General Data Protection Policy
For the purpose of data protection of its users, the Company records processing activities (Article 30 of GDPR), designates a Data Protection Officer (DPO) to operate its business in accordance with GDPR (Article 37), and trains its employees for data protection (Article 39).
The Company formulates a legal framework to process personal data (Article 6) and has the data subject's explicit consent to the data processing (Article 7).
Additionally, in case of overseas transfer of the data, the Company concludes a contract under Standard Contractual Clauses adopted by a supervisory authority and approved by the Commission (Article 46.2 (c)), and has the explicit consent of a data subject (Article 49).
The Company allows a data subject to exercise his or her rights guaranteed by GDPR as follows: the right to receipt of his or her data (Articles 13 and 14), the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), the right to object (Article 21) and the right regarding automated individual decision-making including profiling (Article 22).
The Company is in compliance with the obligations of data protection by design and by default (Article 25) and implements technical and organizational measures reasonably necessary to prevent the data from leakage and breach (Article 32). It notifies a personal data breach to the supervisory authority within 72 hours after having become aware of it (Article 33) and communicates a personal data breach to a data subject without undue delay if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34).
About Privacy Notice
The Company notifies a data subject of the Privacy Notice within a reasonable period, not later than one month, in order to explain the methods and procedures of processing his or her data, including certain of his or her data, if it collects such personal data from the data subject or if any third party discloses such personal data (Articles 12, 13 and 14).
The Company notifies its users of this Privacy Notice as follows:
The data controller of personal information is the Company. If the user contacts us for assistance, for the safety of users and our own safety, the Company may need to authenticate the identity of the user before fulfilling the request.
Collection of Information
The Company collects and retains information about users such as:
• Information collected automatically by the Company:
- Records of service use and access, information on access IP, device identification number, OS information (country, language), etc.
- Log information such as IP address, log data, use time, search words input by users, internet protocol address, cookies and web beacons, etc.
Method of collection
The Company collects the information of the users in the following manner (Under GDPR 6(1)(a)):
• Collection through websites with the prior consent of the users
Use of Information
The Company uses information to provide, analyze, administer, enhance and personalize services and marketing efforts, and to communicate with users on these and other topics. For example, the Company uses information for the following purposes:
• To detect and deter unauthorized or fraudulent use of or abuse of the services
• To improve the existing services and develop new services
• To use the users’ information with their prior consent; or
• To comply with applicable law or legal obligations
Disclosure of Information
The Company discloses users’ information for certain purposes and to third parties, as described below:
• Service Providers: The Company uses other companies, agents or contractors (hereinafter referred to as "Service Providers") to perform services on our behalf or to assist the Company with the provision of services to users. For example, the Company engages EASEL DESIGN (Wono Building 2F, 380-6 Seogyo-dong, Mapo-gu, Seoul, Republic of Korea. 157-87-00275) to provide infrastructure and IT services to optimize Company’s service. In the course of providing such services, these Service Providers may have access to user’s personal or other information. The Company does not authorize service providers to use or disclose user’s personal information except in connection with providing their services.
• Partners: Users may have a contractual relationship with one or more of our Company’s Partners, in which case the Company may share certain information with them in order to coordinate with them on providing the service to users and providing information about the availability of the service.
• Promotional offers: The Company may offer joint promotions or programs that, in order for users to participate, will require the Company to share users’ personal information with third parties. In fulfilling these types of promotions, the Company may share users’ personal information in connection with fulfilling the incentive. In addition, these third parties are also responsible for their own privacy policies.
Need to disclose Personal Information
Information provided by users is a requirement for the service use contract between a user and the Company so that the Company provides the users with great services. The users may be restricted from using the Company’s services unless they give consent to the collection of required personal information. If they refuse to give consent to the collection of optional information, they can still use the Company’s services, except the services which require the consent to the collection of such optional information.
Overseas Transfer of Information
The users or their legal representatives, as subjects of the information, can exercise the following rights regarding the collection, use and disclosure of personal information by the Company:
• the right to access by the data subject (Under GDPR 15);
• the right to rectification (Under GDPR 16);
• the right to erasure (Under GDPR 17);
• the right to restriction of processing (Under GDPR 18);
• the right to data portability (Under GDPR 20);
• the right to object (Under GDPR 21);
• the right regarding automated individual decision-making, including profiling (Under GDPR 22); and
• the right to request the withdrawal of prior consent (Under GDPR 7(3))
In order to exercise any of the foregoing rights, the users submit written documents using the Data Subject Form provided by the Company to the Company (or DPO, agent) or contact it by email, and the Company will immediately take actions for the request by the data subject. Provided, however, that the Company may refuse such request if and to the extent there are reasonable grounds prescribed in the law or equivalent thereto.
Upon the request from a data subject, the Company takes actions as follows:
• To take actions for a data subject’s request after asking for proof of his or her ID (or that of his or her legal representative);
• To ask if a subject requires the information to be provided in writing or whether he or she will accept it in an electronic form;
• To have a standard process for the Company to effectively inspect all relevant systems and to communicate with other departments;
• To notify a data subject if there is no information that he or she has requested;
• To formulate reasonable criteria to determine whether to correct or disclose personal information if the personal information requested by a data subject includes the information of other individuals; provided however, such information can be disclosed if the other individuals explicitly give the consent thereto. The Company should consider the impact of such disclosure and the possible breach of others’ personal information if no explicit consent is available, in which case, it should document the justification of such disclosure;
• To take actions in accordance with the request of a data subject in such a manner as he or she can understand, including the requirements under Article 15 of GDPR;
• To make no available the transfer system which can be traceable in case of providing a data subject with the information he or she has requested. Such information should be disclosed by safe electronic means if individually agreed upon with the data subject; or
• To document the actions which have been taken for the request of a data subject
Also, the users or their legal representatives have the right to lodge a complaint with a supervisory authority (Under GDPR 13(2)(d), GDPR 14(2)(e)).
The Company takes the security of personal information seriously. It has the following security measures to prevent the unauthorized access to, or disclosure, use or change of the personal information (Under GDPR 32).
• Take appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data; these include internal reviews of our data collection, storage and processing practices.
• Restrict access to personal information to YUPOONG employees and agents who need to know that information in order to operate, develop or improve the service.
Checklist to Respond to Data Leakage and Breach
It is specified in Articles 33 and 34 of GDPR that in case of a personal data breach, the controller should without undue delay notify the personal data breach to a data subject and a supervisory authority. To this end, the Company responds to personal data leakage and breach before and after the occurrence of an incident in accordance with the following checklist:
• Preparing for a data breach
- To know how to recognize a data breach;
- To have prepared a response plan for addressing any personal data leakage and breach that occur;
- To have allocated responsibility for managing breaches to a dedicated person or team; and
- To train staff to know how to escalate a security incident to the appropriate person or team in its organization to determine whether a breach has occurred
• Response to a data breach
- To have in place a process to assess the likely risk to individuals as a result of a leakage;
- To have a process to notify the supervisory authority of a breach within 72 hours of becoming aware of it;
- To have a Breach Notification Form to be submitted to the Supervisory Authority if a data leakage and breach occur;
- To have a process to inform an affected data subject about a breach without undue delay;
- To know what information about a breach the Company must provide to data subjects, and to provide advice to help them protect themselves from its effects; and
- To document all breaches
• Process of report and notification of data leakage
- To contact the relevant supervisory authority of a breach within 72 hours after having become aware of it;
- To directly contact the individuals affected by a breach if it is likely to result in a high risk to their rights and freedoms; and
- To have a Breach Notification Form to the Supervisory Authority and a Breach Notification Form to the Data Subject
The Company does not collect any information of children under 13 or those under the minimum age under law. The Company’s services are not intended for, nor does the Company believe they are appealing to, children.
The Company may use the users’ personal information to create individual or collective profiles (hereinafter referred to as “profiling”) for the purpose of identifying how to provide the users with better services, for example, providing the users with customized content of services by analyzing what attracts the users most regarding the Company and the services rendered by the Company, and how the users use the services. In addition, the Company uses the personal information for the following purposes: to create user clusters to identify the users’ interest in the Company’s services; to analyze the market and statistics; or to enhance the Company’s services (all websites, etc.). It may integrate the data provided by all its websites and applications with the users’ personal information that the Company receives. The processing of personal information for profiling is carried out in line with the guarantees and measures specified in applicable law (Under GDPR 22).
For the purpose of protecting its users’ personal information, the Company complies with the principle of Data Minimization where the processing of personal information should be appropriate and limited to the extent solely necessary for the purposes for which the data are processed (GDPR 5.1.(c)). To this end, the Company abides by the following retention policy:
• The users’ personal information protected by the Company’s retention policy comprises all personal information processed by the Company;
• Personal information is retained for no longer than is necessary for the purposes for which the personal information is processed. The Company will destroy the personal information one year after the expiry of such period. However, the personal information may be stored for longer periods insofar as the personal information will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (Article 5.1 (e) of GDPR);
• The Data Protection Officer designates the strict retention period regarding the storage of users’ personal information and does not retain the data for longer than the period for which the data are required. The Company monitors the compliance regarding the data retention on a regular basis and deletes the data, if no longer necessary, in a safe manner (Recital Article 39 of GDPR);
• The Company schedules regular review of stored data to determine whether the information is still required;
• The Company is in compliance with relevant regulations such as GDPR, etc. in relation to the retention of users’ personal information.
The Company trains and monitors its staff members, including the ones in the HR team who handle personal information of the Company’s employees as well as the staff members who handle users’ personal information, in order for them to process personal information in compliance with GDPR (Article 39 of GDPR). The Company documents training-related details (date, time, list of employees to be trained, list of participants, training content, training conductor, DPO’s role) of training for employees.
The Company may collect collective and impersonal information through 'cookies' or 'web beacons'.
Cookies are small text files sent to the users' browsers by the server used for the operation of the Company’s websites and are stored on the hard disks of the users' computers.
Web beacons are small pieces of code which exist on websites and in e-mails. By using web beacons, the Company can identify whether a user has interacted with certain web pages or the contents of an e-mail.
These functions are used for evaluating and improving services and customizing user experience so that the Company provides much improved services for the users.
The items of cookies to be collected by the Company and the purpose of such collection are as follows:
• Required cookies: These cookies are indispensable for the users to use the functions of the Company’s website. No services can be provided for a user unless he or she accepts these cookies. These cookies do not collect any information which can be used for marketing or store the sites that the users have visited.
• Performance cookies: These cookies collect information on how the users use the Company's website, such as the webpages most frequently visited by the users. Such data helps to optimize the Company’s website so that the users can search more conveniently on its website. Such cookies do not collect any information regarding users’ identification. All or any information collected by these cookies is anonymous since the information is collectively processed.
• Functionality cookies: These cookies are used to store the set-ups so as to provide services and improve the user experience. No information collected by these cookies identifies an individual user.
The users have an option for cookie installation: accepting all cookies, confirming each cookie whenever it is saved, or refusing the storage of all cookies. However, such refusal by a user may limit part of the Company's services.
The latest update date: AUG 27, 2020