HANPASS Co., Ltd. (www.hanpass.com, hereinafter referred to as ‘HANPASS’) has established the following processing policy to protect the personal information as well as rights and interests of customers and flawlessly process the difficulties of personal information related customers in accordance with Article 30 of the Personal Information Protection Act and Article 27-2 of the Act on Promotion of Information and Communications Network Utilization and Information Protection¸ Etc.
Article 1 (Purpose of Processing Personal Information)
HANPASS processes the personal information for the following purpose. The processed personal information shall not be used for any use other than the following purpose, and when the purpose of use is modified, it plans to seek advance consent.
① Membership subscription and management
The personal information is processed for the following purposes: Membership subscription, service use of membership system, personal confirmation following the limited personal confirmation system, individual identification, prevention of illegal use, prevention of unauthorized use, confirmation of intent to subscribe, confirmation on consent by legal representative when collecting the personal information of child less than 14 years of age, personal confirmation of legal representative at a lter time, accident investigation, dispute resolution, processing of civil complaint, delivery of notice, etc.
② Provision of monetary goods, service publicity, etc.
The personal information is processed for the following purposes: Development of new service through the survey of customer satisfaction and provision of tailored service, provision of service following the demographic characteristics and posting of advertisement, confirmation of service effectiveness, supply of giveaways, provision of gift certificate event and other customer convenience and opportunity to participate, finding out the frequency of link, statistics on service use of members, etc.
③ Purpose related to indirect (online) transaction
The personal information is processed for the purpose of tracing and search of contents of e-financial transaction, statistical data to establish security policy, etc., under Article 21 and Article 22 of the Electronic Financial Transaction Act.
Article 2 (Period of Processing and Possession of Personal Information)
① (Any personal information related to the (indirect financing) transaction shall be possessed and used for the above-referenced purpose of use for 5 years from the date of consent on collection and use to the expiration date of the (indirect financing) transaction. Provided, however, that it is possessed and used only for the investigation of financial accident, dispute resolution, processing of civil complaint, risk management work of the Company and performance of operation under laws and regulations after the expiration date of the (indirect financing) transaction.
② Any personal information collected for the purpose of inquiring the personal information shall be possessed and used from the date of consenting for collection and use to the effective period of the consent for provision and inquiry of credit information on the customer. Provided, however, that it is possessed and used only for the investigation of financial accident, dispute resolution, processing of civil complaint, and performance of operations after the expiration date of providing the credit information, inquiry and others.
③ Any personal information related to the publicity and provision of monetary terms and service shall be possessed and used from the date of consent for collection and use to the withdrawal date of consent. Provided, however, that it is possessed and used only for the investigation of accident related to the purpose under Article 1, dispute resolution, processing of civil complaint, and performance of operations under laws and regulations after the withdrawal date of consent.
④ Any personal information collected for the purpose of membership subscription and management shall be possessed and used from the date of membership subscription of the customer to the withdrawal date of membership. Provided, however, that it is possessed and used only for the investigation of accident related to the purpose under Article 1, dispute resolution, processing of civil complaint, and performance of operations under laws and regulations after the withdrawal date of members.
⑤ Any personal information pertinent to the indirect (online) transaction shall be possessed and used up to the period set forth under Article 12 of the Enforcement Decree of the Electronic Financial Transaction Act.
Article 3 (Notification of Source to Collect Personal Information Etc.)
① When processing the personal information collected from anyone other than the main body of information, HANPASS shall inform the information body with the fact that it has the right to suspend the processing of source, purpose of processing and processing of personal information within 3 days from the date of demand of the information subject unless there is any justifiable cause otherwise.
② Pursuant to Article 20 (2) of the Personal Information Protection Act, in the event that the demand of the information subject following Paragraph 1 is refused, the basis and cause of the refusal shall be informed to the information subject within 3 days from the date of demand of the information subject unless there is any justifiable cause otherwise.
Article 4 (Provision of Personal Information to Third Party)
① HANPASS shall process the personal information of the customers within the scope of purpose specified under Article 1, and it shall not process in excess of the original scope or provide the same to a third party without the consent of the customer in advance. Provided, however, that the personal information may be provided to any third party or use the same for any purpose other than the purpose herein with the exception of having any concern of unjustly interfere with the interests of a customer or third party for the following cases.
1. In the event that the customer agrees to the third party provision and disclosure
2. In the event that there is a special provision in different law or regulation;
3. In the event that the customer or its legal representative is unable to indicate its intent or unable to obtain the advance consent due to the unknown address or the like, and in the event that it is acknowledged as required for the interest of drastic life, body or property of customer or third party; or
4. In the event that it is required for the purpose of statistics, academic research or the like, and in the event that the personal information is provided in the form of unable to specify any specific individual
Article 5 (Consignment of Personal Information Processing)
① HANPASS shall not consign any information of our customers to an external company without the consent of the customer. In the event that there is any such need in the future, it shall be notified to the customer regarding the subject person of consignment and contents of consignment work, and if necessary, the advance consent shall be obtained. When entering into the consignment contract, the compliance of the personal information related law (Article 25 of the Personal Information Protection Act), prohibition to provide any third party with the personal information and burden of responsibility shall be regulated clearly and the applicable contents of the contract shall be kept in writing and electronic file, When changing any company, it shall be notified through the notices and personal information processing policy.
Article 6 (Rights and Obligations of Customer and Exercise Method)
① A customer may request to have the access of personal information of the customer or a child less than 14 years of age (applicable only for the legal representative) that our company processes.
② Any customer that accessed its own personal information may request our company to correct or delete any personal information that is different from the fact or unable to ascertain to our company. However, in the event that other laws and regulations specify the personal information as a subject of collection, the deletion thereof shall not be requested.
③ A customer may request to suspend the processing of his personal information to the Company.
However, in the event that it is applicable to any of the followings, the Company shall inform the applicable cause to customer and refuse to accommodate the request for processing suspension.
1. 1. In the event that there is a special provision in the laws and regulations or in the event that it is inevitable for complying with the obligations under the laws and regulations;
2. In the event that it is concerned to harm life or body of another person or in the event that there is a concern to unjustly interfere with properties of others and other interests; or
3. In the event that it is difficult to carry out the contract, such as, unable to provide the service stipulated with a customer if the personal information is not processed, and in the event that the intent to terminate the contract is not clearly disclosed
④ For inquiring or revising the personal information of any user or child less than 14 years of age, it fills in the ‘personal information modification (or ‘member information revision’, etc.), and for the withdrawal of subscription (withdrawal of consent), click “membership withdrawal” to go through the personal confirmation procedure to personally access, correct or withdraw.
⑤ The Company shall process the personal information terminated or deleted by the request of the user or legal representative in accordance with the matters specified on the “possession and use period of the personal information collected by the Company” and it is processed not to be accessed or used for any other uses.
Article 7 (Categories of Personal Information Processed)
Our company collects the required and selective information for setting, maintenance, performance and management of the indirect transaction and provision of product service as follows.
1. Required information
- Personal identification information: Name, resident registration number and other ID information, business information, deposit account information, nationality, occupation, address, e-mail address, TEL, e-mail and other contacts
- ((Indirect financing) transaction information: Service type, transaction requirement, date and time of transaction, amount and other transaction set and contents information
2. Selective information
- Information recorded on the transaction application in additional to personal ID information, information provided by the customer, address of employment, etc. (fill in only the required information)
3. Collection information following the Electronic Financial Transaction Act (limited to the indirect transaction)
- Customer ID (login ID), contact date, operation system type, browser version, etc.
- Our company does not collect any sensitive information that may interfere with the privacy of our customers in principle.
4. Method of Collection
- Homepage (Web), App, written form, FAX, TEL, bulletin board, e-mail, service application
- Collection through collection tool of generated information
- Collection through inquiries of customer center
Article 8 (Destruction of Personal Information)
① In the event that the period to hold the personal information is lapsed, the Company shall dispose the personal information within 5 business days from the expiration date of the possession period unless otherwise having any of the following causes, and within 5 business days from the date acknowledged as unnecessary to dispose the personal information when the personal information, accomplishment of purpose in processing the personal information, abolition of applicable service, expiration of business, etc, is no longer necessary unless otherwise having any of the following causes.
② Any print out, written document and the like recorded with the personal information shall be destroyed by the method of shredding or incineration, and any personal information in the electronic file form shall be destroyed by the perpetually deleting method with impossible for retrieval.
1. Procedure of disposition
Any information inputted by the users shall be moved to a separate DB after accomplishing the purpose (separate document for papers) and such shall be destroyed after saving for certain period or immediately in accordance with the internal policies or other pertinent laws and regulations. At this time, the personal information moved to the DB shall not be used for any other purpose unless otherwise required by laws and regulations.
2. Period of disposition
In the event that the possession period of the personal information is lapsed, the personal information of the user shall be dispose within 5 days from the expiration date of the possession period, and within 5 business days from the date acknowledged as unnecessary to dispose the personal information when the personal information, accomplishment of purpose in processing the personal information, abolition of applicable service, expiration of business, etc., is no longer necessary unless otherwise having any of the following causes.
3. Method of disposition
Any information in the form of electronic file uses the technical method that cannot be reproducing the record. Any personal information printed out on a paper shall be shredded by the shredder or disposed through the incineration.
Article 9 (Measures to Secure Safety of Personal Information)
Our company undertakes technical, managerial and physical measures required to securing stability as follows in accordance with Article 29 of the Personal Information Protection Act.
① Minimization and education of employees handling personal information
The Company designates a staff to handle the personal information and the work is minimized by limiting the work to the person in charge in a way of implementing the measure to manage the personal information.
② Implementing regular independent audit
For securing the personal information handling related stability the independent audit is implemented regularly (once a term).
③ Access restriction of the personal information processing system
Through the granting, modification or cancellation of the access authority on the DB system that processes the personal information, necessary measures are undertaken for access control to the personal information and the fire-wall system is used to control the unauthorized access from outside.
④ Establishment and implementation of the internal management plan
The Company establishes and implements of the internal management plan for the safe processing of personal information.
⑤ Encryption of the personal information
All personal information and passports of the users are encrypted to save and manage, and only the applicable person know such information that important data shall be encrypted with files and transmitted data or use file locking function to use the separate security functions.
⑥ Technical measure on hacking, etc.
In order to prevent the outflow or damage to the personal information, due to hacking, computer virus or the like, the Company shall install the security program and make periodic renewal inspection, install the system in the access restricted area from outside, and monitor and disconnect technically and physically.
Article 10 (Installation and Operation of Automatic Collection Device for Personal Information and Matters Related to Refusal)
Our company does not operate any device to collect the personal information automatically generated when using the internet service, such as, cookie.
Article 11 (Modification of Policy to Process Personal Information)
In the event that the Company modifies the personal information processing policy, the time of modification and implementation and modified contents shall be disclosed continuously and the modified contents are disclosed with the comparison of before and after the modification for customers to easily confirm.
제12조(Method of Relief from Interference with Rights and Interests)
In the event that there is a need for report of or counseling on interference with personal information, you may inquire to the following agencies.
Personal Information Dispute Mediation Committee (www.kopico.go.kr/02-405-5150)
KISA Electronic Privacy Information Center (http://privacy.kisa.or.kr / (without area code)118)
Information Protection Mark Certificate Committee (www.eprivacy.or.kr / 02-550-9531)
High-Tech and Financial Crimes Investigation Division, Supreme Prosecution Office (www.spo.go.kr / 02-3480-2000)
Cyber Terror Response Center, National Policy Agency (www.ctrc.go.kr / (without area code)182)
Article 13 (Responsible Person to Protect Personal Information and Responsible Person to Manage Personal Information)
The responsible person of personal information protection and person in charge of personal information protection pf the Company under Article 31 (1) of the Personal Information Protection Act and Article 27 (1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection¸ Etc., are shown as follows.
- Responsible person of personal information protection
Name : HYUN, SUNG JOO
Employer : Compliance Office
position : Director
Contact : 1522-0767
- Person in charge of personal information protection
Name : KIM, DONG HYUN
Employer : Compliance Office
position : Assistant Manager
Contact : 1522-0767
- Dept. in charge of personal information/civil service dept.
CS Operation Team