Privacy Policy

<ILSSAM> (hereinafter referred to as the "Company") establishes the following Privacy Policy in accordance with the Personal Information Protection Act to protect users’ personal information and rights, and to handle users’ complaints related to personal information in a smooth and timely manner.

If the Company amends this Privacy Policy, such changes will be announced through the website notice (or individual notice).



○ This Policy is effective as of July 14, 2022.



1. Purpose of Processing Personal Information

The Company processes personal information for the following purposes. The processed personal information will not be used for purposes other than those stated below. In the event of any changes in the intended use, the Company will obtain prior consent from the user.



A. Membership Registration and Management on the Website

Personal information is processed for the purposes of user identification and authentication in relation to the provision of membership-based services, identity verification required under the limited identification system, and prevention of unauthorized use of services.



B. Handling of Civil Complaints

Personal information is processed for the purposes of verifying the identity of the complainant, checking complaint details, contacting and notifying for fact-finding, and communicating the result of the processing.



C. Provision of Goods or Services

Personal information is processed for the purpose of providing services and related matters.



D. Use for Marketing and Advertising

Personal information is processed for purposes such as verifying the effectiveness of services, analyzing access frequency, and compiling statistics on service usage by members.



2. Status of Personal Information Files



1. File Name: Personal Information

Items Collected: Email address, mobile phone number, company phone number, job title, department, company name, access logs, access IP information, name of legal representative

Collection Method: Through the website

Legal Basis for Retention: Consent to the collection of personal information

Retention Period: 3 years

Relevant Laws: Records on collection, processing, and use of credit information: 3 years; Records on consumer complaints or dispute resolution: 3 years; Records on contracts or withdrawal of subscription: 5 years





3. Period of Retention and Use of Personal Information

A. The Company retains and uses personal information within the period specified by applicable laws or within the period agreed upon by the data subject at the time of collection.

B. The specific periods for processing and retaining personal information are as follows:



1. <Handling of Civil Complaints>

Personal information related to the handling of civil complaints is retained and used for the stated purpose from the date of consent to collection and use, for a period of 3 years.

Legal Basis for Retention: Consent to personal information collection

Relevant Laws: 

1) Records on consumer complaints or dispute resolution: 3 years

2) Records on contracts or withdrawal of subscription: 5 years

Exceptions:



4. Provision of Personal Information to Third Parties

A. The Company provides personal information to third parties only in cases where the data subject has given consent, or when permitted under specific provisions of the law, such as Articles 17 and 18 of the Personal Information Protection Act.

B. The Company provides personal information to third parties as follows:



1. 'Company'

Recipient of Personal Information: The Company

Purpose of Use by the Recipient: Email address, mobile phone number, gender, date of birth, name, company phone number, job title, department, company name, legal representative's name, legal representative's mobile phone number

Retention and Use Period by the Recipient: 3 years



5. Users, as data subjects, have the right to exercise the following rights regarding their personal information, either directly or through their legal representatives.

A. Data subjects may, at any time, exercise their rights to request access to, correction, deletion, or suspension of processing of their personal information from the Company.

B. The rights in Paragraph 1 may be exercised through written request, email, or fax in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act. The Company will take prompt action in response.

C. The rights in Paragraph 1 may also be exercised through a legal representative or an authorized agent. In such cases, the power of attorney shall be submitted in accordance with Form No. 11 of the Enforcement Rules of the Personal Information Protection Act.

D. Requests for access to personal information or suspension of processing may be restricted under Article 35(5) and Article 37(2) of the Personal Information Protection Act.

E. Requests for correction or deletion of personal information cannot be made if the information is specified by other laws as required to be collected.

F. The Company verifies whether the requester is the data subject or a legitimate representative when a request for access, correction, deletion, or suspension of processing is made.



6. Items of Personal Information Processed

A. The Company processes the following items of personal information:



1. <Handling of Civil Complaints>

- Required Items: Email address, mobile phone number, company phone number, job title, department, company name, legal representative’s name, legal representative’s mobile phone number

- Optional Items: [Not specified]



7. Destruction of Personal Information

The Company, in principle, promptly destroys personal information once the purpose of processing has been achieved. The procedures, timing, and methods of destruction are as follows:



- Destruction Procedure

Information entered by the user is transferred to a separate database (or stored in separate physical documents, in the case of paper) and retained for a certain period in accordance with internal policies and relevant laws, or immediately destroyed. Personal information transferred to the database is not used for any purpose other than that required by law.



- Destruction Timing

If the retention period for personal information has expired, the user’s personal information will be destroyed within 5 days from the date the retention period ends. If the information becomes unnecessary due to the fulfillment of the processing purpose, discontinuation of the relevant service, or termination of business, it will be destroyed within 5 days from the date it is deemed no longer necessary.



- Destruction Method



Information in electronic file format is destroyed using technical methods that make the records unrecoverable.



8. Matters Concerning the Installation, Operation, and Refusal of Automated Data Collection Devices



The Company does not use cookies that store and periodically retrieve users' information.





9. Personal Information Protection Officer

A. The Company appoints the following person as the Personal Information Protection Officer, who is responsible for overseeing personal information processing, handling complaints from data subjects, and ensuring remedies for damages.



▶ Personal Information Protection Officer

Name: Mok Jeong-kyu

Contact: +82-2-756-1313



B. Data subjects may contact the Personal Information Protection Officer or the relevant department regarding any inquiries, complaints, or requests for relief related to personal information protection that arise while using the Company’s services (or business operations). The Company will respond to and handle such inquiries without delay.



10. Changes to the Privacy Policy

A. This Privacy Policy is effective from the date of implementation. If any changes are made — including additions, deletions, or modifications — in accordance with legal requirements or internal policies, the Company will notify users at least 7 days before the changes take effect via its website notice board.



11. Measures to Ensure the Security of Personal Information

In accordance with Article 29 of the Personal Information Protection Act, the Company takes the following technical, administrative, and physical measures necessary to ensure the security of personal information:



A. Minimization and Training of Personnel Handling Personal Information

The Company designates specific employees to handle personal information and limits their number to the minimum necessary to ensure its security.



B. Technical Measures Against Hacking and Other Threats

To prevent leakage or damage of personal information caused by hacking or computer viruses, the Company installs and regularly updates security programs. Systems are placed in areas with restricted external access and are monitored and blocked through technical and physical security measures.



C. Encryption of Personal Information

User passwords are stored and managed in encrypted form, ensuring that only the user can access them. Important data is protected using encryption or file locking features, along with other security functions.



D. Retention of Access Records and Prevention of Tampering

Access records for the personal information processing system are retained and managed for at least six months and are protected against tampering, theft, and loss through security measures.



E. Access Control for Unauthorized Persons

The Company maintains separate physical storage locations for personal information and has established and operates access control procedures to restrict entry by unauthorized personnel.