Most Popular
-
1
[Exclusive] Korean military set to ban iPhones over 'security' concerns
![[Exclusive] Korean military set to ban iPhones over 'security' concerns](//res.heraldm.com/phpwas/restmb_idxmake.php?idx=644&simg=/content/image/2024/04/23/20240423050599_0.jpg&u=20240423183955)
-
2
Korean, Romanian leaders discuss defense tech, nuclear energy
-
3
S. Korea calls on Japan to confront history amid Yasukuni Shrine visit
-
4
Yoon’s jailed mother-in-law excluded from latest parole list
-
5
Hybe and Min Hee-jin, CEO of Hybe sublabel Ador, lock horns
![[Exclusive] Korean military set to ban iPhones over 'security' concerns](http://res.heraldm.com/phpwas/restmb_idxmake.php?idx=644&simg=/content/image/2024/04/23/20240423050599_0.jpg&u=20240423183955)
-
6
[Pressure points] Leggings in public: Fashion statement or social faux pas?
![[Pressure points] Leggings in public: Fashion statement or social faux pas?](//res.heraldm.com/phpwas/restmb_idxmake.php?idx=644&simg=/content/image/2024/04/23/20240423050669_0.jpg&u=)
-
7
Korea’s homegrown nanosatellite successfully launches into space
-
8
Aging population to drive down Korea's housing prices from 2040: experts
-
9
Over-50s, men, single-person households take up majority of those filing for bankruptcy
-
10
[Herald Interview] 'Amid aging population, Korea to invite more young professionals from overseas'
![[Herald Interview] 'Amid aging population, Korea to invite more young professionals from overseas'](//res.heraldm.com/phpwas/restmb_idxmake.php?idx=644&simg=/content/image/2024/04/24/20240424050844_0.jpg&u=20240424200058)
![[Pressure points] Leggings in public: Fashion statement or social faux pas?](http://res.heraldm.com/phpwas/restmb_idxmake.php?idx=644&simg=/content/image/2024/04/23/20240423050669_0.jpg&u=)
![[Herald Interview] 'Amid aging population, Korea to invite more young professionals from overseas'](http://res.heraldm.com/phpwas/restmb_idxmake.php?idx=644&simg=/content/image/2024/04/24/20240424050844_0.jpg&u=20240424200058)
[On the Bar] GDPR compliance basics: What businesses need to know
By Korea HeraldPublished : Oct. 3, 2018 - 15:46
On the Bar is a regular column written by attorneys at Yoon & Yang LLC on various laws and regulations that affect running a business in Korea. The content provided here is general legal information. -- Ed.
The European Union’s General Data Protection Regulation 2016/679, popularly known as GDPR, was adopted in 2016 and took effect May 25, 2018. GDPR differs in many ways from Korean statutes such as the Personal Information Protection Act and tends to be vague about the tasks required of those who handle personal data (called “data processors”).
GDPR also contains stronger penalties for noncompliance, which can include fines of as much as 20 million euros ($23 million) or 4 percent of annual worldwide revenue, whichever is higher. Considering these severe consequences, Korean companies need to prepare appropriately. Below is a brief GDPR compliance checklist outlining the main points you need to know.
The European Union’s General Data Protection Regulation 2016/679, popularly known as GDPR, was adopted in 2016 and took effect May 25, 2018. GDPR differs in many ways from Korean statutes such as the Personal Information Protection Act and tends to be vague about the tasks required of those who handle personal data (called “data processors”).
GDPR also contains stronger penalties for noncompliance, which can include fines of as much as 20 million euros ($23 million) or 4 percent of annual worldwide revenue, whichever is higher. Considering these severe consequences, Korean companies need to prepare appropriately. Below is a brief GDPR compliance checklist outlining the main points you need to know.
The first step is to check the scope of GDPR’s application. If a company or business neither resides in the EU nor provides products or services to an entity residing in the EU, GDPR is not applicable.
Companies must then determine whether their role falls under the category of “controller” (Article 24) or “processor” (Article 28) of data. If the company can determine the method and purpose of personal data processing, it may be deemed a controller.
Also, companies need to have a firm understanding of the legal basis and principles of personal data processing. As GDPR interprets “consent” in a narrow sense, companies should arrange a separate bases for data processing, such as contract implementation.
Most of all, companies should guarantee the rights of all “personal data subjects,” or people who may be identified by a particular set of data.
For example, various types of information should be promptly provided to all data subjects (Articles 13 and 14). Companies are obligated to implement appropriate measures to protect personal data right from the stage when they design their services (Article 25); to take appropriate measures to ensure that only those personal data that are necessary for each specific purpose of the processing are processed; to faithfully maintain records on their personal data-processing activities (Article 30); and to take proper measures to ensure the security of personal data processing (Article 32).
For the security of personal data, companies are advised to refer to the technical and managerial security measures under Korean statutes as well as ISO 27002 and 29151. The data protection officer designation requirement in GDPR also requires attention.
Meanwhile, since many Korean companies need to transfer the personal data of EU data subjects to Korea, they need to find viable methods for making such “overseas transfers.”
In our view, the most effective method is to transfer data on the basis of an adequacy decision (Article 45). Unfortunately, the EU Commission has not yet adopted an adequacy decision for Korea and talks are still ongoing, in contrast with the situation in Japan.
Transfers may be made subject to appropriate safeguards (Article 46), in which case companies would use standard personal data-protection clauses approved by the EU Commission and binding corporate rules approved by supervisory authorities (Article 47), among others.
For companies not subject to GDPR, views diverge on whether to comply right away or watch to see how GDPR is implemented while maintaining the status quo.
However, considering the global trend toward stronger personal-data protection and control in the age of the “fourth industrial revolution,” GDPR compliance may soon become an unavoidable necessity.
It would thus be advisable for Korean companies to understand personal data-processing methods and determine their level of compliance with Korean statutes and GDPR, paying particular attention to requirements within GDPR not found in Korean statutes.
Companies must then determine whether their role falls under the category of “controller” (Article 24) or “processor” (Article 28) of data. If the company can determine the method and purpose of personal data processing, it may be deemed a controller.
Also, companies need to have a firm understanding of the legal basis and principles of personal data processing. As GDPR interprets “consent” in a narrow sense, companies should arrange a separate bases for data processing, such as contract implementation.
Most of all, companies should guarantee the rights of all “personal data subjects,” or people who may be identified by a particular set of data.
For example, various types of information should be promptly provided to all data subjects (Articles 13 and 14). Companies are obligated to implement appropriate measures to protect personal data right from the stage when they design their services (Article 25); to take appropriate measures to ensure that only those personal data that are necessary for each specific purpose of the processing are processed; to faithfully maintain records on their personal data-processing activities (Article 30); and to take proper measures to ensure the security of personal data processing (Article 32).
For the security of personal data, companies are advised to refer to the technical and managerial security measures under Korean statutes as well as ISO 27002 and 29151. The data protection officer designation requirement in GDPR also requires attention.
Meanwhile, since many Korean companies need to transfer the personal data of EU data subjects to Korea, they need to find viable methods for making such “overseas transfers.”
In our view, the most effective method is to transfer data on the basis of an adequacy decision (Article 45). Unfortunately, the EU Commission has not yet adopted an adequacy decision for Korea and talks are still ongoing, in contrast with the situation in Japan.
Transfers may be made subject to appropriate safeguards (Article 46), in which case companies would use standard personal data-protection clauses approved by the EU Commission and binding corporate rules approved by supervisory authorities (Article 47), among others.
For companies not subject to GDPR, views diverge on whether to comply right away or watch to see how GDPR is implemented while maintaining the status quo.
However, considering the global trend toward stronger personal-data protection and control in the age of the “fourth industrial revolution,” GDPR compliance may soon become an unavoidable necessity.
It would thus be advisable for Korean companies to understand personal data-processing methods and determine their level of compliance with Korean statutes and GDPR, paying particular attention to requirements within GDPR not found in Korean statutes.
By Lee Keun-woo, Kim Yoon-sun
Lee Keun-woo is an attorney and partner at the law firm Yoon & Yang LLC, with a special interest in intellectual property and data protection.
Kim Yoon-sun is a US-licensed attorney (foreign attorney) at the law firm Yoon & Yang LLC, with a special interest in intellectual property and data protection.
Lee Keun-woo is an attorney and partner at the law firm Yoon & Yang LLC, with a special interest in intellectual property and data protection.
Kim Yoon-sun is a US-licensed attorney (foreign attorney) at the law firm Yoon & Yang LLC, with a special interest in intellectual property and data protection.
-
Articles by Korea Herald
