Personal Information Handling Policy

The Korea Information Certificate Authority Inc. (hereinafter referred to as “KICA”) hereby confirms its compliance with the Digital Signature Act, Personal Information Protection Act, as well as other relevant laws and regulations in order to protect personal information supplied by customers for the provision of secure server authentication services. It establishes and discloses the enforcement of the following Privacy Policy.

1. Personal Information to be collected and method of collection

KICA collects the following personal information from customers looking to use its secure server authentication services. If other additional information is required, KICA may request the customers for the corresponding information separately.

• (1)Personal Information items to be collected
  • ① Name, office telephone number, e-mail address, mobile phone number, department name, title
  • ② Service usage records, access logs, cookies, access IP information, illegal usage records, etc. during the course of using KICA services or processing business operations may be generated and collected automatically.
• (2) Method of collection

  Service website (including notice boards, etc.), documents submitted to KICA, etc.

2. Purpose of collected personal information

KICA uses the personal information for the following purposes.

• (1) Execution of the contract and fee settlement

  Providing of services, payment of purchases and charges, delivery of required information in using its services, etc.

• (2) Customer management

  Providing of services, payment of purchases and charges, delivery of required information in using its services, etc.

• (3) Marketing and advertisement (promotional activities)

  Providing of services, payment of purchases and charges, delivery of required information in using its services, etc.

3. Period for retention and use of personal information

KICA shall retain and use a member’s personal information from the date a member subscribes to the service and throughout the duration KICA services are rendered to the member. If a customer cancels its membership, if the customer withdraws its consent that allows KICA to collect and use the member’s personal information, if KICA has fulfilled its purpose of collecting and using the information, if the collection and usage period expires, or if the business is terminated, KICA shall dispose the corresponding personal information without delay. However, personal information may be retained for a certain period if it is required for the settlement of service fees, litigations or disputes, etc. Moreover, if personal information must be retained under relevant laws and regulations, including the Commercial Act, Framework Act on National Taxes, Protection of Communications Secrets Act, and the Act on the Consumer Protection in Electronic Commerce, etc., the company shall retain the information for the set period of time stipulated under the corresponding legislation. In such case, KICA may use the information exclusively for the purposes, and the retention period shall be as follows:

• A. Critical documents and slips related to commercial ledgers and sales operations: 10 years - Critical documents/5 years - Statements (Commercial Act)
• B. Ledgers and evidentiary documents related to transactions: 5 years (Framework Act on National Taxes, Corporate Tax Act, Value-Added Tax Act, etc.)
• C. Log records, IP addresses, etc. required when providing communication confirmation data: 3 months (Protection of Communications Secrets Act)
• D. Records related to sign/advertisement : 6 months (Act on the Consumer Protection in Electronic Commerce)
• E. Records related to contracts or withdrawal of subscription : 5 years (Act on the Consumer Protection in Electronic Commerce)
• F. Records related to payments and provision of goods/services: 5 years (Act on the Consumer Protection in Electronic Commerce)
• G. Records related to customer complaint or dispute treatment : 3 years (Act on the Consumer Protection in Electronic Commerce)
• H. Records related to the collection, process, and use of credit information: 3 years (Credit Information Use and Protection Act)

4. Installation/maintenance of auto personal information collection devices (cookies) and declining installation/maintenance of such devices

• (1) What is a cookie?
  • ① KICA uses ‘cookies’ that save and open customer information in order to provide individualized and customized services.
  • ② Cookies are saved on the customer’s hard disk in the form of a very small text file which the server being used to operate the website sends to the customer’s browser. When the customer visits the website on a later point in time, the website reads the cookies in the customer’s hard disk to maintain the user’s system environment settings and offer customized services.
  • ③ Cookies do not automatically/actively collect information that enables others to identify an individual. Customers can refuse to save or delete cookies at any time.
• (2) Purpose of using cookies

  Cookies are used to keep users logged into websites they previously visited, update IDs, record visited pages, check whether a legal guardian consented the use of minors, check delivery information of additional products, etc. and provide customers with optimized, convenient services.

• (3) Installation, maintenance of cookies and refusal to install, maintain cookies
  • ① A customer has the right to choose whether to install cookies or not. As such, the customer can allow all cookies, require the system to ask for consent whenever cookies are saved, or refuse to save all cookies by configuring the option settings in his/her browser. However, if the customer refuses to save cookies, it may become difficult to use some services of the website.
  • ② A customer may allow all cookie installations as follows (for Internet Explorers).
    • - Select [Internet Options] from the [Tools] menu
    • - Click the [Privacy] tab
    • - Enable/disable cookies using [Privacy Level]

5. Provision of personal information to a third party

KICA shall not provide or leak personal information of customers without the consent of its members. However, if the information is required to respond to a request from a government institution pursuant to relevant laws and regulations, if the information is required for the investigation of a crime, if the information is required at the request of the Korea Internet Safety Commission, or if the information is required to settle fee payments, KICA may process the data and eliminate all personal identification markers, then provide the information without the consent of its members. KICA may share the personal information of customers with affiliated companies and vendors to improve service quality. In such case, it shall notify its members with the target information, details, and grounds for providing the information and acquire their consent. If the member declines, KICA cannot share the information. Moreover, if KICA needs to share personal information beyond the scope that was originally agreed upon with its customers, it shall acquire the consent of members separately. If a user wishes to cancel his/her consent to provide personal information, the user can notify KICA and KICA will request the corresponding company to delete the corresponding personal information.

• * Secure server authentication service

  KICA provides personal information as follows with the consent of its customers for the purpose of issuing secure server certificates. Customers may choose to decline the provision of personal information. In such case, however, the customers will not be able to sign up for membership, issue certificates, renew certificates, or access additional KICA’s services.

  • A. Company name: Sectigo, Digicert
  • B. Purpose: Provision of information for the purpose of certificate issue
  • C. Items to be provided : All information entered as the owner of the certificate and person-in-charge (refer to collected personal information items)
  • D. Period of retention and use of recipient : certificates are retained throughout the life of the certificate, then discarded automatically.

6. Commission for collected personal information

KICA commissions personal information to enhance service quality. When it enters into a commission contract, it complies with all requirements stipulated under relevant laws and regulations to ensure that personal information can be kept safely. Personal information commissioned by the company, the commissioned organization, commissioned duties are as follows.

7. Rights/Obligations of the principal of information and the execution of such rights/obligations

KICA shall do its utmost to protect the personal information of its customers. KICA respects the rights of each individual user over his/her own personal information, therefore allows each user to access, update, delete personal information at any time using the menus available on its website. If a user wishes to terminate his/her membership, the user may do so using the [Request] menu and withdraw his/her consent to KICA over the use of personal information.

8. Disposal of personal information

In principle, KICA shall immediately destroy all collected personal information and used once it fulfills the purpose of collecting and using the information. The disposal protocol and method are as follows:

• A. Disposal protocol: Information supplied by a customer to sign up for membership, etc. shall be transferred to a separate DB (separate file cabinet for paper documents) once it fulfills its purpose. The information shall be stored for a set period of time as stipulated under internal policies, relevant laws and regulations for information protection purposes (refer to the ‘Retention and usage period’ section), then it shall be disposed permanently. Personal information transferred to a separate DB cannot be used to serve other purposes, unless stipulated otherwise by law.
• B. Disposal method: Personal information saved in the form of an electronic file shall be deleted using a technical method that ensures the record unavailable to restore.
• C. Personal information validity system: The personal information of users who have not used the service for a year is separately stored or destroyed according to the Personal Information Validity System.

9. Securing the safety of personal information

KICA implements the following protective measure to safely manage customers’ personal information.

• (1) Establishment and implementation of an internal management plan

  The company establishes and implements an internal management plan in accordance with the ‘standards for securing safety of personal information’

• (2) Minimization and education of designation of personal information handlers

  The designation of personal information is minimized and regular training is provided

• (3) Limitation on access to the personal information

  Access to personal information is controlled by granting, changing, or canceling access to the database system that processes personal information, and unauthorized access from the outside is controlled using an intrusion blocking system and an intrusion prevention system.

• (4) Storage of access records and prevention of forgery

  Records of accessing the personal information processing system (web log, summary information, etc.) have been stored and managed for at least 6 months.

• (5) Encryption of the personal information

  Customer’s personal information is encrypted, saved and managed. Additionally, separate security features is used for important data by the encryption when storing and transmitting.

• (6) Technical measures to prepare for hacking, etc.

  To prevent personal information leakage and damage caused by hacking or computer viruses, the company installs security programs, periodically renews and inspects, and installs systems in areas where access is restricted from the outside, monitors and blocks them technically and physically.

• (7) Access controls to unauthorized person

  There is a separate physical storage place for personal information systems that store personal information, and access control procedures are established and operated.

10. Rights of the user and legal representative, and how to exercise such rights

A member or legal representative may view or correct personal information pertaining to himself/herself or a minor under the age of 14, or request to terminate a service at any time. A user may view or correct his/her information or the information of a minor under the age of 14 from the [Member Information Update] menu. To terminate a service, a member may contact the person-in-charge of personal information via phone or e-mail. The person-in-charge shall process the termination request without delay upon confirming the identity of the requesting entity.

11. Amendments to the Privacy Policy

This Privacy Policy can be accessed at any time on the website. It may be amended in response to amendments made to relevant laws and regulations, or to provide better services. Please visit the website regularly and check for updates. When KICA amends its Privacy Policy, it shall disclose all details on the website for each service it provides.

12. Remedies against the infringement on rights and interests

A user may request the resolution of conflicts or counseling at the following organizations for remedies against infringements on personal information rights.
- Korea Internet and Security Agency Personal Data Protection Center (privacy.kisa.or.kr/(no area code) 118)
- Personal Information Dispute Mediation Committee (www.kopico.go.kr/02-2100-2499)
- Supreme Prosecutors’ Office Cyber Crimes Investigation Department (www.spo.go.kr / 02-3480-2000)
- National Police Agency Cyber Bureau: (Cyberbureau.police.go.kr/(no area code) 182))

13. Person-in-charge of personal information protection

Inquires related to personal information will be answered when the e-mail is sent to the address below.

• Person-in-charge of personal information protection

• Name : Jaejung Kim

• Division : Department of Information Protection

• Tel : (02)360-3210

• Address : Korea Information Certificate Authority Inc., 5F, C-dong, 242, Pangyo-ro, Bundang-gu, Seongnam-si, Gyeonggi-do (463-400)

• E-mail address : jjkim@signgate.com

• Personal Information Protection and Management Department
• • Division: SSL team
  • Tel: (02)360-3065
  • E-mail address : webmaster@kicassl.com
• Service information phone number

  - Secure Server Authentication Service (SSL) : 02-360-3065

14. Duty of disclosure

If any amendment occurs to its Privacy Policy, KICA shall disclose the details at least 7 days before the enforcement of such amendments on its website.

• - Disclosure date: November 25, 2021
• - Enforcement date: Desember 2, 2021