Korea Tourism Organization (hereinafter referred to as “KTO”) has adopted its privacy policy as set forth hereafter for the operation and management of its Integrated Medical Tourism Information Platform (www.visitmedicalkorea.com: hereinafter referred to as “VMK Homepage”) to ensure that users’ personal information and rights are properly protected and that their grievances related to their personal information are effectively handled in compliance with the Personal Information Protection Act (hereinafter referred to as “Act”).

Notwithstanding the foregoing, where any of its internal organizations (such as group/team, center, office, and others) creates its homepage, and adopts and implements its own privacy policy, please be advised that the privacy policy of such internal organization applies and will be posted on its homepage. (In case of CRM customers, their personal information will be processed in accordance with this privacy policy, while the privacy policy applicable to Duty Free VIP members will be posted separately.) If this VMK Homepage Privacy Policy is revised, a public notice of such revision will be given by KTO by posting a notice thereof on its website (or by giving notice to each user).

KTO processes personal information on its VMK Homepage for the purposes described below. Once processed by KTO, personal information will not be used for any other purposes, and in case of a change in the purpose of use thereof, KTO will seek prior consent from users.

1. Sign-up and management of homepage membership To confirm applicants’ intention to sign up for a membership, identify applicants and authenticate their identity, manage users’ membership maintenance, verify users’ identity according to the limited identity verification system, prevent any unlawful use of services, confirm the consent of the legal representative in collecting the personal information of children under 14 years old, give notices, and so forth
2. Handling of civil petitions To verify the identity of civil petitioners, check the nature of civil petitions, communicate or give notice for conducting a fact-finding examination, give notice of the result of handling civil petitions, and so forth
3. Provision of goods and/or services To provide services, contents, or customized services; settle the payment of fees; and so forth
4. Marketing and advertising purposes To develop new services and provide customized services, provide event and/or advertising information and the opportunity to participate, provide services and post advertisements according to demographic characteristics, conduct academic or market research, verify the effectiveness of services, examine access frequency or collect statistics on the use of services by users, and so forth
5. Other purposes To collect essential and other information required by KTO’s regulations and rules and/or in relation to its business

※ For the detailed purposes of KTO’s processing of personal information, please refer to “KTO Personal Information Files” below or use the search menu for the list of personal information files on the Privacy Information Protection Portal (www.privacy.go.kr) of the Ministry of the Interior and Safety, as follows: the privacy information protection portal (www.privacy.go.kr) → civil petitions for personal information → requests for access and others to personal information → search menu for the list of personal information files.

1. Procedures for one-time real name authentication (“I-PIN,” those by credit rating agencies, and others) should be followed for services that require customer participation such as civil petitions, events, and others. For this reason, KTO does not retain the resident registration numbers of users on its VMK Homepage.
2. Users’ “browser type,” “OS,” “date and time of visit,” and “IP” items are automatically collected to improve the quality of services.
3. . In addition to the abovementioned items, for the other detailed items of personal information to be processed by KTO, please refer to “KTO Personal Information Files” below or use the search menu for the list of personal information files on the Privacy Information Protection Portal (www.privacy.go.kr) of the Ministry of the Interior and Safety as follows: Privacy Information Protection Portal (www.privacy.go.kr) → civil petitions for personal information → requests for access and other concerns to personal information → search menu for the list of personal information files.

※ The following items of personal information may be automatically generated and collected in the course of using web services. If a user refuses to give consent to the collection of such information, the user may not use the services: - IP address, cookies, MAC address, records of the use of services, records of visit, and others

In principle, users’ personal information is promptly destroyed without delay once the purpose of processing the same information has been achieved. Nevertheless, the information contained in the “KTO Personal information Files” below is preserved for the respective preservation period prescribed according to the relevant provisions of applicable law and on relevant grounds.

1. In principle, KTO processes users’ personal information on its VMK Homepage within the scope of processing prescribed in Article 1 (Purpose of Processing Personal Information) hereof. Thus, users’ personal information will not be processed beyond the original scope of processing prescribed herein nor provided to third parties without the prior consent of users.
   
   For the detailed scope of processing personal information by KTO, please refer to “KTO Personal Information Files” below or use the search menu for the list of personal information files on the Privacy Information Protection Portal (www.privacy.go.kr) of the Ministry of the Interior and Safety as follows: Privacy Information Protection Portal (www.privacy.go.kr) → civil petitions for personal information → requests for access and other concerns to personal information → search menu for the list of personal information files.

Description of Entrusted Services	Technical processing for the operation and management of the VMK Homepage, and the management and protection of members’ personal information Assistance in technical processing in relation to the handling of online civil petitions Technical processing related to the provision of digital goods and digital information services Assistance in technical processing, including online event realization, analysis of statistics, and others, designed to promote the use of information services Other assistance in taking technical measures to protect personal information and managing personal information
Entrusting Department / Representative	Medical &Wellness Team / Lee Dongeun
Service Provider (Entrustee)	Ubitems
Term of Entrustment Contract	January 1 – December 31, 2019
Entrustee’s Contact Number	02-575-4758

1. KTO entrusts the processing of personal information to a third party in relation to its VMK Homepage as follows to ensure that users’ personal information will be effectively processed:
2. In entering into such entrustment contracts in relation to its VMK Homepage, KTO clearly defines in the contracts or other relevant documents the purpose of performing the services entrusted therein and the provisions of the parties’ responsibilities in accordance with Article 26 of the act including the prohibition of the processing of personal information; technical and administrative protection measures; restrictions on the re-entrustment, control, and supervision of entrustees; liability for damages and other concerns; and monitoring entrustees to ensure that they process users’ personal information safely and securely.
3. In case of changes in the services entrusted or any of the service providers entrusted with such services, KTO will promptly disclose such changes through this privacy policy and seek prior consent from users for such changes, if necessary.

1. As the subject of personal information, each user is entitled to use the following rights: To request access and correction of his/her own personal information and/or of a child under 14 years old or cancellation of membership, and to request correction and deletion of errors concerning his/her personal information
2. In requesting such access, correction, cancellation, deletion, and other concerns with respect to personal information, each user may access or correct his/her personal information or cancel membership in person after following the identity verification procedure such as the “modification of personal information,” “correction of member information,” “cancellation of membership,” “revocation of consent,” and others.
3. If a user has requested correction or deletion of errors and others concerning his/her personal information, KTO will not use or provide the user’s personal information to third parties until the correction or deletion of such errors and other concerns has been completed on its VMK Homepage.
4. The personal information canceled or deleted at the request of a user will be processed by KTO on its VMK Homepage in accordance with the provisions of Article 43 of the Enforcement Decree of the act.
5. The subject of personal information may request KTO’s personal information protection department (ICT Business Development Team, Lee Taejun / Personal Information Protection Representative, Phone No.: 033-738-3696, Email Address: ltj8857@knto.or.kr) to give access, correct, or delete or stop processing his/her personal information. Alternatively, he/she may also make such request on the Privacy Information Protection Portal (www.privacy.go.kr) of the Ministry of the Interior and Safety (MOIS).

※ Privacy Information Protection Portal (MOIS) → Civil Petition Center → requests for access and other concerns to personal information (An identity verification is required.)

In principle, KTO promptly destroys personal information without delay once the purpose of processing such personal information has been achieved. Procedures and deadline, as well as methods of destruction of personal information, are as follows:

• Destruction Procedures

  The information entered by users is transferred to a separate database (or a separate document, in case of information printed on paper) once the purpose thereof has been achieved, and it is immediately destroyed after it has been retained for a given period in accordance with KTO’s internal policy and applicable law. In such a case, the personal information transferred to the separate database will not be used for any other purposes unless required by law.

• Destruction Deadlines

  Users’ personal information will be destroyed within five days following the end of the retention period thereof when the retention period has expired or within five days from the date when it is deemed unnecessary to process such personal information any longer because of the achievement of the purpose of processing the same, discontinuance of the service(s), closure of business, and the like.

• Destruction Methods

  The personal information stored in an electronic file will be deleted by using some technological methods that render such information impossible to be regenerated. The personal information printed on paper will be shredded with a shredder or destroyed through incineration.

KTO takes the necessary technical, administrative, and physical measures to ensure the safety of personal information regarding its VMK Homepage as follows according to Article 29 of the act:

1. The minimum number of employees who handle personal information and education

   KTO appoints employees to handle personal information and limits the handling thereof to such employees in charge, thus taking measures for managing personal information by minimizing the number of employees involved therein.

2. Conducting a privacy impact assessment

   KTO complies with the obligation to conduct a privacy impact assessment in accordance with Article 35 of the Enforcement Decree of the act and Article 6 of the addendum to the aforementioned Enforcement Decree to ensure safety in handling personal information and improve its personal information management system.

3. Development and implementation of an internal management plan

   An internal management plan has been developed and is implemented to ensure the safe processing of personal information.

4. Encryption of personal information

   Personal information is managed through the application of encryption technologies, which guarantee safe storage and transmission of personal information, or through other comparable measures.

5. Technical measures against hacking and others

   To prevent any computer viruses or hackers from leaking and damaging personal information, necessary security programs are installed, and regularly updated and tested. Moreover, the personal information processing system has been established in a controlled access area, and is monitored and isolated technologically and physically.

6. Access control procedures for personal information

   Necessary actions are taken to control access to personal information by granting, modifying, or revoking access to the personal information processing database system. Moreover, unauthorized access from outside is controlled by using an intrusion prevention system.

7. Storage of records of access, and protection against forgery and alteration

   Records of access to the personal information processing system are stored and managed for at least six months, and security functions are used to protect such records of access from forgery, alteration, theft, or loss.

8. Use of locks to provide document security

   Documents, supplementary storage media, and others that contain personal information are stored in a safe place with locks.

9. Control of unauthorized access

   A physical storage area for storing personal information is separately designated, and access control procedures for such storage area are established and implemented.

KTO has appointed a personal information protection manager and a working-level representative to protect personal information and handle grievances related to personal information on its VMK Homepage (i.e., a personal information protection manager under Article 31.1 of the act) as follows:

• Personal information protection manager

  Name: Park Cheolhyeon Department/Position: General Manager / ICT for Tourism Services Contact Information: (Phone) 033-738-3040, (Email) parkch@knto.or.kr

• Personal information protection department

  Department: ICT Business Development Team Personal information protection representative: Lee Taejun Contact Information: (Phone) 033-738-3696, (Email) ltj8857@knto.or.kr

1. The subject of personal information is entitled to make a request to KTO for access to his/her personal information as follows in accordance with Article 35 of the act. KTO will endeavor to ensure that such a request for access to personal information made by the subject of personal information will be promptly processed on its VMK Homepage.
   Department in Charge: Medical&Wellness Team
   Representative: Lee Dongeun
   Contact Information: (Phone) 033-738-3380, (Email) k-medi@knto.or.kr, (Fax) 033-738-3887
2. In addition to KTO’s department in charge of receiving and handling such requests for access under subsection 1 above, the subject of personal information may also request access to personal information on the Privacy Information Protection Portal (www.privacy.go.kr) of the Ministry of the Interior and Safety (MOIS).

※ Privacy Information Protection Portal (MOIS) → civil petitions for personal information → requests for access and others to personal information (An I-PIN is required for identity verification purposes.)

To receive remedies for privacy violations, the subject of personal information may request to the Personal Information Dispute Mediation Committee, the Personal Information Incident Report Center (run by the Korea Internet & Security Agency), and other related agencies for the settlement of disputes or consultation and other concerns. Moreover, please contact the following agencies to file a report or consult about privacy violations.

• Personal Information Protection Portal (run by the Ministry of the Interior and Safety)

  Homepage: www.privacy.go.kr
  Phone Number: +82-2-2100-3394

• Personal Information Incident Report Center (run by the Korea Interment & Security Agency)

  Homepage: privacy.kisa.or.kr
  Phone Number: 118, without telephone exchange number

• Personal Information Dispute Mediation Committee (run by the Personal Information Protection Commission)

  Homepage: www.kopico.go.kr
  Phone Number: +82-1833-6972

• Cybercrime Investigation Department, Supreme Prosecutors’ Office

  Homepage: www.spo.go.kr
  Phone Number: +82-2-3480-3573; (Representative Telephone Number of the Supreme Prosecutors’ Office) 1301, without telephone exchange number

• Cyber Safety Bureau, National Police Agency

  Homepage: www.cyber.go.kr
  Phone Number: (Cybercrime) +82-2-393-9112; (Representative Telephone Number of the National Police Agency) 182, without telephone exchange number

※ Procedures for requesting administrative appeals: A person whose rights or interests have been violated as a result of the actions taken or the omissions of the head of the public institution or agency with respect to the request made in accordance with the provisions of Article 35 (Access to Personal Information), Article 36 (Correction and Deletion of Personal Information), and Article 37 (Request to Stop Processing Personal Information and Others) of the act may file an administrative appeal according to the relevant provisions of the Administrative Appeals Act.
- For more detailed information about administrative appeals, please refer to Online Administrative Appeals (www.simpan.go.kr).

This privacy policy will take effect on the effective date thereof, and if any addition to or deletion or correction of the above terms and conditions is required as a result of the revision of applicable law or this privacy policy, a public notice will be given by KTO by posting a notice thereof on its VMK Homepage seven days prior to the effective date of such changes and onward.