Review of Additional Consent Regarding Overseas Transfer of Personal Information
Article posted in 2024-08-01 15:05:32 | VEAT
Law firm Veat received a request from a global site operator A (hereinafter referred to as "the client") to review whether to obtain additional consent related to overseas transfer of personal information.
Companies operating global businesses must satisfy various legal requirements when transferring personal information overseas. Law firm Veat’s personal information team reviewed whether additional consent from the data subject was required regarding the overseas transfer of personal information when the Korean branch provides or entrusts personal information collected with the data subject's consent to the global headquarters.
Law firm Veat’s personal information team reviewed legal issues arising from the process of the Korean branch providing personal information collected with the data subject's consent to the global headquarters located in Europe. In particular, the team focused on whether separate consent from the data subject was required when the headquarters re-entrusted the personal information to a sub-contractor.
Method of Overseas Transfer of Personal Information
The method of transferring personal information can generally occur in two ways.
1. Provision to a Third Party, meaning the transfer of personal information for the benefit or purpose of the 'recipient';
2. Entrustment of Personal Information Processing, meaning that the transfer of personal information occurs in the process of achieving the purpose or benefit of the original personal information processor.
The distinction between these methods of personal information transfer, and the legally mandated obligations that apply accordingly, are equally applicable when personal information is transferred overseas rather than domestically. Law firm Veat distinguished these two methods and reviewed whether additional consent was required for each.
Recently Amended "Personal Information Protection Act"
The recently amended Article 28(8) of the "Personal Information Protection Act" more clearly defines the requirements for overseas transfer of personal information, to prevent personal information from being transferred overseas against the will of the data subject in the global era, and to ensure that personal information is safely transferred and managed.
The amended "Personal Information Protection Act" integrates the personal information overseas transfer regulations that previously distinguished between online and offline, requiring all personal information processors, including information and communication service providers, to comply with the same obligations.
Furthermore, two additional items were added to the requirements for overseas transfer of personal information. The first is when the personal information overseas transfer has received certification from the Personal Information Protection Committee (Article 28(1)(4)), and the second is when the Personal Information Protection Committee recognizes that the personal information recipient country or international organization has personal information protection standards equivalent to our law (Article 28(1)(5)).
Previously, when entrusting personal information processing or storing it overseas, overseas transfer was only possible without the data subject's consent if the personal information processing policy included relevant information. However, with this amendment, personal information can now be transferred overseas without the data subject's consent not only when entrusting or storing it, but also when the Personal Information Protection Committee certifies it or when it is a country or international organization recognized by the committee. However, overseas transfer is still limited without the data subject's consent in the case of entrustment or storage, only when it is for the purpose of concluding and performing a contract.
We thoroughly reviewed this amended "Personal Information Protection Act" to minimize legal risks, protect the rights of data subjects, and provide advice so that the Korean branch and global headquarters can comply with the Personal Information Protection Act while carrying out operations smoothly. This is crucial for understanding the complexities of personal information protection and overseas transfer, and for developing appropriate legal response measures.
Law firm Veat supports companies in minimizing legal risks and protecting the rights of data subjects based on our understanding of the Personal Information Protection Act’s regulations regarding overseas transfer of personal information. If you are facing legal issues related to personal information protection, please feel free to contact Law firm Veat so that you can resolve them safely and legally.
Personal information protection laws are constantly amended, and Law firm Veat’s personal information team monitors the latest legal trends related to personal information and applies them to clients’ business models to minimize legal risks and ensure legal stability.
Law firm Veat’s partners, Jo Eun-byeol and Baek Seung-cheol, have been reappointed as advisors to the Personal Information Protection Committee, providing practical assistance to companies based on their deep understanding and expertise in the Personal Information Protection Act. In particular, Jo Eun-byeol was selected as an outstanding external counsel by the Personal Information Protection Committee and received an award, further highlighting her expertise in personal information related matters.
If you need legal advice regarding overseas transfer of personal information, please contact Law firm Veat at any time.
Thank you.
Law firm Veat