Privacy Policy
Chapter 1. General Provisions
Article 1 (Purpose)
This guideline is established pursuant to Article 29 of the Personal Information Protection Act (duty of safety measures) to define internal management measures. The purpose is to systematically manage personal information handled by the company and to prevent loss, theft, leakage, alteration, damage, misuse, or abuse of such data.
Article 2 (Scope of Application)
This policy applies to personal information collected, used, provided, or managed both online and offline (e.g., by documents, phone, fax). It applies to all internal employees and external personnel who handle such information.
Article 3 (Definitions)
- “Personal Information”: Information identifying a living individual, including name, resident registration number, and video, or information that can be easily combined with other data to identify an individual.
- “Processing”: Collection, creation, recording, storage, retention, editing, use, provision, destruction, etc.
- “Data Subject”: An individual identifiable through processed data.
- “Chief Privacy Officer”: Person in charge of overseeing and deciding the processing of personal information under Article 31 of the law.
- “Handler of Personal Information”: Person authorized to process personal information under the direction of the CPO.
- “Personal Information Processing System”: A database system designed to handle personal information.
- “Video Surveillance Device”: Includes CCTV and network cameras.
- “Operator of Video Surveillance Devices”: Person who installs and operates such devices under Article 25(1).
Chapter 2. Duties and Responsibilities of the Personal Information Protection Officer
Article 4 (Appointment of Chief Privacy Officer)
① The company designates a person in an appropriate executive position as the Chief Privacy Officer in accordance with Article 32(2) of the Enforcement Decree.
- Chief Security Officer responsible for establishing and overseeing security operation plans
- Head of the department in charge of directing and coordinating overall security operations
Article 5 (Duties and Responsibilities of the Personal Information Protection Officer)
① The Personal Information Protection Officer shall perform the following duties to protect the personal information of data subjects:
- Establish and implement personal information protection plans
- Conduct regular assessments and improvements of personal information processing practices
- Handle complaints and provide remedies related to personal information processing
- Establish an internal control system to prevent leakage, misuse, and abuse of personal information
- Develop and implement training plans on personal information protection
- Supervise the protection and management of personal information files
- Establish, revise, and implement personal information protection guidelines in accordance with Article 30 of the Act
- Manage documents related to personal information protection
- Destroy personal information once the processing purpose has been fulfilled or the retention period has expired
② The Personal Information Protection Officer may, if necessary for performing their duties, investigate the current status and system of personal information processing at any time or request reports from relevant personnel.
③ If the Personal Information Protection Officer becomes aware of any violations of this Act or related laws in connection with personal information protection, they must take immediate corrective measures.
Article 6 (Scope, Duties and Responsibilities of Personal Information Handlers)
① The scope of personal information handlers is defined as follows:
- Individuals who perform tasks involving the processing of personal information of data subjects within DY Deokyang Co., Ltd.
② Duties and responsibilities of personal information handlers:
- Comply with and implement the internal management plan
- Fulfill technical and administrative measures for the protection of personal information
- Do not disclose personal information learned in the course of work to third parties
Chapter 3. Technical and Administrative Safeguards for Personal Information
Article 7 (Access Control and Authentication for Personal Information Handlers)
① Access rights to the personal information processing system shall be granted to personal information handlers only to the minimum extent necessary for their duties, and differentiated based on their job responsibilities.
② In the event of personnel changes such as transfers or resignations, the access rights of the relevant personal information handler must be promptly modified or revoked.
③ Records of the granting, modification, or revocation of access rights shall be documented and retained for at least three years.
④ When issuing user accounts for accessing the personal information processing system, each personal information handler shall be issued a unique account that must not be shared with others.
⑤ When a personal information handler accesses the personal information processing system via an external network, a secure connection method such as a virtual private network (VPN) or dedicated line must be used.
Article 8 (Encryption of Personal Information)
① The company shall encrypt resident registration numbers and passwords using secure encryption algorithms. In particular, passwords must be stored using one-way encryption so that they cannot be decrypted.
② When transmitting personal information via communication networks or external storage media, the data must be encrypted.
③ When storing personal information on a work computer (PC), personal information handlers must use commercial encryption software or secure encryption algorithms.
Article 9 (Prevention of Forgery or Tampering with Access Logs)
① Access logs of personal information handlers to the personal information processing system must be retained for at least six months.
② These access logs must be securely stored to prevent forgery, tampering, theft, or loss.
Article 10 (Installation and Operation of Security Programs)
① The company must install and operate security software such as antivirus programs on personal information processing systems and work computers to prevent and remediate malicious code.
② The automatic update function of security programs must be enabled.
③ In the event of security alerts related to malicious code or when software vendors release security updates, those updates must be applied immediately.
Article 11 (Physical Access Control)
① If the company maintains physical locations for storing personal information such as server rooms or data archives, access control procedures must be established and implemented.
② Documents or external storage media containing personal information must be stored in a secure, locked location.
③ When accessing restricted physical facilities or viewing personal information, access logs and records of reviewed content must be maintained.
Chapter 4. Personal Information Protection Training
Article 12 (Establishment of Personal Information Protection Training Plan)
① The Personal Information Protection Officer shall establish an annual personal information protection training plan that includes the following items and report it to the HR team:
- Purpose and target of the training
- Training content
- Training schedule and methods
② The Personal Information Protection Officer shall strive to raise employee awareness regarding the protection of data subjects’ personal information and shall conduct annual personal information protection training for all employees to proactively prevent the misuse, abuse, or leakage of personal information.
Chapter 5. Response to Personal Information Breaches and Remedies
Article 13 (Remedies for Infringement of Rights and Interests)
① If a data subject has suffered harm due to a violation of personal information rights, they may request dispute resolution or counseling from the Personal Information Dispute Mediation Committee or the Korea Internet & Security Agency’s Personal Information Infringement Report Center. In addition, inquiries regarding the reporting and consultation of personal information infringements can be directed to the following organizations:
- Personal Information Dispute Mediation Committee(www.1336.or.kr / 1336)
- ePrivacy Certification Committee(www.eprivacy.or.kr / +82-2-580-0533~4)
- Supreme Prosecutors’ Office Cyber Crime Investigation Center(icic.sppo.go.kr / +82-2-3480-3600)
- National Police Agency Cyber Terror Response Center(www.ctrc.go.kr / +82-2-392-0330)