Quick Link
SEOUL TOURISM ORGANIZATION

Information Disclosure

Privacy Policy of the Seoul Tourism Organization
The Seoul Tourism Organization (hereinafter referred to as “Organization”) prescribes the following Privacy Policy to protect personal information, rights, and interests of users, as well as to fluently resolve the grievances of users in accordance with the Personal Information Protection Act. When the Organization revises the Privacy Policy, a notification is to be posted on the notice board (or a separate notification) at www.sto.or.kr

Moreover, our Organization respects the rights and interests of users including their rights to request access and rights to request correction of personal information retained by the Organization in accordance with related regulations. In order to receive relief for infringement of rights and interests, the users may request dispute resolution or consultation with the Personal Information Dispute Mediation Committee and the Korea Internet & Security Agency's Personal Information Infringement Reporting Center.

When the Organization revises the Privacy Policy, the period of effectiveness and revised contents are to be disclosed to allow the information subject to easily understand the contents before and after revision.

This Policy takes effect on April 23, 2020.
1. Purpose of Personal Information Processing
Article 1 (Purpose of Personal Information Processing)
The organization processes personal information for the following purposes. The processed personal information shall not be used for purposes other than the purposes listed below, and consent shall be requested in advance if any change is to be made for the purpose of use.
Purpose of Personal Information Processing – No., Task Details with Privacy Data, Purpose of Personal Information Processing
No. Task Details with Privacy Data Purpose of Personal Information Processing
1 Reception and Processing of Inquiries To provide answers to inquiries
2 Website Member Management Member authentication (identification) for use of membership service
3 Advertisement of Seoul Tourism For tourism marketing volunteers, etc.
4 Support Businesses For contacting business associates, etc.
5 Supporters Activity Recruitment of operating personals, etc.
6 Public Contest Hosting of public contests and selection of winners
7 Event Participation and Proceeding Selecting event winner and send event prizes, etc.
8 Newsletter Sending newsletter to subscribers, etc.
9 Support Tourist Activities Reservation of city tour bus, device rental, tourist guide, voucher issuance, etc.
2. Processing of Personal Information, Processing Categories, and Retaining Period
Article 2 (Processing of Personal Information, Processing Categories, and Retaining Period)
The organization stores personal data until the purpose of personal information processing is fulfilled. Provided, that for the following cases that retainment of personal information is required by relevant laws, personal data is stored for a certain period with prior consent from the information subject.

1. When a member withdraws from membership or evicted, the organization preserves personal information for five (5) years from the date of expiration in order to prepare for prevention of abuse of rights, prevention of misuse, disputes, and investigation cooperation.
Processing of Personal Information, Processing Categories, and Retaining Period – No., Task Details with Privacy Data, Items of Collection, Retention Period
No. Task Details with Privacy Data Items of Collection Retention Period
1 Reception and Processing of Inquiries Required: Name, Company Name, E-mail, Mobile Phone Number 3 years
2 Website Member Management Required: E-mail, Name, Mobile Phone Number, Password
Optional: Date of Birth, Nationality, Gender
3 years from membership withdrawal
3 Advertisement of Seoul Tourism Required: SNS Account or E-mail, Name, Mobile Phone Number 5 years
4 Support Businesses Required: Business name, position, email, phone number, mobile number, name, nationality, address, and passport number 3 years
5 Supporters Activity Required: Name, Contacts (Mobile Phone Number, E-mail Address), Gender, Date of Birth/Optional: Education, qualification, history of participation in official events, and personal statement 3 years
6 Public Contest Required: Email, name, affiliation, mobile phone number, and address 5 years
7 Event Participation and Proceeding Required: SNS account or e-mail, name, and mobile phone number 1 years
8 Newsletter Required: E-mail 5 years
9 Support Tourist Activities Required: E-mail, name, date of birth, mobile number, phone number, address, disability registration information, maternal book, resident registration number3 years 3 years
2. The organization preserves the following information for the duration specified below.
   A. Records on termination of contract or agreement: 5 years (Act on the Consumer Protection in Electronic Commerce, Etc.)
   B. Records of payment and supply of goods: 5 years (Act on the Consumer Protection in Electronic Commerce, Etc.))
   C. Records of consumer complaints or dispute settlement: 3 years (Act on the Consumer Protection in Electronic Commerce, Etc.)
   D. Records on advertisement/exposure: 6 months (Act on the Consumer Protection in Electronic Commerce, Etc.)
   E. History of service use, access log, access IP information: 3 months (Protection of Communications Secrets Act)
   F. Tax payment data including taxes and utilities charge: 5 years (Framework Act on National Taxes)

More information on personal information processing can be found on the “personal information file book” below.
View Personal Information File Book of Seoul Tourism Organization
3. Installation, Operation, Rejection of Automatic Data Collector
Article 3 (Installation, Operation, Rejection of Automatic Data Collector)
Seoul Tourism Organization uses “cookies” which frequently saves and find the user data. Cookies are small amount of data sent to the user’s web browser (Such as Netscape, Internet Explorer) by the website, and they may be saved in the hard disk on the user’s PC. When an user access the website, Seoul Tourism Organization reads the cookies on the user’s PC and may provide services without inputting additional information such as by finding additional information of the user on the PC. Although cookies identify the user’s PC, they do not identify the user individually. Also, the user has the right to reject the use of cookies. On the web browser’s Tools > Internet Option Tab, the user has the right to choose to accept all cookies, get notification during each cookie installation, or reject all use of cookies.
4. Provision of Personal Information to a Third Party
Article 4 (Provision of Personal Information to a Third Party)
The organization processes personal information within the scope defined in Article 1 (Purpose of Personal Information Processing) in principle, and does not process the information out of scope or provide the information to a third party without the user’s prior consent.
1. A specific consent is received from the information subject
2. According to a specific regulation in a relevant law
3. The information subject or legal guardian is unable to express his/her opinion or prior consent may not be received due to reasons such as unidentified home address, and the use of information is deemed to be required for life, physical body, or benefit of property for a third party
4. The personal information is provided for purposes of statistics or academic research in a form that a specific individual is indistinguishable
5. The provision of personal information for other purposes or to a third party is required to exercise a task mandated by the laws, and it has been passed from review and resolution of the protection committee
6. The information is required for use in foreign agency or international organization in order to fulfill treaties and other international agreements
7. The information is required for raising and maintenance of prosecution and criminal investigation
8. The information is required for court trials
9. The information is required for execution of sentence, custody, and protective disposition
5. Consignment of Personal Information Processing
Article 5 (Consignment of Personal Information Processing)
The organization shall process the consignment of personal information according to the document with the following items.

1. Items regarding prohibited use of personal information for other purposes than consignment tasks
2. Items regarding management/technical measures of personal information
3. Items regarding safety of personal information
   A. Items regarding the purpose and bounds of consignment tasks, limitation of re-consignment, and safety acquisition of personal information
   B. Items regarding supervision review of personal information obtained for consignment purposes
   C. Items regarding the responsibilities and liabilities for damages of the trustee

The current consignment overview of personal information for this organization is as follow.
Consignment Overview of Personal Information
6. Rights and Responsibilities of the Information Subject and Legal Guardian
Article 6 (Consignment of Personal Information Processing)
1. Information subject (refers to a legal guardian for children under age of 14) may exercise the rights related to the protection of personal information as following.
   A. Request for personal information access
   B. Request for correction/deletion of the personal information
   C. Request for suspension of personal information processing

2. Exercising the above rights may be performed by completing the “Personal Information (Access, Correction/Deletion, Processing Suspension) Request” or by submission through internet, fax, e-mail, phone, written request, visitation to the department in charge, and the organization will process the request immediately.

3. Access of personal information may be directly requested to the department in charge or also through the “General Portal for Personal Information Protection” of the Ministry of Public Administration and Security (www.privacy.go.kr).
Go to the General Portal for Personal Information Protection of the Ministry of Public Administration and Security
4. If the information subject requested for correction or deletion of personal information, then the information shall not be used or provided until the correction or deletion is completed.
   A. The rights to access the personal information or request for processing suspension may be restricted in accordance with the Article 35 (5) and 37 (2) of the Personal Information Protection Act
   B. Correction and deletion of the personal information may not be requested if the information is specified as a subject of collection in other relevant laws.
   C. When requested for access, correction/deletion, suspension of processing per the rights of the information subject, an appropriate authentication of the requester shall be performed.
   D. Exercise of the rights according to the above items may be performed through the legal guardian or rightful delegate of the information subject. In this case, a proof of delegation according to the Attachment 11 of the Enforcement Rule of the Personal Information Protection Act
7. Destruction of Personal Information
Article 7 (Destruction of Personal Information)
The organization shall destroy the personal information when the purpose of personal information processing is fulfilled without delay. The procedure, period, and method of destruction is as follow.

1. Destruction Procedure
The information entered by the user is transferred to a separate storage (device) after the completion of purpose (to a file box for printed data) and destroyed after certain duration of storage per information security according to internal guideline (processing criteria of personal information) and relevant laws. In this case, the personal data transferred to a storage (device) shall not be used for other purposes unless mandated by the laws.

2. Destruction Period
The personal information of the user is destroyed within five (5) days from the retainment period, if this period has passed, and within five (5) days from the date of determination that the use of information is deemed unnecessary, due to reasons such as the fulfillment of the purpose of personal information processing, termination of the respective service, and conclusion of business.

3. Destruction Method
Electronic forms of personal information are deleted using technical means that cannot be restored. Printed data are destroyed in a shredder or a burner.
8. Safety Action for the Personal Information
Article 8 (Safety Action for the Personal Information)
The organization takes the necessary technical, management, physical action in order to secure the safety of personal Information in accordance with Article 29 of the Personal Information Protection Act as follow.

1. Training and minimizing the number of the employees handling personal Information: The organization designates employees that handle personal data, and restrict the task to these employees to minimize the exposure to the personal Information.
2. Restrict access to personal information: The organization is taking action to control the access to personal data by granting, modifying, and expiring access rights to the database system for personal information processing, and controls unauthorized access from external.
3. Access log and prevention of falsification: Access log to the personal information processing system is saved and managed for a minimum of 1 year, and security functions are in place to prevent falsification, theft, and loss of the access log.
4. Entry control for unauthorized personnel: The organization has a physically isolated storage area for personal data, and has established an entrance protocol to control access to this area.
9. Privacy Officer
Article 9 (Actions for Safe Acquisition of Personal Information)
In order to protect the personal data and process complaints regarding the personal information, the organization has designated a privacy responsible and officer as following (privacy officer according to Article 31 (1) of Personal Information Protection Act). However, as specified in the “personal information file of Seoul Tourism Organization,” privacy responsible and officer are designated (specified under “responsible department” and “responsible”) by each personal information file name.
Actions for Safe Acquisition of Personal Information – Category, Privacy Responsible, Privacy Officer
Category Privacy Responsible Privacy Officer
Responsible Department Management Headquarters Management Support Team
Name(Title) Nah Sang-hoon Chief of Headquarters Kim Da-yoong Deputy
TEL 02-3788-0865 02-3788-0854
E-mail shna@sto.or.kr days@sto.or.kr
10. Department for Access Request to Personal Information
Article 10 (Department for Access Request to Personal Information)
Please contact the following department regarding access requests to personal information.

- Main Contact : (02)3788-0800
- Address : Management Support Team, 9F, Narakium Jeodong Building, 340, Samil-daero, Jung-gu, Seoul
11. Relief Action for Infringement on Rights and Interests
Article 11 (Relief Action for Infringement on Rights and Interests)
In order to receive relief for infringement of privacy, information subject may request for dispute resolution or consultation to Personal Information Dispute Mediation Committee and the Korea Internet & Security Agency's Personal Information Infringement Reporting Center. For other report or consultation of privacy infringement, please contact the following agency.

▶ Personal Information Infringement Reporting Center (operated by Korea Internet & Security Agency)
- Task Activities : Report infringement of personal information, and request for consultation
- Website : privacy.kisa.or.kr
- TEL : (without country code) 118
- Address : KISA, 9, Jinheung-gil, Naju-si, Jeollanam-do

▶ Personal Information Dispute Mediation Committee
- Task Activities : Request for personal information dispute resolution, adjust organizational dispute (civil settlement)
- Website : www.kopico.go.kr
- TEL : 1833-6972
- Address : 4F, Central Government Complex, 209, Sejong-daero, Jongno-gu, Seoul

▶ Supreme Prosecutor’s Office Cyber Criminal Investigation Office
- Website : www.spo.go.kr
- TEL : (without country code) 1301
- E-mail : privacy@spo.go.kr

▶ National Police Agency Cyber Security Office
- Website : https://www.police.go.kr/www/security/cyber.jsp
- TEL : (without country code) 182
12. Change of Privacy Policy
Article 12 (Change of Privacy Policy)
1. Any changes to the current privacy policy shall be announced on the “announcement” of the homepage at minimum of seven (7) days before the revision.
2. This privacy policy takes effect on April 23 2020.
3. Previous privacy policy may be viewed below.