Internal Information Management Regulations

General Provisions 

Purpose

The purpose of these regulations is to establish technical, administrative, and physical measures to ensure the security of personal information, preventing its loss, theft, leakage, alteration, or damage in accordance with Article 29 of the Personal Information Protection Act and its Enforcement Decree.



Scope of Application

These regulations apply to all cases where personal information is collected, used, or provided through various means such as written documents or information and communications networks. They apply to internal employees as well as external personnel handling such personal information.



Establishment and Implementation of Internal Management Plan

Establishment of the Internal Management Plan

A. Scope of Establishment and Approval of the Internal Management Plan

1) The Personal Information Protection Officer must establish an internal management plan that includes overall matters related to the protection of personal information at Wisebirds Co., Ltd. 

2) When establishing the internal management plan, the Personal Information Protection Officer must ensure that it complies with relevant laws and regulations concerning personal information protection.

3) The Personal Information Protection Officer must review the validity of the internal management plan prepared by the Personal Information Protection Officer and approve it to ensure the protection of personal information.

4) The Personal Information Protection Officer must review the validity and necessity of amendments to the internal management plan by the end of December each year to reflect changes or amendments in relevant personal information protection laws.



B. Announcement of the Internal Management Plan

1) The Personal Information Protection Officer must announce the internal management plan to all employees of Wisebirds by the end of February each year.

2) The internal management plan must be made accessible to employees at any time, and any changes must be communicated promptly.



Personal Information Protection Organization

Organizational Structure for Personal Information Protection

CEO:


Personal Information Protection Officer:



Personal Information Protection Manager:

Main Contact Number: 02-538-8897



Composition of Personal Information Handlers

A. Personal Information Handler: Refers to the organization, Wisebirds Co., Ltd., that processes personal information to manage personal information files for business purposes.

B. Personal Information Protection Officer: The individual who oversees and manages the processing of personal information, including administrative tasks, and who heads the department responsible for personal information-related duties.

C. Personal Information Protection Manager: The operational lead who handles the processing of personal information and is responsible for tasks related to personal information protection.

D. Personal Information Processor: The individual who processes personal information under the direction and supervision of the Personal Information Handler and is responsible for each item in the personal information file list.




Designation of the Personal Information Protection Officer

The Personal Information Protection Officer is designated based on Article 32 of the Enforcement Decree of the Personal Information Protection Act. The officer oversees administrative duties and handles matters related to the processing of personal information.


Affiliation: Wise Birds Inc.

Position: Director

Legal Basis: Article 32 of the Enforcement Decree of the Personal Information Protection Act


Duties and Responsibilities of the Personal Information Protection Officer

A. Implement and enforce protective measures to ensure that internal guidelines related to personal information protection are followed, and take responsibility for management and supervision.

B. Handle and address complaints from data subjects and establish training programs for employees who handle personal information.

C. If personal information processing tasks are outsourced, continuously monitor and verify the personal information management status of the entrusted party.

D. If a violation of this law or other related laws is discovered, take immediate corrective action and, if necessary, report the corrective measures to the head of the organization.



Scope, Duties, and Responsibilities of the Personal Information Protection Manager

A. Under the direction and supervision of the Personal Information Handler, enforce protective measures to ensure compliance with internal guidelines related to personal information and oversee the adherence to and implementation of these guidelines.

B. Responsible for the practical handling of complaints from data subjects and the training of employees who handle personal information.

C. If personal information processing tasks are outsourced, continuously monitor and manage the personal information management status of the entrusted party.



Scope, Duties, and Responsibilities of the Personal Information Processor

A. Process personal information under the direction and supervision of the Personal Information Handler, ensuring the secure management of personal information.

B. Participate in personal information protection activities, adhere to and implement the internal management plan, and comply with the technical and administrative protective measures standards.

C. Inspect and address any unlawful or improper personal information infringement activities conducted by employees or third parties.



Technical and Administrative Security Measures for Personal Information

Access Rights Management Measures for Personal Information Handlers

A. Granting Access Rights:
Access rights are granted to the minimum necessary extent based on the job responsibilities of the personnel.

B. Management of Access Rights:

1) In the event of personnel changes, such as resignations or transfers, promptly modify or revoke the access rights to the personal information processing system for the affected individuals.

2) Record all instances of granting, modifying, or revoking access rights, and retain these records for at least three years.


Note: When issuing user accounts that can access the personal information processing system, only one account per personal information handler should be issued, and it should not be shared with others.


Password Management Measures

A. Change Frequency:
Passwords should be changed at least once every six months.

B. Combination Rules:
Passwords should be at least 8 to 10 characters long and include a combination of uppercase letters, lowercase letters, and numbers.

C. Applicable Targets:
Files or systems containing personal information.



Access Control Measures

A. Access Limitation:
Access to the personal information processing system is only permitted from computers connected to the work network.

B. Firewall and Harmful Content Blocking:
Unauthorized IP addresses are blocked by the firewall and harmful content blocking systems, which also monitor for illegal access attempts.

C. Prevention of Personal Information Leaks:
A system is in place to prevent personal information from being accessed by unauthorized personnel or leaked externally.



Personal Information Encryption Measures

A. Encryption Targets:
Unique identification information, passwords, credit card numbers, and other sensitive data transmitted via information and communications networks or stored on auxiliary storage devices must be encrypted.
Reference: Article 21 and Article 30, Paragraph 1, Clause 3 of the Enforcement Decree of the Personal Information Protection Act.


B. Encryption Method:
Files containing unique identification information should be stored and managed with encrypted passwords.



Installation and Operation Measures for Security Programs

A. Routine Operations:
Use the automatic security update function of the computer's operating system or perform manual updates at least once a week.

B. In Case of Emergencies:
Immediately implement updates announced by the operating system manufacturer.



Personal Information Protection Training

Establishment of Training Plans

A. Annual Training Plan
The Personal Information Protection Officer shall establish an annual personal information protection training plan by the end of December each year, including the following elements:

1) Training objectives and target audience.

2) Training schedule and methods.

B. Evaluation and Improvement
After conducting the training as per the established plan, the Personal Information Protection Officer must review the effectiveness and areas for improvement, incorporating these insights into the training plan for the following year.



Training Content

Personal information protection training may cover the following topics:

∙ Importance of personal information protection.

∙ Compliance with and implementation of the internal management plan.

∙ Organizational security policies, guidelines, instructions, and risk management strategies, including risks and countermeasures.

∙ Proper use of systems, including hardware and software associated with personal information systems.

∙ Implementation of technical and administrative protective measures for personal information.

∙ Necessity of reporting violations of personal information protection.

∙ Procedures, responsibilities, and task descriptions related to personal information protection duties.

∙ Prohibited actions for those involved in personal information protection.

∙ Procedures related to the implementation of personal information protection compliance.



Conducting Training

A. Responsibility to Educate
The Personal Information Protection Officer must strive to enhance employee awareness of customer information protection and prevent the misuse or leakage of personal information by conducting regular personal information protection training for all employees and personal information handlers at least once a year.

B. Regular Training
The annual training must be conducted once for all employees and once specifically for personal information handlers.

C. Training Methods
Training may be conducted using various methods, including in-person sessions, online courses, etc. If necessary, external experts or professional agencies may be engaged to provide the training.

D. Ongoing Education
If there are significant developments in personal information protection or changes related to personal information protection tasks, the Personal Information Protection Officer may conduct additional training sessions through departmental meetings or other appropriate methods.



Response to Personal Information Breach

Breach Response Measures

A. Access Log Management

1) To ensure a swift response, records of access by personal information handlers to the personal information processing system must be retained and managed for at least six months.

2) Access logs of personal information handlers must be securely managed to prevent tampering, theft, or loss.


B. Notification of Breach Incident

1) In the event of a breach incident, unless there is a justifiable reason, the affected data subject must be notified of the following information within five days:

- The types of personal information that were leaked.

- The timing and circumstances of the leak.

- Information on how the data subject can minimize potential damage.

- The response measures taken by the personal information handler and the procedures for remedying the damage.

- Contact details of the department responsible for receiving reports and inquiries in case the data subject suffers harm.

2) After taking urgent measures such as blocking access paths, checking and addressing vulnerabilities, and deleting leaked personal information to prevent further spread and additional leaks, notify the data subject.



Remedies for Personal Information Breach

Remedial Measures

A. Prevention of Damage:
The personal information handler must comply with the Personal Information Protection Act and take all necessary precautions and supervisory actions to prevent any harm to data subjects (familiarizing themselves with and taking action based on Chapters 1 to 6 of this internal management plan).


Note: According to Article 39 of the Personal Information Protection Act, if a data subject suffers damage due to a violation of the law by the personal information handler, the handler may be liable for compensation. The handler can only avoid liability if they prove the absence of intent or negligence. Furthermore, if the handler has complied with the law and exercised due care and supervision, liability for damages due to the loss, theft, leakage, alteration, or destruction of personal information may be mitigated.


B. Application for Mediation by the Dispute Mediation Committee:
If a data subject applies for dispute mediation with the Dispute Mediation Committee for redress, the personal information handler should consider the committee's recommendations and seek an amicable settlement.


Note: Under Article 43 of the Personal Information Protection Act, if a data subject finds it difficult to seek redress through litigation due to costs, procedures, or other reasons, they may apply for dispute mediation with the Dispute Mediation Committee. The mediation process does not rely on a court judgment; instead, it involves both parties making concessions based on the committee's recommendations. If both parties accept the mediation, it carries the same effect as a final court ruling.





Korea (Headquarters)

69, Geumto-ro, Sujeong-gu, Seongnam-si, Gyeonggi-do

Daou Digital Square, 5F

Email. ad@wisebirds.co.kr

Japan

〒105-0012 Tokyo, Minato City, Shibadaimon,

1 Chome−9−9 Nomura fudousan Bldg, 6F

Tel. +81-3-6435-6205 | Email. contact@wisebirds.jp

ⓒ Wisebirds Corp. All rights reserved.
