Soom Korea Co., Ltd. (‘www.dollsoom.com’ hereinafter referred to as ‘the Company’) has established the following processing policy in accordance with the Personal Information Protection Act to protect the personal information and rights of users and to smoothly process user complaints related to personal information. If the Company revises the Personal Information Processing Policy, it will notify users through the website notice (or individual notice).

○ This policy will be effective from January 1, 2017.

1. Purpose of Personal Information Processing
The Company collects only the minimum amount of information necessary to smoothly provide optimized customized services. Additional information required for payment, product delivery, and refunds for service use may be collected.
The Company will not use personal information for purposes other than the collection and use purposes or provide it to third parties without the consent of the member. Personal information will not be used for purposes other than the following, and prior consent will be obtained if the purpose of use is changed.

A. Website membership registration and management
We process personal information for the purposes of confirming membership registration intent, personal identification and authentication for the provision of membership services, maintaining and managing membership qualifications, personal identification in accordance with the implementation of the limited personal identification system, preventing unauthorized use of services, confirming consent of legal representatives when collecting personal information of children under the age of 14, preserving records for various notifications, complaints handling, and dispute resolution.

B. Provision of goods or services
We process personal information for the purposes of delivering goods, providing services, sending bills, providing content, providing customized services, personal authentication, age authentication, payment and settlement, etc.

C. Use in marketing and advertising
We process personal information for the purposes of developing new services (products) and providing customized services, providing event and advertising information, and providing opportunities for participation.

2. Personal information collection items
The company collects and processes the following personal information for membership registration, shopping mall use, service application and provision, etc. The company does not receive personal resident registration numbers and i-PIN information.

A. Personal information items
① Mandatory items for members: Email address, Facebook ID and information provided by Facebook, Twitter ID and information provided by Twitter, Google+ ID and information provided by Google
② Mandatory items for non-members: Name of the orderer, address of the orderer, name of the recipient, delivery information, contact information, customer memo, password for non-member order inquiry
③ Additional items: Name of the orderer, address of the orderer, name of the recipient, delivery information, contact information, refund account number when requesting a refund
④ Service usage records, access logs, cookies, access IP information, payment records, etc. may be automatically generated and collected during the service use and processing process.

B. Collection method: Membership registration information when registering as a member of the shopping mall, telephone and online consultations through the customer center, order forms for non-members

3. Processing and retention period of personal information
The company processes and retains personal information within the retention and use period of personal information stipulated by law or the retention and use period of personal information agreed upon by the information subject when collecting personal information.
In principle, the company destroys the relevant personal information without delay after the purpose of collecting and using personal information has been achieved. However, in cases where preservation is necessary in accordance with the provisions of relevant laws, the company will retain member personal information for a certain period of time as specified in the relevant laws.
The processing and retention periods for each personal information are as follows:

A. In cases where preservation is necessary according to laws such as the Commercial Act
① Records on display and advertisement
Basis for preservation: Act on Consumer Protection in E-commerce, etc.
Retention period: 6 months
② Records on contracts or withdrawal of subscription, etc.
Basis for preservation: Act on Consumer Protection in E-commerce, etc.
Retention period: 5 years
③ Records on payment and supply of goods, etc.
Basis for preservation: Act on Consumer Protection in E-commerce, etc.
Retention period: 5 years
④ Records on consumer complaints or dispute resolution
Basis for preservation: Act on Consumer Protection in E-commerce, etc.
Retention period: 3 years
⑤ Records on collection, processing, and use of credit information
Basis for preservation: Act on the Use and Protection of Credit Information
Retention period: 3 years
⑥ Preservation of records on identity verification
Basis for preservation: Article 44-5 of the Act on Promotion of Information and Communications Network Utilization and Information Protection and Article 29 of the Enforcement Decree
Retention period: 6 months
⑦ Records on access Record Preservation
Basis for Preservation: Article 15-2 of the Communication Secret Protection Act and Article 41 of the Enforcement Decree
Retention Period: 3 months

B. In other cases where there is individual consent from members, the information is stored for the period specified in the individual consent.

4. Matters regarding provision of personal information to third parties
The company provides personal information to third parties only in cases falling under Articles 17 and 18 of the Personal Information Protection Act, such as consent from the information subject or special provisions of the law.
The company provides personal information to third parties as follows.

A. The company uses members’ personal information within the scope notified in the purpose of collection and use of personal information, and does not use it beyond that scope or provide members’ personal information to third parties without prior consent from members, in principle. However, the following cases are exceptions.

① When members have agreed to disclosure or provision to third parties in advance
② When there is a request from an investigative agency or supervisory authority in accordance with the procedures and methods stipulated by law for the purpose of investigation or inquiry, based on the provisions of the law

B. In the event that an order or payment is made through the service provided by the company, relevant information is provided to the transaction parties to the extent necessary for smooth communication between the transaction parties, such as consultation, and for transaction performance, such as delivery.
① Courier: Post Office, CJ Logistics
② Information provided: Orderer name, recipient name, delivery address information, contact information, customer memo

In other cases where personal information needs to be provided to a third party, personal information may be provided to a third party with the consent of the member through appropriate procedures.

5. Rights, obligations, and methods of exercising such rights of the information subject
Users may exercise the following rights as the personal information subject.

A. The information subject may exercise the following rights related to personal information protection against the company at any time.
① Request to view personal information
② Request for correction in case of errors, etc.
③ Request for deletion
④ Request for suspension of processing

B. The exercise of rights under Paragraph 1 may be made to the company in writing, by e-mail, facsimile (FAX), etc. in accordance with the format of Appendix 8 of the Enforcement Regulations of the Personal Information Protection Act, and the company will take action without delay.

D. If the information subject requests correction or deletion of personal information due to errors, etc., the company will not use or provide the personal information until the correction or deletion is completed.

D. The rights under Paragraph 1 may be exercised through an agent, such as the information subject’s legal representative or an authorized person. In this case, a power of attorney in the format of Appendix 11 of the Enforcement Regulations of the Personal Information Protection Act must be submitted.

6. Destruction of Personal Information
In principle, the company destroys the relevant personal information without delay when the purpose of processing personal information has been achieved. The procedures, deadlines, and methods for destruction are as follows.

① Destruction Procedure
The information entered by the user is transferred to a separate DB (separate documents in the case of paper) after the purpose has been achieved and stored for a certain period of time or immediately destroyed in accordance with internal policies and other relevant laws. In this case, the personal information transferred to the DB will not be used for any other purpose unless required by law.
② Destruction Period
When the retention period of personal information has expired, the user’s personal information will be destroyed within 5 days from the end of the retention period. When the personal information becomes unnecessary due to the achievement of the purpose of processing the personal information, the discontinuation of the relevant service, or the termination of the business, the personal information will be destroyed within 5 days from the date when the processing of the personal information is deemed unnecessary.

7. Collection of Personal Information through Cookies
The company partially operates cookies in order to provide better services. Cookies are small pieces of information that the service provider’s website server transmits to the information subject’s computer browser, and contain information about the website the information subject visited and personal information. Cookies identify the information subject’s computer browser, but cannot personally identify the information subject. The company collects encrypted personal information through cookies. Each information subject has the option to accept all cookies, to receive a separate notification when installing cookies, or to reject all cookies by adjusting the web browser options. However, if the information subject rejects cookie installation, there may be difficulties in using the website.

8. Measures to ensure the safety of personal information
In accordance with Article 29 of the Personal Information Protection Act, the Company is taking the following technical/administrative and physical measures necessary to ensure safety.

① Regular self-audits
To ensure the stability of personal information handling, we are conducting self-audits on a regular basis (once per quarter).
② Minimization and training of employees handling personal information
We are implementing measures to manage personal information by designating employees handling personal information and limiting them to those in charge.
③ Establishment and implementation of an internal management plan
We are establishing and implementing an internal management plan to ensure the safe processing of personal information.
④ Technical measures against hacking, etc.
In order to prevent personal information leakage and damage due to hacking or computer viruses, the Company installs security programs and conducts periodic updates and inspections, and installs systems in areas with controlled access from the outside and monitors and blocks them technically/physically.
⑤ Encryption of personal information
Users’ personal information is stored and managed in encrypted form, and only the user can know it. Important data uses separate security functions such as encrypting files and transmission data or using file locking functions.
⑥ Storage of access records and prevention of falsification and alteration
We store and manage access records to the personal information processing system for at least 6 months, and use security functions to prevent falsification, theft, and loss of access records.
⑦ Restriction of access to personal information
We take necessary measures to control access to personal information by granting, changing, and deleting access rights to the database system that processes personal information, and we control unauthorized access from outside using an intrusion prevention system.
⑧ Use of locking devices for document security
Documents and auxiliary storage media containing personal information are stored in a safe place with a locking device.
⑨ Access control for unauthorized persons
We keep the physical storage location where personal information is stored separate.

9. Appointment of Personal Information Protection Officer
① The company is responsible for the overall management of personal information processing, and has appointed a Personal Information Protection Officer as follows to handle complaints and provide relief for damages related to personal information processing.

▶ Personal Information Protection Officer
Name: Seong Nam-sik
Position: Team Manager
Contact: +82-2-2038-2935, Email: support@dollsoom.com, Fax: +82-2-2-2038-2936
※ Connected to the Personal Information Protection Department.

▶ Personal Information Protection Department
Department Name: Customer Center
Person in Charge: Lee Kyu-sik
Contact: +82-70-4607-6584, Email:support@dollsoom.com, Fax: 02-2038-2936

② The information subject may inquire about all personal information protection-related inquiries, complaints, damage relief, etc. that arise while using the company’s services to the personal information protection manager and the department in charge. The company will respond to the information subject’s inquiries without delay.

10. Request to View Personal Information
① The information subject may request to view personal information in accordance with Article 35 of the Personal Information Protection Act to the department below. The company will endeavor to promptly process the information subject’s request to view personal information.

▶ Department in charge of receiving and processing requests for personal information access
Department name: Customer Center
Person in charge: Lee Kyu-sik
Contact: +82-70-4607-6584, Email: support@dollsoom.com, Fax: +82-2-2038-2936

② In addition to the department in charge of receiving and processing requests for access in Paragraph 1, the information subject may also request access to personal information through the Ministry of the Interior and Safety’s ‘Personal Information Protection Comprehensive Support Portal’ website (www.privacy.go.kr).

▶ Ministry of the Interior and Safety’s Personal Information Protection Comprehensive Support Portal → Personal Information Complaints → Request for access to personal information, etc. (I-PIN is required for identity verification)

11. Changes to the Personal Information Processing Policy
① This personal information processing policy is applied from the date of enforcement, and in the event of additions, deletions, or corrections to the contents due to changes in laws and policies, notice will be given through a notice 7 days prior to enforcement of the changes.

Last updated on 15/01/2018