※ This Policy, as partially modified and updated, goes into effect on November 9 2020.
Article 1 Purpose of Processing Personal Information
The Company processes personal information for the following purposes.
- To provide the Company's services: Provision of the Company's services owing to offline product purchase and purchase inquiry; prevention of service misappropriation; sending of notifications including e-mailing; product delivery; dispatch of contracts and invoices; payment and settlement of fees; provision of customized services including newsletters; etc.
- To deal with collaborative tasks and external activities concerning research and public relations: Sharing information on products and product demonstration events organized by the Company; preliminary review of identification and other matters to entrust services such as research, speeches and consultation; signing and fulfillment of the pertinent contracts; tax withholding; product-related marketing and research activities; etc.
- To recruit employees: Execution of applicant screenings and sending of notifications for each step of the pertinent process; review of job candidates for year-round hiring who agree to register for VUNO Talent Pool; handling of complaints and sending of notifications on the results thereof in the event of inquiries being made on recruitment; etc.
- To handle complaints and product information including safety thereof: Answering product inquiries; identification check of a person who lodges a complaint; review of complaint details; contacting the said person for fact-finding inspection and notifications on the pertinent results; reporting, assessment and handling of matters on product safety and quality complaints; etc.
- To fulfill legal and administrative obligations: Fulfillment of obligations to report and submit documentation of clinical testing and post-market safety management including post market surveillance pursuant to relevant statutes including the Medical Service Act, the Medical Devices Act and the Bioethics and Safety Act; declaration and payment of taxes such as corporate tax and value added tax; issuance and transfer of bills, receipts and tax invoices; delivering on legal and administrative obligations according to relevant statutes, and orders and commands issued by administrative authorities and other related agencies; etc.
- To manage visual data processing: Provision of on-premises security; prevention of fire and crime; etc.
The Company processes de-identified data for the purpose of research and development of AI software programs. Health and medical records that are used for research purposes do not include any personally identifiable information such as a full name and phone number. The Company uses such data for scientific research only.
The Company may use and provide personal information of a data subject within the scope reasonably related to the purposes for which the said personal information was initially collected, in accordance with the Personal Information Protection Act taking into consideration whether disadvantages are caused to the data subject; whether necessary measures to secure safety such as encryption have been taken; etc. Use and provision of personal information is firmly based on the Company's comprehensive consideration into miscellaneous circumstances: The Personal Information Protection Act and other relevant statutes; The purposes and methods of using and providing personal information; Particulars of personal information to be used and provided;
Particulars of personal information in the event that consent for use and provision thereof is obtained from a data subject; or that any notification or disclosure has been made to a data subject thereon; The impact on the privacy of a data subject due to use and provision of personal information thereof; Measures that are in place to protect personal information to be used and provided.
- Whether there is any relevance to the purposes for which the personal information was initially collected;
- Whether there is any predictability of additional use or provision of personal information considering circumstances under which the said personal information is collected or the processing practices thereof;
- Whether the interests of a data subject are unfairly infringed on;
- Whether necessary measures to secure safety such as pseudonymization or encryption have been taken.
Article 2 Period for Processing and Retaining Personal Information
- The Company may retain and use personal information until the purposes of processing the said personal information are fulfilled within the period for retaining and using personal information: prescribed by statutes; or for which consent is obtained from a data subject at the time of personal information collection. Such data shall be destroyed without delay when the aforementioned purposes of processing are attained.
- General information concerning medical professionals including doctors: Until a service agreement regarding product purchase expires;
- Data concerning user complaints and reports on adverse events and other safety and quality issues: Three years from the date of reporting;
- General data on job candidates: Three years from the date of the submission of a job application document;
- General data regarding subcontractors and suppliers: Until the execution of services regarding a contract, project or proposal finishes;
- Sending of newsletters: Three year from the date of the subscription to newsletters.
- In the event that personal information protection is deemed necessary pursuant to relevant statutes including the Commercial Act and the Protection of Communications Secrets Act, the Company may share personal information within the period for retaining and using personal information prescribed by the aforesaid statutes.
- All important documents relating to the Company's business
Legal grounds for retention: The Commercial Act
Retention period: Ten years
Legal grounds for retention: The Protection of Communications Secrets Act
Retention period: Three months
Article 3 Provision of Personal Information to Third Parties
- The Company may in principle process personal information within the scope prescribed by Article 1 of the Policy. Without the consent of a data subject, the Company shall not process the personal information of the said data subject beyond the aforementioned scope, nor provide such data to any third party, except in any of the following circumstances.
- Where prior consent of a data subject is obtained for provision and disclosure of information to third parties;
- Where provision of personal information is deemed mandatory or allowable pursuant to statutes.
- [Researchers who belong to clinical testing organizations]
Purpose of provision
Particulars to be provided
Period for retention and use
Ministry of Food and Drug Safety
To submit clinical testing plans on medical devices; and fulfill the duty to report according to relevant statutes including the Medical Devices Act
Names, organizations, majors, positions and contact points of persons in charge of testing, experimenters and co-researchers
Until the purposes herein stated are attained
Article 4 Outsourcing of Personal Information Processing
- The Company outsources personal information processing to a third party as below to facilitate the execution of processing.
Particulars of outsourced work
MIDAS Information Technology Co., Ltd.
To manage a recruitment webpage and employment procedures
To run a computing system and handle relevant complaints
- In accordance with Article 25 of the Personal Information Protection Act, the Company specifies particulars in a contract in the event of the execution of an outsourcing agreement: prevention of personal information processing for other purposes than the initial purpose of the outsourcing; technical and managerial safeguards of personal information; restriction of re-outsourcing; management and supervision of the outsourcee; and matters on compensation and responsibilities.
- The Company also supervises how the outsourcee processes such personal information safely by inspecting the status of processing.
The Company shall be obligated to make public any modification or update to particulars of the outsourcee and outsourced work via the Policy without delay.
Article 6 Particulars of Personal Information to be Processed and Processing Methods thereof
- The Company processes the following particulars of personal information.
- Subscribers to website newsletters: E-mail address
- General information concerning medical professionals including doctors
- Necessary information to collect: Name, postal address, date of birth, gender, phone number, e-mail address, organization, qualifications, department, specialty, academic background, work experience, publications, theses, etc.
- Optional information to collect: License number, etc.
- Data concerning user complaints and reports on adverse events and other safety and quality issues
- Necessary information to collect: Name, date of birth or age, phone number, postal address, e-mail address, etc.
- Optional information to collect: Health information (area to be treated, field of inquiry, product information, particulars of safety-related information, duration, etc.), in-charge hospital and doctor (field of specialty, employment status and organization), etc.
- General data on job candidates
- Necessary information to collect: Name, postal address, nationality, phone number, eligibility for compensation and benefits for veterans and persons with disabilities, academic background and performance, status of military service, work experience, intellectual property, theses, publications, research performance, overseas experience, professional experience, social activities, community service, language proficiency and other qualifications, cover letter, etc.
- Optional information to collect: ID picture, date of birth, academic background, certificates, work experience, language proficiency, personal information described in a resume and other information that a job applicant consents to the collection thereof
- General data regarding subcontractors and suppliers
- Necessary information to collect: Name, company name, business registration number, bank account number and postal address
- Optional information to collect: Phone number, e-mail address, fax number, login ID, password, etc.
- The Company collects personal information prescribed by Subparagraph 1 by any of the following methods or processes:
- Where clients create an account to use a product
- Where feedback or a complaint on a product is submitted
- Where job candidates apply for the Company and executives or employees work at the Company
- Where an agreement with a subcontractor or supplier is executed
Article 7 Destruction of Personal Information
The Company shall destroy personal information without delay when the personal information becomes unnecessary owing to the expiry of the retention period, attainment of the purpose of processing the personal information, etc. The procedures, deadline and methods of destroying personal data are stated as follows.
- Procedures of destruction
Personal information is transmitted to an independent database (or separate document in the case of personal information written on paper) when the retention period expires or the purposes of retention are attained. Such personal information is destroyed without delay after being retained during a particular period prescribed by internal guidelines or relevant statutes. Once personal information is transmitted to the aforesaid database, the personal information shall not be used for any purpose other than the purpose for which the said personal information is used.
- Methods of destruction
Paper documents containing personal information shall be shredded or incinerated. Personal information in electronic files shall be permanently erased not to restore data.
Article 8 Measures to Ensure Safety of Personally Identifiable Information
The Company has technical, managerial and physical safeguards in place to ensure the safety of personal information in accordance with Article 29 of the Personal Information Protection Act as follows.
- Managerial measures
Establishment and implementation of internal management plans, regular employee training programs, etc.
- Technical measures
Access authority management for personal data processing systems, installation of access control software, encryption of personally identifiable information, installation of security programs, etc.
- Physical measures
Access control to computer rooms, archives, etc.
Article 9 Privacy Officers
- The Company has a privacy officer on duty as follows to ensure comprehensive responsibility for personal information processing; and handle data subjects’ grievances and remedial compensation relevant to personal information.
Privacy officer in charge
- Name: Jae-hyung Park
- Department and position: HR/CHO
- Contact information: 02-515-6646 / firstname.lastname@example.org
- Data subjects may make all types of inquiries arising out of using any of the Company’s services (or projects) on personal information and handling of grievances and remedial compensation to the privacy officer or the department in charge. The Company answers and handles inquiries from data subjects without delay.
Article 10 Matters on Installation, Operation and Rejection of Automatic Collection Equipment for Personal Information
- Purpose of using cookies: To ensure improvements in the Company's services by executing web analytics regarding user connection frequency and visiting times of members and non-members; and by keeping track of user preferences, fields of interest, digital footprints, access to online materials and visiting patterns.
- Type of cookies
Prevention of CSRF (Cross-Site Request Forgery)
Identification of users
Transmission of data regarding user devices and website behaviors
- Cookie rejection: Data subjects have the right to decide upon cookie installation. Cookie settings on a web browser enable data subjects to allow all cookies; be prompted with a window asking about consent for storing cookies; or block all cookies.
- Procedures of setting cookies (Internet Explorer)
- Tools in the browser toolbar > Internet Options > Privacy tab. Provided, if cookie installation is rejected, it may be difficult to use certain services.
Article 11 Installation and Operation of Visual Data Processing Equipment
The Company runs visual data processing equipment and manages the operation thereof.
- Purpose of installing visual data processing equipment: To provide on-premises security, prevent fire and crime and provide cooperation in case of crime investigation
- The number of equipment installed, locations and scope of recording thereof: One device for each entrance on each floor, where the Company's headquarters offices are situated, keeps record of each lobby area and corridor (two for the fifth and sixth floors each; one for the eighth and tenth floors each).
- Person and department in charge and with access to visual data: Jin-young Lee, HR/GA Part
- Recording time, retention period, storage place and management method of visual data
- Recording hours: 24 hours non-stop recording
- Retention period: 90 days from the date of recording
- Storage place and management method: HR/GA part in charge of management that is located on the eighth floor destroys stored personal data upon the expiration of retention period.
- Method and place of visual data confirmation: Contact the person in charge measures to deal with the request of data subjects for inspection of visual data: Request for inspection of visual data or request for checking the existence of data may be made to the operator of the visual data processing equipment. In such a case, an inspection of visual data may be allowed only if the person requesting it has been recorded as the subject of such recording, or if it is deemed obviously necessary in the physical safety and property interest thereof.
- Technical, administrative and physical measures to protect visual data:
- Establishment and implementation of internal management plans, access control and restriction of access authority, introduction of storage and transmission technology to secure visual data, storage of processed data, forgery prevention, installation of storage space and security locks, etc.
- Other matters concerning installation, operation and management of visual data processing equipment: The Company shall not operate any visual data processing device outside the scope reasonably related to the purposes for which visual data was initially collected according to relevant statutes; nor so as to look into the places which is likely to noticeably threaten individual privacy, such as a bathroom, restroom, sauna, and dressing room used by multiple unspecified persons. The Company shall not arbitrarily handle the visual data processing devices for other purposes than the initial one; nor use sound recording functions.
Article 12 Matters on Third Party Links
- The Policy was modified and updated as follows.
- Modified on January 1 2020; March 10 2020; and November 9 2020.