Persnal Information Protection Act

Hankook Cosmetics (‘Company’ hereinafter) values the personal information of “GENERTE” website users (‘Users’ hereinafter), and is in compliance with related laws such as the [Act on the Promotion of Information and Communications Network Utilization and Information Protection] and the [Personal Information Protection Act]. The Company announces the usage and method of the personal information provided by Users and the measures taken for personal information protection through the privacy policy. In the event that the privacy policy is revised, the Company will notify the revisions through a notice on the website (or individual notifications).

This revision shall be effective from April 1, 2017.

1. Purpose of personal information collection and usage The “GENERTE” website of the company utilizes the collected personal information for the following purposes. Personal information that is being processed is not used for any other purpose than the following, and in the event that the purpose of usage is revised, necessary measures such as receiving additional consent according to Article 18 of the [Personal Information Protection Act] will be taken.

ㅡ Purpose of Use : onfirming membership, identification verification for membership registration, membership maintenance and management, preventing fraudulent use of membership services, various notices, grievance handling, identification for purchase/authorization, execution of legal/administrative duties of the Company based on laws including the Act on Door-to-Door Sales, etc., payment of allowances, reporting/submitting various taxes such as income tax and residence tax, issuance of cash receipts and tax invoices, accurate address for delivery, service provision, contract and receipt delivery, contents provision, customized service provision

2. Consent for personal information collection In relation to the Users’ personal information collection, the Company shall provide a procedure for the User to click either the [I agree] button or [I do not agree] button. If the User clicks the [I agree] button, it shall be understood that the User agrees to the collection of personal information.

3. Collected personal information The Company collects the following personal information for consultation, service applications, etc.

ㅡ Collected information : name, bank account information, business registration number, date of birth, address, phone number, mobile number, email address, member ID, password, access IP equipment, cookies, service usage records, access log
ㅡ Method of personal information collection: website

4. Period of personal information retention and usage The Company shall destroy without delay the applicable information after achieving the purpose of personal information collection and usage. However, if reason for retention of the information arises in accordance with the regulations of related laws, the Company shall retain the following membership information for a defined period of time determined by related laws.

ㅡ Records on contract or withdrawal : 5 years
ㅡ Record of payment and goods supply : 5 years
ㅡ Records on consumer complaints and dispute resolution : 3 years
ㅡ Prevention of re-registration within 6 months of membership withdrawal and identification of disqualified members in accordance with internal policies : 3 years

5. Use/Provision other than purpose of personal information The Company shall not use/provide personal information through methods other than the purpose of collection. However, the Company may use/provide the information in special circumstances in accordance with the regulations of related laws including Article 18 of the [Personal Information Protection Act].

6. Procedures and method of destroying personal information The Company shall destroy without delay applicable information after achieving the purpose of personal information collection and usage. The procedures and method of destruction are as follows.

ㅡ Procedures of destruction
The information entered by the User is transferred to a separate DB after achieving the purpose (separately stored if on paper) and retained for a defined period in accordance with the reasons for information protection (refer to Period of Possession and Usage) of internal policies and other related laws before being destroyed. Personal information that has been transferred to a separate DB is not used for any other purpose than possession unless stated otherwise by law.
ㅡ Method of destruction
The personal information, which is stored as an electronic file, is deleted using a technological method so that the record cannot be opened.

7. Consignment of collected personal information The Company is operating services through a professional agency as stated below.

ㅡ Agency:
ㅡ Duties:

When signing the consignment agreement, the Company shall specify the provisions on a document such as a contract in accordance with Article 26 of the Personal Information Protection Act and entrust the obligation of securely processing personal information to the trustee. In the event that the content of the consignment or the trustee is changed, we will reveal this fact without delay through this privacy policy.

8. Rights/Obligations of information subject and method of exercise The User may exercise the following rights as the personal information subject.
The information subject may at any time exercise rights related to personal information protection of the following.

ㅡ Request to view personal information
ㅡ Request revision if there are errors
ㅡ Request deletion
ㅡ Request to stop processing

The rights set forth in Clause 1 may be exercised in writing, via email or fax according to Annex form 8 in Enforcement Regulations of the Personal Information Protection Act and the Company shall take measures without delay. In the event that the information subject requests revision or deletion of erroneous personal information, the Company shall not use or provide the personal information until revision or deletion is complete. The rights set forth in Clause 1 may be exercised through a representative such as a legal representative of the information subject or appointee. In this case, you must submit a letter of appointment according to Annex form 11 in Enforcement Regulations of the Personal Information Protection Act.

9. Measures to ensure safety of personal information The Company is taking the following technological/administrative and physical measures to ensure safety in accordance with Article 29 of the Personal Information Protection Act.

ㅡ Periodic internal audits
The Company conducts periodic internal audits (once per quarter) to ensure safety in relation to personal information handling
ㅡ Establishment and execution of internal management plan
The Company has established and is executing an internal management plan for the safe handling of personal information.
ㅡ Encryption of personal information
Personal information of the User such as the password is only known by the User as it is encrypted before being stored. The Company uses security functions such as encryption or file lock functions for important data.
ㅡ Technological measures in preparation for hacking
The Company has installed a security program, conducts regular inspections, installs the system in areas where external access is restricted and technologically/physically audits/blocks malware to prevent personal information leaks and damage caused by hacking or computer viruses.
ㅡ Restricted access to personal information
Granting, changing, and terminating access privilege to a database that processes personal information is strictly managed, and the firewall system is used to block unauthorized remote access.
ㅡ Storage of access record and prevention of forgery
The records of access to the personal information processing system is stored for a minimum of over 6 months and a security function has been installed so that the access records are not forged, stolen or lost.
ㅡ Use of locking device for document security
Documents including personal information and auxiliary storage mediums are stored in a safe location with a locking device.
ㅡ Restricted access for unauthorized persons
The physical storage location, which stores personal information, is managed by a restricted access procedure.

10. Manager of personal information protection The Company supervises tasks related to personal information processing and has designated the following personal information protection manager to process information subject complaints and damage relief.

ㅡ Personal information protection manager
ㅡ Name: Kyu-dong Kim
ㅡ Position: Head of Management Support Division
ㅡ Email: kd7190@ihkcos.com
ㅡ You will be connected to the department responsible for personal information protection department.

ㅡ Department responsible for personal information protection
ㅡ Department: Hankook Cosmetics First Ever Strategy Team
ㅡ Phone: 02-724-3920
ㅡ Email: sk_suk@ihkcos.com

Information subjects may make inquiries on issues related to personal information protection, complaints and damage relief regarding the use of the Company’s “GENERTE” website services to the personal information protection manager and responsible department. The Company will respond and process inquiries from information subjects without delay.

11. Request for viewing personal information The information subject may file a request for viewing personal information to the following department in accordance with Article 35 of the Personal Information Protection Act. The Company shall make an effort to quickly process the information subject’s request for viewing personal information.

ㅡ Personal information viewing request processing department
ㅡ Department: Computing Team
ㅡ Phone: 02-724-3381
ㅡ Email: poj@ihkcos.com

nformation subjects may file a request to view personal information through the ‘personal information protection integrated support portal’ website (www.privacy.go.kr) of the Ministry of Public Administration and Security in addition to the processing department of Clause 1.
ㅡ Ministry of the Interior and Safety personal information protection integrated support portal → personal information civil complaint → request viewing of personal information (you must have an I-PIN for verification)

12. Revision of privacy policy This privacy policy shall be effective from the enforcement date and in the event that there is an addition, deletion or revision of the content according to the laws and policies, the Company shall give notice seven days before enforcement of the revised content.