2019.03.14 ~ 2019.04.11 Privacy Policy
1. Collection and retention of personal information
a. Collection and retention of personal information by the National Museum of Modern and Contemporary Art, Korea (hereinafter “MMCA,” “we,” “us” or “our”) are compliant with statutory provisions and only made upon prior consent of the data subject (hereinafter “data subject,” “user,” “you,” or “your”). Statutory provisions authorize MMCA to collect and retain personal information files as follows:
Planning & General Management Department
| File name | Data | Purpose of retention | Legal basis | Retention period |
| --- | --- | --- | --- | --- |
| “MMCA website user” | E-mail, Password, Name, Date of birth, Address, Phone number, Mobile phone number | Exhibition and learning program booking; booking confirmation mailing service (Paid-up member, Residency, Webzine, and Exhibition, learning & event newsletter etc.); Notice and sending of event gifts | Data subject’s prior consent | Permanent (for selected applicants); 3 years (for non-selected applicants, or your account deletion whichever comes first) |
Conservation & Art Bank Department
| File name | Data | Purpose of retention | Legal basis | Retention period |
| --- | --- | --- | --- | --- |
| Art Bank & Government Art Bank website user | User ID, E-mail, Password, Name, Date of birth, Address, Phone number, Mobile phone number | Art Bank & Government Art Bank competition review, Purchased artwork rental & sales, Art Bank competition event communications | Data subject’s prior consent | Permanent (for selected applicants), Semi-permanent (for non-selected applicants) |
Customer Support Team
| File name | Data | Purpose of retention | Legal basis | Retention period |
| --- | --- | --- | --- | --- |
| Volunteer list | Name, Address, Phone number, Mobile phone number, E-mail, Date of Birth | Volunteer management | Data subject’s prior consent | Period only for volunteer participation |
※ For access to MMCA personal information files, please visit www.privacy.go.kr (Personal Information Protection Commission of the Ministry of the Interior and Safety), and browse as follows: Petition → Request for personal information → Personal information files search.
b. Personal information automatically collected and stored when using websites
- ·Your personal information automatically collected and retained for your service usage pattern analysis and better website browsing experiences includes:
- - your internet service domain name, website address you have visited before visiting our website and date & time of your previous visits; and
- - name of browser and operating system you use when you visit our websites.
c. Personal information retained by statutory requirements
- · We retain your personal information for a specific period of time as required by applicable statutory requirements. In such event, we retrieve and use your personal information only for the purpose specified in respective laws and regulations.
d. Access to personal information files
| Retention (Control) Organization | Personal Information File | Contact: TEL (FAX) | Contact: E-mail | Contact: Postal Address |
| --- | --- | --- | --- | --- |
| Planning & General Management Department | MMCA website user | 02-2188-6101 (02-2188-6161) | kimsy@korea.kr | Gwangyeong-ro, Gwacheon-si, Gyeonggi-do 13829, Republic of Korea, MMCA Gwacheon |
| Conservation & Art Bank Department | Art Bank website user | 02-2188-6083 (02-2188-6128) | | |
| Customer Support Team | Volunteer list | +82-2-3701-9535 (+82-2-3701-9539) | | |
· We process your personal information in a legally permitted and appropriate manner to protect your privacy. However, a part of your personal information may be disclosed to or shared with a third party to the extent permitted by the applicable laws and regulations.
2. Use and sharing of personal information
a. Sharing of your personal information with third parties
- · Even if we share your personal information with a third party, such party has no right to disclose your personal information unless explicitly agreed by us.
- · Your personal information we are permitted to share with third parties under the applicable laws and regulations includes:

| File name | Third party | Purpose | Data | Period of retention & use |
| --- | --- | --- | --- | --- |
| Volunteer list | Gwacheon Volunteer Center | Volunteer contribution records | Name, Date of birth, Activities, Service hours | Removed immediately after completion of data entry into 1365 system |
- · Personal information we collect, retain, use, disclose or share with third parties is subject to prior notice and your explicit consent, except as otherwise required by laws or regulations.
b. Entrusting of your personal information
- · In case we entrust your personal information to public entities or private entities pursuant to Article 26 (Limited processing of entrusted personal information) of the Personal Information Protection Act, we set out limitations and procedures of such entrusting and ensure that the entrusted entities use the same level of care that we use for protecting your personal information. In addition to that, we conduct inspections to verify how your personal information is being protected at the third party’s premises.
- · Your personal information we are permitted to entrust to third parties under the applicable laws and regulations includes:

Outsourcing

| Third party | Data | Purpose | Use & Retention Period |
| --- | --- | --- | --- |
| EDS Korea | E-mail, Password, Name, Date of Birth, Address, Telephone number, Mobile phone number | Website service & maintenance | Removed upon termination of an outsourcing agreement |
| EDS Korea | E-mail, Password, Name, Date of Birth, Address, Telephone number, Mobile phone number | Art Bank website service & maintenance | Removed upon termination of an outsourcing agreement |
| TUNESYSTEM | Member DB | Website hardware & software maintenance | Removed upon termination of an outsourcing agreement |
c. Limited use and sharing of personal information
Use and sharing of your personal information we collect and retain are subject to privacy laws and regulations.
- · Article 18 (Limited use and sharing of personal information) of the Personal Information Protection Act allows us to use or share your personal information with third parties if such use or sharing is
- 1. explicitly agreed to by the data subject
- 2. specifically required by other laws or regulations
- 3. necessary to protect the data subject or any third party who is in imminent life-threatening danger, physical harm or property loss while obtaining a prior consent is unavailable because such data subject or his/her legal agent is incapable of expressing his or her own intention to agree or disagree, or we are unable to contact such data subject or his/her legal agent due to unknown address
- 4. used for statistical survey and academic research as long as personal information is anonymized
- 5. unavoidable as executing statutory obligations require use or sharing of personal information other than specified herein; provided however that such use or sharing is permitted to the extent that is reviewed and approved by the Privacy Protection Commission
- 6. required to be disclosed to a foreign government or international institution for the purpose of executing any treaty or inter-governmental agreement
- 7. necessary for criminal investigation or filing and/or sustainment of a public prosecution
- 8. necessary for judicial proceeding
- 9. necessary for probationary and/or protectionary order execution
3. Disposal of personal information
Your personal information will be removed, deleted, or destroyed immediately once the purpose of collection and use is attained. Removal, deletion, or destruction procedures and methods are as follows:
a. Procedures of removal, deletion, or destruction
- · Personal information you have submitted for accessing our services, including signing up, will be removed, deleted, or destroyed after their respective purposes are realized and their respective retention periods as required by applicable laws and regulations and/or our privacy policy (see the period of retention and use) expire.
- · Your personal information retained by us will not be used for any purpose other than specified herein, except otherwise required by laws and regulations.
b. Methods of removal, deletion, or destruction
- · Personal information contained in printed media will be destroyed either by a paper shredder or fire pit.
- · Personal information contained in digital media will be removed, deleted, or destroyed in such manner that no data can be recovered.
4. Data subject’s rights
Chapter 5 (Ensuring data subject’s rights) of the Personal Information Protection Act specifies that, with respect to his or her personal information, the data subject shall be entitled to:
- 1. access to his or her personal information
- 2. correction or deletion of his or her personal information
- 3. suspension of processing of his or her personal information
- 4. exercise of his or her statutory rights
- 5. claim for damages
5. Access to, correction, deletion, and suspended processing of personal information files
The data subject is entitled to request an access to, correction and deletion, and suspended processing of his or her personal information we retain pursuant to Article 35 (Access to personal information), Article 36 (Correction and deletion of personal information), and Article 37 (Suspended processing of personal information) of the Personal Information Protection Act.
| Personal information controller | Request process |
| --- | --- |
| MMCA Planning & General Management Department (Data processing office) | Submit a request in writing, or visit www.privacy.go.kr (Personal Information Protection Commission of the Ministry of the Interior and Safety), and browse as follows: Petition → Request for personal information (i-PIN required for verifying your identification) |
a. Access to personal information
- · You have the right to access your personal information files we retain pursuant to the Personal Information Protection Act and other privacy regulations. Access procedures are as follows:
- · Your access to personal information files may be denied pursuant to the fourth paragraph of Article 35 (Access to personal information) of the Personal Information Protection Act, if such access is:
- 1. prohibited or restricted by the applicable laws and regulations
- 2. likely to cause life-threatening danger, physical harm, property loss, or injury of legitimate interests of another person
- 3. a cause of interrupted execution of a government agency’s administrative operations, including
- a. imposition, collection or return of tax.
- b. scoring or admission evaluation at a school established under the Mandatory Education Act and the Higher Education Act, at a lifelong learning center established under the Life-long Learning Act, or at a higher educational institution established under other laws.
- c. academic achievement & skill testing and employment, or qualification review.
- d. evaluation or consideration relating to an application for either a compensation or benefit.
- e. audit or inspection activities carried out under other laws and regulations.
b. Correction, deletion, and suspended processing of personal information
- · After accessing your personal information files, you may request the personal information processor to correct, delete, or suspend processing of your personal information; provided however that your deletion request may not be acceptable if your personal information is subject to mandatory collection & retention under other laws and regulations. Correction, deletion or suspended processing procedures are as follows:
- · “Access, Correction, Deletion or Suspended Processing of Personal Information” [Form No. 8, Enforcement Decree of the Personal Information Protection Act]
- · Letter of attorney [Form No. 11, Enforcement Decree of the Personal Information Protection Act]
6. Privacy violation report
When you are using our website services, if you find any violation or damage resulting from collection, use, sharing, entrusting of your personal information which is not subject to such collection, use, sharing, entrusting under the applicable laws, or collected, used, shared, entrusted without your prior consent, or if you have reasonable cause to believe that your personal information is breached or your right as the data subject is violated, you can report such violation to competent authorities as follows:
7. Technical and managerial protection measures
We employ technical and managerial measures to protect your personal information from any loss, theft, leakage, falsification, or damage. Our measures include:
a. Password encryption
- · Your password we retain and control is fully encrypted and only known to you. Editing your profile including password change is only made by you.
b. Countermeasures against potential attacks including hacking
- · We use our best efforts to protect your personal information from potential cyber attacks including hacking and viruses. In this regard, your personal information is subject to regular backup and is protected by the latest anti-virus software, which can prevent any leakage or damage of your personal information while we retain it. Cryptographic communication between our database and that of third parties enables safe and secure transfer of your personal information. We employ an advanced firewall system, denying any unauthorized access. We allocate our available resources to acquire and operate the most advanced cyber security assets.
c. Minimization and training of employees handling personal information
- · We permit only our employees to access your personal information to the extent they need, and undertake additional measures to limit their access to your personal information by assigning them separate passcodes which are subject to regular updates. In addition to that, we provide them data security training, including MMCA Privacy Policy.
d. Privacy protection organization
- · We exert our best efforts to ensure that MMCA Privacy Policy is fully observed and followed, and undertake necessary corrective actions to address any found problems. However, we assume no liability for any and all losses and damages arising out of, or relating to breach of your personal information including your user ID or password due to internet service provider’s faults or your own negligence.
8. Remedies for privacy violations
In the event of privacy violations, you as the data subject may seek remedies, including consultations. If you are not satisfied with our privacy protection measures or remedies for breach of privacy, you can seek assistance from other government authorities as follows:
Privacy Violation Complaint Center: Report a privacy violation case, including consultation
- - Website: privacy.kisa.or.kr (TEL: 118)
- - Address: Privacy Violation Complaint Center, 135 Jungdae-ro, Songpa-gu, Seoul 138-950
Privacy Arbitration Board: File an individual or collective privacy-related arbitration under the Civil Code
- - Website: www.kopico.go.kr (TEL: +82-2-1833-6972)
- - Address: 4F, Government Complex Seoul, 209, Sejongdae-ro, Jongno-gu, Seoul 03171
Public Prosecutors’ Office Cybercrime Investigation Group: Call +82-2-3480-3573 or visit at www.spo.go.kr
National Police Agency Cyber Bureau: Call 1566-0112 or visit at www.netan.go.kr
9. Operation and control of closed-circuit television systems
We have and operate closed-circuit television systems as follows:
- · Purpose and legal basis of closed-circuit television system installations
- - Security, safety and fire-prevention of MMCA facilities
- - Protection of collections from theft, and (if any) evidence collection
- · Units, locations and surveillance range
Units, locations and surveillance range (Location, Unit, Surveillance Range)
Location |
Units |
Surveillance Range |
MMCA Gwacheon |
120 |
Entire premises |
MMCA Seoul |
223 |
MMCA Deoksugung |
26 |
MMCA Cheongju |
180 |
Entire Residency |
MMCA Residency Goyang |
14 |
MMCA Residency Changdong |
13 |
Total |
576 |
- · Controller, Operating Department and Operator
| Location | Operating Department | Controller | Operator |
| --- | --- | --- | --- |
| MMCA Gwacheon | Administration Support Department | Manager of Administration Support Department | Security Control room Member |
| MMCA Seoul | Administration Support Department | Manager of Administration Support Department | Control RM Member |
| MMCA Deoksugung | Exhibition-3 Team | Leader of Exhibition-3 Team | Security Control room Member |
| MMCA Cheongju | Collection Storage Control Team | Leader of Collection Storage Control Team | Security Control room Member |
| MMCA Residency | Exhibition-2 Team | Leader of Exhibition-2 Team | Security Control room Member |
- · Surveillance hours, and retention period, retention place and disposal of footages
- - Surveillance hours: 24 hours a day
- - Footage retention period: 90 days
- - Footage retention place
| Location | Retention place |
| --- | --- |
| MMCA Gwacheon | Security Control room |
| MMCA Seoul | Control RM |
| MMCA Deoksugung | Security Control room |
| MMCA Cheongju | Security Control room |
| MMCA Residency | Security Control room |
- - Disposal of footage: We strictly control and log use, sharing, destruction of, and access to CCTV footage only within permitted purposes, and footage contained in digital media is destroyed in such manner that no data can be recovered (in case of printed media, destroyed either by a paper shredder or fire pit) once its statutory retention period expires.
- · Footage retention place and access to footages
- - Access to footages: You as the data subject may request a CCTV data controller to disclose CCTV footages containing your personal information.
- - Retention place
| Location | Retention place |
| --- | --- |
| MMCA Gwacheon | Security Control room |
| MMCA Seoul | Control RM |
| MMCA Deoksugung | Security Control room |
| MMCA Cheongju | Security Control room |
| MMCA Residency | Security Control room |
- · Data subject’s request to access CCTV footage: You must submit a request in writing and your access to CCTV footage will be permitted only when such CCTV footage contains an actual image of you and such access is necessary to protect you from any imminent life-threatening danger, physical harm or property loss.
- · Technical, managerial and physical measures to protect CCTV footages: Our internal procedures to control and restrict access to CCTV footages include secure data storage and data communication technologies, processing history log, anti-forgery and falsification measures, physical anti-breaking facilities and locking devices.
10. Privacy Officer and Security Manager
· MMCA Chief Privacy Officer: Bae yang-hee, Manager of Planning & General Management Dept.
- Phone: (02)2188-6162
- E-mail: yhbae@korea.kr
- Address: MMCA Planning & General Management Department, Gwangyeong-ro, Gwacheon-si, Gyeonggi-do 13829, Republic of Korea
· MMCA Personal Information Security Manager: Joe su-yeun
- Phone: (02)2188-6162
- E-mail: suyeun00@korea.kr
- FAX: (02)2188-6161
- Address: MMCA Planning & General Management Department (Data processing office), Gwangyeong-ro, Gwacheon-si, Gyeonggi-do 13829, Republic of Korea
- • Or you can report to the following personal information infringement report center operated by the Ministry of Public Administration and Security according to Article 62 of the Enforcement Decree of the Personal Information Protection Act.
- Korea Internet & Security Agency Personal Information Infringement Report Center (http://kisa.or.kr, Tel: 118)
11. Changes to this policy
- · This Privacy Policy becomes effective on March 14, 2019.