Innisfree Corporation (hereinafter referred to as the "Company") values the personal information of users (hereinafter referred to as "users") of the Innisfree global shopping mall service (hereinafter referred to as the "service") provided by the Company, and endeavors to do all it can to protect the personal information of users.
- 01 Consent to the collection of personal information and the method of collection
- 02 Personal information items collected and purposes of collection and use
- 03 Provision of personal information
- 04 Consignment of personal information processing
- 05 Personal information retention and use period, and procedure for and method of destroying personal information
- 06 Department processing personal information protection and related complaints
- 07 Using the automatic personal information collection system to collect personal information
- 08 Viewing and correcting personal information, etc.
- 09 Withdrawal of consent to the collection, use and provision of personal information
- 10 Administrative, technical and physical measures for protection of personal information
- 11 The rights of users and legal representatives and the method of exercising such rights
- 12 Obligation to notify changes to the protection policy
- 13 Governing laws
Article 1 (Consent to collection of personal information and collection method)
- ①"Member" refers to a user who became a member by providing personal information to the Company for member registration.
- ②"Non-member" refers to a person who uses the service provided by the Company without becoming a member of the Company's site.
Article 2 (Personal information items collected and purpose of collection and use)
- ①The Company collects the minimum personal information necessary for the provision of the service when users become members. However, to provide high-quality customized service for users, the Company optionally collects additional personal information from users.
- ②The Company will not collect sensitive personal information that may infringe basic human rights, such as information pertaining to ideology, creed, labor union membership, political views, health, sex life, medical history, religion, ethnicity and criminal records, without the explicit consent of users.
- ③The personal information items that the Company collects during membership registration and the purpose of collecting and using such information are as follows:
||Purpose of collection and use
||Use and retention period
||Name, ID, password (P/W)
||Identification for service use, prevention of bad members' illegal use
||Until membership is cancelled See Article 5.
|Address, cell phone number, e-mail address, and whether to receive e-mail
||Shipping goods, securing communication channels for the delivery of notices/checking members' intention/handling complaints
Provision of information on new services/new products/other events and shipping prizes if members consent
||Managing shipping and membership data when users use services and purchase products
||Customized services, such as the provision of beauty solutions by skin type (birthday events and events customized for gender)
||Holding mobile site events customized for the weather
- ④If users purchase goods or services from the Company, they must enter the following additional information for the payment and delivery of goods.
- * By payment method
- In the case of card payment: the minimum information necessary for payment, such as the type of card, the card number and its expiration date
- * The contact information of senders and receivers necessary for shipping goods, such as names, addresses and phone numbers
- ⑤The Company collects personal information in the following cases in addition to the personal information required for membership signup, and clarifies the purpose of collecting personal information and receives users' consent.
- * In the case of customer counseling: preparing customer cards to keep records for customer counseling and dispute mediation
- * In the case of surveys or giveaways: selectively entering personal information for statistical analysis or giveaways
- * In the case of selecting prosumers for monitoring: filling out application forms for monitoring and prosumer activities
- ⑥The Company collects and uses users' personal information to provide an optimal service for users as marketing data for user identification, shipping prizes and statistical analysis. Without the prior consent of the user or unless stipulated by law, the Company does not use personal information for purposes other than as specified to users in advance, or disclose it to a third party.
Users may refuse to consent to the collection and use of personal information. However, if users refuse to consent to the collection and use of mandatory information, they cannot sign up for membership, and if they refuse to consent to the collection and use of optional information by not entering such information, membership signup is possible, but they may be restricted in the use of services and the benefits they can receive based on the optional information.
Article 3 (Provision of personal information)
- ①The Company may not use users' personal information or provide it to a third party beyond the scope mentioned in Article 2 unless users have given their prior consent to it or related laws stipulate it.
- ②In the following cases, however, users' personal information may be provided without users' consent.
- * If such information is necessary to charge the fees for the services provided
- * If personal information is processed in such a way that personal identification is impossible and provided to research organizations, survey firms and research institutes for the purpose of statistical analysis, academic research or market research
- * If there are special regulations, such as the Personal Information Protection Act, the Protection of Communications Secrets Act, the Framework Act on National Taxes, the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc., the Act on Real Name Financial Transactions and Confidentiality, the Use and Protection of Credit Information Act, the Framework Act on Telecommunications, Telecommunications Business Act, the Local Tax Act, and the Consumer Protection Act, Criminal Procedure Act.
- ③Users may refuse to consent to the provision of personal information to a third party, and if they refuse to consent, they may be restricted in the use of services requiring the provision of personal information to a third party.
- ④When the Company provides personal information to a foreign third party, it must notify this fact to users and receive their prior consent for it.
Article 4 (Consignment of personal information processing)
- ①The Company may consign the management of users' personal information to external agencies for the purposes of service improvement and efficient data processing.
- ②When consigning the processing of personal information, the Company will enter into a consignment contract and manage and supervise the protection of users' personal information to ensure that the service provider will comply with the instructions related to the protection of personal information, keep personal information confidential, and not provide personal information to a third party without users' consent.
- ③The personal information consignees and the details of consignment are as shown below:
||Member recruitment and membership information management, execution and notification of various events and promotion, and delivery of products and free gifts
||Computational processing and management of personal data and sending emails
||Operation of web systems and data management / Production of product and promotion designs
||Payment gateway service
||web log analytics
||Online marketing agency via social channel (facebook & google search engine)
||Store, packing and delivery service
|Korea Post (K-packet, EMS)Pantos, DHL
||Overseas delivery service
||Customer claim handling and counseling service
Article 5 (Personal information retention and use period, and procedure for and method of destroying personal information)
- ①The Company will retain users' personal information while they use the services provided by the Company, and use it for the provision of services, etc. Only the personal information manager and the Chief Privacy Officer or those who are designated by them can print users' digitally registered personal information as documents.
- ②The Company must act immediately to fulfill user requests in the event that users request their own personal information be deleted or that their membership be cancelled, and make sure that the deleted information will be completely deleted from the disk in such a way that the records cannot be recovered, reproduced, viewed or used later.
- ③In the event that the purpose of collecting or using personal information is nullified as shown below, the Company must delete all such information from the disk according to the Company's internal destruction procedure, and if personal information is printed, the Company must immediately destroy users' personal information by using a shredder.
- * Membership signup information: when users withdrew their membership or they were expelled from membership
- * Payment information: when payment is completed or the extinctive prescription of accounts payable expires
- * Shipping information: when goods or services are delivered or provided
- * Personal information collected for surveys and events: when such surveys and events end
- ④Even after the purpose of collection and use is accomplished, if it is necessary to retain personal information according to the legal requirements stipulated in the Act on the Consumer Protection in the Electronic Commerce Transactions, Etc., the Personal Information Protection Act, the Commercial Act and the Framework Act on National Taxes, the Company may retain users' personal information for the permitted period, as described below:
- * Records on contracts or withdrawal of subscription: 5 years
- * Records on payment and supply of goods, etc.: 5 years
- * Records on handling consumer complaints or disputes: 3 years
Article 6 (Department processing personal information protection and related complaints)
- ①To protect users' personal information and handle related complaints, the Company has a department that handles personal information protection and related complaints. In addition, the Company has a Chief Privacy Officer and personal information managers who promptly handle users' inquiries and complaints regarding personal information.
- [Chief Privacy Officer]
- Name: Lee Seong-hwan, team leader
- Affiliation: Business Support Team
- [Department responsible for managing personal information]
- Responsible department: Business Support Team of Innisfree
- Phone number: [Customer call center] 080-360-0119 (toll free)
- [Business Support Team] 02-6040-7492 (Mon~Fri: 09:00~18:00, excluding holidays)
- E-mail : firstname.lastname@example.org
- FAX: 02-2186-7108
- ②If users need to report an instance of personal information intrusion or if users require a consultation regarding the use or related of personal information, they may contact the department responsible for personal information protection mentioned in Paragraph 1 above and the following.
- - Privacy Invasion Reporting Center, Korea Internet Security Agency (privacy.kisa.or.kr/02-405-5118)
- - e-Privacy Mark Certification Council (www.eprivacy.or.kr/02-580-0533~4)
- - Online Service Center, Supreme Prosecutors' Office (www.spo.go.kr/minwon/02-3480-2000)
- - Cyber Terror Response Center, National Police Agency (www.ctrc.go.kr/1566-0112)
Article 7 (Using the automatic personal information collection system to collect personal information)
- ①The Company may use 'cookies (a mechanism for automatically collecting personal information, such as Internet connection information files)' for storing user information and retrieving such information when necessary. A cookie is a small token of information that the server hosting the Company's website sends to users' browsers (Safari, Internet Explorer, etc.). It is stored on the hard disks of user's computers. If users connect to a website, the Company's computer reads the cookie in the user's browser, retrieves additional information about the user from the computer, and provides a service without requiring the user to enter additional information. Cookies identify users' computers, but not the actual users.
- ④Users have a choice regarding whether to install cookies. Accordingly, they can choose to allow all cookies, some cookies or refuse all cookies by setting an option in the web browser.
- 1. How to specify whether to allow cookie installation (if Internet Explorer 6.0 is used): Click [Tools] on the task bar in the Internet screen, select [Internet options] and then choose the [Personal Information Tab]; specify whether to allow cookies in the [Personal Information Protection Level].
- 2. How to view cookies (if Internet Explorer 6.0 is used): Click [Tools] on the task bar in the Internet screen, select [Internet options] and [Settings] for the temporary Internet file in the general tab (default tab), and select [View File].
Article 8 (Viewing and correcting personal information, etc.)
- ①Users can always log into the Company's website and click [Modify Member Information] to directly view or correct personal information, or users can request those who are consigned with personal information handling, such as merchants, or contact the Company's personal information protection department by phone, e-mail or in writing to request the viewing, correction, deletion or suspension of processing. The Company will take necessary actions immediately to comply with users' requests.
- ②If users request that errors in personal information be corrected, the Company will not use or provide such personal information until the correction is completed. In addition, if the Company has already processed incorrect personal information, it will take measures to reflect the result of such correction immediately.
- ③In the following cases, the Company may restrict the viewing and correction of personal information.
- 1. in cases where the rights and interests of a third party are highly likely to be damaged;
- 2. in cases where the business of the service provider is highly likely to be hindered; and
- 3. in cases where there is a violation of the law.
Article 9 (Withdrawal of consent to the collection, use and provision of personal information)
- ①Users may withdraw their consent to the collection, use and provision of personal information at any time. Users may withdraw their consent (withdraw their membership) after logging into the Company's website, or request those who are consigned with personal information handling, such as merchants, or contact the Company's personal information protection department in writing, by phone or e-mail. The Company will take necessary measures immediately at the request of users, e.g. handling users' withdrawal of membership and the destruction of personal information.
- ②The Company endeavors to make the withdrawal of consent to the collection of personal information (withdrawal of membership) easier than the collection of personal information.
Article 10 (Administrative, technical and physical measures for protection of personal information)
- ①The Company will establish and carry out internal management plans for the safe handling of personal information, and provide training to strengthen its capabilities in this area.
- ②When handling users' personal information, the Company carries out the requisite technical measures to ensure that personal information will not be lost, stolen, leaked, altered or damaged.
- ③Users' personal information is managed using the internal network that cannot be accessed or infiltrated by external networks, and the Company is using a separate security function to thoroughly protect important files, e.g. encrypting files and transmission data or using a file lock function.
- ④The Company has installed an intrusion detection system in each server to prevent network intrusions, such as hacking, to guarantee the security of the internal network, and it has installed an access control system to reinforce security.
- ⑤The Company has installed vaccine programs to prevent the infringement of personal information so that it is possible to always check whether the information systems used by personal information processing systems and personal information handlers for personal information processing have malicious programs, including computer viruses and spyware.
- ⑥The Company limits access rights to users' personal information to a minimum number of people and has established an internal procedure for accessing and managing personal information to ensure the safety of such personal information. In addition, it has installed access control and lock systems, and it ensures that all its employees are familiar with these regulations and comply with them.
- ⑦Transfer of duties and responsibilities between personal information handlers is done thoroughly in a secure environment, and the Company clearly stipulates the responsibility for personal information incidents when they join the Company and after they leave the Company.
- ⑧Users must make sure their personal information is correct by checking and managing the personal information they provided to the Company, and if they use others' personal information without permission or infringe others' rights in the process of using the Internet site, they may be sanctioned by the Company, and they shall bear civil and criminal responsibility for such act.
- ⑨The Company will not be held responsible for problems due to the leakage of personal information, such as ID, password (P/W) and resident registration number, due to users' negligence or Internet problems. Accordingly, users must thoroughly manage their IDs and passwords to protect their own personal information, and take responsibility for it. However, if users' personal information was lost, leaked, altered or damaged due to an error by the Company's internal managers or technical management accidents, the Company will immediately notify this to users, and take appropriate measures and provide compensation.
Article 11 (The rights of users and legal representatives and the method of exercising them)
- ①Users and their legal representatives may exercise their rights related to the viewing, modification and change of personal information and withdrawal of membership against the Company.
- ②To protect the personal information of children, the Company will collect the personal information of children under 14 years old only with the consent of their legal representatives (parents, etc.).
- ③Users and their legal representatives may contact the Company by phone or in writing to exercise their rights with regard to personal information, and the Company will take necessary measures immediately.
Article 12 (Obligation to notify changes to the protection policy)
Article 13 (Governing laws)
[Supplementary provisions] August 27, 2014
Article 1 (Enforcement date) This policy is effective from August 27, 2014.