Section 28

In the event that the Data Controller sends or transfers the

Personal Data to a foreign country, the destination country or international organization that
receives such Personal Data shall have adequate data protection standard, and shall be carried
out in accordance with the rules for the protection of Personal Data as prescribed by the
Committee in section 16 (5), except in the following circumstances:

(1)where it is for compliance with the law;

(2)where the consent of the data subject has been obtained, provided that the

data subject has been informed of the inadequate Personal Data protection standards of the
destination country or international organization;

(3)where it is necessary for the performance of a contract to which the data

subjectis a party, or in order to take steps at the request of the data subject prior to entering into a contract;

(4)where it is for compliance with a contract between the Data Controller, and

other Persons or juristic persons for the interests of the data subject;

(5)where it is to prevent or suppress a danger to the life, body, or health of the

data subject or other Persons, when the data subject is incapable of giving the consent at such time;

(6)where it is necessary for carrying out the activities in relation to substantial

public interest.

In the event that there is a problem with regard to the adequacy of Personal

Data protection standards of the destination country or international organization, such problem
shall be submitted to the Committee to decide. The decision made by the Committee may be reviewed
when there is a new evidence convincing that the destination country or international organization
that receives such Personal Data has developed adequate Personal Data protection standards.