iSOBER Privacy Policy
This
Privacy Policy explains how Sentech Korea Inc. (“the Company”) processes
the personal data of its users, including without limitation, the options that
a user selects for the collection, use and disclosure of his or her certain data.
Controller
and Contact Information
The
service provider and controller of personal data is as follows:
Sentech Korea Corp.(“the
Company”)
21-6, Jimok-ro
75beon-gil, Paju-si, Gyeonggi-do, 10880, Republic of Korea
The DPO of the Company is as follows:
Keun Hyung Park
Director
+82 31 8071 4400 / rndsupport@sentechkorea.com
•
If you have questions about your account in general, how
to contact customer service for assistance, questions specifically about this
Privacy Notices, or our use of your personal data, cookies or similar
technologies, please contact our Data Protection Officer(DPO, Keun Hyung Park, Director). If you contact us for assistance,
we may need to authenticate your identity before fulfilling you request for your
safety and ours.
Collection
and Use of data
We
receive and store data about users such as:
-
To verify and authenticate of user identity and
for user contact; user Email address of the SNS account(Facebook, Google) the user linked
to iSOBER application,
-
To provide iSOBER services; name, telephone number, address, location,
picture, Alcohol level data measured via iSOBER application, Information of Breathalyzer
·
Personal data produced
or automatically collected by the Company: Besides the personal data directly provided
by users, the Company can produce or automatically collect data related to iSOBER services which
includes:
- Log information
such as IP address, mobile’s model and OS version, usage time.
Method of
collection
The Company collects the personal data of users in the following manner (Article 6(1)(a)):
•
Collection
through mobile devices with the prior consent of the users
Disclosure of Personal
Data
We may disclose users’
personal data for certain purposes and to third parties, as described below:
· Service Providers: We use other companies, agents or
contractors ("Service Providers") to perform services on our behalf
or to assist us with the provision of services to you. For example, we engage
Service Providers to provide marketing, advertising, communications, infrastructure
and IT services, to personalize and optimize our service, to provide customer
service, to analyze and enhance data (including data about users' interactions
with our service), and to process and administer consumer surveys. In the
course of providing such services, these Service Providers may have access to
your personal data or other information. We do not authorize them to use or
disclose your personal data except in connection with providing their services.
· Partners: Users may have a relationship with one or
more of our Partners, in which case we may share certain data with them in
order to coordinate with them on providing the service to members and providing
information about the availability of the service.
· Protection of The Company and others:The Company and its Service Providers may
disclose and otherwise use your personal data and other information where we or
they reasonably believe such disclosure is needed to (a) satisfy any applicable
law, regulation, legal process, or governmental request, (b) enforce applicable
terms of use, including investigation of potential violations thereof, (c)
detect, prevent, or otherwise address illegal or suspected illegal activities
(including payment fraud), security or technical issues, or (d) protect against
harm to the rights, property or safety of The Company, its users or the public, as required
or permitted by law.
Necessity of personal
data
The personal data provided by users is necessary for the service use
contract between a user and the Company and the smooth
delivery of the services therein. Users are restricted from using the Company’s
services unless they give consent to the collection of essential personal data.
However, users may refuse to provide optional personal data, and in such case, they
will still be able to use the Company’s services except those that require the provision
of optional personal data.
Transfer
of Personal Data to Third Countries
The Company may transfer
users’ personal data to companies located in other countries or other companies
for any purpose specified in this Policy. It will take reasonable measures to
the companies where the information is transmitted, retained or processed in
order to protect the information.
In particular, the Company transfers all
personal data provided by the users or automatically collected by the Company to
the Republic of Korea, where the Company is situated in. The Republic of Korea
have not received an adequacy decision from the European Commission, and the
Privacy laws of the Republic of Korea do not stipulate all the rights of data
subjects and principles of information processing as defined by the GDPR. However,
the Company fully complies to the GDPR through this Privacy Policy, and users
are entitled to all protections based on the GDPR.
Based on the above notice, the Company
may transfer users’ personal data to the Republic of Korea after obtaining
explicit consent for transfer of personal data to third countries (Article 49 Paragraph
1 (a)).
Users’ rights
Users or their
legal representatives, as data subjects, can exercise the following rights
regarding the collection, use and disclosure of personal data by the Company:
•
Right of access by
the data subject (Article 15);
•
Right to rectification
(Article 16)
•
Right to erasure
(‘right to be forgotten’) (Article 17)
•
Right to
restriction of processing (Article 18)
•
Right to data
portability (Article 20)
•
Right to object
(Article 21)
•
Rights related to
automated individual decision-making, including profiling (Article 22)
•
Right to withdraw
prior consent (Article 7(3))
In order to exercise
any of the foregoing rights, make a written request to the Company (or the DPO,
representative) using the data subject request form provided by the Company. In
such case, the Company shall immediately make actions accordingly: provided, however,
that the Company may reject such request if and to the extent
there are reasonable grounds prescribed in law or equivalent thereto.
Upon the request
from a data subject, the Company must take the following actions:
·
To take actions regarding
a request only after authenticating the identity of the data subject (or his or
her legal representative);
·
To ask if a
subject requires the information to be provided in writing or whether he or she
will accept it in an electronic form;
·
To have a
standard process for the company to effectively inspect all relevant systems
and to communicate with other departments;
·
To notify a data
subject if there is no information that he or she has requested;
·
To formulate
reasonable criteria to determine whether to correct or disclose personal data
if the personal data requested by a data subject includes the information of
other individuals; provided however, such data can be disclosed if the other
individuals explicitly give the consent thereto. The company should consider
the impact of such disclosure and the possible breach of others’ personal data
if no explicit consent is available, in which case, it should document the
justification of such disclosure;
·
To take actions
in accordance with the request of a data subject in such a manner as he or she
can understand, including the requirements under Article 15;
·
To make no
available the transfer system which can be traceable in case of providing a
data subject with the information he or she has requested. Such information
should be disclosed in a safe electronic means if individually agreed upon with
the data subject; or
·
To document the
actions which have been taken for the request of a data subject.
Also users or
their legal representatives have the right to lodge a complaint with a
supervisory authority (Article 13(2) and 14(2)(e)).
Security
The Company takes the security
of personal data seriously. It has the following security measures to prevent
the unauthorized access to, or disclosure, use or change of the personal data (Article
32).
·
To formulate
countermeasures against hacking
-
To install a
system in the zone to which the external access is strictly restricted so as to
prevent users' personal data from leakage or damage by hacking or computer
viruses
·
To establish and
implement internal management plans
-
To conduct
regular internal audit (semiannual) to safely process personal data
-
To keep minimal
the number of employees processing personal data and educate them
·
To install and
operate access control systems
-
To take
necessary actions to restrict the access to the personal data, such as the
grant, change or termination of the right to access the data base system of personal
data processing
-
To keep the
documents, storage devices, etc. which include personal data in a safe place
with a lock
-
To designate
a physical place of storing personal data to restrict the access by
unauthorized persons and to establish and operate such access control procedure
-
Enterprise-wide DLP solution installation and
operation
·
Take measures to
prevent forgery or alteration of access records and store and collect log records
through the installation of Endpoint Protector, a security program.
Children
The Company’s products and services are intended for use by
individuals 14 years of age and older, and those under the age of 14 are not
eligible to use any of our service. In principle, the Company does not collect
any personal data from children. However, if the Company learns that any
personal data of children has been collected through iSOBER application, it
will comply with the following procedures for the protection
of children’s personal data (Article 8):
·
To verify if a
child is subject to the guardian’s consent and such guardian is authorized,
within the scope of reasonable efforts;
·
To have the
consent from a child’s parent or guardian to collect the child’s personal data
or to provide the child with product information and the Company’s services
directly;
·
To notify
parents or guardian of the Company's privacy policy for children, including the items, purpose and
disclosure of collected personal data;
·
To grant a
child’s legal representative the right to access, correct or delete or
temporally suspend the processing of, the child’s personal data or the right to
withdraw the prior consent of the representative; and
·
To limit the
collection of personal data to the extent solely required for the participation
in online activities
Profiling and
automated decisions
The Companydoes not use users’ personal data to create
individual or collective profiles (hereinafter referred to as “profiling”) for
the purpose of profiling and making automated decisions.
Data Retention Policy
For the purpose
of protecting users’ data, the Company complies with the principle of Data Minimisation where the processing
of personal data should be appropriate and limited to the extent solely necessary
for the purposes for which the data are processed (Article 5 Paragraph 1 (c)).
To this end, the Company
abides by the following retention policy:
·
All personal
data processed by the Company is subject to and protected by the Company’s Members’
retention policy.
·
Personal data are
retained
for no longer than is necessary for the purposes for which the personal data
are processed. The Company
will immediately destroy the personal data once the user deletes his or her account
on iSOBER application. However, the personal data may be stored for longer
periods insofar as the personal data will be processed solely for archiving
purposes in the public interest, scientific or historical research purposes or
statistical purposes subject to implementation of the appropriate technical and
organizational measures required by this Regulation in order to safeguard the
rights and freedoms of the data subject (Article 5 Paragraph 1 (e));
·
The Company abides by the methods set forth in
the ‘Security’ part of this Privacy Policy to delete physical and digital data;
·
The Data
Protection Officer designates the strict retention period regarding the storage
of users’ personal data and does not retain the data more than the period which
requires the data. The Companymonitors the compliance regarding the
data retention on a regular basis and deletes the data, if no longer necessary,
in a safe manner (Recital Article 39);
·
The company
schedules regular review of stored data to determine whether the data is still
required;
·
The company
immediately destroys especially sensitive data including sexual orientation,
race, beliefs, health information, etc. and does not retain the data for no
longer than is necessary;
·
The company
forthwith takes the actions set forth in the ‘User’s right’ part of this
Privacy Policy if a user exercises his or her right guaranteed by GDPR as a
data subject;
·
The company is
in compliance with relevant regulations such as GDPR, etc. in relation to the
retention of users’ personal data;
·
The company makes
sure that all employees are aware of the data retention policy prescribed in
this Privacy Policy and GDPR;
·
The company sets
this Privacy Policy by documenting a GDPR data retention policy. This Privacy
Policy may need to be provided to regulators in the event of an audit or
investigation of a complaint of a user or an employee; and
·
This Privacy
Policy may be used as proof that the company complies with the requirements of
GDPR.
Privacy Policy related
to the Company’s employees
The Company
educates and monitors employees including the HR department that handle
personal data of the Company’s employees not only to handle users’ personal
data but also employees’ personal data in compliance with the GDPR (Article 39).
The Company documents the records that manage all training-related contents for
employees (date, time, list of subjects, list of attendees, contents of
training, subject of training, role of DPO).
The company
delivers this Privacy Policy to its employees, either in hard copy documents or
electronically. Employees who process personal data have the right, for
example, to request the employer to correct incorrect information regarding
that personal data.
Modification of
Privacy Policy
The Company has the right to amend or modify this
Privacy Policy from time to time, in which case, the Company will make a public notice of it through iSOBER application (or through individual notice in
writing by e-mail) and have the consent of the users if required by relevant
law.
The latest
update date: (2021.12. 02.)