Personal Data Processing Policy

Exobrain Consortium shall not use personal information for purposes other than those intended; if the purposes change, it shall thereupon obtain the consent of the owner of the relevant information for the new purposes. Exobrain Consortium uses collected personal information for the following purposes:

1. Request for Access to Personal Information: Access to personal information files held by Exobrain Consortium may be requested in accordance with Article 35 (Access to Personal Information) of the Personal Information Protection Act. However, requests for access to personal information may be restricted according to Article 35 (5) of the Personal Information Protection Act.
2. Collected Items (Required): Name, Company Name, Email, Contacts
3. Period of Holding: In principle, after collection and collection purposes of personal information are achieved, the relevant personal information shall be destroyed without delay. Provided, where the personal information must be preserved pursuant to any related statutes, personal information may be preserved for a certain period set by the related statutes as follows:
   • The records of transactions, such as marks, advertisements, contents of contracts, and the execution thereof according to the Act on the Consumer Protection in Electronic Commerce, etc.
     - Records of marks and advertisements: June
     - Records of consumer complaints and/or settlements of dispute 3 years
   • Preservation of communication confirmation data pursuant to Article 41 of the Protection of Communications Secrets Act
     - Computer communication, Internet log records, data on tracing the location of connectors: 3 months
     Preservation of identity verification information pursuant to Article 29 of the Enforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection: 6 months after the posting of information on a message board

A user as an owner of information may exercise the following rights:

1. Request for Access to Personal Information: Access to personal information files held by Exobrain Consortium may be requested in accordance with Article 35 (Access to Personal Information) of the Personal Information Protection Act. However, requests for access to personal information may be restricted according to Article 35 (5) of the Personal Information Protection Act.
   • Where access to information is prohibited or restricted by Acts;
   • Where a third party is likely to be physically harmed, or a third party's property or other interests are likely to be unduly infringed upon;
   • Where access to information substantially hinders a public institution performing any of the following:
     - Affairs concerning tests for academic achievement, functions and employment, and qualification evaluation;
     - Affairs concerning an assessment or decision in progress regarding compensation and/or benefits;
     - Affairs concerning an audit and/or investigation being conducted under other Acts.
2. Request for Correction or Deletion of Personal Information: An owner of information may request the correction or deletion of his/her personal information held by Exobrain Consortium in accordance with Article 36 (Correction or Deletion of Personal Information) of the Personal Information Protection Act: Provided, That if other statutes stipulates the particular personal information be collected, the owner of information shall not request the deletion thereof.
3. Request for Suspension from Managing Personal Information: An owner of information may request the suspension of the management of his/her personal information held by Exobrain Consortium in accordance with Article 37 (Suspension from Managing Personal Information) of the Personal Information Protection Act: In addition, a legal guardian of a child under the age of 14 years may request access to, the correction, deletion, or suspension of the child's personal information from Exobrain Consortium. However, the request for suspension of personal information may be restricted according to Article 37 (2) of the Personal Information Protection Act.
   • Where there exist special provisions in any Act or it is necessary to fulfill an obligation imposed by or under any statute;
   • Where a third party is likely to be physically harmed, or a third party's property or other interests are likely to be unduly infringed upon;
   • Where a public institution is unable to conduct its affairs stipulated by or under other Acts unless it manages personal information;
   • Where it is impractical to perform a contract, such as a failure to provide an owner of information with stipulated services unless Exobrain Consortium manages their personal information, and the owner of the information fails to clearly express his/her intention to terminate the contract.
4. Regarding the request for access to, correction, deletion, and suspension of management of personal information, Exobrain Consortium shall notify of the relevant affairs within 10 days. Access to, correction, deletion, and suspension of management of personal information may be requested for through the relevant department.
5. The above-mentioned rights may be executed through a legal representative of an owner of information or an agent delegated by the owner of information. In this case, a power of attorney must be submitted.

When the holding period of personal information expires, or the management purpose of the personal information is achieved, Exobrain Consortium shall destroy the personal information without delay: Provided, that this shall not apply where the personal information must be preserved pursuant to any other statute. Destruction procedures, periods and methods are as follows:

1. Destruction Procedures: After information entered by users exceeds the holding period or achieves the management purpose, it shall be destroyed pursuant to internal policy or related laws.
2. Destruction Periods: In case that users’ personal information exceeds the holding period, the personal information shall be destroyed within 5 days after the holing period expires. If the purpose of the management of personal information is achieved and the personal information is unnecessary, the personal information shall be destroyed within 5 days after the recognition that the management of the personal information is unnecessary.
3. Destruction Methods: Exobrain Consortium destroys personal information the following methods:
   • In the case of personal information in electronic form: It shall be permanently and unrecoverably deleted
   • In the case of records, printouts, paper documents, and media containing personal information, other than electronic forms: They shall be shredded or incinerated

Exobrain Consortium shall take the technical, administrative, and physical measures necessary for ensuring safety pursuant to Article 29 of the Personal Information Protection Act.

1. Establishment and Execution of Internal Management Plans Exobrain Consortium establishes and executes the internal management plan (January 6, 2014) pursuant to the ‘Standard to Secure Safety of Personal Information’ (Notice 2011-43 of the Ministry of Public Administration and Security)
2. Minimization and Education of Designation of Personal Information Managers: Exobrain Consortium shall minimize the designation of personal information managers and conduct regular education programs.
3. Restrictions on Access to Personal Information: Exobrain Consortium controls access to personal information through the granting, changing and cancelation of access rights to database systems to handle personal information, and prevents illegal access from outside using firewall systems and intrusion protection systems. When a personal information manager accesses personal information systems from outside through information network systems, he/she uses VPN (Virtual Private Network). Exobrain Consortium shall record details regarding the granting, changing and cancelation of access rights and store the records for at least 3 years.
4. Encryption of Personal Information: Exobrain Consortium shall encrypt, save, and manage users’ personal information. In addition, Exobrain Consortium uses separate security functions such as encrypting when saving and transferring important data.
5. Technical Measures to Prepare for Hacking and more: Exobrain Consortium installs security programs, conducts regular updates and examinations, installs systems at areas restricted access from outside, and monitors and blocks technically and physically to prevent personal information leakage and damage by hacking or computer viruses.
6. Access Control of Unauthorized Persons: Exobrain Consortium prepares a separate physical storage place for personal information systems storing personal information, and establishes and operates its access control procedures.

Exobrain Consortium will make reasonable efforts to respond to queries regarding personal information protection or reporting/handling personal information infringement.

The Personal Information Management Policies shall apply from July 1, 2015.