By Shon Ga-ram
The European Union's General Data Protection Regulation (GDPR) came into effect on May 25, 2018. The regulation governs the storage, processing and transfer of the personal data of individuals in the EU, but it also applies to companies established outside the EU that handle the data of EU residents, which is why it is relevant to Korean businesses.
This article discusses the main differences between the Korean Personal Information Protection Act (PIPA) and the GDPR. First, companies subject to the GDPR but not established in the EU must designate a representative within the EU, whereas the PIPA does not require foreign companies to designate a representative in Korea.
Under the PIPA, a company must appoint its privacy officer from among its own executives, such as a company representative or an officer in charge of personal information, whereas the GDPR allows a data protection officer (DPO) to be an external service provider or a single DPO shared by a group of companies.
Regarding the rights of a data subject (any person whose personal information a company stores or processes), the PIPA guarantees the rights of access, correction and deletion. In addition to these, the GDPR grants the right to restrict processing, the right to have personal information transferred to another company (data portability), the right to erasure (the "right to be forgotten") and the right not to be subject to automated decision-making, including profiling.
If a company wishes to transfer personal information in its possession outside its jurisdiction, the PIPA requires it to obtain the data subject's consent to the transfer. The GDPR, on the other hand, permits transfers to a third country without the data subject's consent, provided the destination is covered by an adequacy decision or the transfer is subject to appropriate safeguards, such as standard contractual clauses or binding corporate rules.
Detailed procedures also differ between the PIPA and the GDPR. The PIPA requires only public institutions to conduct a privacy impact assessment, whereas the GDPR requires any controller, public or private, to carry out a data protection impact assessment where processing is likely to pose a high risk, for example the large-scale processing of sensitive data or the systematic monitoring of individuals.
In the event of a personal information breach, the PIPA requires a company to notify the affected data subjects first and then report to the relevant authority. Under the GDPR, by contrast, a company must notify the supervisory authority first, without undue delay and where feasible within 72 hours of becoming aware of the breach, and then notify the data subjects where the breach is likely to pose a high risk to them. Finally, a company may be fined up to about 40,000 euro (50 million won) under the PIPA, whereas the GDPR allows fines of up to 20 million euro or 4 percent of worldwide annual turnover, whichever is higher.
The terms of the GDPR and the PIPA therefore differ in several respects. However, it is not yet clear how strictly the GDPR will be enforced against companies. Companies subject to the GDPR, such as those with business sites in the EU or those that offer goods or services to EU residents, should closely monitor enforcement cases and the interpretations issued by the regulatory bodies.
Shon Ga-ram has been a member of the Corporate & Finance Practice Group at HMP Law since 2016. He specializes in personal information protection, corporate governance, finance, litigation and tax.