Korea Information Certificate Authority Inc. (hereinafter “KICA”) abides by relevant laws such as the Electronic Signature Act, Personal Information Protection Act, etc. for the protection of personal information submitted by the customer to the public certification service and other services (provided by KICA such as security server certification service, domain registration agency service, mobile key services, transaction certification service, etc.), and hereby notifies that the Privacy Policy has been established and executed as follows.
1. Personal information collection and collection method
KICA collects the personal information listed hereinafter when a customer is going to use the public certification service and may also request additional information from the customer.
1) Personal information collected
A. Public certification service
① Legal information and essential information collection under the Electronic Signature Act
- Individual: Name, Resident registration number, Email, Phone # (home/work, mobile #)
- Corporate: Business name / Company name, Business registration number, President name, Resident registration number of the president, Name of representative, Resident registration number, Employment period, Information of the person-in-charge of certificate (department, phone #, fax #, email), Phone # of the representative
- Tax bill issuing information: Address of the business site, Category of business, Type of business
② Optional information
- Individual: Address
B. Security server certification service (SSL)
① Essential information
- Corporate: Business name / Company name, Business registration number, President name, Name of representative, Address
② Optional information
- Business: Information of the person-in-charge of certificate (department, phone #, fax #, email), Phone # of the representative
C. Domain registration agency service
① Information collected when subscribing to a general membership
- Essential information: ID, Password, Name/Company name, Resident registration number / Business registration number, Name of person-in-charge (in case of corporate member), Email address, Address, Phone #, Mobile #, Legal representative information if under 14 years old
- Optional information: Fax #, Name/Address in English (to secure the essential information under the domain’s management regulations)
- Payment method for use of paid information and services: Bank details, Credit card details
② Information collected when subscribing to i-PIN membership
- Essential information: ID, Password, Name/Company name, Name of person in charge (if corporate member), Email address, Address, Phone #, Mobile #, Legal representative information if under 14 years old
- Optional information: Fax #, Name/Address in English (to secure the essential information under the domain’s management regulations)
- Payment method for use of paid information and services: Bank details, Credit card details
③ The following information can be created and collected in the service using process and business process treatment
- Service use log, connection log, cookie, connection IP information, payment record, Delinquent use record
- Corporate: Information on the person-in-charge of certification (department, phone #, fax #, email), Phone # of the representative
D. Mobile key service
① Essential information
- Individual: Name, Resident registration number, Mobile #, Mobile key password, Mobile service company name
② Optional information
- Individual: Email
E. Certified email service (#mail)
① KICA may collect and use personal information as provided below that is required for registration of certified email address as a registration agency pursuant to Act. 18 para. 4 and Art. 1 para. 3 of the Framework Act on Electronic Documents and Transactions.
- Individual: name, address, ID/password, phone number, mobile phone number, email
- Privately owned business: business name, name, place of business, business registration number, business registration number, ID/password, phone number, mobile phone number, email
- Corporate: company name (entity name), representative name, business registration number (unique number), place of business, ID/password, phone number, mobile phone number, email, person-in-charge information (name, phone number, mobile phone number, email, address)
- Government organization (local government, local government association): corporate name (entity name), representative name, business registration number (unique number), place of business, ID/password, phone number, mobile phone number, email, person-in-charge information (name, phone number, mobile phone number, email, address)
- Aged under 14: (information of legal representative) name, relationship with an applicant, mobile phone number, subscription certification information
② Information of public certificate, records of service usage, access records, log, cookies, information of access IP and records of bad use may be automatically generated and collected in the course of service usage or in the middle of business process.
F. Bid information service (KICABID)
KICA collects and uses the following personal information to provide bid information service:
① Mandatory information.
- Individual: ID, password, name, email address, contact information (select one from home/workplace/mobile phone), subscription authentication information
- Business: mailing address, information of person in charge of bid information (name, department, phone number, email)
- Members subscribing fee-based service
  - Payment by credit card: name of credit card company, credit card number, etc.
  - Payment by mobile phone: mobile phone number, telecommunication company, payment approval number, etc.
  - Account transfer: Bank name, bank account number, etc.
  - Information collected to issue a tax invoice: address of business location, business type, business condition, email address, etc.
  - Information collected to issue a cash receipt: name, resident registration number
② Optional information
- Individual: ID, password, name, email address, contact information (select one from home/workplace/mobile phone), subscription authentication information
- Business: mailing address, information of person in charge of bid information (name, department, phone number, email)
- Members subscribing fee-based service
  - Payment by credit card: name of credit card company, credit card number, etc.
  - Payment by mobile phone: mobile phone number, telecommunication company, payment approval number, etc.
  - Account transfer: Bank name, bank account number, etc.
  - Information collected to issue a tax invoice: address of business location, business type, business condition, email address, etc.
  - Information collected to issue a cash receipt: name, resident registration number
③ Records of service usage, access log, cookies, information of access IP and records of bad use may be automatically generated and collected in the course of service usage or in the middle of business process.
2) Personal information collection method
A. Public certification service
Service home page (including the bulletin board, etc.), document submitted by the customer who visited KICA, a registration agency institution, etc.
B. Other services
Service homepage (including bulletin board, etc.), document submitted to KICA, etc.
2. Purpose of personal information processing
KICA processes collected personal information for the following purposes.
1) Contract execution and charge settlement
Service provision, purchasing and payment of charges, delivery of information required to use the service, etc.
2) Customer management
Personal verification of customer, personal identification, prevention of delinquent use by corrupt customers and prevention of unauthorized use, age verification, civil affair processing such as complaint processing, customer response and consultation, delivery of notification, etc.
3) Marketing and advertisement (publicity)
Provision of advertising information for an event, etc., publicity and marketing of the public certification service and other services, use for connection frequency or statistics of customer’s service usage, etc.
4. Installation, operation and refusal of a mechanism (a cookie) that automatically collects personal information
1) What is a cookie?
① KICA uses cookies that can store and retrieve personal information of customer to provide services tailored to and customized for an individual.
② A cookie is a small text file sent from a website server to a user’s web browser and stored in the hard disc of the user’s computer. Every time the user loads the website, the website server reads the cookie information saved in the user’s hard disc, maintains the user’s configuration setup and provides tailored service.
③ Cookies do not collect person identifiable information automatically/dynamically and a user may refuse to save cookies or delete cookies at any time.
2) Purpose of using cookies
Cookies are used to provide service tailored to a user by identifying the user’s login status, change of ID, records of website visit, a legal representative’s approval for a minor, shipping information of an ordered product, etc.
3) Installation, operation and refusal of a cookie
① A user may or may not install a cookie. That is, a user can allow all cookies by setting up options in the web browser, configure the browser to require the user’s confirmation every time a cookie is saved, or refuse the saving of all cookies. In the event a user refuses the saving of cookies, the user may have difficulty using the parts of the website’s services that require a user login.
② How a user can allow cookies (in the case of Internet Explorer) is provided below.
- In the [Tools] menu, select [Internet option]
- Click the [personal information] tab
- Configure whether or not to allow cookies in the [personal information handling level]
5. Provision of personal information to a 3rd party
1) KICA does not provide or reveal customer personal information to a 3rd party without the subscribers’ consent. However, personal information can be provided without a subscriber’s consent in accordance with relevant laws when requested by government institutions, the Information & Communication Ethics Committee for criminal investigations, and when required to settle charges, and provided after processing so that a specific individual may remain anonymous.
KICA may share the customer’s personal information with business partners or cooperative companies to provide better services, but it will go through the member consent request procedure after informing them of the purpose, content, reason, etc., and the information is not shared when the subscriber does not consent. Also, it goes through separate consent request procedures when the provision of personal information exceeds the previous consent’s scope. In case the provision of personal information is subsequently cancelled, KICA requests the relevant company to delete the corresponding personal information.
2) Public certification service
KICA provides personal information to SG Service Co. Ltd., KICA’s customer satisfaction center, to survey customer satisfaction by optimizing customer consultation work relating to the public certification service. Unless consent for the provision of personal information has been obtained, it may cause difficulty in public certificate fee payment, and it may cause inconvenience in using the service as the consultant is not able to verify the customer’s personal information when counseling. Also, public certificate renewal and event information services cannot be provided, which may result in criminal exposure.
Receivers | Purpose | Information provision | Retention and use period |
---|---|---|---|
SG Service, the KICA Customer Satisfaction Center | Customer response work such as customer consultant, telemarketing, etc. | All information collected for the public certification service | Partnership term |
Koscom, KFTC, CrossCert, Ktnet | Emergency deletion when illegal issuance, abuse, etc. is reported | Name, resident registration number, DN information, etc. | Immediate deletion if not a KICA customer; terminate public certificate validity and store for 10 years if a KICA customer |
3) Mobile key service
KICA notifies the following list of personal information provided by SG Service Co. Ltd. partnership work for KICA’s public certificate, customer consultation, marketing, etc. registration agency work for customer consent. Customers can refuse the provision of personal information, but mobile key services using information, event information, event winning information, etc. services cannot be provided for those customers.
Receivers | Purpose | Information provision | Retention and use period |
---|---|---|---|
SG Service, the KICA Customer Satisfaction Center | Customer response work such as consultation, etc. | Mobile #, Mobile communication company name | Service use period |
Mobile communication companies (SKT, KTF, LGT) | Verification of mobile phone owners | Resident registration number, Mobile # | Service use period |
4) Security server certification service
KICA notifies the following list of personal information required to issue certificates under the relevant laws for customer consent. If the customer does not consent to the provision of personal information they cannot obtain membership, certificate issuance and renewal services, and any other additional services.
A. Company names: Korea Internet & Security Agency, VeriSign, Comodo, Thawte, and Inicis
B. Purpose: Provision of certificate issuance information
C. Information Provision: All information provided by the owner and person-in-charge of certification (Refer to the personal information collection)
D. Retention and use period
It is being retained for the duration of the effective period for the customer’s certificate’s use and is automatically deleted upon termination.
5) Domain registration agency service
KICA notifies the following list of personal information for domain registration in accordance with the relevant laws for customer consent. If a customer does not consent, they cannot receive membership subscription, registration and domain extension services nor any other additional services.
A. Company names: Korea Internet & Security Agency, VeriSign, PIR, ASIA, and Inicis
B. Purpose: Provision of the information for domain registration
C. Providing information: All information provided by the owner and management person-in-charge of the domain
D. Retention and use period
It is retained for the duration of the customer’s certificate’s effective use period and is automatically deleted upon termination.
6) Certified email address service (#mail)
KICA provides personal information as provided below with a customer’s consent to register and manage certified email addresses. A customer may not agree to the offering of personal information, but if so, the customer is denied the certified email address service.
a. Business name: National IT Industry Promotion Agency (NIPA)
b. Purpose: information offering for certified email address registration and management
c. Provided information: name, business registration number, address, email address
d. Preservation and usage period: personal information is preserved until the validity of a customer’s certified email address registration period expires and thereafter, discarded automatically
6. 3rd party personal information commissioning
1) KICA does not provide or reveal customer personal information to a 3rd party without the subscribers’ consent. However, personal information can be provided without a subscriber’s consent in accordance with relevant laws when requested by government institutions, the Information & Communication Ethics Committee for criminal investigations, and when required to settle charges, and provided after processing so that a specific individual may remain anonymous. KICA may share the customer’s personal information with business partners or cooperative companies to provide better services, but it will go through the member consent request procedure after informing them of the purpose, content, reason, etc., and the information is not shared when the subscriber does not consent. Also, it goes through separate consent request procedures when the provision of personal information exceeds the previous consent’s scope. In case the provision of personal information is subsequently cancelled, KICA requests the relevant company to delete the corresponding personal information.
2) Public certification service
To provide public certification services and to improve customer access and convenience, KICA has signed a consignment agreement with 3rd party businesses for registration agency work to secure face-to-face confirmation windows for public certificate issuing. The face-to-face confirmation windows (registration agency institutions) visited by customers are therefore commissioned to collect and manage customer information before dispatch to KICA. Registration agency institutions do not use or store the customer information for any other purpose than those for public certificate registration agency work unless the customer has expressly consented to this or it is defined in other laws. To consult KICA registration agency institutions, click here.
In addition, personal information is consigned as provided below to confirm a person’s identity at the time of offering the public certification service.
Receiver | Purpose | Offered information | Preservation and usage period |
---|---|---|---|
Korea Credit Bureau | confirm identity | name, date of birth, gender, mobile phone number, telecommunication company | alliance period |
Dream Security Co., Ltd | confirm identity | name, date of birth, gender, mobile phone number, telecommunication company | alliance period |
3) Domain registration agency service
In the case of international domains, KICA consigns the personal information data of a registrant to a foreign escrow company for preservation pursuant to the agreement with ICANN. The consignment of personal information is intended to protect a registrant’s rights and interests in preparation for a bankruptcy of an international domain registration company and the personal information is not used for profit-taking.
4) Certified email address service (#mail)
KICA consigns personal information as below to provide certified email address service (#mail).
Receiver | Purpose | Offered information | Preservation and usage period |
---|---|---|---|
Korea Credit Bureau | confirm identity | name, date of birth, gender, mobile phone number, telecommunication company | alliance period |
Dream Security Co., Ltd | confirm identity | name, date of birth, gender, mobile phone number, telecommunication company | alliance period |
Daou Technology Inc. | payment for service usage | name, resident registration number, credit card number, account number, mobile phone number, telecommunication company | alliance period |
5) Bid information service (KICABID)
KICA consigns personal information as provided below to provide bid information service.
Receiver | Purpose | Offered information | Preservation and usage period |
---|---|---|---|
Hankook Gunsul | provide bid information service | entire personal information | alliance period |
7. Right/Obligation of information subject and its exercise method
1) Public certificate service
KICA is doing its utmost to protect customer personal information. It strictly observes the individual’s authority for personal information, and their personal information can be read and corrected at any time on the homepage menu. In accordance with the Electronic Signature Act (Article 22 of the Electronic Signature Act), the customer’s public certificate and records of its termination and deletion must be stored safely for 10 years from the public certificate’s expiry date.
2) Other services
KICA is doing its utmost to protect customer personal information. It strictly observes the individual’s authority for personal information, and their personal information can be read and corrected at any time on the homepage menu. The customer can withdraw their consent for the use of personal information by KICA, when cancelling membership achieved through the application menu.
8. Deletion of personal information
1) Public certification service
KICA immediately deletes corresponding information at the end of the 10 year retention period. The deletion procedure and method are as follows.
A. Deletion procedure: Documents submitted by the customer to use the service are deleted after being retained for 10 years from the public certificate’s expiry date under the Electronic Signature Act.
B. Deletion method: Documents such as applications stored in a physical area are destroyed using a shredder, etc. by an authorized person in a controlled area. Personal information stored as an electronic file is deleted using a technical method that makes it impossible to restore the record.
2) Other services
KICA immediately deletes the corresponding information in principle when the purpose of collecting and using the personal information has been achieved. The deletion procedure and method are as follows.
A. Deletion procedure
The information provided by the customer for membership subscription, etc. is moved to a separate DB (to a separate file, in case of paper) when its purpose has been achieved, and deleted after having been stored for a certain period of time (refer to the retention and use period) according to internal policy and any other relevant legal information protection measures. The personal information moved to the separate DB is not used for any other purposes unless it is legally required.
B. Deletion method
The personal information saved as an electronic file is deleted using a technical method that makes it impossible to restore the record.
9. Personal information securing measures
1) Public certification service, Mobile key service
KICA uses a firewall (invasion quarantine system) to block the theft, leak, forgery, deformation of personal information by cracking (malicious hacking) and so on. The firewall is installed on each server to track illegal invasions. We also regularly back up the customer’s personal information to prepare against any possible accidents.
2) Other services
KICA does its utmost to take technical and administrative measures to prevent customers’ personal information from leaking. The subscriber can access their personal information using their password and can modify their own personal information using the membership ID and password. Therefore, the customer must ensure that this password is not revealed to other persons. The customer is liable for membership ID, password, and personal information leaks. Therefore, KICA does not take any responsibility unless there is liability attributable. To protect the membership ID and password when using the service in public areas such as an internet cafe or when sharing a computer with other persons, take particular care not to reveal personal information by always logging out after using the service and closing the browser window that was used. Also, create an ID and password by combining characters and digits, and change the password frequently to prevent accidental leaking of ID and password. KICA uses a firewall (invasion quarantine system) to block the theft, leak, forgery, deformation of personal information by cracking (malicious hacking) and so on. The firewall is installed on each server to track illegal invasions 24 hours a day. We regularly back up the subscriber’s personal information to prepare against any possible accidents. In addition, KICA has minimized and controls staff handling personal information, and takes corrective actions immediately when any problem is found.
10. User and legal representative rights and exercise method
The subscriber or legal representative (for children under 14) can inquire about and correct the subscriber’s personal information or request the service’s cancellation. Inquiries about or correction of personal information can be performed using the ‘Correct subscriber information’ menu. When contacting the person-in-charge of personal information management to cancel the service by letter, telephone, or email, we will immediately process the cancellation request after processing the personal identification procedure.
11. Privacy Policy Amendment
The contents of this Privacy Policy can be read at any time on the homepage. As they may be amended according to changes in relevant laws or for the provision of better service, visit the homepage periodically to check the contents. When the Privacy Policy is amended, KICA gives notice of it on each service’s homepage.
12. Person-in-charge of personal information management
Personal information inquiries should be sent to the following contact points and we will respond promptly.
- Person-in-charge of the personal information protection
- Name: Jaejung Kim
- Department: Chief of Technology Research Institute
- Phone #: +82 2 1577-8787
- Address: (463-400) 5th Floor, Pangyo Digital Center 242, Pangyo-ro, Bundang-gu, Seongnam-si, Gyeonggi-do, Korea
- Email: privacy@signgate.com
[Service information phone numbers]
- Public certification service: +82 1577-8787
- Security server certification service (SSL): +82 2 360-3065
- Domain registration agency service: +82 2 360-3093
- Mobile key service, Transaction certification service: +82 2 360-3097
- Certified email address service (#mail): +82-2-360-3097
- Bid information service: +82-2-360-3072
13. Notification obligation
When the Privacy Policy contents are amended, KICA notifies it on its homepage at least 7 days prior to the amendment’s execution.
- Notification date: Dec. 15, 2014
- Effective date: Dec. 22, 2014