PyeongChang Organizing Committee for the 2018 Olympic & Paralympic Games (hereinafter “POCOG”) has set forth and disclosed its Policy on Handling Personal Information as follows to protect the personal information of information providers and to handle complaints related thereto in a prompt and smooth manner pursuant to article 30 of the Personal Information Protection Act.
Article 1 (Purpose of Handling Personal Information)
POCOG shall handle personal information for following purposes. The personal information being handled by POCOG shall not be handled for purposes other than the objectives stipulated below. Upon changes in the purpose of handling personal information, POCOG shall take necessary actions, such as gaining the consent of the information provider, in accordance with article 18 of the Personal Information Protection Act:
- 1. Signing up for, and management of, membership to the official website of the Olympic Winter Games PyeongChang 2018 and PyeongChang 2018 Paralympics
To confirm the applicant’s intention to sign up for membership; to verify and authenticate the identity of the applicant to provide members-only, customized services; to maintain and manage membership qualifications; to restrict any behavior or improper use of the service that undermines the smooth operation of services; to keep records for customer consultation and dispute mediation; to address inquiries or complaints raised by members; to deliver various notices; and to verify the intention to cancel membership, etc.
- 2. Payment of admission tickets and licensed products
To purchase admission tickets and licensed products (payments, invoicing, etc.); and to send admission tickets and licensed products, etc.
- 3. Development, provision, promotion and marketing of new services
To identify statistics on the use of services by members (i.e. identify access frequency); to develop new services and provide bespoke services (i.e. provide services, post advertisements and offer commercial information according to the statistical attributes of members); to check the validity of services; and to provide event information and opportunities for members to participate in such events, etc.
Article 2 (Personal Information Handled by POCOG)
POCOG shall record the following personal information items under article 32 of the Personal Information Protection Act:
personal information items
Name of the personal information file for Grounds for & purpose of handling personal information, Personal information recorded in the personal information file
|Name of the personal information file
||Grounds for & purpose of handling personal information
||Personal information recorded in the personal information file
|Information on members of the official website of the Olympic Winter Games PyeongChang 2018 and PyeongChang 2018 Paralympics
||Grounds: Article 15 of the Personal Information Protection Act / Purpose: to support promotion and internal customer management for Olympic Winter Games PyeongChang 2018 and PyeongChang 2018 Paralympics
||- Mandatory items: nationality, email (ID), password, name, date of birth, telephone number, place of residence (city, country), language
- -Optional items: areas of interest, favorite sports, consent to receive information
※ For more details about items registered in the personal information files of POCOG, please access the personal information protection portal of the Ministry of the Interior and Safety at www.privacy.go.kr → click “Personal information inquiries” → click “Request access to personal information” → and use “Search the list of personal information files” menu
- 1. POCOG shall classify a minimal amount of personal information as follows as mandatory items upon the member’s initial sign-up for membership, for such purposes as granting membership, smooth customer consultations and provision of services:
- - Mandatory items: nationality, email (ID), password, name, date of birth, telephone number, place of residence (city, country), language
- - Optional items: areas of interest, favorite sports, consent to receive information (applicants may obtain membership even if they do not fill in the optional items)
- 2. The following information may be automatically generated and collected in the process of using the service or handling personal information:
- - IP address, cookies, access details, service access log, error log, device information, etc.
- 3. The following information may be collected, only from members who use additional services or personalized services, or who participate in events by using their ID:
- - Areas of interest, intention to participate in POCOG events, additional address information and contact information to receive gifts
- 4. The following information may be collected in the event that self-authentication is needed under applicable laws and regulations in the process of using certain services, such as purchasing admission tickets or licensed products:
- - Name, date of birth, gender, connecting information, duplicate identification information, mobile phone number, local/foreign resident information, detailed address, etc.
- 5. The following payment information may be collected in the process of using certain services such as the purchase of admission tickets or licensed products:
- - Upon payment by credit cards: the name of the card company, card number, etc.
- - Upon payment through account transfers: the name of the bank, account number, etc.
Article 3 (Period for Handling & Retaining Personal Information)
The personal information of the user shall be, in principle, destroyed immediately upon achievement of the purpose of handling the personal information as exemplified below:
- - If the information was collected for membership sign-up: to be destroyed when the member loses the membership
- - If the information was collected for one-off purposes such as for surveys or events: when the survey or event comes to an end
Provided however, the following information shall be preserved for a specified period of time for the following reasons:
- 1. Internal regulations of POCOG
- Personal information items of members subject to preservation: nationality, email (ID), password, name, date of birth, telephone number, place of residence, language, consent to receive information, areas of interest, favorite sports, etc.
- • Reasons for preservation: to provide smooth consultations and various services, etc.
- • Period of preservation: 5 years from the date of signing up for membership
- Illegitimate transaction record items related to payment that are subject to preservation: ID, name (payer/recipient), mobile phone number (payer/recipient), address of the recipient, IP address, cookies, device information
- • Reasons for preservation: to prevent illegitimate transactions
- • Period of preservation: 3 years from the point of transaction
※ “Records of illegitimate transactions” refer to records of transactions that have breached applicable laws, regulations and terms of service (i.e. identity theft or illegal use of credit cards for instant cash) or that have infringed upon the rights or interests of other members or a third party
- Preservation of website access records (i.e. log data, etc. of PC telecommunications or Internet access)
- • Reasons for preservation: if prosecutors, judicial police officers, or the head of an information investigation institution restrict the use of telecommunications or request the provision of materials ascertaining such telecommunications
- • Period of preservation: 3 months
- 2. Applicable laws and regulations
If specific personal information needs to be preserved pursuant to provisions of applicable laws and regulations, such as the Commercial Act and the Act on the Consumer Protection in Electronic Commerce, etc., POCOG shall preserve the member information for a certain period of time as prescribed by applicable laws and regulations. In this case, POCOG shall use the information only for the intended purposes, and handle and retain the personal information for the following periods:
- - Preservation of records on cancellation of subscription or agreements pursuant to subparagraph 2, paragraph 1, article 6 of the Enforcement Decree of the Act on Consumer Protection in Electronic Commerce, etc. : 5 years
- - Preservation of records on payments and supply of goods pursuant to subparagraph 3, paragraph 1, article 6 of the Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, etc. : 5 years
- - Preservation of records associated with marks or advertisements pursuant to subparagraph 1, paragraph 1, article 6 of the Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, etc. : 6 months
- - Preservation of records associated with handling complaints or disputes from consumers pursuant to subparagraph 4, paragraph 1, article 6 of the Enforcement Decree of the Act on Consumer Protection in Electronic Commerce, etc. : 3 years
- - Preservation of records on details and date of provision, etc. of credit information pursuant to article 20 of the Credit Information Use and Protection Act and article 16-2 of the Enforcement Decree of the said Act: 3 years
Article 4 (Provision of Personal Information to a Third Party)
- ① POCOG shall use the personal information of users to the extent specified in article 2 above, and may provide the personal information of users to a third party in the event stated in article 17 and 18 of the Personal Information Protection Act.
- ② POCOG has undertaken to share with the International Olympic Committee (hereinafter “IOC”) only the personal information whose collection was agreed to by users under paragraph 1 and 3 of article 17 of the Personal Information Protection Act, to create a positive and sustainable legacy of the Olympic Games and to promote the activities of IOC, organizations affiliated thereto, and the Olympic Movement specified in the Olympic Charter, when PyeongChang won the bid for the Winter Olympic Games. In other words, IOC reserves the right to collect and use the personal information that had been collected with the consent of users (including the authority that can be exercised through a third party who represents IOC according to the instructions of IOC), in accordance with the objectives stipulated in Consent to Provision of Personal Information.
IOC reserves the right to collect and use the personal information that had been collected with the consent
Recipient of Personal Information, IOC(International Olympic Committee) / Switzerland
|Recipient of Personal Information
|A recipient of personal information
||IOC(International Olympic Committee) / Switzerland
|Personal information items to be transferred to IOC
||Nationality, email (ID), password, name, date of birth, telephone number, place of residence, language, consent to provision of information
|Date / method of transfer
||Upon gaining website membership / Available to access into personal information database in a process of sFTP
|Purpose of using personal information
||Provision of information on, and promotion of, IOC and associated organizations, as well as the Olympic Movement specified in the Olympic Charter
|Duration of retaining & using personal information
||In accordance with article 3(Personal information is destroyed immediately upon membership cancellation)
- ③ IOC may retain and use the personal information that had been provided until the membership of the information provider is cancelled. Members have the authority to request for erasure of their information in the database of IOC by contacting IOC or expressing their intention to unsubscribe in a message sent from IOC.
- ④ If a user does not want his or her personal information to be delivered to IOC, the user shall not receive any marketing information from IOC, and shall not be subject to any disadvantages. The user reserves the right to refuse the provision of his or her personal information.
- ⑤ POCOG shall not provide a third party with the personal information of users outside the extent defined in paragraph 1 and 3 of article 17 of the Personal Information Protection Act. Notwithstanding the foregoing, POCOG may provide a third party with personal information for purposes other than the objectives described herein, pursuant to paragraph 2, article 18 of the Personal Information Protection Act, in any of the following events, unless such provision of personal information has the possibility to unlawfully infringe upon the interests of a third party:
- 1. If POCOG has gained consent to the use of such information from the user;
- 2. If there is a special provision in other laws permitting such provision of information;
- 3. If it is impossible to gain prior consent of the user as the user or his/her legal representative is in a state in which he/she is unable to express his/her intention, or the place of residence of the user or his/her legal representative is unidentifiable, and if it is clear that provision of such information is deemed necessary to urgently save the life of, provide physical protection for, or to protect the property of the information provider or a third party;
- 4. If provision of such information is necessary for statistical purposes or for such purposes as academic research, with the personal information being provided in a form that makes specific individuals unidentifiable;
- 5. If it is impossible to carry out the duties prescribed by other laws if: 1) the personal information is not used for purposes other than the objectives initially set forth herein; or 2) the personal information is not provided to a third party, and if provision of such information has been deliberated upon and decided by the Personal Information Committee pursuant to the Personal Information Protection Act;
- 6. If the information needs to be provided to a foreign government or an international organization to fulfill treaties or other international agreements;
- 7. If the information is needed to investigate crimes, or to prosecute and maintain a case;
- 8. If the information is needed for the Court to conduct trials; or
- 9. If the information is needed to execute sentences, probation or protective disposition
POCOG, when providing a third party with personal information for purposes other than initially stipulated objectives under paragraphs 2 to 6, 8 and 9 above, shall post on its official website necessary information on the legal grounds, purpose and extent, etc. of such provision.
Article 5 (Outsourcing of Handling Personal Information)
- ① POCOG outsources part of the service as below to provide and enhance its services and to ensure safe management of personal information. POCOG shall train the contractor and supervise the contractor’s safe handling of personal information to prevent any loss, theft, leak, forgery, falsification or damage of personal information of users through outsourcing.
- ② The organization in charge of handling personal information for POCOG and its responsibilities are outlined below:
The organization in charge of handling personal information for POCOG and its responsibilities
Contractor, Duties, Period for handling & retaining personal information
||Period for handling & retaining personal information
|Ssangyong Information & Communications Corp, Sports Business Department (02-2262-8170)
||Develop and operate systems for the provision of services
||To follow article 3. Provided however, upon termination of the outsourcing agreement, the period shall also terminate at the point of termination of the agreement.
Article 6 (Procedure and Method of Destroying Personal Information)
- ① POCOG shall destroy personal information immediately when the personal information becomes unnecessary, for such reasons as expiration of the period of holding personal information or achievement of the purpose of handling personal information.
- ② If personal information needs to be preserved under other laws and regulations even if the period of holding personal information has expired or the purpose of handling personal information has been achieved, with regard to personal information whose provision was agreed to by the information provider, the personal information (or personal information files) shall be transferred to a separate database or preserved in a different repository.
- ③ The procedure and method of destroying personal information are as follows:
- 1. Destruction procedure
POCOG shall establish a personal information destruction plan for personal information (or personal information files) that needs to be destroyed, and destroy the information accordingly. POCOG shall select the personal information (or personal information files) for which reasons for destruction have arisen, and gain the approval of the privacy officer of POCOG to destroy the personal information (or personal information files). The information entered by the information provider shall be transferred to a separate database (to be transferred to a different document if in hard copy) upon achieving the intended objectives and stored for a certain period of time under internal policies and applicable laws and regulations, or destroyed without delay. The personal information transferred to the database shall not be used for purposes other than those prescribed herein, unless otherwise required by laws and regulations.
- 2. Due date for information destruction
Personal information of the information provider shall be destroyed within five days from the date the period of retaining the information expires, and within five days from the date the handling of such information is deemed unnecessary, for example due to achievement of the purpose of handling such information, removal of the service requiring such information, or termination of the business requiring of such information.
- 3. Method of destruction
Any personal information in printed copy shall be shredded or incinerated. Personal information saved in the form of electronic files shall be destroyed by technical means which makes the records irrecoverable.
Article 7 (Measures to Ensure Safety of Personal Information)
Pursuant to article 29 of the Personal Information Protection Act, and article 28 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., POCOG takes technical, managerial and physical measures needed to ensure the safety of personal information:
- ① Establish and implement an internal management plan: POCOG establishes and implements an internal management system to ensure the safe handling of personal information.
- ② Train and minimize the number of staff handling personal information: POCOG designates staff in charge of handling personal information and keeps the number of such staff to a minimum to manage personal information. The staff responsible for handling personal information are subject to continued training to comply with the Policy on Handling Personal Information.
- ③ Manage access authority: Access authority to the database system handling personal information is granted, changed or repealed to ensure that necessary steps are taken to control access to personal information. Also, intrusion prevention systems are used to control any unauthorized access from outside.
- ④ Control access: POCOG installs a security program to prevent the leakage or damage of personal information caused by hacking or viruses, performs regular updates and inspections, installs the system in areas where access from outside is controlled, and physically and technically monitors and blocks unauthorized access.
- ⑤ Encrypt personal information: The personal information of the information provider is encrypted, saved and managed. For highly significant data, a separate security feature is used, such as encoding of the file and data being transmitted, or a file locking mechanism, etc.
- ⑥ Store and inspect access log: POCOG’s staff in charge of handling personal information keeps and manages the access log of the personal information handling system for at least six months. To address any loss, theft, leak, forgery, falsification or damage of personal information, POCOG inspects the access log and similar logs at least once every six months.
- ⑦ Ensure safety measures for personal information management devices: POCOG takes the following safety measures for personal information management devices to prevent loss or damage of personal information (e.g. leakage of personal information):
- 1.Prevent unauthorized access to the personal information management device which is intended to arbitrarily manipulate the device;
- 2. Prevent the use of the information for purposes other than those prescribed herein; and
- 3. Apply security measures to prevent malware from infecting the computer, etc.
- ⑧ Take physical measures for safety: POCOG designates an independent place to store the personal information, and establishes and operates access control procedures therefor. Also, POCOG stores documents and secondary storage devices in a safe place that is secured by locking devices.
- ⑨ Prevent malware, etc.: POCOG, to prevent leakage and damage of personal information through hacking or viruses, installs security programs, performs regular updates and inspections, installs the system in areas where access from the outside is controlled, and physically and technically monitors and blocks unauthorized access, and complies with following subparagraphs:
- 1. Use the automatic update feature of the security program or update the program at least once a day to keep the program up to date;
- 2. Update the security program without delay if malware warnings are issued or the software maker of the application program or the operating system issues a security update notice; and
- 3. Take countermeasures to malware that has been detected, for example, deleting the malware
- ⑩ Operate an organization dedicated to personal information protection
- - POCOG has created a Personal Information Protection Organization, etc. to check the implementation of the Policy on Handling Personal Information and compliance thereof by the responsible staff, so that any issues that are detected can be immediately rectified and remedied.
- - Provided however, POCOG shall not be liable for any damage that is not attributable to POCOG, such as events caused by negligence of the user or outside the control of POCOG, when POCOG has fulfilled all of its obligations to protect personal information.
- ⑪ Inspect the implementation of safety measures: POCOG regularly inspects whether the aforesaid measures for safety are being implemented smoothly.
Article 8 (Rights and Obligations of Information Providers and Matters related to the Method of Exercising such Rights and Obligations)
- ① The information provider may, at any time, exercise the rights associated with protection of personal information as follows:
- 1. Demand for access to personal information;
- 2. Demand for correction upon detection of any error;
- 3. Demand for erasure;
- 4. Demand for cessation of handling the information; and
- 5. Demand for disclosure of the source of information that had been collected from a third-party (added-article 20 of the Act)
POCOG, when handling personal information that has been collected from an entity other than the information provider, notifies the information provider of the following upon demand of the information provider:
- 1) The source of the personal information; and
- 2) The purpose of handling the personal information
- ② The rights under paragraph 1 above can be exercised via written notice, telephone calls, emails, facsimile, etc. to POCOG, upon which POCOG shall take necessary actions without delay.
- ③ If an information provider demands correction or removal of any erroneous personal information, POCOG shall not use or provide the personal information until such correction or removal is completed.
- ④ The rights under paragraph 1 above can be exercised by a legal representative of the information provider or a duly authorized representative of the information provider, upon which the power of attorney in accordance with Schedule 11 of the Enforcement Rule of the Personal Information Protection Act shall be submitted.
- ⑤ The information provider shall not infringe upon the privacy or personal information of himself/herself or a third party being handled by POCOG, in violation of applicable laws and regulations such as the Personal Information Protection Act.
Article 9 (Installation, Operation and Rejection of Automatic Collection Tools for Personal Information)
- ① Cookies
- - POCOG may use “cookies” to store and open at any time the user’s information in order to provide personalized and bespoke services.
- - Cookies refer to tiny text files sent to the browser of the user by the server being used to operate the website, which are saved on the hard disk of the user’s PC. If the user visits the website thereafter, the server of the website reads the details of the cookies saved on the hard disk of the user to maintain the settings of the user and provide customized services.
- - Cookies do not automatically or actively collect personally identifiable information, and users may reject or delete the cookies at any time.
- - The cookies are used to identify the patterns of users’ visits and usage of each service and the website of POCOG; popular search queries; secured connection status; the number of users, etc. to provide optimized and customized information to users, including promotional information
- ③ Rejection of installation or operation of cookies
- - The user reserves the right to accept or deny the installation of cookies. Therefore, the user may set his or her options on the web browser to allow all cookies to be saved, to check each time cookies are saved, or to reject the saving of all cookies.
- - Provided however, in case of rejecting the cookies, the user may be restricted from using some of the services of POCOG which require a log-in.
Article 10 (Matters related to Privacy Officer)
- ① POCOG designates privacy officers and departments responsible for personal information protection as below, to take charge of duties associated with handling personal information, address complaints and damages of information providers in relation to the handling of personal information:
to take charge of duties associated with handling personal information, address complaints and damages of information providers in relation to the handling of personal information:
Privacy officer, Personal information protection departments, Duties in charge
||Personal information protection departments
||Duties in charge
|Name: KIM Daikyun
Dept : PyeongChang Organizing Committee for the 2018 Olympic and Paralympic Winter Games
Phone : 033-350-2018u
Position : Director General, Communications Bureau
Address : 108-27, Olympic-ro, Daegwanryeong-myeon, Pyeongchang-gun, Gangwon-do, Republic of Korea
|Dept : PR Planning Department
Manager : YOO Chehjin
Phone : 033-350-5881
※ Including tasks for inspection request of personal information
|Management of personal information of official website membership(sign-up, cancel for memebership, etc.), Development and provision of various website services(e.g. services which needs personal information to be collected and used, such as events, application of education program, venue tour program, e-mail for public relation, newsletter), Promotion and marketing of other services
- ② Information providers may contact the privacy officer and the department responsible for personal information protection for inquiries and grievances or to remedy damages in connection with personal information protection which have arisen in the process of using the services (or businesses) of POCOG. POCOG shall, without delay, provide an answer and handle the inquiries or grievances.
※ Remedy for infringement of rights or interests: In the event information providers wish to report infringement of personal information or require consultations on such infringement, they are advised to inquire at the following institutions. <The following institutions are independent of POCOG. If information providers are not satisfied with POCOG’s handling of complaints or remedy of damages related to personal information, or if they need more help, they are advised to inquire at the following institutions.>
- - Personal Information Infringement Reporting Center (privacy.kisa.or.kr / 118 without area code)
- - Cyber Investigation Team of the Supreme Prosecutors’ Office (spo.go.kr / 1301 without area code)
- - Cyber Security Bureau of the National Police Agency (cyberbureau.police.go.kr / 182 without area code)
Article 11 (Claim for Access to Personal Information)
- ① The information provider may ask for access to personal information under article 35 of the Personal Information Protection Act to the department responsible for personal information protection. POCOG shall take reasonable measures for prompt handling of the information provider’s request to access personal information.
- ② The information provider may ask for access to personal information via the website of the personal information protection portal of the Ministry of the Interior and Safety (www.privacy.go.kr), in addition to filing the request to the responsible department, etc. as stated in paragraph 1 above.
- ▶ Access the personal information protection portal of the Ministry of the Interior and Safety → Go to “Personal information inquiries” → Click “Demand access to personal information” (real-name verification required through Internet personal identification number)
Article 12 (Applicable Scope)
- ① Members using the services of the official website of POCOG at a third-party server shall also be subject to the Policy on Handling Personal Information.
- ② Collection of personal information by websites operated by third-party institutions whose link is posted on the official website of POCOG shall not be subject to the Policy on Handling Personal Information.
Article 13 (Matters related to Changes to the Policy)
- ① The Policy on Handling Personal Information shall be effective from 1. 11. 2017..
- ② Any addition, amendment or deletion in the Policy on Handling Personal Information shall be announced via the website of POCOG.