Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located in other nations.
Under the Personal Information Protection Act (PIPA), employers are not required to obtain the consent of employees when outsourcing the processing of personal information. Similarly, consent is not required if the processing of personal information is outsourced to a foreign entity, but employers must include information on the specific tasks to be outsourced and the name(s) of the outsourced processor(s) in their privacy policy, so that such information is readily available to employees. Additionally, the outsourced processor must comply with specific obligations set out in the PIPA.
For employers that transfer personal information to a foreign entity for the benefit and use of such entity, obtaining consent is the only approved method to transfer personal data overseas, even in cases where consent would not otherwise be required. When obtaining employee consent, inform employees of:
HR Best Practices: The use of applications in the cloud frequently results in the international transfer of employee data. Employees should be clearly informed before any of their personal data is transferred outside of South Korea. In addition, all entities that will receive the data must comply with the PIPA.