LG CNS Co., Ltd. (hereafter referred to as the “company”) is doing its best to protect the rights and interests of the user by complying with the personal data protection regulations specified in the law, which should be observed by the information and communications service provider, and setting up the handling policy, based on the “Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.”.
1. Personal data items to collect
(1) The company collects the minimum necessary personal data as follows, to provide sign-up and basic services while providing this service.
- The ID, password, name, and e-mail address are collected for sign-up as required items. The mobile phone number is collected as an optional item.
Purpose of collection: Information to sign up/use the service.
Method of collection: Manual input by the member
Collecting items: ID, password, name, e-mail, mobile phone number
Retention and use period: To be destroyed immediately after achieving the purpose (membership withdrawal, etc.)
- (2) The member has the right of refusing to agree to the collection and use of the personal data. If the member refuses to agree, the use of some service functions can be restricted.
(3) The following personal data can be automatically created and collected while using the service.
Purpose of collection: Recording the service use history
Method of collection: Automatic collection when using the service
Collecting items: IP address, service access date and time, service use history
Retention and use period: 6 months
- (1) The company collects the minimum necessary personal data as follows, to provide sign-up and basic services while providing this service.
2. Method of person data collection
- - The user can manually input on the web site operated by the company.
- - The service access log is automatically created and collected while using the information and communications service provided by the company.
3. Purpose of collecting and using the personal data
The company uses the collected personal data for the following purposes. The processing personal data will not be used for other than the purpose intended. If the use purpose needs to be changed, necessary actions will be taken in accordance with the Act, such as receiving separate consent.
(1) For sign-up and service
- Identifying a customer and re-issuing when the ID/password has been lost.
(2) Service inquiry and consultation
- Using as the contact information to respond to the service inquiry
(3) User statistics management
- Improving service quality
- (1) For sign-up and service
4. Sharing and providing the collected personal data
The company will use the user’s personal data within the limits specified in “3, Purpose of collecting and using the personal data”, and will not use the data by exceeding the limit without the prior consent of the user and disclose the user’s personal data to the outside, in principle. However, the followings can be an exception.
- - If the member has agreed with the company regarding personal data provision to the third party.
- - If the personal data is required to carry out the agreement regarding the provision of the information and communications service but it is quite difficult to obtain usual consent from the member due to economic and technical reasons.
- 5. Personal data retention and use period The user’s personal data without exception will be destroyed without delay once the purpose of collecting and using the personal data is obtained.
6. Personal data destruction procedure and method
In principle, the company will destroy the user’s personal data without delay once the purpose of collecting and using the personal data is obtained. The procedure and method of personal data destruction are as follows.
- Destruction procedure
The information that the user has entered will be moved to a separate DB after the purpose is obtained and destroyed after retaining for a certain period of time according to the reason of information security in accordance with the internal policy and other related laws (see the retention and use period).
The personal data moved to a separate DB will not be used for the purpose other than retention, unless required by the law.
- Destruction method
The personal data saved in an electronic file form will be deleted, using the technical method that purges the data permanently..
The personal data printed on paper will be shredded by a shredder or incinerated.
- Destruction of the personal data for the long-term inactive user
The company destroys the personal data of the member who has not logged into the service for a long time, to protect the personal data. In addition, the destruction of the personal data, date and time, and personal data item will be notified to the member via an e-mail 30 days before the expiration date.
Service inactivity period: 1 year
Personal data to delete: All personal data of the member including the name and e-mail address
Deletion basis: Last connection date and time
- - Destruction procedure
7. The rights of the user and legal representative, and exercising method
- - The user can look up or modify their registered personal data at any time, or request deletion.
- - Actions will be taken immediately after passing through the identification procedure, if the user contacts the privacy manager using a letter, phone, or e-mail.
- - If the user requests the correction of incorrect personal data, the company should not use or provide the personal data in question until correction is complete. In addition, if the wrong personal data has been already provided to a third party, the correction processing result will be notified to the third party immediately so that correction can be made.
- - The company processes the personal data that has been canceled or deleted by the request of the user or legal representative as specified in “6. Personal data retention and use period”, and ensure that the information is not retrieved or use for other purposes.
- 8. Protecting minors’ personal data The company requires that the user should be at least 14 years old to sign up the service, to protect the personal data of those who are under the age of 14.
- 9. Matters related to the installation, operation, and refusal of the automatic personal data collecting device The company doesn’t collect user’s cookies.
10. Technical/Administrative protection measures of the personal data
The company takes the following technical/administrative measures to secure the safety of user's personal data, in order to prevent the loss, theft, disclosure, alteration, or distortion.
(1) Personal data encryption
All collected personal data items including the password will be encrypted and managed safely.
(2) Technical measures against hacking, etc.
The company is doing its best to prevent the personal data leak or damage by hacking or external viruses.
The member’s personal data and transaction details are backed up on a regular basis, and latest vaccine programs are distributed using the application, and the member information is safely transmitted on the network by establishing encrypted communications between the application and server.
In addition, an external attack is blocked using the non-stop server/network monitoring system. Also, mock hacking is conducted regularly to identify a vulnerability and understand its impacts on the system, and security measures are taken to prevent the breach incident and secure service stability.
(3) Access control of the personal data processing system
The company is taking all the necessary actions to control access to the personal data, such as the establishment of the standard procedure (granting, change, cancellation) about the access right to the database system, which is composed systematically to process the personal data, as well as the regulations about password creation and change period.
(4) Training of the employee who handles personal data
This company limits the number of employees who can process the personal data, and assigns a separate password for personal data handling and updates it periodically, and implements security training for those employees.
(5) Operation of the organization dedicated to personal data protection
- (1) Personal data encryption
11. Contact information of the privacy manager and person in charge
The company has designated the privacy department and manager as described below, to protect the personal data of the user and process complaints related to the personal data.
Privacy manager: Lee Sangyoon, Security/IoT Unit
Person in charge of privacy: Lee Hyungju, Security/IoT Unit
Please contact the following government agency if you need to report or consult about personal data infringement.
- Report Center for Personal Information Infringement (privacy.kisa.or.kr/82-118)
- Information Protection Mark Certification Committee (www.eprivacy.or.kr/82-2-580-0533~4)
- Internet Crime Investigation Center of the Supreme Prosecutor's Office (www.spo.go.kr/82-2-3480-3600)
- Cyber Terror Response Center of the National Police Agency (http://cyberbureau.police.go.kr/82-2-392-0330)
- Privacy manager: Lee Sangyoon, Security/IoT Unit