On 17 December 2021, the European Commission found by means of an adequacy decision that the Republic of Korea ensures an adequate level of protection with regard to the protection of personal data, in accordance with the General Data Protection Regulation.
Such a decision means that the personal data protection regime in South Korea, as complemented by additional guarantees, assurances and official commitments obtained by the European Commission, offers guarantees "essentially equivalent" to those of the European Union and that transfers of personal data to that country can be carried out as if they were a transfer within the European Economic Area.
It should be noted that this adequacy decision does not apply, however, to transfers of personal credit data to South Korean entities subject to the supervision of the Financial Services Commission, nor to transfers of data to religious organizations or political parties. In such cases, the general regime applicable to transfers of data to third countries not enjoying an adequate level of data protection will continue to apply.
The CNPD contributes to the activities of the European Data Protection Board (EDPB). In this regard, the Luxembourg authority was involved in the evaluation of the European Commission's decision and assessed the impact of the free flow of personal data between the European Union and South Korea on the guarantees and the degree of protection conferred by both economies on European citizens. On 24 September 2021, the EDPB adopted its opinion on the adequacy decision, which is the third to have been adopted under the aegis of the GDPR after that of Japan and the United Kingdom.