News & Insights - BAE, KIM & LEE LLC

2025.10.02

RECOGNITION OF THE EQUIVALENCE OF THE EU PERSONAL DATA PROTECTION FRAMEWORK AND ITS EFFECTS

On September 16, 2025, the Personal Information Protection Commission (PIPC) announced, in accordance with Article 28-8(1)(5) of the Personal Information Protection Act (PIPA), that the European Union (EU) personal data protection framework has been formally recognized as providing a level of protection substantially equivalent to that of the PIPA.

Consequently, personal information controllers are now permitted to provide (including cases of access), entrust processing, or store (collectively, “transfer”) personal information in the 27 EU Member States and the 3 EEA countries (Norway, Liechtenstein, and Iceland) without requiring separate consent from the data subject for cross-border transfers.

I. OVERVIEW OF THE RECOGNITION OF EQUIVALENCE

The EU General Data Protection Regulation (“GDPR”) provides that personal data may be transferred to a third country if the European Commission (“EC”) determines that the country offers an adequate level of personal data protection (Article 45(1)). In December 2021, the EC issued an Adequacy Decision, recognizing that the Republic of Korea’s personal data protection measures are adequate. As a result, personal data originating from the EU can be transferred to Korea without the need for data subject consent for cross-border transfers.

By contrast, prior to the March 2023 amendment of the PIPA, personal information controllers were generally required to obtain consent when providing personal data to an overseas third party or when information and communications service providers sought to transfer users’ personal data abroad. Exceptions were granted only under specific circumstances, such as the entrustment of processing or storage of personal data by such service providers (Article 17(3), Article 39-12(2)). As a result, unlike the GDPR, the PIPA did not permit cross-border transfers of personal data to designated countries without data subject consent.

Following the amendment of the PIPA in March 2023, the grounds for cross-border transfers of personal data were expanded. These now include: separate consent from the data subject, entrustment or storage of personal data necessary for the conclusion or performance of a contract, special provisions under relevant laws, treaties, or international agreements, certifications issued by the PIPC, and recognition of equivalence. The recognition of equivalence means that the PIPC has determined the recipient country’s or international organization’s personal data protection framework provides a level of protection substantially equivalent to that of the PIPA. In such instances, personal data may be transferred to the relevant country without the data subject’s consent (Article 28-8(1)(5) of the PIPA).

This recognition of equivalence for the EU represents the first instance in which the PIPC has granted such recognition under the amended PIPA.

II. EFFECTS OF THE RECOGNITION OF EQUIVALENCE

1. Cross-Border Transfers of Personal Data Without Data Subject Consent

Article 28-8(1) of the PIPA sets out the circumstances in which a personal information controller may transfer personal data overseas. In addition to scenarios where separate consent has been obtained from the data subject (subparagraph 1), the law also covers situations where equivalence has been recognized (subparagraph 5). This provision applies when the PIPC determines that the recipient country or international organization possesses a personal data protection framework, scope of data subject rights, and redress mechanisms that are substantially equivalent to those provided under the Act.

Accordingly, based on this recognition of equivalence, personal information controllers may now transfer personal data to the 27 EU Member States and the 3 EEA countries without obtaining separate consent from the data subject for cross-border transfers. However, consent from the data subject remains necessary where required for the collection and use of personal data or for the provision of personal data to third parties.

2. Scope of Personal Data Transferable Based on Recognition of Equivalence

According to the PIPC’s announcement of recognition of equivalence (PIPC Announcement No. 2025-68), the recognition granted to the EU does not extend to resident registration numbers or personal credit information. Consequently, resident registration numbers and personal credit information may not be transferred abroad based solely on this recognition of equivalence.

3. Onward Transfer of Personal Data Transferred to the EU

Pursuant to Article 28-11 of the PIPA, when a recipient of personal data abroad further transfers such data to a third country, the provisions of the Act relating to cross-border transfers of personal data apply accordingly. Similarly, the GDPR sets out comprehensive rules on cross-border transfers of personal data under Articles 44 and subsequent articles. As a result, personal data transferred to the EU may be further transferred to a third country (“onward transfer”) only if such transfers comply with the requirements of both laws.

To maintain continuity in personal data protection during onward transfers, the PIPC and the European Commission have agreed to mutually inform each other of developments concerning the operation of their respective cross-border transfer systems, including new recognitions of equivalence or adequacy decisions.

4. Remedies for Personal Data Infringements under the GDPR

If a Korean data subject experiences a breach of their personal data that has been transferred to the EU, they may seek remedies under the GDPR. This includes requesting an investigation or enforcement action by the Data Protection Authority (DPA) of the relevant EU Member State.

Separately, if a Korean data subject encounters challenges in seeking remedies through an individual EU Member State’s DPA, they may request redress through the PIPC in Korea and receive the outcome via this channel.

5. Review and Suspension of Cross-Border Transfers

The PIPC will initiate a review of this recognition of equivalence three months prior to September 15, 2028. If it is determined that equivalence is no longer satisfied, the recognition may be amended or revoked.

Furthermore, even when personal data is transferred abroad based on recognition of equivalence, the Commission may suspend such transfers if certain conditions are met. For instance, a suspension order may be issued if there are inadequate safeguards or if the recipient country fails to provide protection equivalent to that required under the PIPA, resulting in actual or potential harm to data subjects.

III. IMPLICATIONS

With both the EU’s prior adequacy decision and the recent recognition of equivalence by the PIPC, personal data can now be transferred between Korea and the EU without the requirement for data subject consent. Consequently, the volume of cross-border personal data transfers between Korea and the EU is expected to rise.

Recent amendments to the PIPA demonstrate a trend toward diversifying legal bases for processing personal data, including the removal of mandatory consent requirements for certain types of collection and use. For organizations transferring personal data to the EU, this development enables reliance on a broader range of legal bases for processing personal data, thereby facilitating more flexible data use. For further information or tailored guidance on this matter, please contact us.

Related Practices

This update is intended as a summary news report only, and not as advice. For legal advice, please inquire with your contact at Bae, Kim & Lee LLC, or the authors of this legal update.

BKL Legal Update AI BASIC ACT GUIDELINE COMMENTARY SERIES (2): SAFETY OBLIGATION FOR AI BUSINESS OPERATORS PREV List BKL Legal Update AI BASIC ACT GUIDELINE COMMENTARY SERIES (4): RESPONSIBILITIES OF HIGH-IMPACT AI BUSINESS OPERATORS NEXT

BKL Legal Update

Share