Personal Information Handling Policy
Todoworks (“Company” or “Todoworks”) sets forth the following handling policy in order to protect personal information and rights of its users in accordance with the Personal Information Protection Act, and to deal properly with the users’ complaints associated with personal information.
Items of Personal Information to Collect and How to Collect
1. Items of Personal Information
Application form for a three-leaf clover : Name, age, guardian’s name, mobile phone number, address, email, disability type
Automatically collected information : IP Address, location information, cookie, visiting date & time, service usage record, poor usage record
The information listed above may be automatically collected in the process of using the
2. Personal Information Collection Method
Homepages, phone, fax, mail, written form and Todo-drive (Todo-care) app
3. Grounds for personal information retention
Under the user agreement
Purposes for Personal Information Collection and Usage
The Company utilizes personal information for the following purposes. The personal information utilized will not be used for any purpose other than those described below and the Company will ask for consent from the users in advance when the purpose of use is changed.
1. Membership Signup and Management
Personal information is utilized for the purposes such as : Confirming their intention to sign up, ID confirmation and authentication in accordance with membership service delivery, membership maintenance and management, ID confirmation, preventing a wrongful use of service, checking for the consent from a legal representative when collecting personal information of children aged 14 or under, and public notices and notifications.
2. Customer Service Handling
Personal information is handled for such purposes as checking out customer complaints and notifying of handling results.
3. Use of Marketing and Advertising
Used for marketing and advertising activities, such as promotions, events and the delivery of
advertising information related to the Company’s activities and events.
4. Statistical Analysis and Service Improvement
Used to help improve customer’s services and provide new services.
Retention and Usage Period of Personal Information
The Company shall collect and handle customer’s personal information during the fixed time period, when its retention is needed, in accordance with regulations of related laws regarding the Act on Promotion of Information and Communications Network Utilization and Information Protection.
- Personal information must be immediately deleted upon membership withdrawals or expulsion.
- Keeps separate personal information of members with no login records in the past one year (the Act on Promotion of Information and Communications Network Utilization and Information Protection).
- What is needed in providing confirmation data on communication facts, such as member’s telecommunication date and time, start and end times of telecommunication, the membership number of the other party, and position tracking data of information and data communication equipment connected to user communications network: 12 months (The Protection of Communications Secrets Act).
- Requirements in providing confirmation data on communication facts, such as log record data and IP address: 3 months (The Protection of Communications Secrets Act).
- Records on display/advertisement: 6 months (The Act on the Consumer Protection in the Electronic Commerce, etc).
Personal Information Destruction Procedures and Methods
The Company shall destroy, in principle, the corresponding information without delay after
purposes for collecting and using personal information have been achieved.
The following shows destruction procedures and methods of personal information.
1. Destruction Procedures
The information entered by the user for a membership signup is moved to the separate DB (paper to be stored in a separate filing cabinet) after its purpose is fulfilled. Then, it is stored for a certain period of time depending on grounds for information protection in accordance with internal policy and other related laws. The same personal information shall not be retained and used for purposes other than those stipulated in the laws.
2. Destruction Methods
Personal information printed on paper shall be shredded with a shredder and destroyed through burning. Personal information stored in electronic file formats shall be deleted with the use of a technical method where records are non-renewable.
The Company shall utilize its members’ personal information as long as it does not exceed the range notified in terms and conditions of use and ‘Purpose of Personal Information Collection and Usage’, shall neither use it beyond the same range nor provide it to others or other businesses or organizations.
However, the Company, when in need of personal information for statistical preparation and academic research, is entitled to provide personal information to the third party when offering it in a form with a specific individual unknown.
Offering Personal Information by Work Entrusted
The Company shall not, in principle, provide its customers’ personal information to others without their consent. But, the Company is entitled to provide personal information for work entrusted to achieve the Purpose of Personal Information Collection and Usage, under the member consent.
User Rights, Obligations and their Implementation Method
The user is entitled to exercise on the Company the rights associated with a personal information protection as set forth in each of items listed below with respect to him/her and children aged 14 or under (comes under a legal representative only).
① Personal information access request
② Correction request for the presence of an error
③ Request for deletion
④ Request to stop handling
The user may exercise his/her rights set forth in Clause 1 on the Company through writing forms, emails and fax according to the Enforcement Rules to Personal Information Protection Act, and the Company will take proper action on this without delay. Rights for a personal information access request may be exercised through an agent such as the user’s legal representative or person entrusted. In this case, the agent must submit the power of attorney pursuant to the Enforcement Rules to Personal Information Protection Act.
When the user requests a correction to or deletion of an error in his/her personal information as set out in Clause 2, the Company shall not use or provide the corresponding personal information until the correction or deletion is completed.
As for a request for deletion set out in Clause 3, the user is not allowed to ask for a deletion when the personal information is clearly specified as collectable in other laws.
As for a handling stop request set out in Clause 4, the Company is entitled to inform the user of the corresponding reason for each of the items below or of other legitimate reasons and to reject a request to stop handling.
1. In case special regulations are specified in laws or there is an inevitable need to comply with legal obligations.
2. In case there are concerns about a possible harm to other people’s life and body, or fears about breaking into other people’s property and other benefits in a wrongful manner.
3. In case an agreement fulfillment is difficult due to failing to provide the user with the agreed service unless personal information is handled, therefore, making the user reluctant to show his/her intention clearly to cancel the agreement.
Regarding the Installation, Operation and Rejection of an Automatically Collecting Personal Information System
A. Running Cookies
② Cookies are small text files that are sent by the server used in operating websites to the user’s browser and are stored on the hard disk on the user’s computer.
③ The user should allow cookies to run so that he/she uses personalized or customized services after accessing and logging into the Company.
④ The Company finds out information about a member ID by using cookies to provide suited and more useful for the user.
① Authorizing unique cookies to the user’s browser accessing the Company also helps figure out the user volume, such as the frequency of visiting the Company homepage by members and non-members as well as the total number of users.
② The Company utilizes cookie information also for better systematic services and to identify member’s history of participation in other events or surveys.
C. Cookies Installation, Operation and Rejection
① The user has an option for a cookie installation. Therefore, the user may set up options in the web browser to allow all cookies, go through the confirmation process whenever cookies are stored or may reject the storing of all cookies.
② However, when rejecting the storing of cookies, the user may have difficulty using all services requiring the logging process.
③ The following shows how to assign (in internet explorer) whether to allow a cookie installation.
৹ Select the Internet Option from the Tool menu.
৹ Click on the Personal Information tab.
৹ Set up the Personal Information Handling Level.
Safety Measures for Personal Information
The following technical, managerial and physical measures needed to secure safety are being taken in accordance with the Personal Information Protection Act.
A. Minimum Number of Employees and Education Handling Personal Information
A limited number of employees are assigned in handling personal information to keep personal information management measures in progress.
B. Establishing and Implementing Internal Management Plans
Internal management plans are being established and implemented to get personal information handled safely.
C. Technical Measures in Preparation for Hacking
The Company installs security programs to prevent personal information from leaking and being damaged due to hacking or computer virus, makes regular renewals and inspections, installs systems in the access restricted area, taking technical, physical monitoring and prevention measures.
D. Personal Information Encryption
User’s personal information is encrypted with a password, stored and managed. Only the user knows it and critical data makes use of separate security functions, such as coding files and transmission data, or using a file locking function.
E. Personal Information Access Limit
Necessary measures are being taken for personal information access control through authorizing, changing and canceling an access authorization to database system handling personal information. Unauthorized access from outside is also under control with the use of the firewall system.
F. Use of the Locking System for Document Security
Documents and auxiliary storage medium that contain personal information are being kept in a safe place with a lock system.
G. Access Control for an Unauthorized Person
A physical storage where personal information is kept is placed separately, establishing and operating access control procedures.
Details about a Personal Information Protection Manager and Rights Infringement Rectification Method
The Company assigns a personal information protection manager as shown below, to take an
overall responsibility for handling personal information and tackle complaints from the subject of
information related to personal information handling, and to provide remedy for damage.
A. Personal Information Protection Manager
৹ Name in Full : TS Kim
৹ Position at Work :
৹ Contact : 080-420-7272, email@example.com
B. Personal Information Protection Manager’s Department (* Linked to the personal
information protection department).
৹ Name of Department : Customer Service Department
৹ Person in Charge : Crystal Kim
৹ Contact : 080-420-7272, firstname.lastname@example.org
C. Rights Infringement Rectification Method
The user may file an application for dispute resolutions or consultation to get rectified from personal information infringement to the Personal Information Dispute Mediation Committee and the Information Infringement Notification Center (operated by Korea Internet & Security Agency. For other reports or consultations on other personal information infringements, contact the units below for enquiries.
৹ The Personal Information Dispute Mediation Committee : (Without area code) 118
৹ The Cyber Crime Investigation Division at the Supreme (Public) Prosecutors' Office : 02-3480-3573
৹ The Cyber Terror Response Center at the National Policy Agency : 1566-0112
৹ the Information Infringement Notification Center operated by Korea Internet & Security Agency :
Duty of Disclosure of Personal Information Handling Policy
This personal information handling policy applies from the date of enforcement. In case there is any addition, deletion and correction in changes to laws and policy, a notice will be made through public notifications 7 days before the changes takes effect.
Date of notification: January 4, 2019
Date of enforcement : January 4, 2019