Personal Information Protection Policy

Transcription

1 Personal Information Protection Policy Thank you very much for visiting yessign website of Korea Financial Telecommunications & Clearings Institute (KFTC). KFTC values the personal information of users more than anything else and exerts the best effort to protect the personal information of users. KFTC promises to provide the highest level of security for the service users. Moreover, we established the following guideline on the personal information processing as required by related laws such as the Personal Information Protection Act, Act on Promotion of Information and Communication Network Utilization and Information Protection, etc. 1. Consent for Collection of Personal Information KFTC is preparing a procedure through which the users can decide to give consent or not for collection and use of their personal information or to agree upon the terms and conditions of the service, etc. Users who clicked the Agree button, are considered to have agreed upon the collection of their personal information. 2. Purpose of Collection and Use of Personal Information KFTC collects the minimum amounts of information as specified below in accordance with the Electronic Signature Act, etc., for the purposes of issuing and managing the certificates, making various announcements related to the certification service, preventing illegal issuance and/or illegal use of certificates, designating the terminal, and making additional certifications. No personal information which may infringe the basic rights and human rights of user is collected. A. Items of Personal Information to Be Collected 1) Certificate authentication service A) The information contained in the user identification verification table, such as the name, resident registration number, address, etc., is collected and used without separate consent of the user as stipulated in the Article 15 of the Electronic Signature Act and Paragraph 2 and 3 of Article 13 of the Enforcement Decree of the same Act. B) Other Essential Information - Common : IP and MAC address, HDDSerial, USB Serial, OS version, web browser version,

2 device information such as the unique information of smartphone, etc - Individual: address, telephone number(including the mobile phone number) - Businesses: Information related to the person in charge of the matters relative to the certificate(department, telephone number, fax number, address), information about the representative(copy of identification verification table, department, telephone number) 2) Electronic Signature Service via Mobile Phone (Mobisign) A) Essential Information : Resident registration number, mobile phone number, mobile communication service provider of the user B) Optional Information : None B. Method for the Collection of Personal Information 1) Certificate authentication service The personal information is collected through the documents that the users submitted to KFTC or the agencies registered with KFTC. The personal information is collected through the service websites(including the websites of the agencies registered with KFTC). 2) Electronic Signature Service via Mobile Phone(Mobisign) The personal information is collected through the service websites(including the websites of the same service). 3. Rights of the Personal Information & Exercising Method A. Certificate authentication service

3 KFTC collects the personal information through the registered agencies when the users sign up for the service. Users may make request to access, revise, or delete their registered personal information, and suspension of processing or withdrawal of their consent. In addition, legal representative of children under the age of 14 may request the access to the children s personal information. In the event that the user makes request for the deletion of his/her personal information, asks their personal information processing to be suspended, or demands the withdrawal of their consent, KFTC processes such request of users after the expiration date of the personal information retention period in accordance with the Article 22(Management of Records Related to the Certification) of the Electronic Signature Act is passed. When the information cannot be terminated as of the date of the user s request, KFTC notifies the user with such information and notifies the user again when the termination is complete. To check the method for accessing, revising, deleting the personal information and withdrawing the consent. < Click Here > B. Electronic Signature Service via Mobile Phone(Mobisign) KFTC collects personal information via service website, etc(including the organization using the same service) when the users sign up for the service. Users may request for the access, revision and deletion to their personal information, suspension of their personal information processing, and withdrawal of their consent on the use of their registered personal information. To check the method for accessing, revising, deleting the personal information and withdrawing the consent. < Click Here > 4. Period of the Retention and Use of Personal Information KFTC keeps the personal information of the user safely for ten(10) years from the expiry of the certificate in accordance with the Article 22(Management of the Records Related to the Certification) of the Electronic Signature Act and immediately destroys the personal information that passed the retention period. 5. Method of Destroying the Personal Information The personal information printed in paper is destroyed through shredder or incinerated. The person

4 information records saved in the form of electronic file are deleted permanently in such a way that they cannot be restored. 6. In case that the personal information is provided to the third party: The personal information of the user will be provided to the third party as specified below only when the user gives his/her consent or when the provision of such information does not go beyond the related law. - KFTC may share the personal information of the user with other authenticated certificate organizations and/or registered agencies, Korea Financial Information Sharing and Analysis Center, supervisory authorities, investigative agency, etc., for the purpose of preventing illegal issuance and/or illegal use of the certificate. - No personal information of user will be provided to any third party without the consent of the user, and the certificate will not be issued unless the user agrees upon the provision of personal information. - The personal information provided by the user includes the name, resident registration number, telephone number(including the mobile phone number), and device information which are related to the issuance of authenticated certificate. - The personal information which was provided will be deleted permanently in such a way that it cannot be restored if the intended purpose was achieved after keeping the personal information in accordance with the internal policy and related law. - KFTC provides the personal information of customer as specified below to mobile communication service providers and clearing agencies for the purpose of the subscription to the services and the settlement of the fee charged for services, etc., after obtaining the consent of the user in connection with the electronic signature service that is offered via mobile phone(mobisign). Users may refuse to provide their personal information, and in which case, they cannot use the electronic signature service via mobile phone(mobisign). Information receiving third party Purpose of the provision Provided items Verification of the name of the person who Mobile communication service Mobile phone number has the ownership of mobile phone

5 provider(skt, KT, LGU+) KG Mobilians Co., Ltd. Payment of the fee charged for the service Resident registration number, Mobile phone number 7. Security Measures for the Personal Information KFTC designates the minimum number of users for the access to the users personal information and is managing the information strictly with passwords. KFTC is operating the following security programs related to the services in order to prevent the loss, theft, leakage, tempering or damage. - By applying encrypted algorithm, etc., KFTC is ensuring the security of the storage of customer information and the transmission/reception network. - Provision of vaccine program to prevent damage caused by computer virus. - Installation and management of keyboard security program to prevent hackers from hacking the keyboard input value 8. Use of Cookie yessign website does not use the cookie. 9. Personal Information Protection for Children KFTC obtains the consent of legal representative of children under the age of 14 who sign up for the service. The legal representative may request the access to and revision of the child s personal information and withdrawal of the child s subscribership(elimination of the certificate, etc). Although the children under the age of 14 face restriction in subscribing to the electronic signature service via mobile phone(mobisign), they may sign up for the service based on the terms and conditions set forth by the mobile communication service providers. 10. Revision of the Policy Related to the Person Information KFTC will inform the users of the details of revision and date of effectiveness via the website from at least seven(7) days before the scheduled date of revision if the personal information processing policy is revised(added, deleted, amended) as a result of the changes in the law, government policy and

6 security technology. 11. Personal Information Processing-related duties entrusted to third parties KFTC operates the registered agencies to ensure the security and effectiveness in processing the tasks related to the authenticated certificate, such as the acceptance of the application for the certificate and applicant identification, etc. - The registered agencies with KFTC are the banking institutes(including National Agricultural Cooperative Federation, National Federation of Fisheries Cooperatives) such as Kookmin Bank, Korean Central Association of Community Credit Cooperatives, National Credit Union Federation of Korea, National Forestry Cooperative Federation, etc., which are posted on the website. Other organizations may be added to the list of agencies registered with KFTC, which is also posted on the website. - The scope of duties related to the personal information processing, which are entrusted to the agencies registered with KFTC, covers the issuance and management of certificate, monitoring of illegal issuance and/or illegal use of certificate, provision of information on the expiry date of certificate, applicant identification necessary for the notification of the details related to the issuance of certificate, designation of terminal or additional certification, etc., and the related necessary supplementary tasks. - The registered agencies shall not use the personal information for any purpose other than to perform the duties entrusted to them. - The registered agencies manage the personal information safely in accordance with the Personal Information Protection Act and the Electronic Signature Act, etc. - Other works related to the personal information processing are entrusted in accordance with the related law 12. Handling of Grievances & Counseling In Relation to Personal Information KFTC designated the staffs who is responsible for protecting the personal information as specified below. Contact us using the following telephone numbers or addresses if you have any grievance

7 or want counseling in relation to the protection of personal information in using the service. We will immediately take action and notify you with the results. Person in charge of Personal Information Protection - Kim Yun Soo, General Manager of Electronic Certification Department of Korea Financial Telecommunications & Clearings Institute(KFTC) Person in Charge of Person Information Management - Lee Sung June, Certification Planning Team of Electronic Certification Department of Korea Financial Telecommunications & Clearings Institute(KFTC) - Telephone No. : yessign@kftc.or.kr