[Company Name] (hereinafter referred to as "the Company") establishes and discloses the following personal information handling policy in accordance with Article 30 of the Personal Information Protection Act, in order to protect the personal information of data subjects and to ensure the prompt and smooth resolution of any related complaints.
Article 1 (Purpose of Processing Personal Information)
The Company processes personal information for the following purposes. The personal information being processed will not be used for any purpose other than those stated below. If the purpose of use is changed, the Company will take necessary measures, such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.
1. Membership Registration and Management
Personal information is processed for the following purposes: to confirm the intent to register as a member; to identify and authenticate individuals for membership-based services; to maintain and manage membership status; to verify identity under the limited identity verification system; to prevent unauthorized use of services; to verify legal guardian consent when processing personal information of children under the age of 14; to provide various notices and announcements; and to handle customer inquiries and complaints.
2. Provision of Goods or Services
Personal information is processed for purposes including product delivery, service provision, sending contracts and invoices, providing content and customized services, verifying identity and age, processing payments and settlements, and collecting outstanding debts.
3. Handling Complaints
Personal information is processed for purposes such as verifying the identity of the complainant, confirming the details of the complaint, contacting and notifying for fact-checking, and providing notifications of the results.
Article 2 (Retention and Use Period of Personal Information)
① The company retains and uses personal information within the period specified by law or within the period agreed upon when collecting the personal information from the data subject.
② Each period for processing and retaining personal information is as follows.
Membership Registration and Management on the Website: Until the member (individual/business/organization) withdraws from the website.
However, in the following cases, personal information will be retained until the relevant issue is resolved:
1) If an investigation related to a violation of applicable laws is in progress, until the investigation is completed.
2) If there are remaining obligations such as debts or claims arising from the use of the website, until such obligations are settled.
2. Provision of Goods or Services: Until the goods or services have been fully delivered and payment and settlement have been completed.
However, in the following cases, personal information will be retained until the end of the specified period:
1) Records related to transactions such as advertisements, contracts, and performance under the Act on Consumer Protection in Electronic Commerce, etc.:
- Records of advertisements and notifications: 6 months
- Records of contracts or withdrawal of subscription, payment, and supply of goods: 5 years
- Records of consumer complaints or dispute resolution: 3 years
2) Retention of communication data pursuant to Article 41 of the Protection of Communications Secrets Act:
- Subscriber’s telecommunication date and time, start and end times, counterpart subscriber numbers, usage frequency, and location tracking data of the base station used: 1 year
- Computer communications, internet log records, and access location tracking data: 3 months
Article 3 (Provision of Personal Information to Third Parties)
① The company processes the personal information of data subjects only within the scope specified in Article 1 (Purpose of Processing Personal Information), and provides personal information to third parties only with the consent of the data subject or in cases prescribed by law, as stipulated in Article 17 of the Personal Information Protection Act.
② The company provides personal information to third parties as follows:
- Recipient of personal information:
- Purpose of using the personal information by the recipient:
- Personal information items provided:
- Retention and usage period by the recipient:
Article 4 (Outsourcing of Personal Information Processing)
① The company outsources personal information processing tasks as follows to ensure smooth handling of personal information operations.
- Outsourcing Recipient (Processor): OOO Co., Ltd.
- Outsourced Tasks: Providing systems for shopping mall hosting services, mobile app services, marketing services and additional partnership services, as well as notification services such as AlimTalk, FriendTalk, and SMS message dispatching agency services.
- Outsourcing Recipient (Processor): OOO PG
- Outsourced Tasks: Payment processing and escrow services.
- Outsourcing Recipient (Processor): OOO Delivery
- Outsourced Tasks: Product delivery services.
- Outsourcing Recipient (Processor): OOO Customer Center
- Outsourced Tasks: Customer consultation services.
- Outsourcing Recipient (Processor): OOO
- Outsourced Tasks: Identity verification services.
② When entering into an outsourcing contract, the company specifies in the contract or related documents, in accordance with Article 25 of the Personal Information Protection Act, the prohibition of processing personal information beyond the scope of the outsourced tasks, technical and managerial protective measures, restrictions on subcontracting, supervision and management of the outsourcee, liability for damages, and other responsibilities. The company also monitors whether the outsourcee safely handles personal information.
③ If there are any changes to the contents of the outsourced tasks or the outsourcee, the company will promptly disclose them through this Privacy Policy.
Article 5 (Rights of Users and Legal Representatives and How to Exercise Them)
① The data subject may exercise the following rights related to personal information protection with the company at any time:
1. Request access to personal information
2. Request correction if there are errors
3. Request deletion
4. Request suspension of processing
② The exercise of rights under paragraph 1 can be made to the company by written request, telephone, email, fax, etc., and the company will promptly take action.
③ If the data subject requests correction or deletion of personal information due to errors, the company will not use or provide the relevant personal information until the correction or deletion is completed.
④ The exercise of rights under paragraph 1 may be done through the data subject’s legal representative or an authorized agent. In this case, a power of attorney according to Form No. 11 of the Enforcement Rules of the Personal Information Protection Act must be submitted.
⑤ The data subject shall not infringe upon the personal information or privacy of themselves or others that the company processes in violation of the Personal Information Protection Act or related laws.
Article 6 (Items of Personal Information Processed)
The company processes the following personal information items.
1. Website Membership Registration and Management
Mandatory items:
Optional items:
2. Provision of Goods or Services
Mandatory items:
Optional items:
3. During the use of internet services, the following personal information may be automatically generated and collected:
IP address, cookies, MAC address, service usage records, visit records, records of improper use, etc.
Article 7 (Destruction of Personal Information)
① The company shall promptly destroy personal information when the retention period expires or when the purpose of processing the personal information has been achieved, making it unnecessary to retain the information.
② If the retention period consented to by the data subject has expired or the purpose of processing has been achieved, but personal information must still be retained pursuant to other laws, the company shall transfer such personal information to a separate database (DB) or store it in a different place to preserve it.
③ The procedures and methods for destroying personal information are as follows:
1. Destruction Procedure
The company selects personal information to be destroyed based on the reasons for destruction and destroys the information after obtaining approval from the company’s Personal Information Protection Officer.
2. Destruction Method
Personal information recorded or stored in electronic file form shall be destroyed using methods such as low-level formatting to prevent data recovery. Personal information recorded or stored on paper documents shall be destroyed by shredding or incineration.
Article 8 (Measures to Ensure the Security of Personal Information)
The company takes the following measures to ensure the security of personal information:
1. Administrative measures: Establishment and implementation of internal management plans, regular employee training, etc.
2. Technical measures: Management of access rights to personal information processing systems, installation of access control systems, encryption of unique identification information, installation of security programs, etc.
3. Physical measures: Access control to data centers, document storage rooms, etc.
Article 9 (Installation, Operation, and Refusal of Automatic Personal Information Collection Devices)
① The company uses “cookies” that store and frequently retrieve user information to provide personalized services to users.
② Cookies are small pieces of information sent from the server (http) operating the website to the user’s computer browser and may be stored on the user’s hard disk.
a. Purpose of using cookies: Cookies are used to identify the visiting and usage patterns of users on each service and website, popular search terms, security connection status, etc., to provide users with optimized information.
b. Installation, operation, and refusal of cookies: Users can refuse the storage of cookies by configuring the options under Tools > Internet Options > Privacy menu in their web browser.
c. If cookies storage is refused, it may cause difficulties in using personalized services.
Article 10 (Person in Charge of Personal Information Protection)
① The company is fully responsible for the overall management of personal information processing and has designated the following person in charge of personal information protection to handle complaints and remedy damages related to personal information processing:
▶ Person in Charge of Personal Information Protection
Name: OOO
Position: OOO
Contact: , ,
※ This contact connects to the personal information protection department.
▶ Personal Information Protection Department
Department Name: OOO Team
Person in Charge: OOO
Contact: , ,
② Data subjects may contact the person in charge of personal information protection or the department above regarding any inquiries, complaints, or requests for remedy related to personal information protection arising from the use of the company’s services (or business). The company will respond and take action without delay.
cle 11 (Request for Access to Personal Information)
Data subjects may request access to their personal information pursuant to Article 35 of the Personal Information Protection Act at the following department. The company will make efforts to promptly process requests for access to personal information.
▶ Department for Receiving and Processing Personal Information Access Requests
Department: OOO
Person in Charge: OOO
Contact: , ,
Article 12 (Remedies for Infringement of Rights and Interests)
Data subjects may contact the following organizations to report and seek remedies for personal information infringements or for consultation:
▶ Personal Information Infringement Report Center (operated by Korea Internet & Security Agency)
- Responsibilities: Reporting personal information infringements, consultation requests
- Website: privacy.kisa.or.kr
- Phone: 118 (no area code needed)
- Address: 3rd Floor, Personal Information Infringement Report Center, 9 Jinheung-gil, Naju-si, Jeollanam-do, 58324, Korea
▶ Personal Information Dispute Mediation Committee
- Responsibilities: Application for personal information dispute mediation, collective dispute mediation (civil resolution)
- Website: www.kopico.go.kr
- Phone: 1833-6972 (no area code needed)
- Address: 4th Floor, Government Complex Seoul, 209 Sejong-daero, Jongno-gu, Seoul, 03171, Korea
▶ Supreme Prosecutors’ Office Cyber Crime Investigation Division: 02-3480-3573 (www.spo.go.kr)
▶ National Police Agency Cyber Safety Bureau: 182 (http://cyberbureau.police.go.kr)
Article 13 (Enforcement and Amendment of Privacy Policy)
This privacy policy shall take effect from [Year] [Month] [Day].
