KLRI’s Privacy Policy

KLRI’s Privacy Policy

All personal information that the Korea Legislation Research Institute (“KLRI”) processes is collected, retained and processed under relevant statutes or with the consent of each person whose information becomes subject to this Policy (“data subject”). The Personal Information Protection Act provides for general norms concerning management of personal information. KLRI will lawfully and properly manage the information collected, retained and processed under the provisions of such statutes to properly perform public services and appropriately protect the rights and interests of citizens.

Futhermore, we, at the KLRI, respect your rights, including the right to request inspection or correction of your personal information retained by us, pursuant to the relevant statutes. You also have a right to file a petition for an administrative hearing to seek remedies for a violation of any of such rights under the Administrative Appeals Act.

KLRI’s Policy for Processing Personal Information

1. Purposes of Processing Personal Information

Most services provided by the KLRI on its web-site are accessible by any user at any time without user registration.
However, we, at the KLRI, collect and use personal information of users to provide more advanced, higher quality services, including mailing services. Only users who have registered with us as members are permitted to post messages and comments on our message boards. This policy aims to prevent reckless and defamatory or libelous expressions and strengthen the effects of opinions collected.

Your personal information processed by us are not used for any purpose other than the following purposes specified below, and we will take necessary measures when any change occurs in the purposes of use, such as obtaining additional consent in accordance with Article 18 of the Personal Information Protection Act.

1.1. Personal Information Automatically Collected and Stored

When you access the web-site of the KLRI, the following information is automatically collected and stored:

Users' Internet domain names and URLs of web-sites from which our web-site is accessed;

Browsers and operating systems (OS) used by users;

Date and time of visit, etc.

To provide higher quality services to users, HTTP cookies are used as a means of storing and retrieving user information from time to time. An HTTP cookie is a small piece of data that a server uses to operate a web-site that is sent to the web browser of a user’s personal computer which may store it on a hard drive.
The information automatically collected and stored is used for statistical analysis to improve and supplement web pages and to facilitate communications between users and the web-site to provide better services to users. Please note and understand that relevant statutes may require us to provide such information to a relevant authority in certain cases.

1.2. Personal Information Collected when Additional Services are Used

Personal information of a user is collected when the user uses our regular mailing services or to post a message or comment on the message board and is limited to the minimum extent necessary.

Subscription

Table on Personal Information Collected when Additional Services are Used
Legal Basis for Collection Purpose of Handling Major Items Period of Retention
Consent of a data subject Sending newsletters, using additional services, etc. Required items : User ID, password, e-mail address and request to receive newsletters
Optional items : None (users’ resident registration number will not be collected.)
Subscriber to the web-site: Two years (until a user withdraws subscription)
2. Period of Processing and Retaining Personal Information

(a) KLRI processes and retains personal information for the duration provided for by relevant statutes for the retention and use of personal information or the period to which each data subject consents when personal information is collected.

(b) The period during which personal information is processed and retained is as follows:
Subscriber to the web-site: Two years (or until a user withdraws subscription).

3. Matters pertaining to Provision of Personal Information to Third Parties

No personal information collected and retained by KLRI is provided to any third party without the consent of a user except in the following cases:

(a) Where a data subject specifically consents to provision of personal information;

(b) Where special provisions exist in other statutes;

(c) Where it is deemed necessary explicitly to protect, from impending danger, the life, body or economic profits of a data subject or a third party when the data subject or such
person’s legal representative is incapable of communicating intention or it is impossible to obtain prior consent due to unknown addresses, etc.;

(d) Where personal information is provided in a manner that makes it impossible to identify a specific person, as necessary for compiling statistics, academic research, etc.;

(e) Where it is impracticable to perform relevant duties provided for in other statutes unless personal information is provided for any purpose other than its original purpose or is
provided to a third party, with the relevant case having been deliberated on and determined by the Personal Information Protection Commission;

(f) Where it is necessary to provide personal information to a foreign government or an international organization to implement treaties or other international agreements;

(g) Where it is necessary to investigate a crime and to file and undergo prosecution;

(h) Where it is necessary for a court to proceed with a trial;

(i) Where it is necessary to enforce a sentence, custody or protective order that has been imposed.

(j) When we, at the KLRI, provide personal information to a third party, we will inform the respective person of the following facts to obtain consent:

The name of a person to receive the personal information (if the recipient is a corporation or organization, the name thereof) and the contact information;

The recipient’s purpose of use of the personal information and the items of the personal information to be provided;

The duration during which the personal information will be retained and used by the recipient;

The fact that the data subject has a right to refuse consent and details of the disadvantages due to such refusal, if any.

4. Matters pertaining to Outsourced Processing of Personal Information

KLRI partially outsources the processing of the following user personal information that is collected and retained to maintain its web-site:

Table on Outsourcing Processing of Personal Information
Company Outsourced function Outsourcing Period
Mayeye Co., Ltd. Project to Upgrade the Web-site June 24, 2020 - June 23, 2021 (including complimentary maintenance period)
5. Rights and Obligation of Data Subjects; Exercise of Rights and Performance of Obligation

Any user, as a data subject, may exercise the following rights:

(1) A data subject (if the data subject is under the age of 14, referring to his/her legal representative) may exercise the following rights at any time in relation to the protection of
personal information:

(a) The right to request permission to inspect personal information;

(b) The right to request correction of personal information if there is any error, etc.;

(c) The right to request deletion of personal information;

(d) The right to request suspension of processing personal information.

(2) A data subject can exercise the rights provided in paragraph (1) by completing the form specified in attached Form 8 of the Enforcement Rule of the Personal Information
Protection Act and submitting it to KLRI by post, email or fax. In such cases, the KLRI will take necessary measures promptly.

(3) Where a data subject requests the correction or deletion of any error, etc., to the data subject’s personal information, the relevant information will not be used or provided until
such information is corrected or deleted.

(4) A data subject may exercise the rights provided in paragraph (1) through an agent, including a legal representative and a power of attorney. In such cases, the data subject is
required to submit a letter of delegation as specified in attached Form 11 of the Enforcement Rule of the Personal Information Protection Act.

(5) Where a data subject requests permission to inspect one’s personal information or suspension of processing personal information, such subject’s rights may be limited in the
following cases under Article 35 (4) or 37 (2) of the Personal Information Protection Act:

1. Where any Act prohibits or restricts such inspection;

2. Where it is likely to harm another person’s health or safety or to unfairly violates another person’s property or interests;

3. Where it substantially interferes with a public institution performing any of the following business affairs:

(a) Affairs concerning imposing, collecting or refunding taxes;

(b) Affairs concerning assessing academic achievements or selecting new enrollees at schools of each level established under the Elementary and Secondary Education Act
or the Higher Education Act; lifelong education facilities established under the Lifelong Education Act; and higher education facilities established under other Acts;

(c) Affairs concerning the testing of academic skills, aptitudes, skills for employment and examination of qualifications;

(d) Affairs concerning evaluating or determining calculation, etc. of damages or benefits;

(e) Affairs concerning audits and investigations in progress under any other Act.

(6) With respect to a request for correction or deletion of personal information, a data subject cannot request the deletion of personal information of such subject if the relevant
personal information is provided for as information subject to collection under any statute.

(7) Upon receipt of a request to inspect, correct or delete personal information or a request to suspend processing of personal information, KLRI will verify whether the requesting
person is the data subject or a legitimate representative.

* A written request to inspect personal information [attached Form 8 of the Enforcement Rule of the Personal Information Protection Act]

* A letter of delegation [attached Form 11 of the Enforcement Rule of the Personal Information Protection Act]

6. Personal Information to be Processed

KLRI collects and retains personal information only in compliance with the provisions of relevant statutes or with the consent of data subjects. The personal information collected and retained by KLRI are as follows:

Subscription

Personal Information to be Processed Table
Legal Basis Purpose of Processing Key Information Collected Retention Period
Consent of a data subject Sending newsletters, using additional services, etc. Required items : User ID, password, e-mail address and whether to receive newsletters
Optional items : None (resident registration numbers of users will not be collected.)
Subscriber to the web-site: Two years (until a user withdraws subscription)
7. Destruction of Personal Information

KLRI destroys user personal information immediately after the period of retaining personal information ends or the purposes of processing personal information are attained, except where it is required to preserve the personal information under other statutes. The procedures, deadlines and methods for destroying personal information are as follows:

(a) Procedures for destruction: The personal information that a user provides is destroyed in accordance with our internal policies and relevant statutes after the retention period of
the relevant information expires or the purposes of processing such information are attained;

(b) Methods for destruction: The personal information recorded and stored in electronic files will be destroyed by means of low-level formatting or other similar methods to prevent
the recovery of the records, while personal information recorded and preserved in paper documents will be destroyed by a shredder.

8. Measures for Ensuring Safety of Personal Information

KLRI, in accordance with Article 29 of the Personal Information Protection Act, takes the following technical, administrative and physical measures necessary to ensure safety:

(a) Formulation and implementation of internal management plans: KLRI formulates and implements internal management plans in accordance with the guidelines on measures for ensuring
the safety of personal information;

(b) Minimizing and educating personnel authorized to process personal information: The number of personnel authorized to process personal information is minimized and regular
educational programs are implemented for such personnel;

(c) Restrictions on access to personal information: Access to personal information is controlled by granting, amending or cancelling the authority to access the database system that
processes personal information. Unauthorized external access is controlled by operating firewalls for blocking and preventing invasion and intrusion, while personnel authorized to
process personal information are precluded from accessing the personal information processing system externally via information and communications networks. Furthermore,
details about granting, amending or cancelling authority are recorded and such records are preserved for at least three years;

(d) Preserving access logs and preventing forgery and alteration of access logs: Log data about access to the personal information processing system (including web logs
and summary information) are retained and managed for at least two years, and access logs are maintained properly to prevent forgery, alteration, theft and loss;

(e) Encryption of personal information: Passwords and identification numbers for the personal information of each user are encoded for storage and management. Furthermore,
additional means, such as encrypting essential data for storage and transmission, are used for security.

(f) Technical measures against hacking, etc.: KLRI has installed security programs and updates and inspects the programs to protect personal information from being leaked externally
or destroyed by hacking or computer viruses and the systems have been installed in an area with restricted access to technically and physically monitor and block external access.

(g) Controlling access by unauthorized persons: The area for the physical storage of the personal information system that retains personal information is separated from other areas
and a procedure for controlling access to this area is established and implemented.

9. Linked Web-sites and Web-pages

When visiting any other web-site or web-page by clicking a link or banner on our web-site, the privacy policies of the web-site that you visit will apply. Please check the privacy policies posted by the operator of such web-site.

10. Acquisition of Third Party’s Personal Information while Using Web-site

No one shall acquire any personally identifiable information, including any e-mail address, from the web-site operated by KLRI.
Any person who inspects or obtains such personal information by fraud or other illegal manner is punishable under Article 59 of the Personal Information Protection Act.

11. Managers and Officers in Charge of Processing Personal Information

To protect the rights and interests of the public and to properly perform public services, by ensuring the legality of personal information and the appropriateness of procedures, KLRI appoints and manages a personal information protection manager.

(a) Personal Information Protection Manager

Office : Administration Office of the Korea Legislation Research Institute

Name and position : Hyon Jun Won, Head Administrator

Tel. : 044-861-0387, Fax: 044-868-9913

E-mail : Send e-mail (kyung@klri.re.kr)

Address : 15 Gukchaegyeonguwon-ro (Bangok-dong), Sejong-si, 30147, Republic of Korea

If you have any questions or inquiries regarding personal information held by the KLRI or its privacy policies, etc., please contact us at:

(b) Personal Information Protection Officer

Office : Knowledge and Information Team, Administration Office of the Korea Legislation Research Institute

Name and position : Kim Hyun-kyoung, Head Administrator

Tel. : 044-861-0313, Fax: 044-868-9913

E-mail : Send e-mail (webmaster@klri.re.kr)

Address : 15 Gukchaegyeonguwon-ro, Sejong-si (Bangok-dong), Sejong-si, 30147, Republic of Korea

12. Requests to Inspect Personal Information

A data subject may request permission to inspect one’s personal information under Article 35 of the Personal Information Protection Act at the office of KLRI provided below. We will strive to ensure that your request is processed without delay.

Office : Knowledge and Information Team, Administration Office of the Korea Legislation Research Institute

Name and position : Kim Hyun-kyoung, Head Administrator

Tel. : 044-861-0313, Fax: 044-868-9913

E-mail : Send e-mail (webmaster@klri.re.kr)

Address : 15 Gukchaegyeonguwon-ro (Bangok-dong), Sejong-si, 30147, Republic of Korea

13. Amendment of Privacy Policy
14. Withdrawing Consent to the Collection, Use and Provision of Personal Information

As a data subject, you may withdraw your consent to the collection, use and provision of personal information to KLRI at any time.
Click on [Sign up/Log in>Member Services>Sign out] or contact the Personal Information Officer in writing, by phone or e-mail, to withdraw your consent. The Officer will take necessary measures immediately, including the deletion of your personal information.
We, at KLRI, will guide and supervise our personnel to ensure that personal information collected under the provisions of relevant statutes are used appropriately for the purposes of collection and processing.

15. Remedies for Violation of Rights and Interests

A data subject may file a petition for settlement of a dispute, consultation, etc. with the Personal Information Dispute Mediation Committee, the Korea Internet and Security Agency or the Personal Information Infringement Reporting Center to seek remedies for the breach of privacy. In addition, you may contact any of the following agencies to report or receive counselling on the breach of privacy:

(a) The Personal Information Dispute Mediation Committee : 1833-6972 (http://www.kopico.go.kr)

(b) Personal Information Infringement Reporting Center (Korea Internet and Security Agency) : 118 (without dialing an area code) (https://privacy.kisa.or.kr)

(c) The Cyber Crime Investigation Team of the Supreme Prosecutors’ Office : 1301 (without dialing an area code) (http://www.spo.go.kr)

(d) The Cyber Terrorism Response Center of the National Police Agency: 182 (without dialing an area code) (http://cyberbureau.police.go.kr)

Any person whose rights or interests are violated by any disposition or inaction of the head of a public agency with regard to a request made under the provisions of Article 35, 36 or 37 of the Personal Information Dispute Mediation Committee, may file a petition for an administrative hearing in accordance with the Administrative Appeals Act.

※ Please refer to the information on telephone numbers provided by the Central Administrative Appeals Commission (http://www.simpan.go.kr)