Data protection: European Commission launches process for adoption of adequacy decision for the Republic of Korea

Today, the Commission launches the process towards adoption of the adequacy decision for the transfer of personal data to the Republic of Korea. It will cover transfers of personal data to the Republic of Korea’s commercial operators as well as public authorities. If adopted, this decision would provide Europeans with strong protections of their personal data when it is transferred to the Republic of Korea. At the same time, it would complement the EU-Republic of Korea Free Trade Agreement (FTA) and boost cooperation between the EU and the Republic of Korea as leading digital powers. The trade agreement has led to a considerable rise in bilateral trade of goods and services. Ensuring the free flow of personal data to the Republic of Korea through an adequacy decision based on a high level of data protection will support this trade relationship worth nearly € 90 billion.

The draft adequacy decision was published and transmitted to the European Data Protection Board (EDPB) for its opinion. In the past months, the Commission has carefully assessed the Republic of Korea’s law and practices on personal data protection, including the rules on access to data by public authorities. It concludes that the Republic of Korea ensures an essentially equivalent level of protection to the one guaranteed under the General Data Protection Regulation (GDPR).

Věra Jourová, Vice-President for Values and Transparency, said: “This agreement with the Republic of Korea will improve the protection of personal data for our citizens and support business in dynamic trade relations. It is also a sign of an increasing convergence of data protection legislation around the world. In the digitalised economy, free and safe data flows are not a luxury, but a necessity.”

Didier Reynders, Commissioner for Justice said: ”Two years ago, we created the world’s largest area of free and safe data flows with Japan. Soon the Republic of Korea should follow – another important partner in East Asia and another big achievement. The Republic of Korea has a strong track record in the area of data protection. The fact that the EU and the Republic of Korea have similar privacy standards is beneficial to both companies and citizens.”

Key elements

In the Republic of Korea, the processing of personal data is governed by the Personal Information Protection Act (PIPA), which provides similar principles, safeguards, individual rights and obligations as EU law. A major step in the adequacy talks was the recent reform of PIPA, which strengthened the investigatory and enforcement powers of the Personal Information Protection Commission (PIPC), the independent data protection authority of the Republic of Korea. This reform entered into force in August 2020. It confirms the importance of an independent data protection authority vested with effective powers as a central component of a modern data protection system as well as a key element of the growing international convergence in privacy standards.

As part of the adequacy talks, the two sides also agreed on several additional safeguards that will increase the protection of personal data processed in the Republic of Korea. These safeguards will provide for stronger protection with respect, for example, to transparency, sensitive data and onward data transfers. These rules will be binding and enforceable by the PIPC.

As regards possible access to data by public authorities of the Republic of Korea, in particular for law enforcement and national security purposes, the framework established under the adequacy decision will notably rely on the strong oversight role of the PIPC and facilitate EU individuals’ access to redress.

Next Steps

The Commission is now waiting for the opinion of the EDPB and will seek the approval from a committee composed of representatives of the EU Member States. Only once these two steps are completed, could the Commission proceed to adopt the adequacy decision.


Article 45(3) of the General Data Protection Regulation grants the Commission the power to decide, by means of an implementing act, that a non-EU country ensures “an adequate level of protection”, i.e. a level of protection for personal data that is essentially equivalent to the level of protection within the EU. The effect of adequacy decisions is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In others words, transfers to the country in question will be assimilated to intra-EU transmissions of data.

As announced in January 2017 in its Communication on Exchanging and Protecting Personal Data in a Globalised World, the Commission has launched a dialogue with the Republic of Korea with the aim of reaching an adequacy decision under the General Data Protection Regulation (GDPR).

An adequacy decision would complement the Free Trade Agreement between the European Union and the Republic of Korea that entered into force in July 2011 and was the EU’s first trade deal of this type with an Asian country. Moreover, in 2010, the EU and the Republic of Korea upgraded their broader relationship to a Strategic Partnership by signing a Framework Agreement, which entered into force on 1 June 2014. This is an overarching political cooperation agreement with a legal link to the EU-RoK Free Trade Agreement.

For more information

Link to draft decision

Joint press statement on the conclusion of the talks

Adequacy Decisions