Dear Tunza Eco-generation members,

 

In order to protect personal information and comply with the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. of Korea, we would like to update the Personal Information Protection Policy as below.

 

·  Date of notification: February 18, 2016

·  Effective date: March 18, 2016

 

 Personal Information Protection Policy

 

Samsung Engineering Co. Ltd (hereinafter the 'Company') recognizes the importance of protecting users' personal information and makes the utmost efforts to ensure information security by complying with the 'Act on Information and Communications Network Use Promotion and Information Protection' and  Personal Information Protection Act' and developing this Personal Information Protection policy.

 

Here in this policy, the Company notifies its personal information protection policy including the following: the type of personal information to be acquired, purpose of personal information collection, handling of personal information and its duration, and rights of users and how to exercise them.

 

If any change, deletion or addition is made to this policy in accordance with revisions in relevant laws and regulations or the Company's internal policy, the Company will notify its users via Tunza Eco-generation website (https://tunza.eco-generation.org).

 

The contents of this policy are as follows:

1. Purpose of acquisition and use of personal information

2. Types of personal information to be acquired and how to collect it

3. Retention and use period of personal information

4. Provision of personal information to third parties

5. Outsourcing of personal information management

6. Procedure and methods of personal information disposal

7. Rights of users and their legal representatives and how to exercise the rights

8. Installation and operation of automatic collection system of personal information and how to reject its use

9. Measures to protect personal information

10. Personnel in charge of personal information management and response to user complaints

11. How to seek help for security breach

12. Revisions to the Personal Information Protection Policy

 

 

1. Purpose of acquisition and use of personal information

 

The Company acquires and uses personal information for the following purposes. The acquired personal information is not used for any other purposes than the following, and the Company will take legally-required actions such as acquiring prior consents from users when there is any change to the purposes.

 

 1) Providing services to its registered members

- Provide contents and other membership-based services

 

 2) Management of registered members

 - Verify personal identity for membership-based service, prevent illegal or unauthorized use of malignant users, check user's willingness to join, check user's nationality and age, and issue notices

 

 3) Promotion events

  - Provide information on promotion events, develop new and customized services, check validity of services, check the number of access, develop statistics of members' service use

 

2. The type of personal information to be collected and how to collect

 

 1) Collected items

	Collected items
For membership-based service and user management (default)	- Essential items Name, email address, nationality, birthday, mailing address, phone number
For promotion events (Collected after acquiring  consent separately)	- Essential items Phone number, address and other information needed for the event

 

-          The following information can be created and collected while users access and use our services.

Access logs, cookies, IP addresses, service use records

 

 2) How to collect

- The online membership registration webpage, paper-based registration form, phone, e-mail, online bulletin boards, registration for promotion events and other activities

- Live data collection tool (for access logs or cookies)

 

3. How long personal information is retained and used

1)      The Company retains and uses personal information for the following period:

- Personal information inevitably collected and used to comply with separate legal requirements or legal obligations

: During the period the Company needs to retain the information based on the relevant laws and regulations

 

- Personal information inevitably collected and used in order to sign and execute contracts

: Until the Company fulfills the purposes of collecting and using the information

 

- Personal information collected and used by acquiring consents from individual users

: During the period the users consented for

 

2) The Company deletes personal information in its database immediately after the retainment and usage period is over or the purpose of information collection is achieved. However, if the Company needs to retain the information longer in accordance with the relevant laws and regulations or was granted the users' prior consents, it can retain the information exceeding the retainment and usage period.

 

3) For the users who have not accessed for a long period of time (over a year), the Company deletes or separately stores and manages their personal information immediately after 1 year has passed with no access. The period of no access is counted with access records, and users will be notified with e-mails one month before the point of 1 year with no access.

 

4. Provision of personal information to third parties

1)      The Company does not disclose users' personal information to outside, except for the following cases where:

-           The user granted prior consent

-           The law states to disclose certain information or it is inevitable for the Company to release the information in order to fulfill its legal obligation because it is required to disclose the information in order to meet the urgent need of protecting life, physical security or assets of the user or a third party while it is impossible to gain the user's prior consent because the user in question or his/her legal representative is in a state unable to express one's will or cannot be reached because of unknown address (with a scope limited to the purpose of personal information collection.)

 

2)      Users have a right not to allow their personal information to be shared with a third party, while, if they exercise the right, the users may face limits in services available to them.

 

5. Outsourcing of personal information management

 

1) The Company outsources personal information management to specialized vendors as follows in order to provide better services and promote user convenience. The Company ensures safe management of personal information by mandating necessary requirements in accordance with the relevant laws and regulation when signing outsourcing contracts with outside vendors.

       

Outsourcing vendors	Outsourced tasks
Samsung SDS Co.Ltd.	Operation and maintenance of the website

 

2) The Company includes, in its contract with the outsourcing vendors, the requirement to ban handling of personal information except for the purpose of performing the commissioned tasks, ensure technical and managerial protection measures, limit re-commissioning to other vendors and hold the vendors accountable for damages, in accordance with the Article 26 of Personal Information Protection Act and Act on Promotion of Information and Communications Network Utilization and Information Protection, and supervises the outsourcing vendors to ensure they handle personal information safely.

 

3) If the outsourcing vendors or their outsourced tasks are added or changed, the Company releases the information in this policy.

 

6. Procedure and methods of personal information disposal

 

After achieving the purpose of the collecting and retaining personal information or reaching the end of retainment period, the Company disposes of the personal information in the following procedures:

 

1)      Disposal process

-          Dispose of the information immediately after achieving the purpose or reaching the end of retainment period

-          Select the information to be disposed of, execute the disposal, report the disposal and gain approval from personal information manager (before or after the disposal)

2)      How to dispose:

-          Information in electronic format: Delete permanently in a irreparable manner

-          Printed materials, papers and other information in non-electronic format: Destroy by shredding, burning or dissolving

 

7. Rights of users and their legal representatives and how to exercise the rights

 

1) Users and their representatives can always withdraw their consent on collection, use and provision of personal information. They can also demand the Company disclose, provide, revise, delete or dispose of the following information in accordance with the relevant laws and regulations. When requested by users or their legal representatives, the Company will take necessary measures immediately (unless there are reasonable grounds not to do so). 

 

- User's personal information

- The log of using or providing a third party with the user's personal information

- The status of the user's consent to collection, use and provision of their personal information

 

2) If you want to view or modify your personal information, click 'Change User Information.' If you want to withdraw your consent on retainment and use of personal information or cancel your membership, click 'Withdraw Membership.' You can view and modify your personal information or cancel your membership after going through user verification process. Or you can also contact our personal information management personnel via letter, phone or e-mails to make such requests.

 

 3) The Company may limit or reject requests to view, provide, revise, delete or stop handling personal information in the following cases after informing users or their legal representatives of the reasons:

 

- When the Company needs to do so in order to comply with particular legal requirements or fulfill legal obligations

- When there is a risk of harming others physically and/or financially or infringe upon other's interests in an unfair manner

 

4) When the Company rejects requests of users or their legal representatives to view, provide, revise, delete or stop handling personal information, it will notify the users or their legal representatives of its decision to reject, the reasons why and how to raise objections.

 

8. Installation and operation of automatic collection system of personal information and how to reject its use

 

The Company manages 'cookies' to store and find users'information. 'cookies' are small text files the Company's server sends to its users' browsers, and they are stored in the users' hard disk.

 

1)      Purpose of using cookies

The Company uses cookies in order to provide optimized information for users by understanding the way users visit and use the website as well as the number of visits.

2)      Setting for cookies: How to set, check and decline

Users can choose different options for cookies. They can set their web browser to allow all cookies, confirm every time cookies are stored, or decline all cookies from being stored. However, if users disable the use of cookies, services provided by the website can be limited.

 

-          How to set up (for Internet Explorer 8.0)

Go to Tools and click Internet Options. Click Personal Information tab and Setting to set the allowance level of cookies.

-          How to check the cookies stored on your computer (for Internet Explorer 8.0):

Go to Tools and click Internet Options. Click General tab to go to Search Results—Setting—View Files.

-          How to disable cookies (for Internet Explorer 8.0):

Go to Tools and click Internet Options. Click Personal Information tab and Setting to set the allowance level of cookies to 'Disable all cookies'.

 

9. Measures to protect personal information

The Company is taking technical and managerial measure as follows in order to protect personal information to prevent loss, theft, leakage, distortion or damage of information.

 

1)      Development and implementation of internal management plan

-          The Company has developed and implemented an internal management plan to ensure safe handling of personal information.

-          With its dedicated team for protection of personal information, the Company makes sure proper protection measures are implemented, its personnel comply with protection policies and, when problems are identified, corrective measures are taken.

 

2)      Control and limits on access to personal information

-          Installation and operation of access control tools

The Company uses a breach blocking system to block any unauthorized access and is doing its best to secure all possible technical equipment to ensure security on its system.

-          Minimized designation and training of personal information managers

· The Company minimizes designation of personnel in charge of handling personal information and provides regular training with in-house and outside trainers.

· Handover of personal information management tasks is carried out in full security and the Company clearly identifies accountability for security breach after its employees join the Company or resign.

-          Control access to personal information

· The Company controls the access to personal information by granting, changing or terminating access authority to database handling personal information. The Company also records the details of granting, changing or terminating access authority and retains the records for 3 years at minimum.

      

3)      Encoding personal information

-          Users' personal information is protected by passwords, and files and transmitted data is encoded or locked when stored and managed. Important data is protected with additional security functions.

-          The Company is using a security system that utilizes encoded algorithms to transmit personal information on the network (SSL).

 

4)      Storage of access records and measures to prevent record falsification

-          The Company retains and manages the record of access to personal information management system for at 6 months at minimum and uses security functions to ensure access records are not falsified.

 

5)      Installation and renewal of security programs

-          In order to prevent leakage or damage of personal information data caused by hackers or computer virus, the Company runs security programs and regularly updates them and monitors their operation.

-          The Company also runs a hacker blocking system and weakness analysis system in each server to prevent any hacker intrusion and ensure online security.

 

6)      Physical actions including securing storage facilities with locks

- The Company secured a separate physical storage of database that retains personal information and controls the access to the storage.

 

 

10. Personnel in charge of personal information management and response to user complaints

 

The Company designated a responsible personnel and a dedicated staff for personal information management as follows in order to protect the users' personal information and respond to users' complaints regarding personal information. If you have any questions about personal information protection and management, please contact the following personnel.

 

 1) Person in charge of personal information management (protection)

- Name: Vice President Moon Deok Kyu

 - Department: Human Resource Management Department

 - Position: Head of HR Department

 

2) Dedicated personnel for personal information management (protection)

- Name: Manager Lim Ji Hee

- Department: Communications Department

- Contact: +82-2-2053-2288

- E-mail: ecogeneration@samsung.com

 

11. How to seek help for security breach

Users can request mediation or advice to Personal Information Dispute Mediation Committee or Personal Information Breach Report Center run by or Korean Internet & Security Agency to seek help for security breach. For further information, please contact the following institutions:

 

- Personal Information Dispute Mediation Committee (+82-118)

- Personal Information Breach Report Center of Korean Internet & Security Agency (www.kopico.or.kr/1336)

- Personal Information Protection Label Certification Committee

(http://eprivacy.or.kr/+82-2-580-0533~4)

- Supreme Prosecutors' Office Cyber Crime Investigation Center

(http://icic.sppo.go.kr/+82-2-3480-3600)

 - Korean National Police Agency (www.police.go.kr/+82-1566-0112)

 - Personal Information Protection Commission (http://privacy.kisa.or.kr/kor/main.jsp) /+82-2-2180-3000)

 

12. Revisions to the Personal Information Protection Policy

When revisions are made to this Personal Information Protection Policy, the Company will notify the details on the notice board and a pop-up window of this website.

 

· Personal Information Protection Policy (Ver. 1.0) Enforcement: Jul. 27, 2011

· Personal Information Protection Policy (Ver. 2.0) Revision: Jul. 1, 2012

· Personal Information Protection Policy (Ver. 3.0) Revision: Nov. 27, 2014

· Personal Information Protection Policy (Ver. 4.0) Revision: Aug. 17, 2015

· Personal Information Protection Policy (Ver. 5.0) Revision: Mar. 18, 2016