Article 1 (Purpose of Collection/Use of Personal Information, Personal Information Items to be Collected, and Method of Collection)
1. Purpose of Processing Personal Information and Personal Information Items to be Collected
“Personal Information” means any information related to a living individual that is either the information containing any matters that may identify such individual, such as name, resident registration number, etc., or the information which, even if it is impossible to identify such individual only by the information itself, may be easily combined with other information to identify such individual.
The Company may collect the following Personal Information of Users. Each Personal Information item processed by the Company is the minimum Personal Information necessary for the purpose of processing Personal Information. The Company will not process each item for any purpose other than those listed below and will take necessary measures such as obtaining consent pursuant to Article 18 of the Personal Information Protection Act, etc.
|[Information Collected Upon Joining the Membership] (Required Information Items)|
|Personal identification, membership management, User verification to resolve any login related problems, guidance on important matters related to services, management of Users’ grievances including complaints||Email address, password|
|[Information Collected During Use of Service] (Required Information Items for Use of Service)|
|To link social media accounts||User name (profile information), User identifier, email address|
|To establish two-factor authentication||OTP serial number, verification code|
|To perform User authentication required for provision of services such as content services, etc., to provide the Company’s services including purchase and payment, etc., to its members and to perform contracts, and to prevent illicit use of services *1||Name, date of birth, cellular phone number, gender, the User’s age group, whether the User is Korean or foreigner, information for User authentication, information to verify whether a person has duplicate accounts, related information|
|To ship products to its members||Name, address, cellular phone number|
|To carry out eCash related works including withdrawal of eCash||Bank account information (name of bank, account number, account holder’s name)|
|To obtain consent from legal guardian for children under 14 years old, to verify such User or his/her legal guardian’s identity||Personal information of legal guardians (name, date of birth, email address)|
|[Information Collected During Use of Services] (Optional)|
|To develop new services, to provide customized services and carry out marketing, to obtain its members’ service use statistics and to conduct surveys *2||Gender, date of birth, cellular phone number, email address|
|[Consent from Legal Guardians for Children Under 14 Years Old]|
|To verify the legal guardian’s intention to consent to the processing of Personal Information of children under 14 years old||Legal guardian’s name, his/her relationship with the children under 14 years old (Personal Information items within the scope of those related to the foregoing in the Certificate of Family Relation)|
|[Provision of Customized Services to Users]|
|To analyze service use records and access frequency, to obtain statistics related to service use, to provide customized services based on the foregoing analysis and statistics related to the services *3||IP address, cookies, service use records, device information|
|[Information Collected During the Participation of the Company’s Events]|
|To use the information for the purpose of marketing by disclosing customer reviews on the Company’s services *4||Nickname, customer review on the Company’s services|
|[Unique Identifier (Resident Registration Number)]|
|To deduct withholding tax from other incomes and to issue withholding receipts pursuant to the Income Tax Act, to submit a detailed statement of disbursement to the competent tax office, etc.||Name, resident registration number, address|
2. Method to Collect Personal Information
The Company shall collect the Personal Information as follows:
(1) If its members have consented to the collection of Personal Information and input their Personal Information in the process of joining the membership and using services, the Company may collect such Personal Information.
(2) The Company may be provided with the Personal Information from its partner companies or any third party to which its members have expressed their intention to directly give their Personal Information, and may collect the Personal Information through the process of customer service calls through the customer center or the members’ participation in events, etc.
Article 2 (Provision of Personal Information to a Third Party)
The Company shall not provide the Personal Information to a third party without prior consent of its members; provided that if the member has already consented to the provision of his/her Personal Information, and to the extent in any case not falling under specific provisions under applicable laws such as Article 17 and Article 18 of the Personal Information Protection Act, the Company shall not process the Personal Information in excess of the specified scope nor provide such information to a third party.
Article 3 (Outsourcing of Personal Information Processing)
With respect to the processing of Personal Information, the Company has outsourced part of its business necessary for the provision of services to external entities as follows:
|ATON||Partnership with prepaid points enterprises, etc.|
|Dahyeon Tax||Tax adjustment related to corporate tax, tax advisory service|
|KPMG Samjong Accounting Corp||External audit, preparation of audit report|
|EY Hanyoung Corp||IFRS conversion, preparation of separate/consolidated financial statements|
|Kakao Corp||KakaoTalk notification service and event information message service, etc.|
|LG Uplus Corp||Customer service|
|Ppurio||Operation of the system for short message service|
|NICE Payments co., Ltd./NHN Payco Corp||Processing of payment (real-time wire transfer, creation of virtual bank accounts) and prevention of identity theft for payment transaction|
|SCI Information Service Inc||User verification|
The Company and the Outsourcee shall enter into an outsourcing agreement in writing. Pursuant to Article 26 of the Personal Information Protection Act, matters related to their responsibilities such as prohibition of processing of Personal Information for any purposes other than the purpose of performing outsourced work, technological and managerial protective measures, restriction of re-entrustment, management and supervision of Outsourcees, and compensation for damages, etc. are specified in writing, in documents including contracts entered into between the parties, etc. In addition, the Company manages and supervises the Outsourcees to ensure that they process the Personal Information only for the purpose of performing the outsourced work, that they do not process Users’ Personal Information for any other purposes, and that they securely process the Personal Information.
If there is any change of the details of the outsourced work or the Outsourcees, the Company will promptly disclose such change through this Policy.
Article 4 (Period of Processing/Retention of Personal Information and Procedure and Method to Destroy Personal Information)
1. Period of Processing/Retention of Personal Information
The Company shall process and retain Personal Information within (i) the period of retention and use of the Personal Information under applicable laws or (ii) the period of retention and use of the Personal Information as consented by Users upon collection of such Personal Information. In addition, the Company shall promptly destroy such Personal Information when it fulfills the purpose of processing the Personal Information, when it closes its business, or when Users request the Company to destroy their Personal Information or withdraw their consent to the collection and use of the Personal Information, except in any of the following cases:
- Period of Processing/Retention of Personal Information Under Bylaws of the Company
① If the service use agreement is terminated due to a member’s application for withdrawal from membership, to the extent it is acknowledged to be materially necessary for the protection of investors and prevention of arbitrary termination to avoid the restrictions hereunder, the Company shall retain minimum necessary information such as such member’s ID (including e-mail address), name, phone number, transaction details and any data related to breaches of the terms and conditions for one (1) year from the termination date.
② With respect to members whose service use agreement is terminated by the Company or who have received a service use restriction from the Company, for the purpose of verifying whether there is any reason to refuse to approve such person from joining its membership, the Company shall retain minimum necessary information such as such member’s ID (including e-mail address), name, phone number, address, and information related to the termination and the membership suspension, etc. for one (1) year from the termination date.
③ The Company shall retain its members’ illicit use records for one (1) year from such members’ illicit use of services in order to prevent any illicit use of services.
- Period of Processing/Retention of Personal Information Under Applicable Laws
In the case any applicable laws provide for retention of information for a specified period, the Company shall retain the Personal Information in compliance with such laws and shall not use such information for other purposes.
- Act on the Consumer Protection in Electronic Commerce, Etc.
① Records related to cancellation of a contract or an order, etc.: 5 years
② Records related to payment and supply of goods, etc.: 5 years
③ Records related to responses to consumers’ grievances or resolution of disputes: 3 years
- Electronic Financial Transactions Act
① Records related to electronic financial transactions: 5 years
- Protection of Communications Secrets Act
① Log-in records: 3 months
In accordance with the ‘expiration date for Personal Information’ system under the Personal Information Protection Act, the Company separately classifies and stores Personal Information of its members who have not used its services for one (1) year.
If the Company is required to continue to retain the Personal Information in accordance with its bylaws or other applicable laws even after the Personal Information retention period expires or the Company fulfills its purpose of processing Personal Information, the Company shall transfer such Personal Information to a separate database or store it in a different place.
2. Procedure and Method of Destruction
If the Personal Information becomes unnecessary due to the expiration of the retention period or the Company’s fulfillment of its purpose of processing Personal Information, etc., the Company shall promptly destroy such Personal Information. The procedure and method to destroy the Personal Information shall be as follows:
A. Procedure to Destroy Personal Information
The Company shall select the Personal Information to be destroyed and destroy such Personal Information after obtaining approval from the privacy officer.
B. Destruction Due Date
The Company shall destroy the Personal Information without delay (within five (5) days unless there is no reasonable ground) (i) from the expiration date of the Personal Information period, in the case the Personal Information retention period expires, or (ii) from the date when it is acknowledged to be unnecessary to process the Personal Information, in the case it is unnecessary to process such Personal Information due to the Company’s fulfillment of its processing purpose or the Company closes its business, etc.
C. Method of Destruction
The Personal Information recorded and stored in the electronic form shall be destroyed to make sure that the records cannot be restored, and the Personal Information recorded and stored in the form of written documents shall be shredded by a shredder or incinerated in order to be destroyed.
Article 5 (Rights and Obligations of Users and Legal Guardians and Methods of Exercising them)
1. Users’ Rights
At any time, Users may exercise their rights related to the protection of Personal Information against the Company as follows:
① To request access to their Personal Information
② To request modification of any errors, if any
③ To request deletion of the Personal Information
④ To request suspension of the processing of the Personal Information
2. Methods to Exercise Users’ Rights
The Rights specified in Paragraph 1 above may be exercised against the Company through a written document, e-mail, and facsimile, etc. and the Company shall take necessary measures in response to the exercise of rights without delay. If a User requests the Company to modify or delete any errors, etc. in his/her Personal Information, the Company shall not use or provide such Personal Information until it modifies or deletes such errors, etc.
① At any time, Users and legal guardians may request the Company to modify or delete the collected information or withdraw their consent to the use of such information, etc.; provided that if Users and legal guardians withdraw their consent to the use of such information or request the Company to delete such information, they may be restricted from using all or part of the services.
② (Access/Modification and Revision) The Users and legal guardians may access and modify the Personal Information by visiting ‘My Muca -> Personal Information Management’ on the Company’s website or through a contact channel for customer service. The Company will not use the Personal Information or provide it to any third party until it completes the modification/revision. In addition, if the Company has already provided the erroneous Personal Information to a third party due to a reasonable ground, the Company shall notify such third party of the result of the foregoing modification/revision to ensure that such third party modifies it.
③ (Consent Withdrawal/Request for Deletion) The Users and legal guardians may withdraw their consent to the use of the Personal Information and make a request for deletion thereof by using the Company’s contact channel for customer service; provided that they may be restricted from using all or part of the services once their consent towards the collected information is withdrawn or the collected information is deleted and it may be difficult to withdraw their consent to the use of the information that is collected under other applicable laws, etc.
④ (Membership Withdrawal) The Users may easily withdraw their membership by visiting ‘My Muca -> Personal Information Management’ on the Company’s website and clicking the ‘Membership Withdrawal’ button at the bottom of the page. *In the case a User has a copyright and eCash, he/she may withdraw the membership after selling the copyright through the market and completing the withdrawal of his/her eCash amount.
⑤ (Reuse of Services) A person may check whether he/she is an existing User or not through ‘Find ID’ and may use his/her existing account, if any, again after changing the password. If a User has any questions, he/she may contact the Company’s customer service center by calling 1522-6101.
⑥ (Contact/Enquiry) The Company may record the telephone conversation between Users and the customer service operator for the purpose of the collection and use of Personal Information. The Users are informed of the Company’s recording of customer service calls for enquiries through the pre-connection announcement of the customer service center.
Provided that if a User requests the Company to stop accessing and processing his/her Personal Information, such User’s right may be restricted pursuant to Article 35 (4) and Article 37 (2) of the Personal Information Protection Act. With respect to Users’ request to modify or delete their Personal Information, Users may not request the Company to delete their Personal Information if such information is specified as the information to be collected under other applicable laws. If the Company has already provided any erroneous Personal Information to a third party, the result of correction shall be promptly notified to the relevant third party to ensure the correction.
3. Rights of Legal Guardians
The Users’ rights may be exercised through their legal guardians or a proxy such as a person entrusted by the User, etc. In this case, the User shall submit a power of attorney in the form specified in [Appendix Form No. 11] in the Enforcement Rules of the Personal Information Protection Act. The Company shall verify whether a person who has requested to access, modify or delete the Personal Information, or to suspend the Company’s processing of the Personal Information in accordance with Users’ rights is the User himself/herself or his/her valid attorney.
Article 6 (Installation/Operation of the Means of Automatically Collecting Personal Information and the Refusal Thereof)
The Company shall install and operate cookies which store and frequently retrieve Users’ information. A cookie means a small-sized text file that the server used for the operation of the website sends to Users’ computer browsers. Cookies may be stored in the hard disks of Users’ computers.
Cookies are used to provide customized personal services and targeted marketing to Users by analyzing access frequency and staying time of Users, etc., identifying Users’ preferences and interests and tracking such Users’ activities, and identifying Users’ participation in various events and visiting frequency, etc.
2. Installation, Operation, and Refusal of Cookies:
Users may reject the storage of each cookie by clicking “Tools on the upper menu bar of a web browser > Internet Option > Personal Information” and changing the setting in the case of Internet Explorer, and by clicking “Setting on the right menu bar of a web browser > Advanced > Privacy and Security > Cookies and Other Site Data” and changing the setting in the case of Chrome; provided that the Company may find it difficult to provide some services to Users who have refused to install cookies.
Article 7 (Technical/Managerial Measures for Protection of Personal Information)
In handling the Personal Information of Users, the Company shall take the following technical and managerial measures pursuant to Article 29 of the Personal Information Protection Act to ensure security and prevent any loss, theft, leakage, falsification, or damage of the Personal Information:
1. Establishment and implementation of the internal management plan to securely process the Personal Information
2. Installation and operation of an access control system such as intrusion prevention system, etc. to prevent any illicit access to the Personal Information.
3. Measures to prevent any forgery and falsification of log-in records
4. Security measures which adopt encryption technology, etc. to safely store and transmit Personal Information
5. Measures to prevent any infringement by computer viruses, such as installation and operation of antivirus software programs
6. Other protective measures necessary for attaining security of the Personal Information
Article 8 (Privacy Officer and Responsible Employee)
The Company has appointed the privacy officer as follows in order to designate an employee who is in charge of all works related to the processing of Personal Information and to respond to any grievances of Users and relieve damages with respect to its processing of Personal Information:
|Privacy Officer||Responsible Employee|
|Name: SEO, Seong Ryul||Name: JUNG, Rae Sun|
|Position (Title): CTO||Position (Title): Development Team|
|Phone Number: 02-6928-0221||Phone Number: 02-6928-0221|
The Users may enquire about any matters related to Personal Information protection and grievances arising during the use of the Company’s services, as well as matters related to damage relief, etc. to the privacy officer and responsible employee. The Company shall promptly respond to Users’ enquiries and take necessary measures.
Article 9 (Amendment and Notification Obligation)
*1 The Company will use Personal Information to protect its Users and operate the services, such as to restrict its members in breach of applicable laws and the service use agreement from using its services, to prevent and restrict any acts that may interfere with sound operation of its services including any illicit use of service, to deliver notifications such as amendments to the terms and conditions, to maintain records for dispute mediation, and to deal with grievances, etc.
*2 The Company will use the Personal Information for the purpose of marketing and promotion such as provision of its event information and opportunity to participate in the events and offering advertising information.
*3 The Company may use its Users’ behavior information automatically collected during their use of services such as service use records, transaction information, payment and settlement records, and information related to royalties, etc.
*4 The Company will use the Personal Information for the purpose of marketing and promotion such as provision of its event information and opportunity to participate in the events, and provision of advertising information.