KOREAN NET

Websites subject to integrated authentication data

Table of Contents

1. Purpose of Data Processing
2. Items of Data Processing and Period of Retention
3. Provision of Data to Third Parties
4. Entrustment of Data Processing
5. Destruction of Personal Data
6. Rights and Obligations of Data Subjects
7. Safety of Personal Data
8. Automatic Data Collection and Refusal
9. Chief Data Officer and Data Protection Officer
10. Data Access Requesting/Processing Department
11. Remedies for Infringement of Rights
12. Judgment Criteria for Additional Use and Provision
13. Versions of the Privacy Policy

Purpose of Data Processing

The OKCC shall handle personal data for the following purposes, and may not use it for purposes other than such purposes. If the purpose of the use is changed, the OKCC shall implement necessary measures such as receiving separate consent from the relevant data subject according to Article 18 of the Personal Information Protection Act.

• 1. Website membership registration and management Confirmation of intention of membership registration, user identification and authentication according to the provision of membership service, member qualification maintenance and management, user identity verification according to the limited identity verification system, prevention of fraudulent service use, various notices and notifications, etc.
• 2. Service provision Provision of content (e.g. complaints, group databases) specialized for overseas Koreans, introduction and announcement of the OKCC, membership registration to provide educational content of Korean language schools, participant identity certification for registration of participation in the competition, and provision of other services including recruitment information.
• 3. Complaints processing Confirmation of the complainer's identity, confirmation of complaints, contact and notice for investigation, and notification of processing results.

Items of Data Processing and Period of Retention

Detailed processing purpose items of personal data to be processed, and the processing and holding period of the personal data contained in the personal data kept by the OKCC can be accessed to via the Personal Information Protection Commission website (privacy.go.kr).

Provision of Data to Third Parties

In principle, the OKCC may process the personal data of users within the scope specified for the purpose of operation, and without the user's prior consent, the OKCC shall not process it beyond the scope of the original purpose or provide personal data to third parties. Provided, the OKCC may process personal data in the following cases.

OKCC may provide personal data to third parties

• 1. When the OKCC has obtained prior consent from the data subject;
• 2. If there is a special regulation in relevant laws;
• 3. If it is clearly acknowledged as necessary for the urgent interests of the data subject or a third party including his/her life, body, and property when the data subject or his/her legal representative is in a state where he/she is unable to express his/her intention or it is impossible to obtain prior consent from the data subject due to an address unknown;
• 4. When providing personal data required for the purpose of statistics preparation and academic research in a form that does not allow the user to be able to recognize a certain individual;
• 5. When deliberated and resolved by the Personal Information Protection Committee in a case where the OKCC cannot fulfill the tasks determined in relevant laws if the personal data is not used for a purpose other than the original purpose or not provided to a third party;
• 6. If necessary to provide it to foreign governments or international organizations for the implementation of treaties and other international agreements;
• 7. If necessary for the investigation of a crime and prosecute and maintain a case;
• 8. If necessary for the performance of the court's judicial affairs; and/or
• 9. If necessary for the execution of the sentence and disposition of protective custody.

Entrustment of Data Processing

The OKCC entrusts data processing tasks as follows for smooth processing of personal data.

Companies entrusted with data processing

Companies entrusted with data processing

Trustees	Entrusted tasks	Period of use and retention
BIC&S Co., Ltd.	Integrated entrustment, operation, and maintenance of the OKCC's information system and infrastructure in 2022	Until the end of the entrustment contract
Stormmedia Co., Ltd.	Entrusted operation and maintenance of Study Korean in 2022	Until the end of the entrustment contract
YMCA Busan	Planning and operation of the 2022–2023 training of overseas Korean college students in home country	Until the end of the entrustment contract
National Council of YMCAs of Korea	Planning and operation of the 2022–2023 training of overseas Korean youth in home country	Until the end of the entrustment contract
Ewha Womans University Industry-Academic Cooperation Foundation	25th OKCC Invitational Korean Language Scholarship	Until the end of the entrustment contract
Hankuk University of Foreign Studies (HUFS) Research Affairs/R&DB Foundation	Planning and operation of the 2023 OKFriends Intensive Korean Language Camp	Until the end of the entrustment contract

A. Management and supervision of entrustment contract conclusion

In accordance with Article 26 of the Personal Information Protection Act, when concluding the entrustment agreement, in addition to the purpose of entrustment, the OKCC specifies the trustee's responsibilities, such as prohibition of data processing, technical and administrative protection measures, restrictions on re-entrustment, management and supervision of trustee, and compensation for damages, in documents such as contracts, and oversees the trustee’s safe handling of personal data.

B. Disclosure of entrustment

If the contents of entrustment or the trustee are changed, it shall be disclosed through this Privacy Policy without delay.

Destruction of Personal Data

The OKCC shall destroy the personal data without delay when it becomes unnecessary for reasons such as the elapse of the data retention period or achievement of the purpose of processing.

A. Destruction procedures

• - A plan for the destruction of personal data (or files) shall be established.
• - The personal data (or files) for which the reason for destruction occurred shall be selected and destroyed with the approval of the data protection officer of the OKCC.

B. Destruction method

• - Electronic files: Recorded and stored personal data shall be destroyed so that the record cannot be reproduced.
• - Printed matter: Personal data recorded and stored in paper documents shall be shredded with a shredder.
• - In the event that personal data must be kept continuously in accordance with other laws and regulations despite the expiration of the data retention period consented to by the data subject or the achievement of the purpose of processing, the personal data (or files) shall be moved to a separate database (DB) or stored in a different storage location.

Rights and Obligations of Data Subjects

Data subjects may exercise the following rights, and in the case of a minor under the age of 14, his/her legal representative may exercise the rights to the minor's personal data.

A. Request for access to personal data

Personal data files held by the OKCC may be requested to access in accordance with Article 35 (Access to Personal Information) of the Personal Information Protection Act. Provided, in the following cases, access to personal data may be restricted in accordance with Article 35(4) of the Act upon request:

Restriction of access to personal data

• 1. When access to personal data is prohibited or restricted by law;
• 2. If there is a risk of harming the life or body of another person or unfairly infringing on the property and other interests of another person;
• 3. If it causes a significant impediment when a public institution performs any of the following tasks:
  • A. Affairs related to the imposition, collection or refund of taxes;
  • B. Affairs related to the evaluation of grades or selection of students to be admitted by schools at each level in accordance with the Elementary and Secondary Education Act and the Higher Education Act, lifelong education facilities in accordance with the Lifelong Education Act, and higher education institutions established pursuant to other acts;
  • C. Affairs related to the examination for academic background, skills, and recruitment as well as qualification review;
  • D. Affairs related to the evaluation or judgment in progress regarding the calculation of compensation and benefits, etc.;
  • E. Affairs related to ongoing audits and investigations under other laws.

B. Request for correction/deletion of personal data

You may request correction or deletion in accordance with Article 36 (Correction and Deletion of Personal Information) of the Personal Information Protection Act. Provided, if the corresponding personal data is specified as a collection target in other laws, the deletion cannot be requested.

C. Request for suspension of processing (withdrawal of consent)

• - You may withdraw your consent to the collection, use and provision of personal data through membership registration at any time. Provided, if the OKCC is required to preserve personal data in accordance with the provisions of laws or terms and conditions, the concerned processing may be restricted.
• - To withdraw consent, you may apply through the “Membership Withdrawal Application” on the site or request the data protection officer in writing, by phone or via email.
• - In order to identify yourself, you must disclose your ID and membership information. Due to withdrawal, there may be restrictions on the service or some services may not be available.

Rejection of request for suspension of data processing

• 1. If there are special provisions in the law or it is unavoidable to comply with statutory obligations;
• 2. If there is a risk of harming the life or body of another person or unfairly infringing on the property and other interests of another person;
• 3. If a public institution does not process personal data, it is unable to perform its duties as stipulated in other laws;
• 4. When it is difficult to fulfill the contract, such as not being able to provide the service agreed upon with the data subject if personal data is not processed, and the data subject does not clearly indicate its intention to terminate the contract.

D. Refusal of consent

When registering as a member, you may refuse to agree to the Terms of Use and this Privacy Policy, and if you refuse to agree thereto, the use of some services may be restricted.

Safety of Personal Data

The OKCC is taking the following measures to ensure the safety of personal data it holds.

A. Administrative measures

• - Establishment and implementation of internal management plans (regular inspection, security, etc.), regular education for data personnel, etc.;
• - Regular self-inspection (once semi-annually) and implementation of necessary measures.

B. Technical measures

Management of access rights of personal data processing system, etc., installation of the access control system, installation and operation of personal data management program (PCFILTER), installation and operation of personal data output management program (ePrint), encryption of unique identification information, etc., installation of security programs, technical measures against hacking, etc.

C. Physical measures

• Restricting access to computer rooms and data storage rooms, controlling access by unauthorized persons, etc.

Automatic Data Collection and Refusal

• ① The OKCC shall use cookies that store and retrieve usage data to identify users' website visit records, and shall not use the data for any other purpose or provide it to a third party.
• ② Cookies are a small amount of data that the server (http) used to operate the website sends to the user's computer browser, and is also stored on the hard disk of the user's PC.

• A. Purpose of using cookies: Provision of optimized data to users by identifying website usage patterns and visitor statistics processing.
• B. Installation, operation and rejection of cookies: You may refuse to save cookies by setting the options in the Tools > Internet Options > Privacy menu at the top of the web browser.
• C. All services are available regardless of whether cookies are stored.

Chief Data Officer and Data Protection Officer

The OKCC designates a chief data officer and data protection officer as follows to manage overall affairs including processing of personal data, handling complaints of data subjects related to personal data processing, relieving damage, and dealing with the request for access to personal data.

A. Chief Data Officer

A. Chief Data Officer

Chief Data Officer	Data Protection Officer
Department: Data Team (Administration Planning Office)	Department: Data Team (Administration Planning Office)
Officer: Lee Ju-youn	Officer: Kim Jeong-hee
Contact: +82-2-3415-0151	Contact: +82-2-3415-0100
Email: ljy78@okocc.or.kr	Email: johnny@okocc.or.kr

B. Data Protection Personnel

The OKCC designates divisional officers for personal data protection for each business division so that they manage and handle all personal data-related inquiries and complaints resulted from use of services (or programs) and that you may make an inquiry such matters to the data protection personnel.

Data Protection Personnel

Category	Position	Department	Contact
Chief officer	Head of the Data Team	Administration Planning Office	+82-2-3415-0151
Personnel	Head of the Administration Planning Office	Administration Planning Office	+82-2-3415-0121
	Head of the Administration Management Team	Administration Planning Office	+82-2-3415-0100
	Head of the Education and Culture Training Department	Education and Culture Training Department	+82-2-3415-0191
	Head of the Overseas Koreans Cooperation Department	Overseas Koreans Cooperation Department	+82-2-3415-0100
	Head of the Hansang Project Team	Overseas Koreans Cooperation Department	+82-2-3415-0100
	Head of the Next Gen Human Rights Department	Next Gen Human Rights Department	+82-2-3415-0100
	Head of the Records and Exhibition Department	Records and Exhibition Department	+82-2-3415-0100
	Examiner	Examiner	+82-2-3415-0100

Data Access Requesting/Processing Department

• ① In accordance with the Personal Information Protection Act, the data subject may request the following departments to access to personal information. Please refer to 'Detailed inquiry on personal information file' → 'Departments that receives and handles requests for access to personal information' via the Personal Information Protection Commission website (privacy.go.kr).
• ② In addition to the above departments for receiving and processing requests for access, the data subject may request access to personal data via the Personal Information Protection Commission website (privacy.go.kr).

Remedies for Infringement of Rights

In the event that the rights or interests related to personal data are infringed, data subjects may report the infringement to relevant organizations, such as the KISA Personal Information Infringement Report Center. In addition, if the rights or interests of the data subject are infringed due to the disposition or omission taken by the head of a public institution in response to the request of the data subject for access, correction, deletion, suspension of processing, etc., you may file an administrative appeal in accordance with the Administrative Appeals Act.

Reporting and consulting organizations for data infringement

• 1. Personal Information Infringement Report Center: +82-118 (privacy.kisa.or.kr)
• 2. Personal Information Dispute Mediation Committee: +82-1833-6972 (kopico.go.kr)
• 3. Korean National Police Agency Cyber Bureau: +82-182 (cyberbureau.police.go.kr)

Judgment Criteria for Additional Use and Provision

The OKCC may additionally use or provide personal information without the consent of the data subject in accordance with Articles 15(3) and 17(4) of the Personal Information Protection Act and in consideration of matters under Article 14-2 of the Enforcement Decree of the Personal Information Protection Act. Accordingly, the OKCC has considered the following matters.

Judgment criteria for additional use and provision

• 1. Whether the purpose of additional use or provision of personal data is related to the original purpose of collection;
• 2. Whether additional use or provision is foreseeable in light of the circumstances in which personal data was collected or processing practices;
• 3. Whether the additional use or provision of personal data has unreasonably infringed upon the interests of the data subject; and
• 4. Whether necessary measures have been taken to ensure safety, such as encryption.

Versions of the Privacy Policy

This Privacy Policy shall be effective as of June 27, 2023.

Previous versions of the Privacy Policy are as below

• - Disclosure: June 20, 2023
• - Effective: June 27, 2023

Previous versions of the Privacy Policy (February 21, 2023 - June 26, 2023)