All private information handled by Asan Medical Institute of Convergence Science and Technology (hereinafter referred to as “the Institute”) is collected, retained, and managed in accordance with the relevant Acts as well as the consent of a data subject. This policy is effective as of December 1, 2017. 

The Personal Information Protection Act suggests general norms for the processing of the personal information. the Institute shall treat the collected and retained information in compliance with the Act in a legal and appropriate manner in order to conduct public affairs properly and to protect the rights and interests of the users. 

the Institute respects the rights and interests of the users including the request for inspecting, modifying, deleting, and suspending the personal information processing regulated by the relevant Act. The users shall file for an administrative appeal in accordance with the Administrative Appeals Act for the infringements on their rights and interests and if there is any infringement of their legal rights, and also to request settlement or consultation from Personal Information Dispute Mediation Committee and Personal Information Infringement Report Center (run by the Korea Internet & Security Agency; http://privacy.kisa.or.kr). The privacy policy of the Institute is based on the current 「Privacy Protection Act」.This policy is applied to all homepages operated by the Institute, not otherwise specified. However, if there are any separate privacy measures established and implemented by the organizations (university, team, laboratory, etc.) under the Institute for handling the mattes in charge based on relevant laws, they shall be applied and posted on the homepage operated by the organization. 

Contents 

1. Purposes of personal information processing 

2. Processing and retention period of personal information 

3. Provision of personal information to a third party 

4. Consignment of personal information processing 

5. Rights and duties of data subject and exercising methods 

6. Personal Information items 

7. Destruction of personal information 

8. Measures for ensuring the safety of personal information 

9. Chief Privacy Officer 

10. Changes to privacy policy 

11. Remedy for infringement 

1. Purposes of personal information processing The Institute processes personal information for the purposes listed below. Processed personal information will not be used for any purpose other than the following, and if such a purpose changes, the Institute will obtain consent in advance. 

(1) Personal information shall be used for personal identification, certificate issuance (diplomas), national domain registration, spam mail, resident registration number theft, and consultation on overseas affairs. 

(2). Personal information shall be processed for access to personal information, correction, deletion, suspension, report of information leakage, personal information infringement, spam and hacking, etc.  

2. Processing and retention period of personal information 

In accordance with the Act or within the period as consented by the data subject, the Institute shall process and retain the personal information. 

3. Provision of personal information to a third party 

Personal data collected and retained by the Institute shall not be provided to a third party without prior consent of the user except in the following cases. 

(1) When the Institute obtains a separate consent from the data subject; 

(2) When a special regulation is specified under the Act or fulfilling an obligation imposed by or under any statute is inevitable; 

(3) When the data subject or legal representative is in a situation where he/she cannot express his/her intention or I-OMBUDSMAN cannot obtain prior consent of the data subject due to the unclear address and other reasons, and the Institute clearly recognizes the need to provide the personal information to a third party for the interests of life, physical body, or property of the data subject or the third party; 

(4) When personal information is supplied for the purpose of statistics and academic research, in a manner that an individual is not identifiable the Institute shall obtain the consent from a data subject when disclosing his/her personal information to a third party, after notifying the following items; - The recipient of personal information (name of corporate or organization and contact number) - Purposes for which a recipient uses said information and the personal information items to be provided - The period for which a recipient of personal information holds and uses said information - The fact that the data subject has a right to reject to give his/her consent and details of a disadvantage, if any, due to his/her rejection to give consent 

4. Consignment of personal information processing In principle, the Institute does not entrust the user information to others without the consent from the user. However, when consigning a contract, abiding by the Article 26 of the Privacy Protection Act for the prohibition of the provision of personal information to a third party and the responsibilities thereof, the Institute will consign each item below included in documents, and post its contents and the consignee on the homepage of the Institute. 

(1) Prohibition of personal information processing other than consigned assignment 

(2) Technological and managerial protection of personal data 

(3) Other provisions by the Presidential decree for the safety of personal information as follows; 

- The purpose and scope of consignment 

- The limits of reconsignment 

- Security measures such as the accessing limits to personal information 

- Supervision of personal information management concerning consignment 

- Liability for damages resulted from the violation of the consignee in accordance with item 2 of Article 26 

5. Rights and duties of data subject and exercising methods 

As the subject of personal information, the user can exercise the following rights: 

(1) a data subject may request the Institute to allow him/her to inspect his/her personal information managed by the Institute. Request to view their private information files in accordance with the Article 35 of the Privacy Protection Act. However, under item 5 of Article 35 of the same Act, exceptions can be made if: 

a. An inspection is prohibited or restricted by Acts; 

b. It is apprehended that any third person's life and body may be harmed, or any third person's property and other interests may be unduly infringed on; 

c. A public institution causes any inconvenience while carrying out any of the following affairs: 

- Affairs concerning tests of academic ability, functions and employment, and qualification evaluation; 

- Affairs concerning an assessment or decision in progress in connection with the calculation, etc. of compensation or benefits; 

- Affairs concerning an audit and an investigation in progress under other Acts 

(2) The request for correction or deletion of personal information: a data subject may request the Institute to correct or delete his/her personal information under Article 36 of the Privacy Protection Act. However, other statutes stipulates the particular personal information be collected, the subject of information shall not request the deletion thereof. 

(3) The request for suspending the process: a data subject may request the Institute to suspend the processing of his/her personal information files under Article 37 of the Privacy Protection Act. And the legal representative of a child under 14 years of age may file a request for access to, correction, deletion, and suspension of the information of the child with the Institute. However, where any of the following is applicable, the Institute may deny the request under item 2 of Article 37: 

a. When there exists special provisions in any Act or it is inevitable to comply with statutory obligations; 

b. When it is apprehended that any third person's life and body may be harmed, or any third person's property and other interests may be unduly infringed on; 

c. When the public institution cannot perform its work as prescribed by any Act without processing the personal information in question; 

d. When the data subject fails to explicitly express termination of the contract when it is impracticable to perform the contract such as provision of service as agreed upon with said data subject without processing the personal information in question. 

(4) For the request for inspection, correction, deletion, and suspension, a data subject shall be notified within 10 days of the measures taken by the Institute. The personal information shall be accessed, corrected, deleted, or suspended by the assigned department with the request form [appendix 1] 

(5) The legal representative or commissioned person may exercise the right of the above, with the submission of the power of attorney [appendix 2] 

6.Personal information items 

The Institute may collect and retain the information only after obtaining consent from the data subject. The Institute has the following personal information files under the relevant legislation. 

7. Destruction of personal information 

When personal information becomes unnecessary as its holding period expires, its management purpose is achieved and by any other ground, a personal information manager shall destroy the personal information without delay, provided that this shall not apply where the personal information must be preserved pursuant to any other statute. 

The procedures, deadlines, and methods by which information is destroyed are as follows: 

(1) Destruction procedures Personal information provided by users will be destroyed in accordance with the internal policy and other related laws and regulations when its holding period expires or its management purpose is achieved. 

(2) Deadlines When the retention period of the information expires, the Institute will destroy such personal information within 5 days after the expiration of the retention period. When the purposes of processing personal information are fulfilled, or such personal information becomes unnecessary, the Institute will destroy such personal information within 5 days after it is deemed unneeded. 

(3) Destruction methods The Institute will destroy personal information printed on paper by shredding or incinerating it. For electronic files, the Institute will use technical methods that do not allow reproduction of the records. 

8. Measures to ensure the safety of personal information 

The Institute shall implement the following technical, managerial and physical measures to secure the safety of the personal information in accordance with Article 29 of the Personal Information Protection Act. 

(1) Establishment and execution of an internal management plan The Institute establishes and executes an internal management plan(1.6, '14) pursuant to 'Standards of measures to Ensure Safety of Personal Information’(the Minister of the Interior and Safety No.43, 2011). 

(2) Minimum number of staff in charge of the personal information processing and training The Institute shall designate the minimum number of staff to handle the personal information. 

(3) Restricted access to the personal information The Institute shall carry out necessary measures to restrict access to the personal information through empowerment, change, and cancellation of access authorities for the database system that processes the personal information. It shall also operate intrusion prevention systems to deny any unauthorized external access. Personal information controller uses VPN (Virtual Private Network) to access the database system from outside communication network. The records of assigning, changing, and termination shall be kept for a minimum of 3 years. 

(4) Preservation of the access records and prevention of the forgery and falsification The Institute shall store access records (weblog data, summarized information, etc.) to the personal information data system for at least six months. 

(5) Encryption of personal information Personal information of the users are stored and managed in an encrypted manner. The Institute also implements special security measures including encrypting important data when storing or transferring. 

(6) Installation and periodic updates of computer security programs The Institute shall install and periodically update the computer security programs to prevent the personal information from leakage and damage due to hacking or computer viruses. 

(7) Access control of the unauthorized personnel The Institute shall operate a separate physical storage facility for its personal information data systems and establish and operate relevant access control procedures 

9. Chief Privacy Officer 

For more information about personal information protection and reporting/processing about the invasion of privacy, the subject may contact Personal Information Infringement Reporting Centers operated by Korea Internet & Security Agency. 

* Telephone: 118 (ARS extension 2), e-mail: privacy@kisa.or.kr 

To receive help regarding the personal information retained by the Institute, contact the following agencies (numbers).