EUROPEAN DATA PROTECTION BOARD: EDPB adopts opinion on draft South Korea Adequacy Decision

The EDPB adopted its opinion on the European Commission’s draft adequacy decision for the Republic of Korea. The EDPB focused on general GDPR aspects and on access by public authorities to personal data transferred from the European Economic Area (EEA) to the Republic of Korea for the purposes of law enforcement and national security, including the legal remedies available to individuals in the EEA. The EDPB also assessed whether the safeguards provided under the Korean legal framework are effective.

Opinion 32/2021 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679 on the adequate protection of personal data in the Republic of Korea:


This adequacy decision is of paramount importance, as it will cover transfers in both the public and the private sector. A high level of data protection is essential to support our long-standing ties with South Korea and to safeguard the rights and freedoms of individuals. While we underline that core aspects of the Korean data protection framework are essentially equivalent to those of the European Union, we call on the Commission to further clarify certain aspects and to closely monitor the situation.

On the general data protection framework, the EDPB notes that there are key areas of alignment between the EU and South Korean data protection frameworks with regard to certain core provisions, such as:

  • data protection concepts (e.g. personal information; processing; data subject);
  • grounds for lawful processing for legitimate purposes;
  • purpose limitation;
  • data retention, security and confidentiality; and
  • transparency.

The EDPB welcomes the efforts made by the European Commission and the Korean authorities to ensure that the Republic of Korea provides a level of data protection essentially equivalent to that of the GDPR. One example is the adoption of notifications by the South Korean data protection authority (PIPC), which aim to fill the gaps between the GDPR and the Korean data protection framework, such as the additional protections provided by Notification No 2021-1.

The EDPB invites the European Commission to provide further information on the binding nature, the enforceability and validity of Notification No 2021-1, and would recommend an attentive monitoring of this in practice.

On the access by public authorities to data transferred to the Republic of Korea, the EDPB notes that PIPA’s provisions apply without limitation in the area of law enforcement. The EDPB further notes that data processing in the area of national security is subject to a more limited set of provisions enshrined in PIPA, although PIPA’s core principles, as well as the fundamental guarantees for data subject rights and the provisions on supervision, enforcement and remedies, do apply to the access and use of personal data by national security authorities. The South Korean constitution also enshrines essential data protection principles, which are applicable to the access to personal data by public authorities in the areas of law enforcement and national security. In addition, the EDPB agrees with the Commission’s conclusion that South Korea can be considered to have an independent and effective supervisory system.

Finally, regarding effective remedies and rights of redress, the EDPB asks the Commission to clarify the substantive and/or procedural requirements, such as a burden of proof, to which a complaint with the PIPC or any action before a court is subject, and whether EU individuals would be able to meet such a precondition.

For its assessment, the EDPB used the GDPR Adequacy Referential and the EDPB Recommendations 2/2020 on the European Essential Guarantees for surveillance measures, as well as existing CJEU and ECtHR case law concerning access by public authorities.
