Privacy Policy

2025/07/21

<CIS Co., Ltd.> (hereinafter referred to as “the Company”) establishes and discloses personal information processing guidelines in order to protect the personal information of information subjects in accordance with Article 30 of the Personal Information Protection Act, to promptly and smoothly handle related complaints, and to comply with domestic and international laws related to personal information. Through the Personal Information Processing Policy, the Company informs customers about how the personal information collected from them is processed and for what purposes, as well as the measures taken to protect their personal information. The Personal Information Processing Policy may be revised in accordance with changes in laws, policies, and internal company guidelines. In the event of any revisions to the Personal Information Processing Policy, the Company will notify customers through the company’s website.

Article 1. Purpose of Personal Information Processing

1. Personal information is processed for the purpose of contacting/notifying the reporter to confirm their identity and the report, and to investigate the facts for the purpose of operating/managing the cyber complaint center and notifying the reporter of the results of the investigation.
2. Personal information is processed for the purpose of managing and analyzing the website, preventing crimes or accidents, preventing misuse, preventing malicious access attempts and intrusions, and analyzing user visits and usage patterns in accordance with the services provided on the website.

Article 2. Scope of Application

This processing policy applies only to the following persons.

1. 1. Users and visitors of our website

Article 3. Definition of Terms

1. Personal Information: Information about living individuals, such as names, resident registration numbers, and images, that can be used to identify individuals (including information that cannot identify specific individuals on its own but can be easily combined with other information to identify individuals).
2. Processing: The collection, creation, recording, storage, retention, processing, editing, retrieval, output, correction, restoration, use, provision, disclosure, destruction, or other similar acts involving personal information.
3. Data Subject: The individual who can be identified by the information being processed.
4. Personal Information File: A collection of personal information that has been systematically arranged or organized according to certain rules to facilitate retrieval.

Article 4. Rights/Obligations of Information Subjects and Legal Representatives and Methods of Exercising Such Rights

1. Information subjects may exercise their rights to access, correct, delete, or request the processing of their personal information at any time.
2. The exercise of the rights specified in Paragraph 1 may be conducted in writing, via email, or by facsimile (FAX) in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the company will take prompt action in response.
3. The rights specified in Paragraph 1 may be exercised through a legal representative or an authorized agent. In such cases, a power of attorney in the format specified in Appendix 11 of the Enforcement Rules of the Personal Information Protection Act must be submitted.
4. Requests for access to and suspension of processing of personal information may be restricted in accordance with Article 35, Paragraph 15 and Article 37, Paragraph 2 of the Personal Information Protection Act.
5. Requests for correction or deletion of personal information cannot be made if such personal information is specified as a collection target in other laws and regulations
6. When receiving requests for access, correction/deletion, or suspension of processing based on the rights of data subjects, the company verifies whether the person making the request is the data subject themselves or a legitimate representative.
7. If a customer requests correction or deletion of personal information due to errors, etc., the company shall not use or provide such personal information until the correction or deletion is completed.
8. Customers shall not violate the Personal Information Protection Act or other relevant laws and regulations by infringing on their own or others’ personal information and privacy that is being processed by the company.

Article 5. Personal Information Processing Items and Retention Period

1. Customer consultation and request processing: 3 years after consultation and request processing is completed
2. Cyber complaint center operation/management: 1 year of storage for reported cases
3. Website management and analysis, crime or accident prevention: 1 year after collection

Article 6. Destruction of Personal Information

1. The Company shall destroy personal information without delay when it is no longer necessary due to the expiration of the retention period or the achievement of the purpose of processing.
2. Personal information obtained with the consent of the information subject shall be transferred to a separate database (DB) or stored in a different location when it is necessary to continue to retain the personal information in accordance with other laws and regulations, even after the retention period has expired or the purpose of processing has been achieved.
3. The procedures and methods for the destruction of personal information are as follows.
4. Destruction procedure: The company selects personal information for which the grounds for destruction have arisen and destroys it after obtaining the approval of the company’s personal information protection officer.
5. Destruction method: The company destroys personal information recorded/stored in electronic file format by using methods such as low-level formatting (Low Level Format) to prevent the records from being reproduced, and destroys personal information recorded/stored on paper documents by shredding them with a shredder or incinerating them.
   1. Destruction method: The company destroys personal information recorded/stored in electronic file format by using methods such as low-level formatting (Low Level Format) to prevent the records from being reproduced, and destroys personal information recorded/stored on paper documents by shredding them with a shredder or incinerating them.
   2. Destruction method: The company destroys personal information recorded/stored in electronic file format by using methods such as low-level formatting (Low Level Format) to prevent the records from being reproduced, and destroys personal information recorded/stored on paper documents by shredding them with a shredder or incinerating them.

Article 7. Measures to Ensure the Security of Personal Information

In accordance with Article 29 of the Personal Information Protection Act and Article 30 of the Enforcement Decree, the Company takes the following technical, administrative, and physical measures necessary to ensure security.

1. We designate a minimum number of personal information processing officers and provide them with regular training to ensure compliance with personal information processing guidelines.
2. We establish and implement internal management plans to ensure the safe processing of personal information.
3. Personal information is securely stored and managed through encryption, and important data is encrypted during storage and transmission.
4. To prevent the leakage or damage of personal information due to hacking or computer viruses, we install security programs and monitor and block such threats through regular updates and inspections.
5. To prevent the leakage or damage of personal information due to hacking or computer viruses, we install security programs and monitor and block such threats through regular updates and inspections.
6. To prevent the leakage or damage of personal information due to hacking or computer viruses, we install security programs and monitor and block such threats through regular updates and inspections.
7. To prevent the leakage or damage of personal information due to hacking or computer viruses, we install security programs and monitor and block such threats through regular updates and inspections.

Article 8. Personal Information Protection Officer

1. The Company is responsible for overseeing all matters related to the handling of personal information and has designated the following Personal Information Protection Officer to handle customer complaints and provide relief for damage related to the handling of personal information.

Personal Information Protection Officer:
(Head) Lee Ho-kyu, Team Leader, Human Resources Planning Team / 053-245-1161 / hg7983@cisro.co.kr
(Deputy) Kim Won-seok, Assistant Manager, Human Resources Planning Team / 053-245-1162 / wjrmdbwj2503@cisro.co.kr

System Security Officer:
(Head) IT1 Part Manager Yong-Woon Jeong / 053-245-1152 / jungmin.kim@cisro.co.kr
(Deputy) Information Infrastructure Team Assistant Manager Chang-Wook Park / 053-245-1153 / soyeong.an@cisro.co.kr

1. If the personal information protection officer becomes aware of any violation of relevant laws and regulations related to personal information protection, he or she shall immediately report it to the company and take corrective measures.
2. You may contact the personal information protection officer and the department in charge with any inquiries, complaints, or requests for compensation related to personal information protection that arise while using the company’s services. The company will respond to and handle inquiries from information subjects without delay.

Article 9. Changes to the Personal Information Processing Policy

This Personal Information Processing Policy was established on February 1, 2024, and in the event of additions, deletions, or revisions to its contents due to the enactment or revision of laws, changes in government policy, or changes in company internal policies, we will notify you of the reasons for the changes and the details through the company’s groupware at least seven days prior to the revision.

1. Effective Date of the Personal Information Processing Guidelines: April 1, 2012
2. First Revision Date of the Personal Information Processing Guidelines: April 1, 2015
3. Second Revision Date of the Personal Information Processing Guidelines: February 1, 2024
4. Third Revision Date of the Personal Information Processing Guidelines: July 21, 2025