1. Collection of Personal Information
① The Company will only collect minimum personal information necessary to provide the Services.
② The Company will handle the essential information necessary for the provision of the Services based on the user’s consent.
③ The Company may collect personal information without obtaining the user’s consent to collect and use personal information if there is a special provision under the laws or if the Company must do so in order to comply with certain legal obligations.
④ The Company will process personal information during the period of retention and use of personal information as set forth under the relevant laws, or the period of retention and use of personal information as agreed by the user when the collection of personal information from such user is made. The Company will immediately destroy such personal information if the user requests membership withdrawal, the user withdraws consent to the collection and use of personal information, the purpose of the collection and use has been fulfilled, or the retention period ends.
⑤ The types of personal information that are collected by the Company from the user during the membership registration process, and the purpose of the collection and use of such information are the following:
- Mandatory information: name, address, gender, date of birth, email address, mobile phone number, and encrypted identification verification information
- Purpose of collection/use: prevention of misuse of Services, and handling of complaints and resolving disputes.
- Period of retention and use: destroy without delay when the purpose of collection/use has been fulfilled as a result of membership withdrawal, termination of the user agreement or other reasons (provided that, however, limited to certain information that is required to be retained under related laws such will be retained for a set period).
2. Purpose of Personal Information Use
The personal information collected by the Company will be collected and used for the following purposes only. Personal information will not be used for any purpose other than the following. However, in the event the purpose of use has changed, necessary measures will be taken by the Company such as separately obtaining advance consent from the user.
① Provision of the Services, maintenance and improvement of the Services, provision of new Services, and provision of a secure environment for the use of Services.
② Prevention of misuse, prevention of violations of the law and the terms of service, consultations and handling of disputes related to the use of the Services, preservation of records for the resolution of disputes, and individual notice to members.
③ Provision of customized services by analyzing the statistical data of the use of the Services, the access/use logs of the Services and other information.
④ Provision of marketing information, opportunities for participation, and advertising information.
3. Matters relating to the Provision of Personal Information to Third Parties
As a principle, the Company does not provide the personal information of users to third parties or disclose such information externally. However, the following cases are exceptions:
- The user has consented in advance to such provision of personal information for the use of the Services.
- If there is a special rule under law, or if such is inevitable in order to comply with the obligations under law.
- When the circumstances do not allow consent to be obtained from the user in advance but it is recognized that the risk concerning the life or safety of the user or a third party is imminent and that such provision of personal information is needed in order to resolve such risks.
4. Consignment of Personal Information
① Consignment of the processing of personal information means consigning personal information to an external consignee in order to process the work of the person providing the personal information. Even after the personal information is consigned, the consignor (the person who provided the personal information) has the responsibility to manage and supervise the consignee.
5. Determination Criteria for Additional Use and Provision of Personal Information
In the event the Company uses or provides personal information without the consent of the information subject, the personal information protection officer will determine whether additional use or provision of personal information is being made based on the following criteria:
- Whether it is related to the original purpose of collection: determination will be made based on whether the original purpose of collection and the purpose of additional use and provision of personal information are mutually related in terms of their nature or tendency.
- Whether it was possible to predict additional use or provision of personal information based on the circumstances in which personal information was collected or the processing practices: predictability is determined based on the circumstances pursuant to the relatively specific situations such as the purpose and content of personal information collection, the relationship between the personal information controller processing information and the information subject, and the current technology level and the speed of development of the technology, or the general circumstances in which the processing of personal information were established during a relatively long period of time.
- Whether the information subject’s interests are unfairly infringed: this is determined based on whether the purpose and intention of additional use of the information infringe the information subject’s interests and whether the infringement is unfair.
- Whether necessary measures were taken to ensure security through pseudonymization or encryption: this is determined based on the 「Personal Information Protection Guideline」 and 「Personal Information Encryption Guideline」 published by the Personal Information Protection Committee.
6. Rights of Users and Methods of Exercising Rights
As the personal information subject, the user may exercise the following rights.
① The user may exercise his/her rights to request access, correction, deletion, or suspension of processing concerning the user’s personal information at any time through a written request, email request, and other means to the Company. The user may exercise such rights through the user’s legal representative or authorized person. In such cases, a valid power of attorney under relevant laws has to be submitted.
② If the user requests for the correction of an error in personal information or suspension of processing personal information, the Company will not use or provide the personal information in question until the corrections are made or the request for a suspension of processing personal information has been withdrawn. If incorrect personal information has already been provided to a third party, the results of the processed correction will be notified to such third party without delay.
③ The exercise of rights under this Article may be restricted by laws related to personal information and other laws and regulations.
④ The user will not infringe the user’s own or other person’s personal information and privacy handled by the Company by violating related laws such as the Personal Information Protection Act.
⑤ The Company will verify whether the person who made the request to access information, correct or delete information, or suspend information processing pursuant to the user’s rights is the user himself/herself or the legitimate representative of such user.
7. Exercise of Rights by Users that are Children under 14 years of age and their Legal Representative
① The Company requires the consent of the legal representative of the child user in order to collect, use, and provide personal information of the child user.
8. Destruction and Retention of Personal Information
① The Company will, in principle, destroy the personal information of the user without delay when the purpose of processing such information is fulfilled.
② Electronic files will be securely deleted so that they cannot be recovered or restored and with respect to personal information recorded or stored on paper such as records, publications, documents and others, the Company will destroy such materials by means of shredding or incineration.
③ The types of personal information that are retained for a set period and thereafter destroyed in accordance with internal policy are as set forth below.
④ In order to prevent misuse of Services and to minimize damages to the user as a result of identity theft, the Company may retain the information necessary for personal identification for up to 1 year after membership withdrawal.
⑤ In the event the related laws prescribe a set retention period for personal information, the personal information in question will be stored securely for the set period as mandated by the law.
[The Act on the Consumer Protection in Electronic Commerce, etc.]
- Records on withdrawal of agreement or subscription, etc.: 5 years
- Records on payments and provision of goods, etc.: 5 years
- Records on customer complaints or dispute resolutions: 3 years
- Records on labelling/advertising: 6 months
[Electronic Financial Transactions Act]
- Records on electronic financial transactions: 5 years
[Framework Act on National Taxes]
- All ledgers and evidentiary materials regarding transactions prescribed by tax laws: 5 years
[Protection of Communications Secrets Act]
- Records on Services access: 3 months
[Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.]
- Records on user identification: 6 months
10. Measures to Ensure the Security of Personal Information
The Company takes the following technical/administrative, and physical measures necessary to ensure the security of personal information pursuant to the relevant laws.
① Minimizing the number of employees processing personal information and training such employees
② Establishment and implementation of the internal management plan
An internal management plan has been established and implemented for the safe processing of personal information.
Technical measures against hacking
To prevent personal information from being leaked or damaged as a result of hacking, computer viruses and others, the Company has installed security programs, regularly conducts updates/inspections, and frequently performs data backups.
Use of firewall system
The Company controls unauthorized external access by installing a firewall system in areas where external access is restricted. The Company monitors and restricts such unauthorized access through technical/physical means.
Encryption of personal information
The Company stores and manages important personal information of users by encrypting such information, and utilizes separate security functions such as encryption of files and transmitted data or use of file locking functions.
Retention of access records and prevention of falsification/alteration
The Company retains and manages the access records of the personal information processing system for a minimum of 6 months. The Company utilizes security measures to prevent the access records from being falsified, altered, lost or stolen.
① Restrictions on access to personal information
The Company is taking necessary measures to control personal information access by granting, changing and terminating access rights to the database system that processes personal information. The Company uses an intrusion prevention system physically to restrict unauthorized external access.