The Data Protection (Adequacy) (Republic of Korea) Regulations 2022

Made21st November 2022

Laid before Parliament23rd November 2022

Coming into force19th December 2022

The Secretary of State makes these Regulations in exercise of the powers conferred by section 17A(1), (3), (5) and (6) of the Data Protection Act 2018 (“the 2018 Act”)1.

In accordance with section 17A(1) and (3) of the 2018 Act, the Secretary of State considers that the Republic of Korea ensures an adequate level of protection of personal data for certain transfers.

In accordance with section 182(2) of the 2018 Act, the Secretary of State has consulted the Commissioner2 and such other persons as the Secretary of State considers appropriate.

Citation, commencement and extent1

1

These Regulations may be cited as the Data Protection (Adequacy) (Republic of Korea) Regulations 2022.

2

These Regulations come into force on 19th December 2022.

3

These Regulations extend to England and Wales, Scotland and Northern Ireland.

Adequate level of protection2

1

For the purposes of Part 2 of the Data Protection Act 20183 and the UK GDPR4, the Secretary of State specifies the Republic of Korea as ensuring an adequate level of protection of personal data5 for a transfer described in subsection (2).

2

A transfer described by this subsection is a transfer of personal data to a person in the Republic of Korea who is subject to the Personal Information Protection Act as that Act forms part of the law of the Republic of Korea and has effect from time to time6.

Independent supervisory authorities3

The independent supervisory authorities7 in the Republic of Korea are—

a

the Personal Information Protection Commission established by Article 7 of the Personal Information Protection Act as it forms part of the law of the Republic of Korea; and

b

the Financial Services Commission established by Article 3 of the Act on the Establishment of Financial Services Commission as it forms part of the law of the Republic of Korea8.

Michelle DonelanSecretary of StateDepartment for Digital, Culture, Media and Sport21st November 2022

Explanatory Note

(This note is not part of the Regulations)

These Regulations specify the Republic of Korea as a country which provides an adequate level of protection of personal data for the purposes of Part 2 of the Data Protection Act 2018 (“the 2018 Act”) and the UK GDPR (defined in section 3 of the 2018 Act). This means that personal data can be transferred to natural or legal persons in the Republic of Korea who are subject to Korean data protection legislation (specifically the Personal Information Protection Act) without the need for any specific authorisation. “Personal data” is defined in Article 4(1) of the UK GDPR and has the same meaning in Part 2 of the 2018 Act by virtue of section 5 of that Act.

A full impact assessment of the effect that this instrument will have on the costs of business, the voluntary sector and the public sector is published with the explanatory memorandum alongside this instrument on www.legislation.gov.uk. Hard copies can be obtained from the offices of the Department for Digital, Culture, Media and Sport, 100 Parliament Street, London SW1A 2BQ.