PRIVACY POLICY

All of the personal information handled by the Korea Health Industry Development Institute (hereinafter referred to as “KHIDI”) is collected, retained, and processed in compliance with the provisions concerning the protection of personal information of applicable laws, including the Personal Information Protection Act (hereinafter referred to as “Act”).

KHIDI has established this privacy policy (hereinafter referred to as “Privacy Policy”) as described below, in order to protect the users’ personal information and rights, as well as to facilitate the handling of users’ complaints related to their personal information, pursuant to the provisions of applicable laws. Furthermore, in case of a revision of this Privacy Policy, KHIDI will announce such revision hereof by comparing the content of this Privacy Policy before and after such revision, so as to help the subject of personal information to readily identify the effective date and content of such revision.

Article 1 (Purposes of Processing Personal Information; Items and Retention Period of Personal Information to Be Processed)

  1. The personal information files registered and disclosed pursuant to Article 32 of the Act shall be processed and retained by KHIDI for such purposes during the retention period, as described below, with respect to the following items of such personal information:
    Description Title of personal information file Purposes of processing personal information Items of the personal information to be processed Retention period
    Medical Korea Services Reservation Platform The personal information of reservation applicants for hospital medical services Delivery and management of reservation applicants Name, e-mail address, mobile phone number (contact information), gender, age, and nationality 2 years
  2. The status of personal information files being managed and maintained by KHIDI can be accessed as follows: - Privacy Information Protection Portal (www.privacy.go.kr) → Civil petition concerning personal information → Request for access to personal information, etc. → Retrieval of the list of personal information files → Access by entering “KHIDI” as the name of organization ※ A public I-PIN is required for filing a civil petition on the Privacy Information Protection Portal.

Article 2 (Provision of Personal Information to Third Parties)

  1. In principle, KHIDI shall process the personal information of the subject thereof, to the extent of the specifically defined purposes for collection and use. KHIDI shall not process or provide to a third party any of such personal information beyond the aforementioned original purposes without the subject’s prior consent, except where:
    1. A consent has been separately obtained from the subject;
    2. It is specifically provided in applicable laws;
    3. It is deemed obviously and urgently necessary to do so for the benefit of the subject or a third party, with respect to his/her life, body, or property, whereas the subject or his/her legal representative is not in a position to express his/her intention, nor prior consent can be obtained as the subject’s whereabouts are unknown or otherwise;
    4. Such personal information is needed for any statistical or academic research purposes, etc., and is provided in the form that cannot identify any specific individual person;
    5. It has been duly deliberated and resolved by the Personal Information Protection Commission (PIPC), whereas KHIDI cannot execute any of its duties delegated or assigned to it pursuant to other laws without using such personal information, other than for the original purposes or providing the same to a third party;
    6. Such personal information is needed to be provided to a foreign government or international organization in compliance with any treaty or other international agreement;
    7. Such personal information is needed in order to investigate crimes, initiate, and maintain a public prosecution thereof;
    8. Such personal information is needed in order to conduct trials at a court; or
    9. Such personal information is needed in order to execute sentences and protective custody orders.
  2. KHIDI provides personal information to third parties, as follows:
    Recipients of personal information Purposes of using the personal information by recipients Items of the personal information to be provided Recipients’ retention and usage period of the personal information
    Responsible departments of platform-registered hospitals / concierge-connected vendors To provide patient information to the hospital selected by patients for appointment To provide patient information to the hospital selected by patients for appointment 2 years

Article 3 (Entrustment of the Processing of Personal Information)

  1. KHIDI entrusts the processing of personal information to the following service provider in order to facilitate the processing of such personal information:
    Service provider Description of entrusted activities Entrustment period
    H&Consulting Development and management of platform From December 1, 2017 through December 31, 2018
  2. In entrusting the processing of personal information, KHIDI entrusts such personal information in accordance with the relevant documents containing the following matters pursuant to Article 26 (Restrictions on the Processing of Personal Information under Entrustment) of the Act:
    1. Matters related to the prohibition of the processing of personal information other than for the purpose of carrying out the entrusted activities;
    2. Matters related to administrative and/or technical measures taken to protect personal information; or
    3. Other matters prescribed by the Presidential Decree to protect personal information in a safe manner, including:
      The purpose and scope of the entrusted activities; restrictions on the second-tier entrustment; safety measures for personal information; supervision, including inspections of the management condition of the personal information retained in relation to the entrusted activities; and the service provider’s liability for damages, in case of a breach in its obligations.
  3. In case of changes of the entrusted activities or the service provider, KHIDI shall promptly announce the content of such changes through this Privacy Policy without delay.

Article 4 (Rights and Obligations of the Subject of Personal Information and Methods of Exercise Thereof)

  1. The subject of personal information (or his/her legal representative, if the subject is a minor under 14 years of age) may exercise any of the following rights, concerning the protection of personal information at any time:
    1. To request access to his/her personal information;
    2. To request corrections thereto, in case of errors, omissions, etc.;
    3. To request deletion thereof; or
    4. To request suspension of the processing thereof.
  2. The subject’s rights set forth in subsection 1 above may be exercised by preparing a written request in the form (Form No. 8) attached to the Enforcement Ordinance of the Act and by sending or transmitting the same to KHIDI in writing, via e-mail or fax, or otherwise. Upon receipt of such request, KHIDI shall promptly take the proper actions without delay.
  3. If the subject has requested for corrections of any errors, omissions, etc. in his/her personal information or deletion of such personal information, KHIDI shall not use or provide the subject’s personal information to a third party until the aforementioned corrections and deletion, as applicable, has been completed.
  4. The rights under subsection 1 above may be exercised by the subject’s legal representative or otherwise authorized representative. In such a case, the legal representative or authorized representative shall present a power of attorney prepared in the form (Form No. 11) attached to the Enforcement Ordinance of the Act.
  5. Should a request be made for access to, or suspension of the processing of personal information pursuant to subsection 1 above, the subject’s rights may be limited pursuant to the provisions of Articles 35.5 and 37.2 of the Act.
  6. If any specific item of personal information is expressly required by other applicable laws to be collected, the subject of such personal information shall not be allowed to request for corrections to or deletion of the aforesaid item.
  7. Upon request for access or corrections to or deletion of personal information in the exercise of the subject’s rights, the person making such a request shall be subject to identification procedures in order to confirm whether the person is the subject or his/her duly authorized representative.
    1. Written request for (access or corrections to, deletion of, or suspension of the processing of) personal information: Form No. 8 attached to the Enforcement Ordinance of the Act
    2. A power of attorney: Form No. 11 attached to the Enforcement Ordinance of the Act

Article 5 (Destruction of Personal Information)

  1. In principle, KHIDI promptly destroys personal information, without delay, once the purpose of processing the same has been attained, unless such personal information has to be preserved, pursuant to the relevant provisions of other applicable laws.
    Procedures and deadlines, including methods of destruction, thereof are as follows:
    1. Destruction procedures
      Unnecessary personal information and personal information files shall be disposed of, as follows, by the Personal Information Manager, as part of his/her own responsibility, and in accordance with the relevant internal policies and procedures:
      1. Destruction of personal information
        Upon expiration of the retention period, the personal information in question shall be immediately destroyed, without delay, on the expiration date thereof.
      2. Destruction of personal information files
        If a personal information file ceases to be needed any longer due to the attainment of purposes of the processing thereof, termination of the corresponding services, closure of the business or otherwise, the personal information file in question shall be immediately destroyed, without delay, on the date when it is deemed that the processing of such personal information is no longer needed.
    2. Destruction methods
      1. Personal information in the form of an electronic file shall be permanently destroyed, using a technological method that renders such file impossible to be regenerated, while the personal information printed on paper shall be shredded with a paper shredder or destroyed through incineration.
      2. Any partial destruction of personal information shall be carried out, as follows:
        Personal information in the form of an electronic file: The personal information shall be deleted. Proper management and monitoring is subsequently required to ensure that the deleted information will not be restored or regenerated at all.
        Personal information in the form of a documentary or printed matter; in writing or stored in any other recording medium: The corresponding portion thereof shall be deleted, by masking, perforating, or otherwise.

Article 6 (Safety Measures for Personal Information)

  1. KHIDI takes the administrative, technical, and/or physical measures to ensure the safety of personal information pursuant to Article 29 of the Act, as follows:
    1. Establishment and implementation of internal control plans
      In order to ensure safe processing of personal information, KHIDI establishes and implements its internal control plans, which contain the following matters:
    2. Management of access rights
      1. Access to the personal information processing system is granted to individual employees who are engaged in processing personal information, in a differentiated manner, to the minimum extent necessary for them to execute their respective duties.
      2. If the Personal Information Representative is replaced by another employee as a result of personnel transfers (including transfer, retirement, etc.), access to the personal information processing system is immediately modified or revoked without delay. In addition, the nature of such access rights granted that had been modified or revoked are recorded and retained for the prescribed period.
      3. Access to the personal information processing system is granted to individual employees who are engaged in processing personal information, in a differentiated manner, to the minimum extent necessary for them to execute their respective duties.
    3. Encryption of personal information
      Personal information is stored and managed in a safe manner, through encryption or otherwise. In addition, additional security functions are also used in processing personal information, including commercial encryption software or other safe password algorithms for significant data.
    4. Preservation and checkup of access log
      The Personal Information Representative maintains and manages the access log, which contains records concerning the access made to the personal information processing system, at least for six months. The aforementioned access log is kept in a safe and secure manner to ensure that it will not be forged, altered, stolen, or lost.
    5. Prevention of malicious computer programs, etc.
      Security programs for computers are installed and used, including and without limitation to vaccine software, which can prevent and treat malicious computer programs.
    6. Physical access control
      Computer rooms, archives, and other physical storage facilities used to store personal information are separately located. Access control procedures for such locations are established and applied.

Article 7 (Personal Information Manager and Personal Information Representative)

  1. KHIDI has appointed a Personal Information Manager and a Personal Information Representative, as follows, in order to protect personal information and deal with complaints related to personal information:
    Personal Information Manager Personal Information Representative
    Department The Office of Operations Support Department The Office of Operations Support
    Name/Title Seungsook Lee / Office Manager Name/Title Suyoung Kim / Team Member
    Phone Number 043-713-8356 Phone Number 043-713-8321
  2. The subject of personal information may make inquiries to the Personal Information Manager and the responsible department, with respect to all matters arising in the course of using the services or business provided or offered by KHIDI, including inquiries concerning the protection of personal information, processing of complaints, remedy of damages, etc. All inquiries will receive KHIDI’s prompt attention, which will be answered and processed without delay.

Article 8 (Request for Access to Personal Information)

  1. The subject of personal information may request access to his/her personal information to the following department of KHIDI, pursuant to Article 35 of the Act. KHIDI will exert its best efforts to ensure that such access request will be dealt with promptly.

    Department responsible for receiving and dealing with requests for access to personal information:
    Department name: The Office of Operations Support; Contact person: Suyoung Kim
    Contact information: (phone number) 043-713-8321, (e-mail address) sykim89@khidi.or.kr
  2. In addition to the responsible department referred to in subsection 1 above, the subject of personal information may also request access to his/her personal information, etc. through the “Privacy Information Protection Portal” website (www.privacy.go.kr) of the Ministry of Government Administration and Home Affairs.

    “Privacy Information Protection Portal” website (www.privacy.go.kr) of the Ministry of Government Administration and Home Affairs (MGAHA).
    Privacy Information Protection Portal (MGAHA) → Civil petition concerning personal information → Request for access to personal information, etc.
    (A public I-PIN is required for identification purposes.)

Article 9 (Remedy for Violations of the Subject’s Rights)

  1. In order to pursue a remedy for violations of personal information, the subject thereof may make a request to the Personal Information Incident Report Center, the Personal Information Dispute Mediation Committee, etc. for the settlement of disputes, remedies of damages, consultations, etc.
    1. Personal Information Incident Report Center (run by Korea Internet & Security Agency (KISA))
      ○ Assigned duties: reports on violations of personal information; requests for consultations
      ○ Home page: privacy.kisa.or.kr
      ○ Phone number: 118 (without telephone exchange number)
      ○ Address: Personal Information Incident Report Center
      (301-2 Bitgaram-dong) 3rd Floor, 9 Jinheung-gil, Naju, Jeollanam-do (58324)
    2. Personal Information Dispute Mediation Committee
      ○ Assigned duties: requests for mediation of disputes involving personal information; mediation of class disputes (civil settlement)
      ○ Home page: www.kopico.go.kr
      ○ Phone number: 1833-6972 (without telephone exchange number)
      ○ Address: 4th Floor, Seoul Government Building, 209 Sejong-daero, Jongro-gu, Seoul (03171)
    3. Cybercrime Investigation Division of the Supreme Prosecutors’ Office: 02-3480-3573 (www.spo.go.kr)
    4. Cyber Bureau of the National Police Agency: 182 (http://cyberbureau.police.go.kr)
    5. Cyber Terror Response Center of the National Police Agency: 1566-0112 (www.netan.go.kr)
    6. Administrative Judgment Commission: Refer to the homepage of Anti-Corruption & Civil Rights Commission (http://www.acrc.go.kr)
      When a person has made a request to a public institution for access or corrections to, deletion of, or suspension of the processing of his/her personal information, the person may file an administrative appeal, pursuant to the provisions of the Administrative Appeals Act, if the person’s rights or interest has been prejudiced as a result of an action or omission on the part of the head of the public institution in response to such request.

Article 10 (Revision of Privacy Policy)

  1. This Privacy Policy shall enter into force on December 1, 2017.