General Data Protection Policy
For the purpose of data protection of its users, the Company maintains a record of processing activities (Article 30 of GDPR), designates a Data Protection Officer (DPO) to operate its business in accordance with GDPR (Article 37), implements Data Protection Impact Assessment (DPIA) under the supervision of the DPO and trains its employees for data protection (Article 39).
The Company formulates a legal framework for processing personal data, including sensitive data (Articles 6 and 9), and obtains the explicit consent of the data subject to the processing of his or her personal data (Article 7). It obtains the explicit consent of a data subject in the case of automated individual decision-making, including profiling (Article 22), and obtains the consent of the holder of parental responsibility over a child for the processing of the child’s data, in which case it makes reasonable efforts to verify whether such consent is given or authorized by the lawful person, taking into consideration available technology (Article 8). Additionally, in the case of transfer of personal data to third countries, the Company obtains the explicit consent of the data subject (Article 49).
The Company allows a data subject to exercise his or her rights guaranteed by GDPR as follows: the right to receipt of his or her data (Articles 13 and 14), the right to access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), the right to object (Article 21) and the right not to be subject to an automated individual decision-making, including profiling (Article 22).
The Company complies with the obligations of data protection by design and by default (Article 25) and implements the technical and organizational measures reasonably necessary to prevent data leakage and breaches (Article 32). It notifies the supervisory authority of a personal data breach within 72 hours after having become aware of it (Article 33) and communicates a personal data breach to the data subject without undue delay if the breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34).
Controller and Contact Information
The service provider and controller of personal data is as follows:
Sky Labs (“Company”)
#703, 58, Pangyo-ro 255beon-gil, Bundang-gu, Seongnam-si, Gyeonggi-do, Republic of Korea
The DPO of the Company is as follows:
Collection and Use of Personal Data
- • Personal data provided by users: We collect personal data users provide to us which includes:
- – To verify and authenticate user identity: e-mail address (ID), medical license number, name, date of birth, hospital name, medical department, specialty, country code.
- • Personal data produced or automatically collected by the Company: Besides the data directly provided by users, the Company can produce or automatically collect data related to CART Web services.
- – Equipment information such as records on the use of and access to services, verification records, access IP information, unique number for equipment identification (e.g., equipment ID), OS information (country, language), application version, etc.
- – Log information such as IP address, log data, usage time, cookies and web beacons, etc.
- – Other information such as preference, visited pages, etc.
Method of collection
The Company collects the personal data of users in the following manner (Article 6(1)(a)):
- • Collection through websites with the prior consent of the users
Disclosure of Personal Data
We may disclose users’ personal data for certain purposes and to third parties, as described below:
- • Service Providers: We use other companies, agents or contractors (“Service Providers”) to perform services on our behalf or to assist us with the provision of services to you. For example, we engage Service Providers to provide marketing, advertising, communications, infrastructure and IT services, to personalize and optimize our service, to process credit card transactions or other payment methods, to provide customer service, to collect debts, to analyze and enhance data (including data about users’ interactions with our service), and to process and administer consumer surveys. In the course of providing such services, these Service Providers may have access to your personal data or other information. We do not authorize them to use or disclose your personal data except in connection with providing their services.
- • Partners: Users may have a relationship with one or more of our Partners, in which case we may share certain data with them in order to coordinate with them on providing the service to members and providing information about the availability of the service.
- • Promotional offers: We may offer joint promotions or programs that, in order for your participation, will require us to share your data with third parties. In fulfilling these types of promotions, we may share your name and other data in connection with fulfilling the incentive. Please note that these third parties are responsible for their own privacy practices.
- • Business transfers: In connection with any reorganization, restructuring, merger or sale, or other transfer of assets, we will transfer data, including personal data, provided that the receiving party agrees to respect your personal data in a manner that is consistent with our Privacy Statement.
Necessity of personal data
The personal data provided by users is necessary for the service use contract between a user and the Company and the smooth delivery of the services therein. Users are restricted from using the Company’s services unless they give consent to the collection of essential personal data. However, users may refuse to provide optional personal data, and in such case, they will still be able to use the Company’s services except those that require the provision of optional personal data.
Transfers of Personal Data to Third Countries
The Company may transfer users’ personal data to companies located in other countries, or to other companies, for any purpose specified in this Policy. It will take reasonable measures with respect to the companies to which the personal data is transmitted, or by which it is retained or processed, in order to protect the data.
Based on the above notice, the Company may transfer users’ personal data to the Republic of Korea after obtaining explicit consent for transfer of personal data to third countries (Article 49 Paragraph 1 (a)).
| Transfer detail | Description |
| --- | --- |
| What items of personal data are transferred | All personal data provided by the users or automatically collected by the Company |
| Receiving country | Germany (Frankfurt) |
| Where, when and how personal data is transferred | When personal data is collected, it will be stored in the cloud service |
| Who the recipient is | Amazon Web Services, Inc. |
| Why the recipient uses personal data | To provide cloud service |
| How long the recipient retains and uses personal data | Until termination of provision of cloud service and consignment contract |
Users or their legal representatives, as data subjects, can exercise the following rights regarding the collection, use and disclosure of personal data by the Company:
- • Right to withdraw prior consent (Article 7 (3))
- • Right of access by the data subject (Article 15)
- • Right to rectification (Article 16)
- • Right to erasure (‘right to be forgotten’) (Article 17)
- • Right to restriction of processing (Article 18)
- • Right to data portability (Article 20)
- • Right to object (Article 21)
- • Rights related to automated individual decision-making, including profiling (Article 22)
- • Right to lodge a complaint with a supervisory authority (Article 77)
In order to exercise any of the foregoing rights, users may use the ‘Edit Profile’ menu on the CART Web page, or make a written request to the Company (or the DPO or a representative) using the data subject request form provided by the Company. In such case, the Company shall immediately take action accordingly; provided, however, that the Company may reject such a request if and to the extent there are reasonable grounds prescribed in law or equivalent thereto.
Upon the request from a data subject, the Company must take the following actions:
- • To take actions regarding a request only after authenticating the identity of the data subject (or his or her legal representative);
- • To ask if a subject requires the information to be provided in writing or whether he or she will accept it in an electronic form;
- • To have a standard process for the Company to effectively inspect all relevant systems and to communicate with other departments;
- • To notify a data subject if there is no information that he or she has requested;
- • To formulate reasonable criteria to determine whether to correct or disclose personal data if the personal data requested by a data subject includes the information of other individuals; provided, however, that such data can be disclosed if the other individuals explicitly give their consent thereto. If no explicit consent is available, the Company should consider the impact of such disclosure and the possible breach of others’ personal data, and should document the justification for any such disclosure;
- • To take action in accordance with the request of a data subject in a manner he or she can understand, including the requirements under Article 15;
- • Not to provide the requested information to a data subject through a transfer channel that can be traced. Such information should be disclosed by secure electronic means if individually agreed upon with the data subject; or
- • To document the actions which have been taken for the request of a data subject.
Users or their legal representatives also have the right to lodge a complaint with a supervisory authority (Articles 13(2) and 14(2)(e)).
The Company takes the security of personal data seriously. It has the following security measures in place to prevent unauthorized access to, or disclosure, use or alteration of, personal data (Article 32).
- • To formulate countermeasures against hacking
- – To install systems in a zone to which external access is strictly restricted, so as to prevent users’ personal data from being leaked or damaged by hacking or computer viruses
- • To establish and implement internal management plans
- – To conduct regular (semiannual) internal audits to ensure personal data is processed safely
- – To keep the number of employees processing personal data to a minimum and to train them
- • To install and operate access control systems
- – To take the actions necessary to restrict access to personal data, such as the grant, change or termination of the right to access the database system used for personal data processing
- – To designate a physical place for storing personal data, to restrict access to it by unauthorized persons, and to establish and operate an access control procedure for it
- – To install and operate an enterprise-wide DLP solution
- • To take measures to prevent the forgery or alteration of access records, and to collect and store log records, through the installation of the Endpoint Protector security program.
Data Breach Escalation and Checklist
Articles 33 and 34 specify that, in the case of a personal data breach, the controller should without undue delay notify the supervisory authority of the breach and communicate the breach to the data subject. To this end, the Company takes action regarding personal data breaches before and after the occurrence of such an incident in accordance with the following checklist:
- • Preparing for a data breach
- – To prepare a method to recognize a data breach;
- – To prepare a detailed response plan for addressing any personal data breach that may occur;
- – To allocate responsibility for managing breach to a dedicated person or team; and
- – To train staff to know how to escalate a security incident to the appropriate person or team in the organization that can determine whether a breach has occurred
- • Response to a data breach
- – To have in place a process to assess the likely risk to data subjects as a result of a breach;
- – To have in place an internal process to notify the Information Commissioner’s Office (ICO) of a breach within 72 hours of becoming aware of it;
- – To have a Breach Notification Form to be submitted to the Supervisory Authority (ICO) if a data breach occurs;
- – To have a process to communicate the personal data breach to the affected individuals without undue delay;
- – To know what information about a breach the Company must provide to individuals, and to provide advice to help them protect themselves from its effects; and
- – To document all breaches
- • Process of report and notification of data breach
- – To contact the relevant supervisory authority of a breach within 72 hours after having become aware of it;
- – To directly contact the individuals affected by a breach if it is likely to result in a high risk to their rights and freedoms; and
- – To have in place a Breach Notification Form to the Supervisory Authority and a Breach Notification Form to the Data Subject.
CART Web is designed for adults who are over 19 years of age and is not directed to children. However, if the Company learns that any personal data of children has been collected through CART Web, it will take the appropriate steps to delete this data.
If the Company nevertheless collects, for the provision of its services, any personal data of children, it will comply with the following procedures for the protection of children’s personal data (Article 8):
- • To verify, within the scope of reasonable efforts, whether a child is subject to a guardian’s consent and whether such guardian is authorized;
- • To have the consent from a child’s parent or guardian to collect the child’s personal data or to provide the child with product information and the Company’s services directly;
- • To grant a child’s legal representative the right to access, correct, delete or temporarily suspend the processing of the child’s personal data, and the right to withdraw the prior consent of the representative; and
- • To limit the collection of personal data to the extent solely required for the participation in online activities
The Company may use users’ personal data to create individual or collective profiles (hereinafter referred to as “profiling”) for the purpose of identifying how to provide users with better services, for example by providing users with customized service content based on an analysis of which aspects of the Company and/or its services most attract users, and of the patterns in which users use the services. In addition, the Company uses personal data for the following purposes: to create user clusters to identify users’ interest in the Company’s products and/or services; to analyze the market and statistics; or to enhance the Company’s services (all websites, etc.). The processing of personal data for profiling is carried out in line with the guarantees and measures specified in applicable law (Article 22).
Data Retention Policy
For the purpose of protecting users’ data, the Company complies with the principle of Data Minimisation where the processing of personal data should be appropriate and limited to the extent solely necessary for the purposes for which the data are processed (Article 5 Paragraph 1 (c)). To this end, the Company abides by the following retention policy:
- • All personal data processed by the Company is subject to and protected by the Company’s retention policy for members.
- • Personal data are retained for no longer than is necessary for the purposes for which the personal data are processed. The Company will immediately destroy the personal data once the user deletes his or her account on CART Web. However, the personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (Article 5 Paragraph 1 (e));
- • The Data Protection Officer designates a strict retention period for the storage of users’ personal data, and the Company does not retain the data beyond the period for which it is required. The Company monitors compliance with the retention period on a regular basis and, where the data is no longer necessary, deletes it in a safe manner (Recital 39);
- • The Company schedules regular reviews of stored data to determine whether the data is still required;
- • The Company immediately destroys especially sensitive data, including sexual orientation, race, beliefs, health information, etc., and does not retain such data for longer than is necessary;
- • The Company complies with relevant regulations, such as the GDPR, in relation to the retention of users’ personal data.
The Company trains and monitors employees, including the HR department staff who handle the personal data of the Company’s employees, so that they handle both users’ personal data and employees’ personal data in compliance with the GDPR (Article 39). The Company documents records of all employee training (date, time, list of subjects, list of attendees, contents of training, subject of training, role of the DPO).
Cookies and Internet Advertising
The Company may collect aggregated, non-personal data through ‘cookies’ or ‘web beacons.’
Cookies are small text files sent to a user’s browser by the server used to operate the Company’s websites and stored on the hard disk of the user’s computer.
Web beacons are small pieces of code embedded in websites and e-mails. By using web beacons, we can identify whether a user has interacted with certain web pages or with the contents of an e-mail.
These functions are used to evaluate and improve services and to customize the user experience, so that the Company can provide improved services to users.
The items of cookies to be collected by the Company and the purpose of such collection are as follows:
- • Required cookies: These cookies are strictly necessary for users to use the functions of the Company’s website. No services such as shopping cart or electronic bill payment can be provided to a user unless he or she accepts these cookies. These cookies do not collect any data that can be used for marketing, nor do they record the sites that users have visited.
- – To retain the data entered in an order form while searching other webpages during the web browser session
- – To retain the purchased services for the webpage of products and checkout
- – To verify whether a user logs onto the website
- – To ensure that a user is connected to the correct service on the Company’s website if the Company makes any change in the operation of its website
- – To connect the users to a certain application or server of the services
- • Performance cookies: These cookies collect data on how users use the Company’s website, such as the webpages most frequently visited. Such data helps the Company optimize its website so that users can search more conveniently. These cookies do not collect any data that identifies users; all data collected by these cookies is anonymous, since it is processed in aggregate.
- – Web analysis: to provide statistical data on how to use the website;
- – Advertisement response fee: to confirm the effect of the Company’s advertisement;
- – Tracking affiliates: to provide the Company’s affiliates with anonymous feedback that a visitor to the Company’s website has visited an affiliate’s website;
- – Error management: to identify errors which have occurred in order to improve the Company’s website; or
- – Design testing: to test other designs of the Company’s website
- • Functionality cookies: These cookies are used to store settings in order to provide services and improve the user experience. No data collected by these cookies identifies individual users.
- – To store changed settings such as layout, text size, basic settings and colors; or
- – To store the results of a survey conducted by the Company and completed by the user
- • Targeting cookies: These cookies are connected with services provided by a third party, such as ‘like’ and ‘share’ buttons. The third party recognizes the user’s visit to the Company’s website in order to provide such services.
- – To allow social networks connected to such cookies to use the user’s visit information, thus placing advertisements targeted at the user; or
- – To provide the user’s visit information to advertising agencies so that the agencies can suggest tailored advertisements likely to interest the user
Users have the following options for cookie installation: accepting all cookies, confirming each cookie before it is saved, or refusing the storage of all cookies; provided that such refusal may limit the user’s ability to use parts of the services provided by the Company.
The latest update date: 01 November, 2021