01. PURPOSE OF PERSONAL INFORMATION COLLECTION AND MANAGEMENT

The Medical Center shall use collected personal information for the purposes listed below. All the information provided by customers shall not be used except those purposes and when we change the purposes to use it, we shall seek consent of customers in advance in compliance with the Personal Information Protection Act.

A) Membership Information on Homepage

• 1) Mandatory Information: For customer service application, review and optimized membership service through the homepage.
• 2) Optional Information: For providing services such as medical center news, health advice and survey through email.

B) Treatment and Treatment Support

• 1) Customer identification process (Health Insurance Check) for treatment appointment, reservation of treatment/medical checkup, appointment review, treatment result etc.
• 2) Securing active communication channel to deliver notifications and address complaints & problems etc.
• 3) A variety of surveys of customer satisfaction with medical services and evaluation. Guide of Happycalls
• 4) Notifications for appointment, reservation, expected hospitalization, medical checkup etc. through SMS and guide of Happycall.
• 5) Issuing treatment receipt, statement and various certificates.
• 6) Delivering items and results of medical check-up. Providing information on medical examination before and after the checkup.
• 7) Providing medical services for diagnosis and treatment (Sharing personal information and medical record needed for consultation-based care and relevant parties)
• 8) Providing support services such as requesting treatment fee, payment, refund etc.
• 9) Basic data for entrusted and out-bound examination in on/off line.
• 10) Data for providing health contents tailored to the need of each customer and developing new services.
• 11) Providing information abiding by medical, criminal and other related laws.
• 12) Basic data for clinical trials and minimum amount of analysis information need for education (Training), research, certification evaluation of domestic/foreign etc. (Personal information for research and clinical trials purposes shall be collected only after review from the Institutional Review Board and Research Ethics

02. PERSONAL INFORMATION RETENTION AND USAGE PERIOD

When collecting personal information from subjects, the Medical Center processes and retains the information within permitted and agreed period as the law dictates. Please refer to the following:

A) Information for homepage membership: Until the membership withdrawal. However, in some cases as indicated below, the information shall be retained until the termination of the issue.

• 1) Until the termination of legal examination and investigation for relevant law infringement
• 2) If there are bond and liabilities issues related to homepage utilization, personal information will be held until the issues are all cleared

B) Collected information to provide medical service: Retention period specified in the Medical Law. However, even after the purpose for collecting and using personal information has been achieved, the period shall be extended if the information needs to be preserved according to the commercial law and other related regulations and for patients' medical services.

C) Personal information collected for the purposes of questionnaire, event etc.: Information shall be retained until the purpose of collecting it has been achieved.

D) Records about signs and advertisement: For 6 months (Consumer Protection Act for electronic commerce etc.).

E) Records about consumer complaints and dispute handling: 3 years. (Consumer Protection Act for electronic commerce etc.).

F) Records about user identification: 6 months. (Act on Promotion of Information And Communications Network Utilization And Information Protection etc.)

G) Records about visit: 3 months (Protection of Communications Secrets Act)

H) Data on collecting, processing and utilizing credit information: 3 years according to the Use and Protection of Credit Information Act.

03. PROVISION OF PERSONAL INFORMATION TO THIRD PARTY

Under any circumstances, the Medical Center does not use personal information of customers beyond the scope indicated in the PURPOSE OF PERSONAL INFORMATION COLLECTION AND MANAGEMENT or provide it to any others except to prior customer consent or relevant regulations require. However, based on the regulations of related act, it is allowed to provide personal information without customer consent in the following cases.

A) Upon agreement by users to open their information

B) Provision of medical records to health insurance examiners based on the National Health Insurance Act to request insurance benefit to cover treatment cost.

C) Modification of personal information to make the individual unidentifiable for statistics creation and academic research purposes.

D) Upon request by law enforcement agencies according to methods & procedures followed by the law.

E) As required by special regulations specified in the Act on Real Name Financial Transactions and Guarantee of Secrecy, Use and Protection of Credit Information Act, Electronic Communication Fundamental Law, Electronic Communications Networks, Local Tax Act, Consumer Protection Act, Bank of Korea Act, Criminal Procedure Act etc.

04. ENTRUSTMENT OF PERSONAL INFORMATION PROCESSING

A) The Medical Center allows personal information to be commissioned for better services as below. When signing the entrustment agreement, the Medical Center stipulates necessary conditions in order to safely manage entrusted personal information in compliance with the law.

B) When signing an entrustment agreement, the Medical Center clearly dictates in the document such items as prohibition on processing personal information except for entrusted affair execution, technical & administrative protection measures, restriction on re-entrustment, management & monitoring of entrusted party, liabilities for damages and other responsibilities, and the Medical Center shall ensure that the entrusted party deal with personal information as safely as possible.

C) As changes are made to the details of entrusted affair or the entrusted party, the Medical Center shall publicize it without any delay according to the Personal Information Management Policy.

05. RIGHTS OF THE USERS AND METHOD TO EXERCISING SUCH RIGHTS (RIGHTS OF USERS AND LEGAL REPRESENTIATIVES AND WAYS OF EXERCISING THE RIGHTS)

1. The Medical Center responds to customer request without any delay for discontinuance of access, correction, deletion and processing of personal information.

2. However, the Medical Center shall not proceed with discontinuance of access, correction, deletion and processing of personal information if the requests are made by telephone, mail, fax and so forth. Such requests shall be processed only by customer visit in order to protect personal information of the customer.

3. If there is a legitimate reason to deny customer request for discontinuance of access, correction and deletion of personal information in whole or in part, the Medical Center shall notify the customer and explain about the reason.

4. Regarding the policy of the Medical Center on review of personal information of customers, please refer to the following details:

A) Review of personal information

• 1) In case customer visits the Medical Center to review his/her personal information, the Medical Center shall identify the customer by his/her ID card, passport, driver's license etc.
• 2) In case legal representative of the customer visits the Medical Center to review the aforementioned information, the Medical Center shall require letter of consent, power of attorney or certificate of family relations, ID of the representative, copy of the customer ID etc. to prove the qualification of the representative according to the relevant regulations.

B) Correction and deletion of personal information

• 1) In case customer visits the Medical Center to demand correction/deletion of personal information and there is the need to correct/delete the information due to errors, the Medical Center shall proceed with correction/deletion without any delay. The Medical Center is allowed to require customers of documentary evidence for the necessary correction/deletion.
• 2) However, personal information authorized to be retained for the retention period by the law shall not be corrected/deleted regardless of customer requests.
• 3) In case customer requests correction/deletion of his/her personal information, the Medical Center shall identify the customer and take necessary measures in compliance with relevant regulations.
• 4) In case legal representative of the customer visits the Medical Center and demand correction/deletion of the aforementioned information, the Medical Center shall request and confirm documentary evidence such as letter of consent, power of attorney or certificate of family relations, ID of the representative, copy of the customer ID etc. to prove the qualification of the representative according to the relevant regulations.

C) Discontinuance of personal information processing: Withdrawal of agreement for collection/utilization or provision of personal information (Membership cancellation)

• 1) In case customer visits the Medical Center to request discontinuance of personal information processing, the Medical Center shall identify the customer and take necessary measures in compliance with relevant regulations.
• 2) In case representative of the customer visits the Medical Center and demand discontinuance of the aforementioned information processing, the Medical Center shall request and confirm documentary evidence such as power of attorney, ID of the representative, copy of the customer ID etc. to prove the qualification of the representative according to the relevant regulations.

D) Review/correction/deletion of homepage membership information: As for review/correction/deletion of membership information, login to the homepage, click "My Page", go to "Information Correction," and subsequently modify the information to complete the process.

E) Legal agent for children under 14 years old: Legal agent may request discontinuance of access, correction, deletion and processing of personal information of children under 14 years old and shall submit documentary evidence to prove the relationship with the child/children.

06. TYPES OF PERSONAL INFORMATION PROCESSED AND METHOD OF COLLECTING PERSONAL INFORMATION, RIGHTS TO REJECT AND CONSEQUENCES

The Medical Center collects minimum amount of personal information for treatment, homepage membership, provision of additional services for treatment and so forth. Please refer to the following details of items the Medical Center processes in this regard.

A) Items to be collected for homepage membership

• 1) Mandatory items: Name, ID, password, address, contact (Telephone number, mobile phone number), email and information on a legal agent for children under 14 years old.
• 2) Optional items: Application for email receipt, frequented hospital(s)
• 3) As services are used and provided, information such as record of service utilization, access log, cookie, access IP may be created and collected automatically.

B) Treatment & medical checkup

• 1) Mandatory items: Registration number, name, resident registration number, address, contact (Phone number), information on personal health & treatment.
• 2) Optional items: Email.
• 3) Information on personal health and medical treatment: Personal information such as patient/family history etc. needed by medical staff to provide optimal medical service.
• 4) In compliance with the Medical Law, unique identification information and treatment data shall be retained compulsorily. (Customer consent unnecessary)

C) Payment of treatment fee

• 1) Credit card payment: Approval information of credit card payment such as name of the credit card company, card serial numbers etc.

D) Complaints Handling & Processing

• 1) Make complaints through homepage
  - Mandatory information: Name, phone number, email
• 2) Visit & file complaints
  - Mandatory information: Name(Complainer, patient), phone number, hospital registration number

E) Method of collecting personal information: Homepage, paper, fax, Telephone, online consultation, email etc.

F) Consent to collection of personal information: When collecting identifiable personal information of user(s), the Medical Center acquires user consent in compliance with legitimate procedures as shown below.

• 1) Consent-acquiring process for collecting personal information: The Medical Center notifies customers of details of the process when they fill out "Personal Information Collection and Usage Consent Form" for treatment and through Personal Data Processing Policy or Terms of Use, the Medical Center informs customers of details of personal information collection. When customer clicks "Agree," it shall be construed as agreement on personal data collection.
• 2) Collecting personal information of children under 14 years old shall require consent of legal representative.

G) Rights to reject and consequences

User may refuse to agree and cancel agreement even after consent at any time. In case user disagrees to consent, he/she may be limited in using services as collected personal information is necessary to provide quality services.

07. DISPOSAL OF PERSONAL INFORMAITION (PROCESS AND METHOD)

1. When "Purpose of Personal Information Collection and Utilization" is achieved, the Medical Center disposes of such personal information without delay.
The process and method of disposal of personal information are as follows:

A) Disposal Process

• 1) Personal information collected for membership etc. will be saved in a separate database (in case of personal information in paper form, the information will be saved in a separate document) and preserved there for the required period of time in accordance with relevant laws and the Medical Center's internal policies for information protection purposes (refer to PERSONAL INFORMATION RETENTION AND USAGE PERIOD), and will be disposed after the required period elapses.
• 2) The aforementioned information preserved will not be used except in strict adherence to the relevant law.

B) Disposal Method

• 1) Electronic file: Technical tools will be used to make sure that such information (files) will not be reproduced.
• 2) Information in paper: Information in paper form will be destroyed by shredding it with a paper shredder or incinerated.

08. PERSONAL INFORMATION PROTECTION MANAGER

1. The Medical Center appoints personal information managers as below who are responsible for all affairs relating to personal information protection and processing. The Medical Center will respond without delay to reports or complaints on any issues or services upon receiving them.

* CHA Bundang Medical Center, CHA University

* Website of CHA Bundang MedicalCenter,CHAUniversity

2. Please inquire at the following institutions for report or consultation on infringement of personal information

A) Privacy Infringement Report Center(http://privacy.kisa.or.kr / 118)

B) Supreme Prosecutors' Office Cyber Investigation Division(http://www.spo.go.kr /1301)

C) National Police Agency Cyber Bureau(http://cyberbureau.police.go.kr / 182)

D) Personal Information Dispute Mediation Committee (http://www.kopico.go.kr / 1833-6972)

09. CHANGES IN THE PERSONAL INFORMATION MANAGEMENT POLICY AND NOTIFICATION (DUTY OF NOTIFICATION REGARDING POLICY CHANGE)

1. This personal information management policy was established in November 30, 2016, and in case content of it is added, deleted and modified due to changes in laws, policies or security technology, the Medical Center will notify changed details through homepage of the Medical Center at least 7 days before the new personal information management policy comes into effect.

- Publication Date: Jun 01, 2019
- Effective Date: Jun 08, 2019

10. MEASURES TO SECURE SAFETY OF PERSONAL INFORMATION

The Medical Center takes the following technical and administrative measures necessary to prevent loss, theft, leakage, alteration or damage of personal information as it is processed.

A) Technical measures

• 1) Personal information of customers is managed by internal network that controls illegal access from outside by encrypting files and transmission data. Separate security devices such as locking technology are also utilized to thoroughly protect important data.
• 2) The Medical Center ensures that persons in charge of personal information process system and personal information managers install the latest vaccine program in their computers and devices in order to monitor, check and deal with computer virus, spyware and other malicious programs. Also, vaccine programs are regularly updated in preparation of new and sudden attacks of computer virus, thereby protecting personal information from any damage.
• 3) In order to protect personal information from leakage caused by computer hacking or other outside intrusion, the Medical Center installs systems in exclusive areas where unauthorized access from outside is strictly controlled and operates intrusion prevention system and intrusion monitoring system 24 hours a day to protect the network.

B) Administrative measures

• 1) The Medical Center arranges procedures necessary for secure access and management of personal information of customers and ensures that its staff is fully aware of them and observe.
• 2) The Medical Center shall limit the accessing authority to staff carrying out personal information management tasks such as person in charge thereof etc, and regularly provide them with educations in and outside the Medical Center for better personal information handling. Staff members carrying out personal information management tasks are as follows:
  ① Staff who contacts customers directly or indirectly and manages ensuing tasks.
  ② Staff such as person in charge of personal information protection and personal information management who are tasked with management and protection of personal information.
  ③ Staff essential in accessing personal information as related to work.
• 3) In case of using computer to manage personal information of customers, a manager(s) is appointed with access authority to personal data of customers and ID & Password are assigned to the person and the password is regularly updated.
• 4) In case new staff is recruited, the Medical Center ensures they sign the information security pledge or personal information security pledge. In doing so, the Medical Center establishes its internal procedures and endeavors to prevent date leakage caused by staff and conducts audits in order to ensure strict compliance of staff with Personal Information Management Policy.
• 5) In case a staff member retires, the Medical Center ensures the person sign Non-Disclosure Agreement, thereby preventing damage, leakage or infringement of personal information by the person.
• 6) Transfer of business between personal information managers is conducted with strict security, and principles of responsibility are made clear for staff on any infringement of personal information caused after their entering/retiring from the Medical Center.
• 7) The Medical Center implements access control by designating computer room, data storage room etc. as a special security zone.

11. METHOD OF WITHDRAWING CONSENT AND CANCELLING MEMBERSHIP

1. Customer may withdraw at any time his/her consent made for membership to collection, usage and provision of personal information.

2. Member may cancel his/her membership by visiting the homepage of the Medical Center, going to "Customer Service," and clicking "Internet Error & Membership Cancellation" after identification check. Member may contact a website manager via letter, telephone or fax to authorize the manager for the cancellation, and then personal information of the customer will be destroyed without any delay.

12. INSTALLING/OPERATING AUTOMATIC COLLECTION EQUIPMENT REGARDING PERSONAL INFORMATION AND MATTERS AGAINST THE COLLECTION

1. What is cookie?

• A) In order to provide customers with personalized & optimized service, the Medical Center utilizes "Cookie" to restore and find user information.
• B) Cookie is a small size text file that the server used in operating the website of Medical Center sends to the user browser and it is saved in the user's hard disk. As the user revisits the website, the server of the website recognizes the cookies restored in the hard disk of the user and uses it to maintain the setting of the user and provide customized services.
• C) Cookie does not automatically/actively collect data that recognize individuals, and user may refuse or delete collection of cookie at any time.

2. Purpose for using cookie: Providing a customized individual service including advertisements through analysis of user connection frequency, visiting times etc., recognizing the User favorites and interest area, visiting numbers etc.

3. Installation/operation of cookie & the refusal thereof

• A) Members have the option to install cookie, therefore they can allow all cookies by opting on the web-browser, request to confirm whenever cookie is restored, or refuse all cookie installation
• B) However, if such installation is refused, it would be difficult to use certain services, which require log-in.
• Refer to the following steps to choose/refuse cookie installation (In case of Internet Explorer)
  ① Click on the [Tools] menu option and then select [Internet Options]
  ② Click [Personal Tab]
  ③ Set [Privacy Level]

13. INSTALLATION AND OPERATION OF IMAGE DATA PROCESSING EQUIPMENT

The Medical Center installs and operates image data processing equipment as follows:

A) Purpose of installing image data processing equipment: Providing security to clients and facilities, preventing fire and crime and managing parking.

B) The number of equipment installed, location and scope of recording

• 1) The number of equipment installed: 457 devices for main facilities.
• 2) Location of installation Scope of recording: Entire space of lobby, hallway, parking lot, road, elevator etc.

C) Manager, division and person authorized to have access to image data

• 1) Position: Facility Team Leader
• 2) Name of Team: Facility Team
• 3) Tel: (031) 780-4898

D) Recording time, retention period, storage place and management method of image data

• 1) Recording hours: 24 hours non-stop recording
• 2) Retention period: within 2 – 4 weeks
• 3) Storage place: Emergency room, parking control room etc.
• 4) Management Method: Details on of purpose, usage, destruction, review and provision of personal image data to the 3rd party will be recorded and managed, and upon the expiration of retention period, the data will be destroyed in a way that such data will not be reproduced (Information in paper form will be destroyed with a paper shredder or incinerated).

E) Method and place of image data confirmation

• 1) Confirmation method: Contact to apply for a visit
• 2) Confirmation place: Emergency room

F) Measures to deal with the request of the subject of information for inspection of image data

• 1) Request for inspection of image data or request for checking the existence of data may be made to the operator of the image data processing equipment. In such a case, an inspection of image data may be allowed only if the person requesting it has been recorded as the subject of such recording, or it is deemed obviously necessary for his/her physical safety and property interests.
• 2) However, the following cases may deny requests of the subject of such recording for review:
  ① Destruction of such image data after expiration of retention period.
  ② Existence of legitimate reasons to deny requests of the subject of such recorded data.

G) Technical, administrative and physical measures to protect image data: Image data processed by the Medical Center is managed safely through several measures such as encryption. Also, the Medical Center grants graded access authority to staff according to their position as an administrative measure to protect personal image data. In addition, the Medical Center records and manages information such as creation date & time, review purpose, reviewer, review date of personal image data in an effort to prevent fabrication and alteration of the aforementioned data. Furthermore, locking devices have been installed for secure physical storage of personal image data.