- BIONOTE
- Personal Information Processing Policy
The purpose of this policy is for BioNote Co. (hereinafter referred to as "Company") to protect users' valuable personal information and rights and to facilitate handling of users' grievances related to personal information. Company collects, uses, and provides personal information based on the user's consent and complies with the relevant laws and regulations.
1. Collection of personal information
① Company collects the minimum personal information necessary only for purpose of providing services.
② Company handles mandatory items required to provide services under user's consent.
③ In case of special provisions under the law or purpose to comply with the obligations under the law, it may be collected without obtaining consent for the collection and use of personal information of users.
④ Company shall process personal information within period of possession and use of personal information according to relevant laws or within period of possession and use of personal information agreed upon with information subjects when collecting.
⑤ Personal information items company collected from users, and purpose of collection/use are as follows.
- Mandatory items: name, address, gender, date of birth, email address, mobile phone number, encrypted identification information
- Purpose of collection/use: prevention of fraudulent use of services, handling grievances, and mediation of disputes
- Period of possession and use: information shall be destroyed without delay when the purpose of collection/use is achieved (provided, that necessary items are stored for a certain period in accordance with relevant laws).
2. Purpose of personal information use
Users' personal information collected by the company is be collected and used only for the following purposes. Personal information will be not used for purposes other than the following purposes, and when the purpose of use changes, necessary measures such as obtaining consent from the user separately in advance will be implemented.
① Providing services, maintaining and improving services, providing new services, and providing a stable service use environment
② Prevention of fraudulent use, restrictions on violations of legal and service terms, consultation and dispute settlement related to service use, preservation of records for dispute settlement, and individual notifications
③ Providing customized services through analysis such as service use statistics and service access and usage records
④ Providing marketing information guide and participation opportunity, and providing advertising information
3. Provision of personal information to a third party
Company does not provide users' personal information, in principle, to third parties or disclose it to the outside. However, exceptions are as follows.
- Where the consent is obtained from a user in advance for the service use
- Where special provisions in the law or inevitable obligation compliance under the law exist
- Where it deems necessary explicitly for the protection from impending danger on life or safety of a user or of a third party in case that user's prior consent cannot be obtained
4. Consignment of personal information
① Consignment of personal information processing means entrusting personal information to an external trustee for business process of who provides personal information. Even after personal information is entrusted, the consignor (one provides personal information) is responsible for managing and supervising the trustee.
② Company processes and entrusts the user's personal information to the following specialized companies to implement the service, and if the contents of the consignment work or the trustee changes, will disclose it through this processing policy without delay.
| Trustee | Contents of consignment work | Consignment items | Period of possession and use of personal information. |
|---|---|---|---|
| UL Design Co. | System HW maintenance to provide IT services | Website development and operation/management of maintenance system | At termination of consignment contract |
5. Criteria for determining the additional use/provision
Where the company uses or provides personal information without the consent of the data subject, information protection responsible shall check whether additionally using or providing personal information is in consideration of the following.
- Whether it is related to the original purpose of collection: It is judged based on whether the original purpose of collection and the purpose of additional use and provision are related to each other in their nature or tendency.
- Whether it has any predictability of the additional use or provision of personal information considering the circumstances in which personal information was collected or practical processing: The predictability is judged based on the relatively specific circumstances such as the purpose and content of personal information collection, the relationship between data subject and the personal information controller of additional processing, and the current technology level and the speed of technology development. And also judged on the general circumstances in which personal information processing has been established for a relatively long time.
- Whether it unfairly infringes on the interests of the data subject: It is judged based on whether the interests of the data subject are actually infringed and whether the infringement of the interests is unfair, in relation to the purpose and intention of additional use.
- Whether the required measures for securing safety, such as pseudonym processing or encryption, is provided: It is judged based on the "Pseudonym Processing Guideline" and "Personal Information Encryption Measures Guide" published by the Personal Information Protection Committee.
6. User's right and its exercise
Users can exercise the following rights as personal data subjects.
① Users can exercise their rights to read, correct, delete, and suspend processing of their personal information at any time through written or e-mail to the company. The exercise of the rights can also be done through the user's legal representative or delegated person. In this case, user must submit a power of attorney in accordance with the relevant laws and regulations.
② When users request correction or suspension of processing for an error in personal information, the company does not use or provide the relevant personal information until the correction is completed or until the withdrawal of the correction request. In addition, when incorrect personal information has already been provided to a third party, the correction result will be notified to the third party without delay.
③ The exercise of rights in this article may be restricted in accordance with the provisions of personal information-related laws and other laws and regulations.
④ Users shall not infringe on the personal information and privacy of users themselves and others, handled by the company, in violation of relevant laws such as the Personal Information Protection Act.
⑤ The company shall check the ones who requesting of access according to the user's rights, requesting of viewing, correction/deletion, or suspension of processing, is oneself or a legitimate agent.
7. The right exercise of a child under the age of 14 and his/her legal representative
① The company shall request the consent of its legal representative in order to collect, use, and provide personal information of child users.
② Children users and their legal representatives may request the company to take necessary measures to protect personal information, such as viewing, correction, and deletion of children's personal information by themselves or representatives, in accordance with relevant laws and this personal information processing policy. And the company must respond to this without delay.
① The company shall destroy the personal information without delay, in principle, when the purpose of processing the user's personal information is achieved.
② In the case of electronic file type, it shall be deleted safely to prevent recovery and reproduction, and in the case of personal information recorded/stored on paper such as records, prints, and documents, it shall be destroyed by crushing or incineration.
③ According to the internal policy, personal information that is stored for a certain period of time and then destroyed is as follows.
④ In order to prevent illegal use of services and minimize damage to users caused by identity theft, the company can store the minimum information required for personal identification for up to one year.
⑥ When the storage of information is stipulated for a certain period of time by the relevant laws and regulations, personal information shall be kept safely according to the regulations during that period.
[Act on the Consumer Protection in Electronic Commerce]
- Records of contract or withdrawal of subscription, etc.: 5 years
- Records of payment, supply of goods, etc.: 5 years
- Records of consumer complaints or disputes: 3 years
- Records of indication/advertisement: 6 months
[Electronic Financial Transactions Act]
- Records of electronic financial transactions: 5 years
[Framework Act on National Taxes]
- Books and evidentiary documents for all transactions prescribed by the Tax Act: 5 years
[Protection of Communications Secrets Act]
- Records of service access: 3 months
[Act On Promotion of Information and Communications Network Utilization and Information Protection]
- Records of oneself identification: 6 months
9. Measures to secure the safety of personal information
The company is securing the following technical/management measures to ensure stability during processing users' personal information so that personal information is not lost, stolen, leaked, altered or damaged.
① Management measures for personal information
The company's personal information handlers are limited to the persons in charge, and it always emphasizes compliance with the personal information processing policy through frequent training for persons in charge.
② Technical measures for personal information.
- In processing users' personal information, the company is securing the following technical measures to ensure safety so that personal information is not lost, stolen, leaked, altered or damaged.
- The company is executing the personal information encryption for legal essential encryption.
- In preparation for external intrusion such as hacking, the company is making every effort to ensure security by using intrusion blocking systems and vulnerability analysis systems.
10. Matters of installation and operation of an automatic collection device of personal information and its refusal.
The company operates "cookie" that stores and finds user information frequently. Cookie is a very small text file sent to user's browser by the server used to run the company's website and is stored on user computer's hard disk. The company uses cookies for the following purposes.
▶ Purpose of using cookies, etc.
The purpose of cookies using by the company is to maintain the service of members and non-members (session management and moving to the previous page). Since users may allow all cookies by setting options in a web browser, or go through confirmation whenever they are saved, or refuse to save all cookies.
▶ How to reject cookie settings.
For example, by choosing the option of the web browser using, users can allow all cookies, or go through verification every time when saving cookies, or refuse to save all cookies.
Setting example (for Explorer)
: Tools at the top of the web browser > Internet Options > Personal Information
When the user refuses to install cookies, it may be difficult to provide services.
11. Personal information protection responsible
① The company is in responsibility of all personal information processing, and designates a person in charge of personal information protection as follows for handling complaints and remedy for damage related to personal information processing.
Personal information protection responsible: Park Choa.
Position: Assistant manager.
Contact number: 031-4066-6999.
Email: seoret@bionote.co.kr
② Users can inquire about all personal information protection inquiries, complaints, and damage remedy incurred while using the company's services.
12. Report and consultation on personal information infringement.
The data subject may contact the agency below when needs report or consult on personal information infringement.
[Personal Information Infringement Report Center]
privacy.kisa.or.kr
Phone dial 118 without area number
[Supreme Prosecutor's Office, Cybercrime Investigation Division]
spo.go.kr
Phone dial 1301 without area number
[National Police Agency, Cyber Investigation Bureau]
cyberbureau.police.go.kr
Phone dial 182 without area number
13. Changes in the personal information processing policy
The company's processing policy can be changed according to relevant laws and internal policies. When the company changes its personal information processing policy, such as addition, modification, deletion, etc., it will notify on its website or through a separate notification method 7 days before the effective date. However, when there is an important change in user rights, it will be notified 30 days before the effective date.
14. Addenda.
This personal information processing policy will be effective from December 1, 2021.