个人信息处理指南

Hugel, Inc. (hereinafter referred to as the "Company") complies with the Personal Information Protection Act and related laws and regulations to protect the freedom and rights of information subjects, and process personal information lawfully and securely. In accordance with Article 30 of the Personal Information Protection Act, the Company establishes and discloses a privacy policy to guide information subjects on the procedures and standards for processing personal information and to handle related complaints promptly and smoothly.

Purpose of Personal Information Processing

The Company processes personal information for the following purposes. Personal information processed by the Company will not be used for purposes other than those specified below, and in the event that the purpose of use is changed, the Company will take necessary measures, such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

1. Service Provision
1) Personal information is processed for the purpose of providing services for various inquiries, including customer inquiries, recruitment inquiries, and business partnerships.
2) Personal information is processed for the purpose of confirming and responding to reports of illegal, unfair, or unethical behavior by executives and employees (including, if necessary, further verification of the report, notification of receipt confirmation, reward for reporting, etc.)

Items of Personal Information Processed

The Company processes the following items of personal information.
1. Inquiry Details: Name, affiliation, (medical facility), telephone number, email address, inquiry content
2. Cyber Sinmungo
- Real Name Report: Full name, Relationship with the company, Phone number, Email, Content of report (Name of the individual being reported, Affiliated company of the individual being reported, Type of the individual being reported, Related business department or division or job, Title of report, Content of report, Attachment)
- Anonymous Report: ID (in email format), Password, Content of report (Name of the individual being reported, Affiliated company of the individual being reported, Type of the individual being reported, Related business department or division or job, Title of report, Content of report, Attachment)

Personal Information Processing and Retention Period

1. The Company processes and retains personal information within the period of personal information retention and use as specified by law or within the agreed-upon the period of personal information retention and use obtained from the information subject at the time of collection.
2. The processing and retention period of personal information is 1 year. (However, in cases where  separate storage is required, such as for reporting rewards, it will be stored until the purpose is achieved.)

Personal Information Destruction Procedure and Method

1. When personal information becomes unnecessary due to the expiration of the retention period of personal information, the achievement of the processing purpose, etc., the Company promptly destroys the relevant personal information.
2. If personal information must be retained pursuant to other laws despite the expiration of the agreed-upon retention period obtained from the information subject or the achievement of the processing purpose, the Company transfers the personal information to a separate database (DB) or stores it in a different location.
3. The procedure and method of personal information destruction are as follows.
1) Destruction Procedure: The department or person in charge responsible for the relevant information selects the personal information for destruction when the reason for destruction occurs and proceeds to destroy the personal information according to the following method of destruction.  
2) Destruction Method: The Company destroys personal information recorded or stored in electronic file from in a manner that the records cannot be regenerated, and shreds or incinerates personal information recorded or stored in paper documents.

Provision of Personal Information to Third Parties

1. The Company processes the personal information of the information subject only within the scope specified for the purpose of processing personal information, and will only provide personal information to third parties in cases the information subject’s consent is obtained or as specifically required by law, in accordance with Articles 17 and 18 of the Personal Information Protection Act. In all other cases, the Company will not provide the personal information of the information subject to third parties.
2. To ensure smooth service delivery, the Company may provide personal information only to the minimum extent necessary, with the information subject’s consent, in the following cases, in accordance with Article 17, Paragraph 1, Item 1 of the Personal Information Protection Act.

Recipient

Purpose of Provision

*Affiliated Companies of the Company related to the report consent 
*Affiliated Companies: Across Co.,  Ltd., J World Co., Ltd.

To review and respond to reports of illegal, unfair, or unethical behavior by executives and employees (including, if necessary, further  verification of the report,  notification of receipt confirmation, reward for reporting, etc.)

Provided Personal Information

Retention and Use Period

- Real Name Report: Full Name, Relationship with the company, Phone number, Email, Content of report (Name of the individual being reported, Affiliated company of the individual being reported, Type of the individual being reported, Related business department or division or job, Title of report, Content of report, Attachment)
- Anonymous Report: ID (in email format), Password, Content of report (Name of the individual being reported, Affiliated company of the individual being reported, Type of the individual being reported, Related business department or division or job, Title of report, Content, Attachment)

1 year(However, in cases requiring  separate retention, such as for reporting rewards, it can be stored until the purpose is achieved.)

Matters Concerning the Outsourcing of Personal Information Processing

1. For efficient handling of personal information tasks, the Company outsources personal information processing tasks as follows:

Recipient of the Outsourcing  (Contractor)

Outsourced Task

FAS Company

System operation and maintenance

2. When entering into outsourcing contracts, the Company specifies in the contract documents matters regarding the prohibition of processing personal information beyond the purpose of performing the outsourced tasks, technical and administrative protective measures, restrictions on re-outsourcing, management and supervision over the Contractor, and liability for damages, in accordance with Article 26 of the Personal Information Protection Act. The Company also supervise the Contractor to ensure that personal information is handled securely.
3. Pursuant to Article 26(6) of the Personal Information Protection Act, the Contractor must obtain the Company’s consent if the Contractor re-outsources the Company’s personal information processing tasks.
4. If there are any changes to the content of the outsourcing tasks or the Contractor, the Company will promptly disclose such changes through this privacy policy.

Rights, Obligations, and Methods of Exercising Rights of Information Subjects and Legal Representatives

1. Information subjects have the right to request access, correction, deletion, or suspension of processing of personal information from the Company at any time.
2. Rights can be exercised by submitting a request to the Company in writing, via electronic mail, facsimile transmission (FAX), etc., in accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, and the Company will promptly take action upon receipt of such requests.
3. Rights can also be exercised through legal representatives of information subjects or individuals delegated to act on their behalf. In this case, a power of attorney according to Annex 11 of the ‘Guidelines on Personal Information Processing Methods (No. 2023-12)’ must be submitted.
4. Requests for access to personal information or for suspension of processing may be restricted under Article 35(4) and Article 37(2) of the Personal Information Protection Act.
5. Requests for correction and deletion of personal information cannot be made if the personal information is specified as a collection target under other laws.
6. The Company verifies whether the person making a request for access, correction, deletion, or suspension of processing under the rights of the information subject is the information subject themselves or a legitimate representative.

Measures to Ensure the Security of Personal Information

To ensure the security of personal information, the Company has implemented the following measures:
1. Administrative Measures: Establishment and implementation of internal management plans, operation of dedicated organizations, regular employee training, etc.
2. Technical Measures: Management of access rights to personal information processing systems, installation of security programs, etc.
3. Physical Measures: Access control to computer rooms, data storage rooms, etc.

Criteria for Determining Additional Use and Provision of Personal Information

1. In accordance with Article 15(3) and Article 17(4) of the Personal Information Protection Act, the Company may use or provide personal information additionally without the consent of the information subject, considering the matters specified in Article 14-2 of the Enforcement Decree of the Personal Information Protection Act.
2. The Company has considered the following factors to additionally use or provide personal information without the consent of the information subject:
1) Whether the purpose of additional use or provision of personal information is related to the original purpose of collection.
2) Whether there is predictability of additional use or provision in light of the circumstances under which the personal information was collected or processing practices.
3) Whether the additional use or provision of personal information unjustly infringes on the interests of the information subject.
4) Whether necessary measures to ensure safety, such as pseudonymization or encryption, have been taken.

Personal Information Security Officer

1. The Company is responsible for overseeing personal information processing tasks and has designated a personal information protection manager for handling complaints and remedies related to personal information processing. The details are as follows:
1) Personal Information Security Officer
Department, Name, Position: Security Office, Lee Sang Gyu, Director
Contact: privacy@hugel-inc.com / 02-6966-1600
2) Personal Information Security Department    
Department Name: Security Office, Security Team 1
Contact: privacy@hugel-inc.com / 02-6966-1600
※ This department also handles personal information access requests.
2. Information subjects can contact the personal information security officer and the department in charge regarding all inquiries, complaints, and remedies related to personal information protection arising from the use of the Company's services (or business). The Company will promptly respond and address inquiries of information subjects.

Remedies for Rights Infringement

1. Information subjects may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, Korea Internet & Security Agency Personal Information Infringement Report Center, and other relevant institutions, to seek resolution for personal information breaches. For other reports or consultations regarding personal information breaches, please contact the following organizations:
1) Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
2) Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)
3) Supreme Prosecutors' Office of the Republic of Korea: 1301 (www.spo.go.kr)
4) National Police Agency: 182 (ecrm.cyber.go.kr)
2. The Company ensures information subjects' right to self-determination of personal information and endeavors to provide consultation and remedy for damages caused by personal information breaches. If reporting or consultation is necessary, please contact the following department:
1) Customer Consultation and Reporting for Personal Information Protection  
Department Name: Security Office, Security Team 1
Contact: privacy@hugel-inc.com / 02-6966-1600
3. According to the provisions of Article 35 (Access to Personal Information), Article 36 (Correction or Deletion of Personal Information), and Article 37 (Suspension of Personal Information) of the ‘Personal Information Protection Act’, individuals who have suffered infringement of rights or interests due to the actions or omissions of a public institution’s head in response to requests based on those provisions may file an administrative appeal in accordance with the Administrative Appeals Act.
1) Central Administrative Appeals Commission: (Without area code) 110 (www.simpan.go.kr)

Privacy Policy Change

1. This Privacy Policy will be effective from August 1, 2024.
2. The previous Privacy Policy can be accessed on the page below:
Applicable from April 1, 2024, to July 31, 2024