Effective Date: February 5, 2021
General Data Protection Policy
For the purpose of data protection of its users, the Company maintains a record of processing activities (Article 30 of GDPR), designates a Data Protection Officer (DPO) to operate its business in accordance with GDPR (Article 37 of GDPR), implements Data Protection Impact Assessment (DPIA) under the supervision of the DPO and trains its employees for data protection (Article 39 of GDPR).
The Company formulates legal framework to process personal data including sensitive data (Articles 6 and 9 of GDPR) and has the explicit consent of the data subject to the processing of his or her personal data (Article 7 of GDPR). It has the explicit consent of a data subject in case of automated individual decision-making, including profiling (Article 22 of GDPR), and has the consent of the holder of parental responsibility over a child for the child’s data processing, in which case it makes reasonable efforts to verify if such consent is given or authorized by the lawful person, taking into consideration available technology (Article 8 of GDPR). Additionally, in case of transfer of personal data to third countries, the company has the explicit consent of a data subject (Article 49 of GDPR).
The Company allows a data subject to exercise his or her rights guaranteed by GDPR as follows: the right to receipt of his or her data (Articles 13 and 14 of GDPR), the right to access (Article 15 of GDPR), the right to rectification (Article 16 of GDPR), the right to erasure (Article 17 of GDPR), the right to restriction of processing (Article 18 of GDPR), the right to data portability (Article 20 of GDPR), the right to object (Article 21 of GDPR) and the right not to be subject to an automated individual decision-making, including profiling (Article 22 of GDPR).
The Company is in compliance with the obligations of data protection by design and by default (Article 25 of GDPR) and implements technical and operational measures reasonably necessary to prevent the data from leakage and breach (Article 32 of GDPR). It notifies a personal data breach to the supervisory authority within 72 hours after having become aware of it (Article 33 of GDPR) and communicates a personal data breach to a data subject without undue delay if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34 of GDPR).
- If the Company directly collects personal data from a data subject, the Company is in compliance with the obligations of Article 13 of GDPR.
- In case of a transfer of personal data to a third country for the provision of services, the Company complies to Article 49 of GDPR by obtaining the explicit consent of the data subject.
The service provider and controller of personal data is as follows:
4by4 Inc. (“the Company”)
12th~14th floor, 479, Gangnam-daero, Seocho-gu, Seoul, 06541, Republic of Korea
The DPO of the Company is as follows:
Platform development team
Users can submit all personal data protection related complaints that may occur as users use the services of the Company to the DPO or platform development team responsible. The Company will give users quick and sufficient response to reports from users.
If a user contacts the Company for assistance, we may need to authenticate the identity of the user before fulfilling the request for the user’s safety and ours.
Collection and Use of Personal Data
The personal data about users collected and used by the Company and the purpose of each collection and use of personal data are as follows.
- Personal data provided by users
- -Name, date of birth, ID, password: Identity check, age restricted service provision, complaint processing, etc. for use of services provided by the Company;
- -Company name, department, title, industry, company phone number, fax number, company address: Corporate member service provision, etc.;
- -Email address, phone number, mobile number, address: Securing accurate delivery address for bills, products, and giveaways, delivery of notice, confirmation of intent, securing effective communication method such as complaint processing, new service development, utilization for marketing and advertisements, etc.;
- -Bank account number, credit card information, transaction records: Use of paid information and contents, payment and refund for product purchase/lease, etc.;
- Personal data produced or automatically collected by the Company
- -Access log, access IP information, cookies, service use records, frequently used websites: Prevention of improper use, prevention of unauthorized use, new service development, custom service provision, etc.;
- -Profile data such as user name and password, detailed purchase information, information on licensed contents, etc.
Personal data requested to be provided to the Company are classified into required data and optional data depending on the activity details. When required data regarding certain activities are not provided, users cannot participate in such activities.
Use of personal data
The Company uses personal data to provide, analyze, administer, enhance and personalize services and marketing efforts, to process registration, orders and payments, and to communicate with user on these and other topics. For example, the Company uses personal data to:
- -Authentication and provision of access authority for KEYCUTstock website, mobile applications, and services;
- -Processing financial transactions for users;
- -Transmission or order/renewal confirmation;
- -Registration of authority (if applicable) for user for technical support provided to registered users or other benefits;
- -Response to customer service requests, inquiries, and considerations;
- -Member account management;
- -Transmission of product or service information requested by users;
- -Provision of data regarding special benefits and services of KEYCUTstock and select third party;
- -Notification of promotion, giveaway management and results participated by users;
- -Investigation into illegal activities or actions in breach of KEYCUTstock service agreement, prevention and actions against such actions;
- -Meeting necessities for research and product service development of 4by4 Inc., KEYCUTstock website, service and product improvement;
- -Provision of customized experience such as service, search results, and product provision appropriate for users.
Method of collection
The Company collects personal data of users in the following manner (Article 6(1)(a) of GDPR, Article 15①1. of PERSONAL INFORMATION PROTECTION ACT):
- -Collection through website, mobile devices, document, fax, phone, customer center inquiry, event with the prior consent of the users
Retention and use period of personal data
Personal data shall be destroyed immediately after achieving its purpose of collection and use by principle:
- - Membership data: After membership cancellation;
- - Payment data: After payment completion date or debt expiration period
- - Data collected for surveys, events, etc.: After conclusion of surveys, events, etc.
Provided, that the Company shall retain the personal data for a certain period of time as designated in the following relevant laws when there is necessity to retain the data due to relevant laws.
- - Records of contract, subscription withdrawal, etc.: Five (5) years (Act on the Consumer Protection in Electronic Commerce, Etc.);
- - Records on payment and contents supply: Five (5) years (Act on the Consumer Protection in Electronic Commerce, Etc.);
- - Records on consumer complaints or dispute settlement: Three (3) years (Act on the Consumer Protection in Electronic Commerce, Etc.);
- - Records of website use and visit, access log, access IP: Three (3) Months (Protection of Communications Secrets Act).
Minimum personal data may be retained for the minimum period to achieve its purpose to prevent other significant damages to the Company or for other criminal and legal proceedings even if there are no basis in relevant laws.
- - Identity data to prevent rejoining for seven (7) days after the membership has been cancelled;
- - Identity data for transaction refusal when the member has been dismissed according to user agreement;
- - Draft service records are stored for three (3) years for protection of copyrights and licenses;
- - Download service records are stored for fifteen (15) years for protection of copyrights and licenses.
Disclosure of Personal Data
•Provision of personal data to third party
The Company uses personal data solely to the extent of the purposes of personal data and will, in principle, neither use it beyond such scope nor disclose it without user’s prior consent.
However, if personal data is disclosed to any third party, the Company will notify a user of and have user’s consent to, the following: recipient(s), purpose to use personal data, items to be disclosed, a period during which data is retained and used, the notice that a user can disagree to such disclosure, and disadvantage, if any as a result of such disagreement.
Personal data will be able to be disclosed to any third party if and to the extent:
- - a user gives the prior consent to such disclosure; or
- - the disclosure is required by law or an investigative agency in accordance with the procedures and methods of the laws and regulations provided for investigative purpose
•Consignment of personal data processing
The Company has consigned the personal data as below for service improvement and has designated necessities for safe management of personal data through the consignment agreement according to relevant laws. The consigned institution for personal data processing and the details of consigned work for the Company are as follows:
||Details of Consigned Work
||Retention and use period of personal data
|KG INICIS, PAYPAL
||Provide payment method
||Until membership cancellation or termination of consignment agreement
Necessity of personal data
The personal data provided by users is necessary for the service use contract between a user and the Company and the smooth delivery of the services therein. Users are restricted from using the Company’s services unless they give consent to the collection of essential personal data. However, users may refuse to provide optional personal data, and in such case, they will still be able to use the Company’s services except those that require the provision of optional personal data.
Transfer of personal data to third countries
Procedure and method of destruction of personal data
The Company shall immediately destroy the personal data after achieving the purpose of personal data collection and use by principle. Destroying procedure and method are as follows:
•Procedure of destruction
Personal data will be transferred to a separate database after its purpose has been achieved and will be destroyed immediately after being stored for a certain period of time depending on the retention reasons under inside policy or other applicable laws. Personal data moved to separate database are not used for any other purpose than retainment of information aside from instances due to legal regulations.
•Method of destruction
- - Personal data stored in electronic file format are deleted using technical method where records cannot be recovered once deleted;
- - Personal data printed on paper are destroyed using the shredder or incinerator.
Users or their legal representatives, as data subjects, can exercise the following rights regarding the collection, use and disclosure of personal data by the Company:
- Right of access by the data subject;
- Right to rectification
- Right to erasure (‘right to be forgotten’)
- Right to restriction of processing
- Right to data portability
- Right to object
- Rights related to automated individual decision-making, including profiling
- Right to withdraw prior consent
In order to exercise any of the foregoing rights, users may use the 'My Account', ‘Change My Profile’ menu on the Company website or contact to the Company (or the DPO). In such case, the Company shall immediately make actions accordingly: provided, however, that the Company may reject such request if and to the extent there are reasonable grounds prescribed in law or equivalent thereto.
Security / Measures for ensuring safety
The Company takes the security of personal data seriously. It has the following security measures to prevent the unauthorized access to, or disclosure, use or change of the personal data (Article 32 of GDPR, Article 31①3. of ENFORCEMENT DECREE OF THE PERSONAL INFORMATION PROTECTION ACT.
•Encryption of personal data
Passwords are encrypted for storage and management and only the person who knows the password can check and change personal data. Password rules to avoid use of predictable numbers and such are implemented for passwords.
•Plan for hacking, Etc.
The Company is putting forth its best effort to prevent leak or damage of personal data of users from hacking, computer virus, etc.
•Minimization and training of personal data handlers
The Company restricts the number of personal data handlers to the minimum and it is also emphasizing the importance of personal data protection through managerial actions such as training of personal data handlers, etc.
Data Breach Escalation and Checklist
It is specified in Articles 33 and 34 of GDPR that in case of a personal data breach, the controller should without undue delay notify the personal data breach to supervisory authority and communicate the personal data breach to the data subject. To this end, the Company takes actions regarding personal data breach before and after the occurrence of such incidence in accordance with the following checklist:
- • Preparing for a data breach
- -To prepare a method to recognize a data breach;
- -To prepare a detailed response plan for addressing any personal data breach that may occur;
- -To allocate responsibility for managing breach to a dedicated person or team; and
- -To train staff to knows how to escalate a security incident to the appropriate person or team in its organization that can determine whether a breach has occurred
- Response to a data breach
- -To have in place a process to assess the likely risk to data subjects as a result of a breach;
- -To have in place an internal process to notify the Information Commissioner’s Office (ICO) of a breach within 72 hours of becoming aware of it;
- -To have Breach Notification Form to be submitted to the Supervisory Authority ICO if a data breach occurs;
- -To have a process to communicate the personal data breach to the affected individuals without undue delay;
- -To know what information about a breach the company must provide to individuals, and to provide advice to help them protect themselves from its effects; and
- -To document all breaches
- Process of report and notification of data breach
- -To contact the relevant supervisory authority of a breach within 72 hours after having become aware of it;
- -To directly contact the individuals affected by a breach if it is likely to result in a high risk to their rights and freedoms; and
- -To have in place a Breach Notification Form to the Supervisory Authority and a Breach Notification Form to the Data Subject.
However, if the Company collects, for the provision of its services, any personal data of children, it will comply with the following procedures for the protection of children’s personal data (Article 8 of GDPR):
- - To verify if a child is subject to the guardian’s consent and such guardian is authorized, within the scope of reasonable efforts;
- - To have the consent from a child’s parent or guardian to collect the child’s personal data or to provide the child with product information and the Company’s services directly;
- - To grant a child’s legal representative the right to access, correct or delete or temporally suspend the processing of, the child’s personal data or the right to withdraw the prior consent of the representative; and
- - To limit the collection of personal data to the extent solely required for the participation in online activities
The Company may use users’ personal data to create individual or collective profiles (hereinafter referred to as “profiling”) for the purpose of identifying how to provide the users with better services, for example, providing the users with customized content of services by analyzing which aspect of the Company and/or services most attracts users, and the patterns in which users use the services. In addition, the Company uses the personal data for the following purposes: to create user clusters to identify the users’ interest in the Company’s products and/or services; to analyze the market and statistics or; to enhance the Company’s services (all websites, etc.). It may integrate the data provided by all its websites and applications with the users’ personal data provided by the Company. The processing of personal data for profiling is carried out in line with the guarantees and measures specified in applicable law (Article 22 of GDPR).
Cookies and Internet Advertising
The Company uses ‘Cookies’ which is frequently store and discover users’ personal data. Cookies are substantially small text files to be sent to the browser of the users by the server used for the operation of the Company’s websites and are stored in hard-disks of the users' computers. These functions are used for evaluating, improving services and customizing user experience so that the Company provides way improved services for the users. The purpose of collection of cookies collected by the Company is as follows:
- To provide targeted marketing and personal services through analysis of access frequency/visit hours of members and non-members, tracking of interests and tastes of users, counting of various event participations and visits, etc.
The users have an option for cookie installation: accepting all cookies, making each cookie confirmed whenever it is saved, or refusing the storage of all cookies: Provided that, such refusal may limit the user from using the parts of services provided by the Company.
- Example of configuration method (for Internet Explorer): Tools on top of the web browser > Internet Options > Personal Information
Social Media Widget, Etc.
Notice of modification shall be made at least seven (7) days in advance before enforcement and notice will be made immediately when notice in advance is not possible: Provided, that the significant changes in users’ rights shall be noticed at least thirty (30) days in advance.
When the Company is acquired or merged with another corporate, the Company may provide the data relevant to the business of acquiring or merging company without consent from the users but the Company shall announce the sale, acquisition, or merger of such assets through its website.