commission adequacy decision with the fundamental rights of the individual to privacy and data protection, national law must provide it with a legal remedy to put those objections before a national court which may be required to make a reference for a preliminary ruling to the Court of Justice (382).

(216)

According to the case law of the Court of Justice, (383) and as recognised in Article 45(4) of Regulation (EU) 2016/679, the Commission should continuously monitor relevant developments in the third country after the adoption of an adequacy decision in order to assess whether the third country still ensures an essentially equivalent level of protection. Such a check is required, in any event, when the Commission receives information giving rise to a justified doubt in that respect.

(217)

Therefore, the Commission should on an on-going basis monitor the situation in the Republic of Korea as regards the legal framework and actual practice for the processing of personal data as assessed in this Decision, including compliance by the Korean authorities with the representations, assurances and commitments contained in Annex II. To facilitate this process, the Korean authorities are invited to promptly inform the Commission of material developments relevant to this Decision, as regards the processing of personal data by business operators and public authorities, as well as the limitations and safeguards applicable to access to personal data by public authorities.

(218)

Moreover, in order to allow the Commission to effectively carry out its monitoring function, the Member States should inform the Commission about any relevant action undertaken by the national data protection authorities, in particular regarding queries or complaints by EU data subjects concerning the transfer of personal data from the European Union to data controllers in the Republic of Korea. The Commission should also be informed about any indications that the actions of Korean public authorities responsible for the prevention, investigation, detection or prosecution of criminal offences, or for national security, including any oversight bodies, do not ensure the required level of protection.

(219)

In application of Article 45(3) of Regulation (EU) 2016/679 (384), and in the light of the fact that the level of protection afforded by the Korean legal order may be liable to change, the Commission, following the adoption of this Decision, should periodically review whether the findings relating to the adequacy of the level of protection ensured by the Republic of Korea are still factually and legally justified.

(220)

To this end, this Decision should be subject to a first review within three years after its entry into force. Following that first review, and depending on its outcome, the Commission will decide in close consultation with the Committee established under Article 93(1) of Regulation (EU) 2016/679 whether the three-year-cycle should be maintained. In any case, the subsequent reviews should take place at least every four years (385). The review should cover all aspects of the functioning of this Decision, and in particular the application of the additional safeguards contained in Annex I to this Decision, with special attention paid to protections afforded in case of onward transfers; relevant case law developments; the rules on the processing of pseudonymised information for purposes of statistics, scientific research and archiving in the public interest, as well as the application of the exceptions under Article 28(7) PIPA; the effectiveness of the exercise of individual rights, including before the recently reformed PIPC, and the application of exceptions to those rights; the application of the partial exemptions under PIPA; as well as the limitations and safeguards with respect to government access (as set out in Annex II to this Decision), including the cooperation of the PIPC with EU data protection authorities on complaints from individuals. It should also cover the effectiveness of oversight and enforcement, as regards PIPA and in the area of criminal law enforcement and national security (in particular by the PIPC and NHRC).

(221)

To perform the review, the Commission should meet with the PIPC, accompanied, where appropriate, by other Korean authorities responsible for government access, including relevant oversight bodies. The participation in this meeting should be open to representatives of the members of the European Data Protection Board. In the framework of the review, the Commission should request the PIPC to provide comprehensive information on all aspects relevant for the adequacy finding, including on the limitations and safeguards concerning government access (386). The Commission should also seek explanations on any information relevant for this Decision that it has received, including public reports by Korean authorities or other stakeholders in Korea, the European Data Protection Board, individual data protection authorities, civil society groups, media reports, or any other available source of information.

(222)

On the basis of the review, the Commission should prepare a public report to be submitted to the European Parliament and the Council.

(223)

Where available information, in particular information resulting from the monitoring of this Decision or provided by Korean or Member States’ authorities, reveals that the level of protection afforded by the Republic of Korea may no longer be adequate, the Commission should promptly inform the competent Korean authorities thereof and request that appropriate measures be taken within a specified, reasonable timeframe.

(224)

If, at the expiry of that specified timeframe, the competent Korean authorities fail to take those measure or otherwise demonstrate satisfactorily that this Decision continues to be based on an adequate level of protection, the Commission will initiate the procedure referred to in Article 93(2) of Regulation (EU) 2016/679 with a view to partially or completely suspend or repeal this Decision.

(225)

Alternatively, the Commission will initiate that procedure with a view to amend the Decision, in particular by subjecting data transfers to additional conditions or by limiting the scope of the adequacy finding only to data transfers for which an adequate level of protection continues to be ensured.

(226)

In particular, the Commission should initiate the procedure for suspension or repeal in case of indications that the additional safeguards contained in Annex I are not complied with by business operators receiving personal data under this Decision and/or are not effectively enforced, or that the Korean authorities fail to comply with the representations, assurances and commitments contained in Annex II to this Decision.

(227)

The Commission should also consider initiating the procedure leading to the amendment, suspension or repeal of this Decision if, in the context of the review or otherwise, the competent Korean authorities fail to provide the information or clarifications necessary for the assessment of the level of protection afforded to personal data transferred from the European Union to the Republic of Korea, or as regards compliance with this Decision. In this respect, the Commission should take into account the extent to which the relevant information can be obtained from other sources.

(228)

On duly justified imperative grounds of urgency, the Commission will make use of the possibility to adopt, in accordance with the procedure referred to in Article 93(3) of Regulation (EU) 2016/679, immediately applicable implementing acts suspending, repealing or amending the Decision.

(229)

The European Data Protection Board published its opinion (387), which has been taken into consideration in the preparation of this Decision.

(230)

The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 93(1) Regulation (EU) 2016/679.