GDPR Compliance Guide
General Data Protection Policy
For the purpose of protecting its users' personal data, the Company maintains a record of processing activities (Article 30), designates a Data Protection Officer (DPO) to oversee its compliance with the GDPR (Article 37), carries out Data Protection Impact Assessments (DPIAs) (Article 35) with the advice and supervision of the DPO, and trains the employees who process personal data (Article 39).
The Company establishes the legal basis for processing personal data, including special categories of data (Articles 6 and 9), and obtains the explicit consent of the data subject to the processing of his or her personal data (Article 7). It obtains the explicit consent of the data subject in the case of automated individual decision-making, including profiling (Article 22), and the consent of the holder of parental responsibility for the processing of a child's personal data, in which case it makes reasonable efforts, taking available technology into consideration, to verify that such consent is given or authorised by that person (Article 8). In the case of a transfer of personal data to a third country that is not covered by an adequacy decision or appropriate safeguards, the Company obtains the explicit consent of the data subject (Article 49).
The Company allows a data subject to exercise the rights guaranteed by the GDPR as follows: the right to be informed about the processing of his or her data (Articles 13 and 14), the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), the right to object (Article 21) and the right not to be subject to automated individual decision-making, including profiling (Article 22).
The Company complies with the obligations of data protection by design and by default (Article 25) and implements the technical and organisational measures necessary to protect personal data against leakage and breach (Article 32). It notifies a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33), and communicates a personal data breach to the data subject without undue delay if the breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34).
About Privacy Notice
The Company provides data subjects with this Privacy Notice to explain how and for what purposes it processes their personal data when it collects such data from them (Articles 12 and 13).
The Company informs data subjects as follows:
- If the Company directly collects personal data from a data subject, the Company is in compliance with the obligations of Article 13.
- In the case of a transfer of personal data to a third country for the provision of services, the Company complies with Article 49 by obtaining the explicit consent of the data subject.
Controller and Contact Information
The service provider and controller of personal data is as follows:
AssembleCircle Corporation (“Company”)
411-ho, 4th floor, 240, Pangyoyeok-ro, Bundang-gu, Seongnam-si, Gyeonggi-do, Republic of Korea
The DPO of the Company is as follows:
- If you have questions about your account in general, about how to contact customer service for assistance, about this Privacy Notice, or about our use of your personal data, cookies or similar technologies, please contact our Data Protection Officer. If you contact us for assistance, we may need to authenticate your identity before fulfilling your request, for your safety and ours.
Representation for data subjects in the EU
We value your privacy and your rights as a data subject and have therefore appointed Prighter as our privacy representative and your point of contact.
Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative Prighter or make use of your data subject rights, please visit: https://prighter.com/q/19778462190
Collection and Use of data
We collect personal data users provide to us which includes:
- To verify user identity, link SSO accounts, contact users (for notification of policy violations and changes to the terms and conditions), confirm users' intentions and handle customer complaints: name, ID, password, nickname, mobile phone number, e-mail address, nationality, foreigner registration number (for foreigners)
- To provide order, payment and delivery services: name, ID, phone number, nationality, address, e-mail address, bank account information, mobile phone number (when paying by mobile phone), cash receipt information (when applying for a cash receipt), payment information
- To verify user identity and age, prevent illegal use and operate integrated services such as customised services (ID/PW search and the WebCeph service): name, ID, password, nickname, gender, date of birth, mobile phone number, e-mail address, nationality, occupation, profile or work experience, hospital name, hospital address, hospital contact information, CI/DI, i-PIN authentication result, cellular service provider information, domestic/foreigner information, service usage record, device information
- To handle customs clearance for products delivered directly overseas: PCCC (Personal Customs Clearance Code)
- To develop new services, provide customised services, conduct marketing, and compile service usage statistics and surveys: gender, date of birth, mobile phone number, e-mail address
Method of collection
The Company collects the personal data of users in the following manner (Article 6(1)(a)):
- Collection through mobile devices with the prior consent of the users
Disclosure of Personal Data
We may disclose users’ personal data for certain purposes and to third parties, as described below:
- Service Providers: We use other companies, agents or contractors ("Service Providers") to perform services on our behalf or to assist us with the provision of services to you. For example, we engage Service Providers to provide marketing, advertising, communications, infrastructure and IT services, to personalize and optimize our service, to process credit card transactions or other payment methods, to provide customer service, to collect debts, to analyze and enhance data (including data about users' interactions with our service), and to process and administer consumer surveys. In the course of providing such services, these Service Providers may have access to your personal data or other information. We do not authorize them to use or disclose your personal data except in connection with providing their services.
- Partners: Users may have a relationship with one or more of our Partners, in which case we may share certain data with them in order to coordinate with them on providing the service to members and providing information about the availability of the service.
- Promotional offers: We may offer joint promotions or programs that, in order for you to participate, will require us to share your data with third parties. In fulfilling these types of promotions, we may share your name and other data in connection with fulfilling the incentive. Please note that these third parties are responsible for their own privacy practices.
- Business transfers: In connection with any reorganization, restructuring, merger or sale, or other transfer of assets, we will transfer data, including personal data, provided that the receiving party agrees to respect your personal data in a manner that is consistent with this Privacy Notice.
Whenever in the course of sharing information we transfer personal data to countries outside of the European Economic Area and other regions with comprehensive data protection laws, we will ensure that the information is transferred in accordance with this Privacy Notice and as permitted by the applicable laws on data protection. Personal data transferred (such as name and contact information) may be saved electronically on servers operated by our Service Providers for record keeping purposes and other purposes as set out in this Privacy Notice.
Necessity of personal data
The personal data provided by users is necessary for the service use contract between a user and the Company and the smooth delivery of the services therein. Users are restricted from using the Company’s services unless they give consent to the collection of essential personal data. However, users may refuse to provide optional personal data, and in such case, they will still be able to use the Company’s services except those that require the provision of optional personal data.
Transfers of Personal Data to Third Countries
The Company may transfer users’ personal data to companies located in other countries, or to other companies, for any purpose specified in this Policy. It takes reasonable measures to ensure that the companies to which the data are transmitted, and by which they are retained or processed, protect the data.
Based on the above notice, the Company may transfer users’ personal data to the United States and the Republic of Korea after obtaining the explicit consent of the data subject for the transfer of personal data to third countries (Article 49(1)(a)).
Rights of Data Subjects
Users or their legal representatives, as data subjects, may exercise the following rights regarding the collection, use and disclosure of their personal data by the Company:
- Right to withdraw prior consent (Article 7(3))
- Right of access by the data subject (Article 15);
- Right to rectification (Article 16)
- Right to erasure (‘right to be forgotten’) (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Rights related to automated individual decision-making, including profiling (Article 22)
- Right to lodge a complaint with a supervisory authority (Article 77)
In order to exercise any of the foregoing rights, users may use the ‘Edit Profile’ menu on the Company website or make a written request to the Company (or to the DPO or the representative) using the data subject request form provided by the Company. The Company shall act on such a request without undue delay and in any event within one month of receipt (Article 12(3)); provided, however, that the Company may refuse the request if and to the extent that there are reasonable grounds prescribed in law or equivalent thereto.
Upon the request from a data subject, the Company must take the following actions:
- To take actions regarding a request only after authenticating the identity of the data subject (or his or her legal representative);
- To ask whether the data subject requires the information to be provided in writing or whether he or she will accept it in electronic form;
- To have a standard process for the company to effectively inspect all relevant systems and to communicate with other departments;
- To notify a data subject if there is no information that he or she has requested;
- To formulate reasonable criteria for deciding whether to rectify or disclose personal data when the data requested by a data subject include information about other individuals; such data may be disclosed if the other individuals explicitly consent. Where no explicit consent is available, the Company should consider the impact of the disclosure and the possible breach of the other individuals' personal data, and document the justification for any disclosure;
- To respond to the request of a data subject in a form that he or she can understand, including the requirements under Article 15;
- Not to provide the requested information through a transmission channel that could be intercepted or traced; such information should be disclosed by secure electronic means agreed individually with the data subject; or
- To document the actions which have been taken for the request of a data subject.
Users or their legal representatives also have the right to lodge a complaint with a supervisory authority, of which the Company informs them (Articles 13(2)(d) and 14(2)(e)).
Security Measures
The Company takes the security of personal data seriously. It implements the following security measures to prevent unauthorised access to, or the disclosure, use or alteration of, personal data (Article 32):
- To formulate countermeasures against hacking
- To install systems that process personal data in a zone to which external access is strictly restricted, so as to prevent users' personal data from being leaked or damaged by hacking or malware
- To establish and implement internal management plans
- To conduct regular internal audit (semiannual) to safely process personal data
- To keep minimal the number of employees processing personal data and educate them
- To install and operate access control systems
- To restrict access to personal data by granting, changing and revoking access rights to the database systems that process personal data
- To keep documents, storage devices, etc. that contain personal data in a secure, locked place
- To designate a physical location for storing personal data, to restrict access to it by unauthorised persons, and to establish and operate an access control procedure for it
- To install and operate an enterprise-wide data loss prevention (DLP) solution
- To collect and store access logs, and to prevent their forgery or alteration, through the installation of Endpoint Protector, an endpoint security program
Data Breach Escalation and Checklist
Articles 33 and 34 require that, in the case of a personal data breach, the controller notify the breach to the supervisory authority without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, and communicate the breach to the affected data subjects without undue delay where it is likely to result in a high risk to their rights and freedoms. To this end, the Company acts before and after such an incident in accordance with the following checklist:
- Preparing for a data breach
  - To prepare a method for recognising a data breach;
  - To prepare a detailed response plan for addressing any personal data breach that may occur;
  - To allocate responsibility for managing breaches to a dedicated person or team; and
  - To train staff to know how to escalate a security incident to the appropriate person or team in the organisation that can determine whether a breach has occurred
- Response to a data breach
  - To have in place a process to assess the likely risk to data subjects as a result of a breach;
  - To have in place an internal process to notify the relevant supervisory authority (for example, the Information Commissioner’s Office (ICO) in the United Kingdom) of a breach within 72 hours of becoming aware of it;
  - To have a Breach Notification Form ready to submit to the supervisory authority if a data breach occurs;
  - To have a process to communicate the personal data breach to the affected individuals without undue delay;
  - To know what information about a breach the Company must provide to individuals, and to provide advice to help them protect themselves from its effects; and
  - To document all breaches, including those that did not require notification (Article 33(5))
- Process of reporting and notifying a data breach
  - To contact the relevant supervisory authority within 72 hours after having become aware of a breach;
  - To contact directly the individuals affected by a breach if it is likely to result in a high risk to their rights and freedoms; and
  - To have in place a Breach Notification Form for the supervisory authority and a Breach Notification Form for the data subject.
Children’s Personal Data
The age below which the consent of the holder of parental responsibility is required for the processing of a child’s personal data (Article 8) varies by country, for example:
- The United Kingdom: under 13
- Germany: under 16
- France: under 15
Our products and services are intended for use by individuals 17 years of age and older, and those under the age of 17 are not eligible to use any of our services. In principle, the Company does not collect any personal data from children. If the Company learns that any personal data of a child has been collected through the WebCeph application, it will take appropriate steps to delete the data.
However, if the Company collects any personal data of children for the provision of its services, it will comply with the following procedures for the protection of children’s personal data (Article 8):
- To verify if a child is subject to the guardian’s consent and such guardian is authorized, within the scope of reasonable efforts;
- To have the consent from a child’s parent or guardian to collect the child’s personal data or to provide the child with product information and the Company’s services directly;
- To grant a child’s legal representative the right to access, rectify or delete, or temporarily suspend the processing of, the child’s personal data, and the right to withdraw the representative’s prior consent; and
- To limit the collection of personal data to the extent solely required for the participation in online activities
Profiling
The Company may use users’ personal data to create individual or collective profiles (hereinafter referred to as “profiling”) in order to identify how to provide users with better services, for example by analysing which aspects of the Company and/or its services most attract users, and the patterns in which users use the services, and providing customised service content on that basis. In addition, the Company uses personal data to create user clusters that identify users’ interest in the Company’s products and/or services, to analyse the market and compile statistics, and to enhance the Company’s services (all websites, etc.). It may combine the data provided through all its websites and applications with the users’ personal data provided by Learning Lab. The processing of personal data for profiling is carried out in line with the guarantees and measures specified in applicable law, including the explicit consent of the user for automated individual decision-making described above (Article 22).
Data Retention Policy
For the purpose of protecting users’ data, the Company complies with the principle of Data Minimisation where the processing of personal data should be appropriate and limited to the extent solely necessary for the purposes for which the data are processed (Article 5 Paragraph 1 (c)). To this end, the Company abides by the following retention policy:
- All personal data processed by the Company are subject to and protected by the Company’s member data retention policy.
- Personal data are retained for no longer than is necessary for the purposes for which they are processed. The Company destroys personal data without delay once the user deletes his or her account in the WebCeph application. However, personal data may be stored for longer periods insofar as they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of the appropriate technical and organisational measures required by the GDPR to safeguard the rights and freedoms of the data subject (Article 5(1)(e)).
- The Data Protection Officer sets a strict retention period for users’ personal data, and the Company does not retain the data beyond the period for which they are required. The Company monitors compliance with the retention periods on a regular basis and securely deletes data that are no longer necessary (Recital 39).
- The Company schedules regular reviews of stored data to determine whether the data are still required.
- The Company destroys special categories of personal data (Article 9), such as data on sexual orientation, racial or ethnic origin, beliefs and health, as soon as they are no longer necessary, and retains such data for no longer than is necessary.
- The Company complies with the GDPR and other relevant regulations in relation to the retention of users’ personal data.
Employee Training
The Company trains and monitors the employees who handle personal data, including the HR department, which handles the personal data of the Company’s employees, so that both users’ and employees’ personal data are handled in compliance with the GDPR (Article 39). The Company keeps records of all employee training (date, time, list of subjects, list of attendees, contents of training, subject of training, role of the DPO).
Cookies and Web Beacons
The Company may collect aggregated, non-identifying data through ‘cookies’ or ‘web beacons.’
Cookies are small text files sent to the user’s browser by the server operating the Company’s websites and stored on the user’s computer.
Web beacons are small pieces of code embedded in web pages and e-mails. By using web beacons, the Company can identify whether a user has interacted with certain web pages or the contents of an e-mail.
These functions are used to evaluate and improve the services and to customise the user experience, so that the Company can provide improved services to its users.
The items of cookies to be collected by the Company and the purpose of such collection are as follows:
- Required cookies: These cookies are strictly necessary for users to use the functions of the Company’s website. Services such as the shopping cart or electronic bill payment cannot be provided unless the user accepts these cookies. These cookies do not collect any data that can be used for marketing and do not record the sites that users have visited. They are used:
  - To retain the data entered in an order form while the user browses other webpages during the browser session
  - To retain the purchased services on the product and checkout webpages
  - To verify whether a user is logged on to the website
  - To ensure that a user is connected to the correct service on the Company’s website if the Company makes any change to the operation of its website
  - To connect users to a certain application or server of the services
- Analytics cookies: These cookies collect data on how users use the Company’s website, such as the webpages most frequently visited. Such data help the Company optimise its website so that users can navigate it more conveniently. These cookies do not collect any data that identifies users; the data collected are aggregated and therefore anonymous. They are used for:
  - Web analysis: to provide statistical data on how the website is used;
  - Advertising response rate: to confirm the effectiveness of the Company’s advertisements;
  - Affiliate tracking: to provide the Company’s affiliates with anonymous feedback that a visitor to the Company’s website has visited an affiliate’s website;
  - Error management: to identify errors that have occurred in order to improve the Company’s website; or
  - Design testing: to test alternative designs of the Company’s website
Users can choose how cookies are handled: accept all cookies, be asked for confirmation each time a cookie is saved, or refuse all cookies. Refusing cookies may, however, limit the user’s use of some parts of the services provided by the Company.
The latest update date: August 23, 2021