
Personal Information Handling Policy

The Korea Information Certificate Authority Inc. (hereinafter referred to as “KICA”) hereby confirms its compliance with the Digital Signature Act, Personal Information Protection Act, as well as other relevant laws and regulations in order to protect personal information supplied by customers for the provision of secure server authentication services. It establishes and discloses the enforcement of the following Privacy Policy.

1. Personal Information to be collected and method of collection.

KICA collects the following personal information from customers looking to use its secure server authentication services. If other additional information is required, KICA may request the customers for the corresponding information separately.

  • (1) Personal Information items to be collected.
    • ① Name, office telephone number, e-mail address, mobile phone number, department name, title.
    • ② Service usage records, access logs, cookies, access IP information, illegal usage records, etc. during the course of using KICA services or processing business operations may be generated and collected automatically.
  • (2) Method of collection.

    Service website (including notice boards, etc.), documents submitted to KICA, etc.

2. Purpose of collected personal information.

KICA uses personal information for the following purposes.

  • (1) Execution of the contract and fee settlement.

    Providing of services, payment of purchases and charges, delivery of required information in using its services, etc.

  • (2) Customer management.

    Providing necessary information for renewal and use of SSL services, handling 1:1 inquiry, delivering announcements, and preventing unauthorized and fraudulent use.

  • (3) Marketing and advertisement (promotional activities).

    Delivery of promotional information for SSL marketing and participation in events, and utilization of statistics for member service usage.

3. Period for retention and use of personal information.

KICA shall retain and use a member’s personal information from the date a member subscribes to the service and throughout the duration KICA services are rendered to the member. If a customer cancels its membership, if the customer withdraws its consent that allows KICA to collect and use the member’s personal information, if KICA has fulfilled its purpose of collecting and using the information, if the collection and usage period expires, or if the business is terminated, KICA shall dispose of the corresponding personal information without delay. However, personal information may be retained for a certain period if it is required for the settlement of service fees, litigations or disputes, etc. Moreover, if personal information must be retained under relevant laws and regulations, including the Commercial Act, Framework Act on National Taxes, Protection of Communications Secrets Act, and the Act on the Consumer Protection in Electronic Commerce, etc., the company shall retain the information for the set period of time stipulated under the corresponding legislation. In such case, KICA may use the information exclusively for those purposes, and the retention period shall be as follows:

  • A. Critical documents and slips related to commercial ledgers and sales operations: 10 years - Critical documents/5 years - Statements (Commercial Act).
  • B. Ledgers and evidentiary documents related to transactions: 5 years (Framework Act on National Taxes, Corporate Tax Act, Value-Added Tax Act, etc.).
  • C. Log records, IP addresses, etc. required when providing communication confirmation data: 3 months (Protection of Communications Secrets Act)
  • D. Records related to sign/advertisement: 6 months (Act on the Consumer Protection in Electronic Commerce).
  • E. Records related to contracts or withdrawal of subscription: 5 years (Act on the Consumer Protection in Electronic Commerce).
  • F. Records related to payments and provision of goods/services: 5 years (Act on the Consumer Protection in Electronic Commerce).
  • G. Records related to customer complaint or dispute treatment: 3 years (Act on the Consumer Protection in Electronic Commerce).
  • H. Records related to the collection, process, and use of credit information: 5 years (Credit Information Use and Protection Act).
4. Installation/maintenance of auto personal information collection devices (cookies) and declining installation/maintenance of such devices.
  • (1) What is a cookie?
    • ① KICA uses ‘cookies’ that save and open customer information in order to provide individualized and customized services.
    • ② Cookies are saved on the customer’s hard disk in the form of a very small text file which the server being used to operate the website sends to the customer’s browser. When the customer visits the website at a later point in time, the website reads the cookies on the customer’s hard disk to maintain the user’s system environment settings and offer customized services.
    • ③ Cookies do not automatically/actively collect information that enables others to identify an individual. Customers can refuse to save or delete cookies at any time.
  • (2) Purpose of using cookies.

    Cookies are used to keep users logged into websites they previously visited, update IDs, record visited pages, check whether a legal guardian consented to use by minors, check delivery information of additional products, etc. and provide customers with optimized, convenient services.

  • (3) Installation, maintenance of cookies and refusal to install, maintain cookies.
    • ① A customer has the right to choose whether to install cookies or not. As such, the customer can allow all cookies, require the system to ask for consent whenever cookies are saved, or refuse to save all cookies by configuring the option settings in his/her browser. However, if the customer refuses to save cookies, it may become difficult to use some services of the website.
    • ② A customer may allow all cookie installations as follows (for Internet Explorer).
      • - Select [Internet Options] from the [Tools] menu.
      • - Click the [Privacy] tab.
      • - Enable/disable cookies using [Privacy Level]
5. Provision of personal information to a third party.

KICA shall not provide or leak personal information of customers without the consent of its members. However, if the information is required to respond to a request from a government institution pursuant to relevant laws and regulations, if the information is required for the investigation of a crime, if the information is required at the request of the Korea Internet Safety Commission, or if the information is required to settle fee payments, KICA may process the data and eliminate all personal identification markers, then provide the information without the consent of its members. KICA may share the personal information of customers with affiliated companies and vendors to improve service quality. In such case, it shall notify its members of the target information, details, and grounds for providing the information and acquire their consent. If the member declines, KICA cannot share the information. Moreover, if KICA needs to share personal information beyond the scope that was originally agreed upon with its customers, it shall acquire the consent of members separately. If a user wishes to cancel his/her consent to provide personal information, the user can notify KICA and KICA will request the corresponding company to delete the corresponding personal information.

  • * Secure server authentication service.

    KICA provides personal information as follows with the consent of its customers for the purpose of issuing secure server certificates. Customers may choose to decline the provision of personal information. In such case, however, the customers will not be able to sign up for membership, issue certificates, renew certificates, or access KICA’s additional services.

    Provision of personal information

    | Company name | Purpose | Items to be provided | Period of retention and use of recipient |
    |---|---|---|---|
    | SECTIGO | Sectigo certificate issuance and service provision | Information of the person in charge (Name, Contact Number, E-mail) | Upon certificate expiration |
    | SECTIGO | Identity verification of Sectigo certificate applicants | Name, copy of applicant's identification, applicant's photograph | Upon certificate expiration |

6. Transfer of Personal Information Overseas.

For the provision of secure server authentication services, Korea Information Certificate Authority discloses personal information to third parties outside the country as follows:

| Country | Company Name | Contact Information | Purpose of transferring Personal Information | Information to be transferred | Date and method of transfer | Retention and usage period of personal information |
|---|---|---|---|---|---|---|
| USA | SECTIGO | Name: Eric Staudinger, Email: eric.staudinger@sectigo.com | Transfer of information for certificate issuance | Information of the person in charge (Name, Phone Number, E-mail); Name, copy of applicant's identification, applicant's photograph | When applying for issuance, register in the SECTIGO system | Upon certificate expiration |

7. Personal information processing outsourcing.

Korea Information Certificate Authority entrusts the processing of personal information to outside companies for the improvement of services and, in accordance with relevant laws, stipulates necessary provisions in outsourcing contracts to ensure the secure management of personal information. The outsourcing recipients and the entrusted tasks are as follows.

| Recipient of outsourcing company | Content of outsourcing task | Retention and usage period of personal information |
|---|---|---|
| PayPal | Service fee payment | Affiliation period |

8. Rights/Obligations of the principal of information and the execution of such rights/obligations.

KICA shall do its utmost to protect the personal information of its customers. KICA respects the rights of each individual user over his/her own personal information, and therefore allows each user to access, update, or delete personal information at any time using the menus available on its website. If a user wishes to terminate his/her membership, the user may do so using the [Request] menu and withdraw his/her consent to KICA over the use of personal information.

9. Disposal of personal information.

In principle, KICA shall immediately destroy all personal information it has collected and used once the purpose of collecting and using the information has been fulfilled. The disposal protocol and method are as follows:

  • A. Disposal protocol: Information supplied by a customer to sign up for membership, etc. shall be transferred to a separate DB (separate file cabinet for paper documents) once it fulfills its purpose. The information shall be stored for a set period of time as stipulated under internal policies, relevant laws and regulations for information protection purposes (refer to the ‘Retention and usage period’ section), then it shall be disposed of permanently. Personal information transferred to a separate DB cannot be used to serve other purposes, unless stipulated otherwise by law.
  • B. Disposal method: Personal information saved in the form of an electronic file shall be deleted using a technical method that ensures the record cannot be restored.
  • C. Personal information validity system: The personal information of users who have not used the service for a year is separately stored or destroyed according to the Personal Information Validity System.
10. Securing the safety of personal information

KICA implements the following protective measures to safely manage customers’ personal information.

  • (1) Establishment and implementation of an internal management plan
    The company establishes and implements an internal management plan in accordance with the ‘standards for securing safety of personal information’.
  • (2) Minimization of designated personal information handlers and their education
    The designation of personal information handlers is minimized, and regular training is provided.
  • (3) Limitation on access to the personal information
    Access to personal information is controlled by granting, changing, or canceling access to the database system that processes personal information, and unauthorized access from the outside is controlled using an intrusion blocking system and an intrusion prevention system.
  • (4) Storage of access records and prevention of forgery
    Records of access to the personal information processing system (web log, summary information, etc.) are stored and managed for at least 6 months.
  • (5) Encryption of the personal information
    Customers’ personal information is encrypted, saved and managed. Additionally, separate security features are used to encrypt important data when it is stored and transmitted.
  • (6) Technical measures to prepare for hacking, etc.
    To prevent personal information leakage and damage caused by hacking or computer viruses, the company installs security programs and periodically updates and inspects them, installs systems in areas where access from the outside is restricted, and monitors and blocks access technically and physically.
  • (7) Access control for unauthorized persons
    There is a separate physical storage place for personal information systems that store personal information, and access control procedures are established and operated.
11. Rights of the user and legal representative, and how to exercise such rights

A member or legal representative may view or correct personal information pertaining to himself/herself or a minor under the age of 14, or request to terminate a service at any time. A user may view or correct his/her information or the information of a minor under the age of 14 from the [Member Information Update] menu. To terminate a service, a member may contact the person-in-charge of personal information via phone or e-mail. The person-in-charge shall process the termination request without delay upon confirming the identity of the requesting entity.

12. Amendments to the Privacy Policy

This Privacy Policy can be accessed at any time on the website. It may be amended in response to amendments made to relevant laws and regulations, or to provide better services. Please visit the website regularly and check for updates. When KICA amends its Privacy Policy, it shall disclose all details on the website for each service it provides.

13. Remedies for infringement of rights

A user may request the resolution of conflicts or counseling at the following organizations for remedies against infringements on personal information rights.

| No. | Remedy institution for rights infringement | URL | Contact Number |
|---|---|---|---|
| 1 | Korea Internet and Security Agency Personal Data Protection Center | privacy.kisa.or.kr | (No area code) 118 |
| 2 | Personal Information Dispute Mediation Committee | www.kopico.go.kr | 1833-6972 |
| 3 | Supreme Prosecutors’ Office Cyber Crimes Investigation Department | www.spo.go.kr | (No area code) 1301 |
| 4 | National Police Agency Cyber Bureau | ecrm.cyber.go.kr | (No area code) 182 |

14. Person-in-charge of personal information protection

Korea Information Certificate Authority takes overall responsibility for tasks related to the processing of personal information and, in order to address complaints and provide remedies for data subjects related to the processing of personal information, has designated a Data Protection Officer as follows:

  • [Person-in-charge of personal information protection]
  • Name: Yoon Kyoo, Kim
  • Title: Board of director (CISO, CPO)
  • Tel: (02)360-3116
  • E-mail address: privacy@signgate.com
  • * It is connected to the department responsible for personal information protection
  • [Personal Information Protection and Management Department]
  • Name: Seong Hoon Kim
  • Division: Department of Information Protection
  • Tel: (02)360-3116
  • E-mail address: privacy@signgate.com

The data subject can inquire about all matters related to the protection of personal information, complaints, and remedies arising from the use of the company's services (or business) to the personal information protection manager and the relevant department. The company will promptly respond to and handle inquiries from the data subject.

15. Department handling requests for access to personal information

The subject of information can request access to personal information from the department below. Korea Information Certificate Authority will make efforts to promptly process the subject's request for access to personal information.

  • Division: SSL Team
  • Tel: (02)360-3065
  • E-mail address: webmaster@kicassl.com
16. Duty of disclosure

If any amendment occurs to its Privacy Policy, KICA shall disclose the details at least 7 days before the enforcement of such amendments on its website.

  • Disclosure date: 1 February 2024
  • Enforcement date: 8 February 2024
