National Museum Foundation of Korea

The foundation collects personal data for the purposes outlined below. The personal data will not be used for any other purposes, andprior consent will be obtained from members before any changes in the purpose of collection of personal data.A. Personal data shall be collected for the purpose of fulfilling service obligations and transactions including, but not limited to, provision of content services, transactions, payments, delivery of products, delivery of bills, authentication (financial transactions, financial services).
B. Personal data is collected for the purposes of membership registration, authentication, personal identification, prevention of unauthorized access and/or use, confirmation of registration, determination of age, confirmation of consent from legal representative for the collection of personal data of youths under age 14, preservation of records for dispute arbitration, resolution of complaints and grievances, and notifications.
C. Personal data is collected for the purposes of marketing and promotion, development of new services (products) and targeted services, notifications of events and promotions and opportunities to participate, service provision and promotions based on demographics, assessment of service quality, assessment of website traffic, and statistical analysis of service use by members.

The types of personal data collected for purposes of membership registration and service provision, and the methods used in collection, are as follows:
1.Personal Information File Name: Member (member of foundation’s website)
Personal Information Items:
Name, birth date, gender, user ID, password, e-mail, home telephone, home address, cellphone, access logs, login IP, name of legal representative, cellphone of legal representative, e-mail of legal representative, home telephone of legal representative
Method of Collection: foundation’s website
2. Personal Information File Name:Renter
Personal Information Items:
Name, cellphone number, name, e-mail, company, company telephone number, bank account number, transaction history
Method of Collection: written form (registration form)

The personal data shall be deleted immediately once the purpose of its collection is fulfilled. The following types of personal data shall be stored for a set period of time, as detailed below, for the following reasons.
1. Personal Information File Name: Member (member of foundation’s website)
. Personal Information Items:
Name, birth date, gender, user ID, password, e-mail, home telephone, home address, cellphone, access logs, login IP, name of legal representative, cellphone of legal representative, e-mail of legal representative, home telephone of legal representative
Grounds for Storage: consent from member
Duration of Storage: from registration to cancellation of membership account (In case of the existence of a transaction history or payment history, 5 years from last transaction or payment)

2. Personal Information File Name: Renter
Name, cellphone number, name, e-mail, company, company telephone number, bank account number, transaction history
. Grounds for Storage: consent from member
. Duration of Storage: 5 years (from last application to rent theater)

The foundation collects and handles the personal data of users in accordance with Article 1 Aims, and shall not share personal data with third parties in a manner that exceeds the scope of the original aims unless prior consent from the member is obtained. Personal data may be shared to third parties in the following cases:
1.Consent is obtained from the user.
2.Regulations within the law exist to allow sharing of personal information
3.In case of an emergency where there is a clear risk of loss of life, physical injury, or financial damage to a member or third party, and consent is unobtainable because the user or the legal representative thereof is unable to express intent, or the address of the user or the legal representative is unknown.
4.The personal data is necessary for purposes of statistical analysis and academic research, and the personal data is rendered in such a way as to prevent identification of any individual.
5.A privacy protection commission has deliberated and determined that it is impossible to fulfill obligations under the governing law unless personal data is used for purposes other than the original aims or is shared with a third party
6.The personal data must be shared with foreign intelligence agencies or international organizations under existing national treaties or international treaties.
7.The personal data is necessary for criminal investigation and indictments.
8.The personal data is necessary court proceedings.
9.The personal data is necessary for sentencing, custody, and probation.
The foundation provides personal data to the following types of organizations and individuals and the aims and scope of personal data sharing is as follows:
. Recipient of personal data: customer satisfaction research companies
. Personal information file name: renter
. Shared personal data items: name, telephone, company, company telephone
. Aim of sharing personal data: customer satisfaction research conducted by government
. Duration of storage of personal data: personal data is deleted once the purpose of sharing information with a third party is fulfilled

The foundation delegates personal data processing to a subprocessor as follows, for the purpose of facilitating personal data processing.
Subprocessor: CultureTech Korea, Inc.
Subprocessing Details: ticket reservations at the foundation’s website

If subprocessing is required, clear regulations shall be established on the adherence to privacy protection laws, prohibition of sharing information with third parties, and accountability, and the yearly contracts shall be stored both in print and digital form. Any changes in subprocessing activities or subprocessor shall be made public in accordance with the Personal Data Processing Statement.

The data subject (In the case of children under the age of 14, the legal representative) may exercise the following rights at any time with regards to personal data protection.
A. Access to personal data
B. Request changes of inaccuracies in personal data
C. Delete personal data
D. Request a cease to data processing

The exercise of rights in accordance to Article 1 can be accomplished by completing the form in Addendum 8 and submitting it in print form, e-mail, or fax. The foundation shall execute the request immediately.

If a data subject requests a change to or the deletion of an inaccuracy in personal data, the personal data shall not be used or shared until after the change or deletion has happened.

A legal representative or a third party entrusted with legal power may exercise the rights outlined in Article 1 on behalf of the data subject. In such case, the data subject must submit a Power of Attorney form in accordance with the form provided in Addendum 11.

The data subjects right to request access to personal data and to cease the processing of personal data may be limited under Personal Information Protection Act Article 35 Clause 5 and Article 37 Clause 2

A data subject may not request changes or deletion of personal data if the collection of the data is required by governing law.

Only the data subject and legal representatives of the data subject may request access to personal data, changes or deletion of personal data, and cease of processing of personal data, and the foundation will verify that the data subject is making the request in person or through a legitimate legal representative.

The data subject has the right to refuse the collection and use of personal data, and the sharing of personal data with a third party. However, in such case, the data subject will not be able to register as a member at the National Museum Cultural Foundation website or use any related services.

The foundation will immediately delete personal data upon completion of the purpose set out for the collection of personal data. The process, duration, and method of deletion is as follows:
A. Deletion Process
When the aim of the collection of personal data input by the user has been achieved, the personal data is moved to a separate database (if in print form, in a separate file) and stored for a set duration in accordance with foundation policy and governing law. The personal data that has been moved to a separate database is not used for any other purpose except in accordance with governing law.
B. Deletion Duration
If the personal data of a user is stored beyond the set duration, the personal data is deleted within 5 days of the duration. If the personal data is no longer required for processing as a result of the achievement of the aims of personal data collection, the cancellation of services, or cease of business activity, the personal data is deleted within 5 days of the date on which the processing of the personal data becomes unnecessary.
C. Deletion Method
Personal data stored in print form is destroyed by means of a paper shredder or incineration, and personal data stored in digital form is destroyed by means of technologies that prevent reconstruction of data.

The foundation shall employ the following measures in accordance the Article 29 of the Personal Information Protection Act for the purpose of ensuring safety of personal data.
A. Management Measures
Development and execution of internal management plans, periodic employee education etc.
B. Technical Measures
Management of access rights to personal data processing systems, implementation of access restriction systems, encryption of personally identifiable data, installation of security programs
C. Physical Measures
Restriction of access to data processing facilities and data storage rooms

For purposes of processing complaints concerning personal data and to ensure protection of personal data, the foundation shall designate a privacy officer. (Personal Information Protection Act Article 31 Clause 1, Designation of Privacy Officers)

• Privacy Head Officer : Kim, Young-gyun, Management Planning Team (02-2077-2900 / young0055@nmf.or.kr)
• Privacy Officer : Lee, Min-seok, Management Planning Team(02-2077-2904 / harang@nmf.or.kr)

The Personal Data Processing Statement is effective 25 March 2016.

The data subject may request remedies or consultation regarding infringement of privacy from the following organizations:

Personal Information Dispute Mediation Committee (Korea Internet & Security Agency)

• Function : mediation of personal data disputes, mediation of group disputes (civil law mediation)
• Website : privacy.kisa.or.kr
• Telephone : 118
• Address : (138-950)Korea Internet & Security Agency Personal Information Dispute Mediation Committee, Jungdae-ro 135, Songpa-gu, Seoul

Personal Information Infringement Reporting Center (Korea Internet & Security Agency)

• Function : accepting reports on personal data infringement, consultation services - website : www.kopico.or.kr
• Cybercrime Investigation Division, Supreme Prosecutor’s Office : 02-3480-3578 (www.spo.go.kr)
• Cyber Terror Response Center, Police Department : 1566-0112(www.netan.go.kr)
• Telephone : 118
• Address : (138-950)Korea Internet & Security Agency Personal Information Infringement Reporting Center, Jungdae-ro 135, Songpa-gu, Seoul

Infringements of rights as a result of actions or omissions by the foundation in response to requests from data subjects to access personal data, change or delete personal data, or cease processing of personal data may file and administrative appeal at the Central Administrative Appeals Commission Corporation (www.simpan.go.kr) in accordance with governing laws.