Effective Date : May 12, 2022
General Data Protection Policy
To protect the personal data of our users in compliance with the Personal Information Protection Act of the Republic of Korea and the General Data Protection Regulation (the “GDPR”) of the EU, Company maintains a record of processing activities (Article 30, GDPR), has designated a Data Protection Officer (DPO) to oversee our business in accordance with the GDPR (Article 37, GDPR), carries out Data Protection Impact Assessments (DPIAs) under the supervision of the DPO (Article 35, GDPR) and trains its employees in data protection (Article 39, GDPR).
Company processes personal data, including special categories of personal data, only on a lawful basis (Articles 6 and 9, GDPR) and obtains the explicit consent of the data subject for the processing of the user’s personal data (Article 7, GDPR). We obtain the explicit consent of the data subject for automated individual decision-making, including profiling (Article 22, GDPR), and the consent of the holder of parental responsibility for the processing of a child’s personal data, in which case we make reasonable efforts, taking available technology into consideration, to verify that such consent is given or authorised by the holder of parental responsibility (Article 8, GDPR). In addition, where personal data are transferred to another country, Company obtains the explicit consent of the data subject (Article 49, GDPR).
Company enables data subjects to exercise the rights guaranteed by the GDPR as follows: the right to be informed (Articles 13 and 14, GDPR), the right of access (Article 15, GDPR), the right to rectification (Article 16, GDPR), the right to erasure (Article 17, GDPR), the right to restriction of processing (Article 18, GDPR), the right to data portability (Article 20, GDPR), the right to object (Article 21, GDPR) and the right not to be subject to automated individual decision-making, including profiling (Article 22, GDPR).
Company complies with the obligations of data protection by design and by default (Article 25, GDPR) and implements the technical and organisational measures reasonably necessary to protect personal data against leakage and breach (Article 32, GDPR). We notify a personal data breach to the supervisory authority within 72 hours after having become aware of it (Article 33, GDPR) and communicate the breach to the data subjects without undue delay where it is likely to result in a high risk to their rights and freedoms (Article 34, GDPR).
If Company directly collects personal data from a data subject, we will comply with the obligations of Article 13 of the GDPR.
Where personal data are transferred to another country for the provision of services, Company will comply with Article 49 of the GDPR by obtaining the explicit consent of the data subject.
Data Protection Officer (DPO) and Contact
The service provider and controller of personal data is as follows:
- Controller of Personal Data (“Controller”)
- - 4by4 Inc.
- - 12-14F, 479, Gangnam-daero, Seocho-gu, Seoul, Korea 06541
Company is the Controller, is responsible for the protection of users’ personal data, and has designated the Data Protection Officer (DPO) stated below to handle users’ data protection complaints and resolve any issues. The contact details of the DPO and of Company’s Data Protection Department are as follows.
- Data Protection Officer (DPO)
- - Name: MinHee Jung
- - Department: KEYCUTstock HQ
- - Position: Head Director
- - Tel.: +82 2-545-9953
- - Email: firstname.lastname@example.org
- Data Protection Department
- - Name: Kyungsub Kim
- - Department: Platform Development Team
- - Position: Manager
- - Tel.: +82 2-545-9953
- - Email: email@example.com
- ※ You will be directed to the Data Protection Department.
Users may submit any personal data protection complaint arising from the use of Company’s services to the DPO or to the Platform Development Team, which is the Data Protection Department. Company will respond to such inquiries in full.
If a user contacts Company for assistance related to data protection, Company may need to authenticate the identity of the user before resolving the request for the user’s and our safety.
Personal Data to be Processed and Purpose of Processing
The personal data of users processed by Company, and the purpose of processing each item, are as follows. The personal data processed shall not be used for any purpose other than those listed below; if the purpose of use changes, Company will take the necessary measures, such as obtaining separate consent from users.
Personal data requested to be provided to Company are classified into required data and optional data depending on the activity details. When required data regarding certain activities are not provided, users cannot participate in such activities.
- Personal data provided by users to Company
- - For the purposes of verifying identity, providing age-restricted services, processing complaints, etc. in connection with the use of Company’s services:
(Required data) Name, date of birth, ID, password
- - For the purpose of providing services to our corporate members, etc.:
(Required data) Company name, department, title, industry, company phone number, fax number, company address
- - For the purposes of securing an accurate delivery address for bills, products and giveaways, delivery of notices, confirmation of intent, and securing an effective communication channel for complaint processing and new service development:
(Required data) Email address, phone number, mobile number, address
- - For the purpose of marketing and advertising:
(Optional data) Email address, phone number, mobile number, address
- - For the purposes of using paid information and contents, and payment and refund for product purchase/lease:
(Required data) Bank account number, credit card information, transaction records
- Personal data produced or automatically collected by Company
- Company may collect the personal data of users listed below for the purposes specified while the service is being used. If a user refuses such collection, the user may experience inconvenience in using the service, or Company may have difficulty providing it.
- - For the purposes of preventing improper and unauthorised use, developing new services and providing customised services:
Access log, access IP information, cookies, service use records, frequently used websites
- - For the purpose of providing services and settling payments:
Profile data such as user’s name and password, detailed purchase information and information on licensed contents
Use of Personal Data
Company uses personal data to provide, analyze, administer, enhance and personalize services and marketing, to process registration, orders and payments, and to communicate with user on these and other topics.
Company uses personal data for:
- - Authentication and granting of access rights for the KEYCUTstock website, mobile applications and services
- - Processing of financial transactions for users
- - Transmission of order and renewal confirmations
- - (If applicable) Registration of entitlements for technical support or other benefits provided to registered users
- - Response to customer service requests, inquiries and concerns
- - User account management
- - Transmission of product or service information requested by users
- - Provision of information on the benefits and services of KEYCUTstock and designated third parties
- - Administration of promotions and giveaways in which users participate, and of their results
- - Investigation of, prevention of and action against illegal activities in breach of the KEYCUTstock service agreement
- - Research and development of products and services, and improvement of the KEYCUTstock website, services and products
- - Provision of customised services, such as search results and product recommendations appropriate to the user
Method of Collection and Grounds for Collection
Company collects personal data of users in the following manner in compliance with Article 6(1)(a) of the GDPR and Article 15 Paragraph 1 Item 1 of the Personal Information Protection Act:
- - Collection, with the prior consent of the user, when users enter or provide personal data to Company through the website, mobile devices, documents, fax, phone, customer centre inquiries or events, or when Company generates personal data in the course of service use
- - Collection through the provision of personal data by affiliated services or organisations
- - Collection through Company’s automatic collection mechanisms, such as cookies
Processing and Retention Period of Personal Data
As a general rule, personal data shall be destroyed without delay once the purpose of processing has been attained. The processing and retention period of each category of personal data is as follows.
- - Membership data: Until membership cancellation
- - Payment data: Until payment completion or debt repayment, whichever comes later
- - Data collected for surveys or events: Until the survey or event concludes
In addition, Company shall destroy personal data without delay if we close our business, or if users request the destruction of personal data or withdraw their consent to collection and use of personal data. Provided that Company shall retain the personal data for a certain period of time as specified in the relevant laws when there is a necessity to retain the data due to relevant laws.
- - Processing and retention under the Act on the Consumer Protection in Electronic Commerce
- · Records of contract or subscription withdrawal: 5 years
- · Records on payment and supply of contents: 5 years
- · Records on marks and advertisements: 6 months
- - Records of website use and visits, access logs and access IP addresses under the Protection of Communications Secrets Act: 3 months
- - Records on electronic financial transactions under the Electronic Financial Transactions Act: 5 years
Even when the retaining period of user’s personal data has elapsed or the purpose of processing it has been achieved, if it is necessary for Company to continue to retain the personal data in accordance with internal policies or other laws, Company shall move the personal data concerned to a separate database or store it in a different storage place.
Company shall store and manage the personal data of users who have not used the service for one (1) year separately from other users’ personal data in accordance with the ‘personal data validity period plan’ pursuant to Article 39-6 of the Personal Information Protection Act and Article 48-5 of the Enforcement Decree of the same Act.
Company shall notify users, at least thirty (30) days before their personal data are moved to separate storage, of the fact that the data will be stored and managed separately, the scheduled date of separation and the items of personal data concerned, by an available method such as in writing or by e-mail. Users who do not wish their personal data to be stored and managed separately should log in to Company’s services before the separate storage takes effect. Company will keep the separated personal data for four (4) years and then destroy it without delay; a user may log in to Company’s service before destruction and thereby restore the separated personal data.
In addition, the following personal data may be retained by Company for the minimum period specified below, even where no statutory retention period applies, in order to prevent other significant damage to Company or in preparation for criminal or legal proceedings.
- - Identity data to prevent re-registration after membership has been cancelled: 7 days after cancellation
- - Identity data used to refuse transactions with a member dismissed under the user agreement: 1 year after dismissal
- - Draft service records: 3 years, for the protection of copyrights and licences
- - Download service records: 15 years, for the protection of copyrights and licences
Disclosure of Personal Data (Provision of Personal Data to Third Party and Consignment of Personal Data Processing)
• Provision of personal data to third party
Company processes personal data only within the scope of the purposes stated above and will, in principle, neither process it beyond that scope nor disclose or provide it to a third party without the user’s prior consent. Where Company does disclose or provide a user’s personal data to a third party, Company will first notify the user of, and obtain the user’s consent to, the following:
the recipients, the purpose for which the personal data will be used, the items to be disclosed, the period during which the data will be retained and used, the fact that the user may refuse the disclosure, and any disadvantage resulting from such refusal.
Notwithstanding the above, a user’s personal data may be disclosed or provided to a third party where, and to the extent that, Article 17 or Article 18 of the Personal Information Protection Act so permits.
• Consignment of personal data processing
Company has entrusted the processing of personal data to the companies listed below for the provision of certain services necessary for the smooth processing of personal data. In a written agreement, in accordance with the Personal Information Protection Act and other relevant laws, Company has stipulated the prohibition of processing for purposes other than the entrusted purpose, the technical and managerial safeguards for personal data, restrictions on sub-contracting, management and supervision of the consignee, liability for damages, and similar matters, and Company manages and supervises each consignee so that it does not violate the laws on the protection of personal data, in order to ensure the safe handling of personal data.
The consigned companies and the details of the consigned work are as follows:
Consignee | Consigned work | Retention and use period of personal data
KG INICIS, PAYPAL | Provide payment method | Until membership cancellation or termination of the consignment agreement
 | Provide user analysis tool | 
Amazon Web Service | Provide cloud IT infrastructure | 
Need to Collect Personal Data
Company needs the personal data of users for the service use contract between a user and Company and the smooth delivery of the services therein.
Users cannot use Company’s services unless they consent to the collection of the required personal data. Users may, however, refuse to provide optional personal data, and even without such consent they will still be able to use Company’s services, except for those that require the optional data.
Cross-border Transfer of Personal Data
The recipients of cross-border transfers of personal data, and the data concerned, are as follows.
Transferee and contact information | Personal data to be transferred | Purpose of the transferee, retention and use period, and date, time and method of transfer
PAYPAL Pte. Ltd. (General Agent Co., Ltd., firstname.lastname@example.org) |  | Purpose: To provide the payment system. Period: Until membership withdrawal or termination of the consignment agreement. Date, time and method of transfer: From time to time through information and communication networks during the provision of services
 | Access date and time, records of service use, access IP information, cookies | Purpose: To compile website user statistics and improve the service. Period: Agreement termination date or 36 months from the collection date, whichever comes first. Date, time and method of transfer: Through an encrypted network when providing services
Amazon Web Service (email@example.com) | Personal information and log information collected during use of the service | Purpose: Data storage for the provision and operation of services. Period: For the duration of the user’s membership. Date, time and method of transfer: From time to time through telecommunications networks when providing services
Procedure and Method of Destruction of Personal Data
Company shall destroy personal data without delay once it is no longer required, for example when the retention period has expired or the purpose of processing has been attained. The procedure and method of destruction are as follows:
• Procedure of destruction
Company identifies the personal data for which a reason for destruction has arisen and destroys it with the approval of Company’s DPO.
Where personal data must be retained under other laws even after its retention period has expired or the purpose of processing has been attained, it is transferred to a separate database or stored in a different storage location and destroyed without delay once the reason for retention no longer applies. Personal data moved to a separate database is used for no purpose other than retention, except where required by the relevant laws.
• Method of destruction
- - Personal data stored in electronic form is deleted using a technical method that makes the records unrecoverable once deleted
- - Personal data printed on paper is destroyed by shredding or incineration
Rights and Duties of Users and Legal Representatives, and How to Exercise
Users or their legal representatives, as data subjects, can exercise the following rights regarding the collection, use and disclosure of personal data by Company:
- - Right of access by data subject
- - Right to rectification
- - Right to erasure (‘right to be forgotten’)
- - Right to restriction of processing (right to request the suspension of processing)
- - Right to data portability
- - Right to object
- - Rights related to automated individual decision-making, including profiling
- - Right to withdraw prior consent
To exercise any of the foregoing rights, users may (i) use the ‘My Account’ or ‘Change My Profile’ menu on Company’s website or (ii) contact Company (Data Protection Department) in writing or by e-mail. Company shall act on such requests without delay, provided, however, that Company may refuse a request where, and to the extent that, there are reasonable grounds prescribed by laws and regulations, including Article 35 Paragraph 4 and Article 37 Paragraph 2 of the Personal Information Protection Act.
If a user exercises the above rights through an agent, such as a legal representative or a proxy, the user must submit a power of attorney in the form prescribed by the Personal Information Protection Commission. Company will verify that the person requesting the exercise of a data subject’s rights is in fact the data subject or a lawful proxy.
Security and Measures to Ensure Safety
Company takes the security of personal data seriously. We have the following security measures in place to prevent unauthorised access to, or disclosure, provision, use or alteration of, personal data (Article 32 of the GDPR; Article 29 of the Personal Information Protection Act; and Article 31 Paragraph 1 Item 3 and Article 48-2 of the Enforcement Decree of the same Act).
• Encryption of personal data
Passwords are stored and managed in encrypted form, so that only the person who knows the password can view and change the associated personal data. Password composition rules are applied to prevent the use of easily guessed passwords.
• Measures against hacking
Company makes its best efforts to prevent the leakage or corruption of users’ personal data by hacking, computer viruses and similar threats.
• Minimisation and training of personal data handlers
Company restricts the number of staff who handle personal data to a minimum and reinforces the importance of personal data protection through managerial measures such as training of those handlers.
Data Breach Escalation and Checklist
In the event of a personal data breach, Articles 33 and 34 of the GDPR require the Controller to notify the breach to the supervisory authority without undue delay and, where the breach is likely to result in a high risk to the rights and freedoms of data subjects, to communicate it to the data subjects without undue delay. To this end, Company acts before and after any such incident in accordance with the following checklist:
- Preparing for a data breach
- - To prepare methods for detecting data leaks and infringements;
- - To prepare a detailed response plan for addressing any personal data breach that may occur;
- - To assign responsibility for incident management to a dedicated person or team; and
- - To train staff so that they know how to escalate a security incident to the person or team in our organisation that can determine whether a breach has occurred.
- Response to a data leakage and breach
- - To have in place a process to assess the likely risk to data subjects as a result of a breach;
- - To have in place an internal process for notifying the competent supervisory authority of a breach within 72 hours of becoming aware of it;
- - To have in place a Breach Notification Form to be submitted to the competent supervisory authority if a data breach occurs;
- - To have a process for communicating a personal data breach to the affected individuals without undue delay;
- - To give data subjects information about the leak or infringement and advice that enables them to protect themselves from its effects; and
- - To document every leak and breach.
- Process of report and notification of data breach
- - To notify the relevant supervisory authority of a breach within 72 hours after having become aware of it;
- - To contact the affected data subjects directly if the breach is likely to result in a high risk to their rights and freedoms; and
- - To prepare and submit a Breach Notification Form to the supervisory authority and a Breach Notification Form to the data subjects.
If Company collects any personal data of children for the provision of its services, it will follow the procedures below for the protection of children’s personal data (Article 8, GDPR):
- - To verify, within the scope of reasonable efforts, whether a child’s processing requires the consent of a guardian and whether the consenting person holds parental responsibility;
- - To obtain the consent of a person with parental responsibility for the collection of the child’s personal data, or for providing product information and Company’s services directly to the child;
- - To grant a person with parental responsibility the right to access, rectify, erase or temporarily suspend the processing of the child’s personal data, and the right to withdraw the consent previously given; and
- - To limit the collection of personal data to what is strictly required for participation in the online activity.
Company may use users’ personal data, such as IP address, location information and usage data, to create individual or collective profiles (“profiling”) (i) to identify how to provide users with better services, for example by providing customised service content based on an analysis of which aspects of Company and/or its services most attract users and of the patterns in which users use the services, or (ii) to create user clusters in order to identify users’ interest in Company’s products and/or services, to analyse the market and statistics, or to enhance Company’s services (across all websites, etc.).
Company may combine the data collected by all of its websites and applications with the personal data that users have provided to Company. Profiling is carried out in line with the guarantees and measures specified in applicable law (Article 22, GDPR).
Installation, Operation and Refusal of Automatic Personal Data Collection Devices (Cookies), and Internet Advertising
Company uses cookies, which store and retrieve information about users. Cookies are small text files sent to the user’s browser by the server that operates Company’s websites and stored on the user’s computer. They are used to evaluate and improve services and to customise the user experience, so that Company can provide better services to users. The purposes for which Company collects cookies are as follows:
- Purposes of cookies, etc.: To provide targeted marketing and personalised services through analysis of the access frequency and visit times of members and non-members, tracking of users’ interests and tastes, counting of participation in various events and of visits, etc.
Users can choose how cookies are installed and operated: accept all cookies, confirm each cookie whenever it is saved, or refuse the storage of all cookies. Refusing cookies may, however, prevent the user from using some of the services provided by Company.
- Example of configuration (may differ depending on the version used)
. Internet Explorer: Tools at the top of the web browser > Internet Options > Privacy > Settings > Advanced
. Chrome: Settings at the right of the web browser > Advanced settings at the bottom of the screen > Privacy and security > Content settings > Cookies
. Android: Internet settings > Advanced > Privacy and security > Cookie settings
. iOS: Settings > Privacy and security > Cookies and other site data > Content settings > Cookies
Social Media Widget
The KEYCUTstock website may include social media features such as Facebook Like buttons and widgets (for example, a share button or a mini chat program launched from the KEYCUTstock website).
If Company transfers its business, or is acquired by or merged with another company, Company may transfer the personal data relevant to the business being transferred, acquired or merged without the users’ consent, but shall announce the necessary matters on its website and notify users in accordance with the relevant laws and regulations, including the Personal Information Protection Act.