Study on Breach Cases of EU GDPR on Cross-border Transfer of Personal Data and Its Implications for Firms
고보민 (The Catholic University of Korea)
No. 25, pp. 1-19
Abstract
This study conducts a case analysis of four breach cases of the EU GDPR on cross-border transfer of personal data, and derives implications for both EU and non-EU firms subject to the GDPR. All four cases took place in the course of business activities between EU controller firms and non-EU processor firms whose countries have not received the adequacy decision by the European Data Protection Board (EDPB). All four processor firms belong to the information and communication industry, in areas such as telemarketing, image reading, and education service support. This case analysis is of great significance in that it can capture some significant phenomena of cross-border transfer of personal data that may occur frequently in the wave of increasing trade in digital goods and services. In order to comply with the GDPR, EU controller firms should check all personal data transfers through a review of existing or planned business operations, and pay more attention to ensuring that the firm is equipped with a proper data transfer mechanism. In this regard, each controller firm should have a so-called 'personal data protection governance' which works as a central data protection system for customer response and crisis management. Non-EU processor firms should actively communicate with EU controller firms, strengthen training for in-house workers in relation to personal data protection, and secure organizational and technical methods or means to verify pre-filtering in customer data management.
- Publisher: 한국무역경영학회
- Classification: Trade practice and trade management