HyungInJae Korean Medicine Clinic (hereinafter “the Company”) establishes and discloses the following personal information processing policy in accordance with Article 30 of the Personal Information Protection Act, in order to protect the personal information of data subjects and to handle related grievances promptly and smoothly.
Article 1 (Purpose of Processing Personal Information)
The Company processes personal information for the following purposes. The personal information being processed will not be used for any purpose other than those stated below, and if the purpose of use changes, the Company will take necessary measures, such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.
1. Website membership registration and management
Personal information is processed for purposes such as confirming intent to register, identifying and authenticating individuals for membership services, maintaining and managing membership status, verifying identity under the limited identity verification system, preventing fraudulent use of services, confirming the consent of a legal guardian when processing the personal information of children under the age of 14, various notifications, and grievance handling.
2. Provision of goods or services
Personal information is processed for purposes such as delivery of goods, provision of services, dispatch of contracts and invoices, provision of content, provision of customized services, identity verification, age verification, payment and settlement of fees, and debt collection.
3. Grievance handling
Personal information is processed for purposes such as verifying the identity of complainants, confirming the details of complaints, contacting and notifying for fact-finding, and notifying the results of processing.
Article 2 (Processing and Retention Period of Personal Information)
① The Company processes and retains personal information within the retention and use period prescribed by law, or within the retention and use period consented to by the data subject when the personal information was collected.
② The processing and retention period for each type of personal information is as follows.
1. Website membership registration and management: Until withdrawal from the business/organization website
However, in the following cases, until the end of the relevant reason:
1) If an investigation or inquiry is underway due to a violation of relevant laws, until the conclusion of that investigation or inquiry
2) If claims or debts arising from website use remain, until the settlement of those claims or debts
2. Provision of goods or services: Until the completion of the supply of goods/services and the completion of fee payment/settlement
However, in the following cases, until the end of the relevant period:
1) Records of transactions such as labeling/advertising, contract details, and performance under the “Act on Consumer Protection in Electronic Commerce, etc.”
– Records on labeling/advertising: 6 months
– Records on contracts or withdrawal of subscription, payment, and supply of goods, etc.: 5 years
– Records on consumer complaints or dispute handling: 3 years
2) Retention of communication confirmation data under Article 41 of the “Protection of Communications Secrets Act”
– Subscriber telecommunication date and time, start/end time, the other party’s subscriber number, frequency of use, and originating base station location tracking data: 1 year
– Computer communication and internet log records, and access location tracking data: 3 months
Article 3 (Provision of Personal Information to Third Parties)
① The Company processes the data subject’s personal information only within the scope specified in Article 1 (Purpose of Processing Personal Information), and provides personal information to third parties only in cases that fall under Article 17 of the Personal Information Protection Act, such as the consent of the data subject or special provisions of law.
② The Company provides personal information to third parties as follows.
– Recipient of personal information: <e.g., OOO Card Co., Ltd.>
– Purpose of use by the recipient: <e.g., business partnerships such as co-hosting events, and issuance of affiliated credit cards>
– Items of personal information provided: <e.g., name, address, phone number, email address, card payment account information>
– Retention and use period of the recipient: <e.g., during the transaction period under the credit card issuance contract>
Article 4 (Outsourcing of Personal Information Processing)
① For the smooth handling of personal information, the Company outsources personal information processing tasks as follows.
– Outsourcee (trustee): Imweb Corp.
– Details of outsourced tasks: Provision of shopping-mall hosting service systems, mobile app services, marketing services and supplementary/affiliated services, and message dispatch agency services such as AlimTalk, FriendTalk, and text messages
– Outsourcee (trustee): OOO PG
– Details of outsourced tasks: Payment and escrow services
– Outsourcee (trustee): OOO Courier
– Details of outsourced tasks: Product delivery services
– Outsourcee (trustee): OOO Customer Center
– Details of outsourced tasks: Customer consultation services
– Outsourcee (trustee): OOO
– Details of outsourced tasks: Identity verification services
② When concluding an outsourcing contract, the Company specifies in documents such as the contract, in accordance with Article 25 of the Personal Information Protection Act, matters concerning the prohibition of processing personal information beyond the purpose of the outsourced tasks, technical and managerial protective measures, restrictions on re-outsourcing, supervision of the trustee, and liability such as compensation for damages, and supervises whether the trustee processes personal information safely.
③ If the content of the outsourced tasks or the trustee changes, the Company will disclose this without delay through this personal information processing policy.
Article 5 (Rights of Users and Legal Guardians and How to Exercise Them)
① The data subject may exercise the following personal information protection rights against the Company at any time.
1. Request to access personal information
2. Request to correct errors, if any
3. Request for deletion
4. Request to suspend processing
② Rights under Paragraph 1 may be exercised in writing, by phone, by email, or by facsimile (FAX), etc., and the Company will act on them without delay.
③ If the data subject requests correction or deletion of errors in personal information, the Company will not use or provide the relevant personal information until the correction or deletion is completed.
④ Rights under Paragraph 1 may be exercised through the data subject’s legal guardian or an authorized agent. In this case, you must submit a power of attorney in accordance with Form No. 11 attached to the Enforcement Rules of the Personal Information Protection Act.
⑤ The data subject must not infringe upon the personal information or privacy of themselves or others being processed by the Company in violation of relevant laws such as the Personal Information Protection Act.
Article 6 (Items of Personal Information Processed)
The Company processes the following items of personal information.
1. Website membership registration and management
Required items: <e.g., name, date of birth, ID, password, address, phone number, gender, email address, i-PIN number>
Optional items: <e.g., marital status, areas of interest>
2. Provision of goods or services
Required items: <e.g., name, date of birth, ID, password, address, phone number, email address, i-PIN number, credit card number, bank account information, and other payment information>
Optional items: <areas of interest, past purchase history>
3. During the use of internet services, the following personal information items may be automatically generated and collected.
IP address, cookies, MAC address, service usage records, visit records, records of improper use, etc.
Article 7 (Destruction of Personal Information)
① When personal information becomes unnecessary, such as upon the expiration of the retention period or the achievement of the processing purpose, the Company destroys the relevant personal information without delay.
② If personal information must continue to be retained under other laws even though the retention period consented to by the data subject has expired or the processing purpose has been achieved, the Company moves the relevant personal information to a separate database (DB) or stores it in a different location.
③ The procedures and methods for destroying personal information are as follows.
1. Destruction procedure
The Company selects the personal information for which a reason for destruction has arisen, and destroys it with the approval of the Company’s personal information protection officer.
2. Destruction method
The Company destroys personal information recorded and stored in electronic file format using methods such as Low Level Format so that the records cannot be reproduced, and destroys personal information recorded and stored on paper documents by shredding or incineration.
Article 8 (Measures to Ensure the Safety of Personal Information)
The Company takes the following measures to ensure the safety of personal information.
1. Managerial measures: Establishment and implementation of an internal management plan, regular employee training, etc.
2. Technical measures: Management of access rights to personal information processing systems, etc., installation of an access control system, encryption of unique identifying information,
etc., and installation of security programs
3. Physical measures: Access control to the computer room, data storage room, etc.
Article 9 (Matters Concerning the Installation, Operation, and Refusal of Automatic Personal Information Collection Devices)
① The Company uses “cookies” that store usage information and retrieve it from time to time in order to provide individually customized services to users.
② Cookies are a small amount of information that the server (http) used to operate the website sends to the user’s computer browser, and may be stored on the hard disk inside users’ computers.
a. Purpose of using cookies: Cookies are used to provide optimized information to users by identifying the visit and usage patterns of each service and website the user has visited, popular search terms, whether secure access is used, etc.
b. Installation, operation, and refusal of cookies: You can refuse the storage of cookies through the option settings in the Tools > Internet Options > Privacy menu at the top of your web browser.
c. If you refuse to store cookies, you may experience difficulty using customized services.
Article 10 (Personal Information Protection Officer)
① The Company takes overall responsibility for tasks related to personal information processing, and designates a personal information protection officer as below to handle complaints and provide remedies for damages from data subjects related to personal information processing.
▶ Personal Information Protection Officer
Name: OOO
Position: OOO
Contact: <phone number>, <email>, <fax number>
※ You will be connected to the personal information protection department.
▶ Personal Information Protection Department
Department name: OOO Team
Person in charge: OOO
Contact: <phone number>, <email>, <fax number>
② Data subjects may direct all inquiries, complaints, and matters concerning remedies for damages related to personal information protection that arise while using the Company’s services (or business) to the personal information protection officer and the responsible department. The Company will respond to and handle data subjects’ inquiries without delay.
Article 11 (Request to Access Personal Information)
Under Article 35 of the Personal Information Protection Act, data subjects may submit a request to access personal information to the department below. The Company will endeavor to ensure that data subjects’ requests to access personal information are processed promptly.
▶ Department for Receiving and Processing Requests to Access Personal Information
Department name: OOO
Person in charge: OOO
Contact: <phone number>, <email>, <fax number>
Article 12 (Remedies for Infringement of Rights)
Data subjects may inquire about remedies for damages from personal information infringement, consultations, etc., with the agencies below.
▶ Personal Information Infringement Report Center (operated by the Korea Internet and Security Agency)
– Responsibilities: Reporting personal information infringement, requesting consultation
– Website: privacy.kisa.or.kr
– Phone: 118 (no area code)
– Address: 3F Personal Information Infringement Report Center, 9 Jinheung-gil (301-2 Bitgaram-dong), Naju-si, Jeollanam-do (58324)
▶ Personal Information Dispute Mediation Committee
– Responsibilities: Application for personal information dispute mediation, collective dispute mediation (civil resolution)
– Website: www.kopico.go.kr
– Phone: 1833-6972 (no area code)
– Address: 4F Government Complex Seoul, 209 Sejong-daero, Jongno-gu, Seoul (03171)
▶ Supreme Prosecutors’ Office Cyber Crime Investigation Unit: 02-3480-3573 (www.spo.go.kr)
▶ National Police Agency Cyber Bureau: 182 (http://cyberbureau.police.go.kr)
Article 13 (Effective Date and Amendment of the Personal Information Processing Policy)
This personal information processing policy is effective from 20XX. X. X.
