On 14 September 2023, the consultation on the draft Implementing Regulation of the Personal Data Protection Act, which includes cross-border data transfer regulation, was closed. The draft Regulation provides expanded details on the cross-border data transfer mechanisms established by the Personal Data Protection Act. The Regulation sets out the responsibility of the data protection agency for carrying out adequacy assessments for countries and stipulates that details of the assessment criteria will be further specified in future regulations. The Regulation also specifies that, in the absence of an adequacy decision, adequate protection is considered to be present if there is, for example, an agreement between countries, binding standard contractual clauses, or company regulations. The Regulation also sets out minimum requirements for SCCs and regulations, with further criteria to be specified in future regulations. Further, the Regulation provides details on when consent is a valid transfer mechanism, namely for limited transfers affecting a limited number of data subjects, with a requirement to carry out a risk assessment and notify both the subjects and the data protection agency.
Original source