
Government Legislation

  • [IT & IPR] Draft Standards for Cross-Border Privacy Rules Certification
    • Competent Ministry : Personal Information Protection Commission
    • Advance Publication of Legislation :
    • Opinion Submission Deadline :

[Background]

- To support domestic companies in obtaining Cross-Border Privacy Rules (CBPR) certification, a voluntary certification for businesses developed and operated by the Global CBPR Forum, an international cooperative body, the guidance needed to operate CBPR certification in South Korea will be provided.
- To assess the privacy protection system of certification applicants, the essential requirements and documents that personal data controllers must prepare during the application process will be defined.

[Regulatory Content]

- (Applicant’s Preparatory Requirements) During the certification application process, the necessary privacy protection management system, evidence, facilities, and other requirements that personal data controllers must meet will be defined.
- (Required Documents) The necessary documents that the applicant must submit to the certification body during the application process will be outlined.

1. Purpose of the Amendment
To help domestic companies obtain CBPR certification smoothly by providing guidance on the matters needed to operate Cross-Border Privacy Rules (CBPR) certification, a voluntary certification developed and operated by the Global CBPR Forum, an international cooperative body.


2. Key Points

a. Certification Review Criteria (Article 6, Appendix 1)

- The certification review will be conducted according to 50 certification criteria developed by the Global CBPR Forum based on the APEC Privacy Framework's 9 Principles.


b. Operational System (Articles 8, 11 to 14, Appendix 2)

- To ensure efficient operation, the certification body can separate the certification issuance and review tasks, and designate a separate review body to carry out the certification review.

- The certification review team must consist of at least three CBPR certification examiners who meet the following qualifications:

  - Must have obtained the ISMS-P certification examiner qualification under Article 32-2 of the Personal Information Protection Act, have participated in at least 20 days of combined ISMS-P certification reviews within the last 2 years, and have completed the CBPR certification examiner training.
- The certification body must establish and operate a certification committee with individuals possessing relevant expertise and experience to review and decide on the certification suitability.


c. Fee Standards (Article 7)

- The certification body (or review body) may apply the fee calculation standards used for the Information Security Management System & Personal Information Protection Management System (ISMS-P) certification for charging fees, considering the certification period, number of review items, etc.
- Small businesses, companies applying for certification renewal, and companies that have applied for or obtained ISMS-P certification may receive fee reductions by adjusting the review days and the number of examiners.

Regulatory effect assessment
  • 국경 간 개인정보 보호 규칙 인증에 관한 기준(규제영향분석서)_20250725.hwp [download]

Legislative proposal (draft)
  • 개인정보보호위원회공고제2025-호(국경 간 개인정보 보호 규칙 인증에 관한 기준 제정(안) 행정예고).pdf [download]