Privacy Policy of SM Brand Marketing Co., Ltd.

1. Purpose of the Privacy Policy

  ① SM Brand Marketing Co., Ltd. (hereinafter referred to as "the Company") values the personal information of users and strives to manage and protect it effectively and securely to ensure the safety of user information.
  ② The Company complies with the relevant laws and guidelines related to the protection of personal information, such as the Personal Information Protection Act, the Act on Promotion of Information and Communication Network Utilization and Information Protection, and other applicable laws.
  ③ According to this Privacy Policy, the Company informs users of the purposes and methods of using the personal information provided by users who utilize the inquiry service (hereinafter referred to as "the Service") and explains the measures taken to protect personal information.
  ④ The Company makes this privacy policy easily accessible to users by posting it on the Company's website.

2. Collection of Personal Information and Methods for Collection

  ① The Company collects the minimum personal information necessary for smooth reception of inquiries and provision of responses.
    1. Personal information collected when using the 'Inquiry' service
      - Mandatory information: Name, email, mobile phone number
  ② The Company collects personal information through the following methods.
    1. When a user directly inputs and submits information to use a service.

3. Purposes of Collection and Use of Personal Information

The Company utilizes the collected personal information for the following purposes. The processed personal information will not be used for purposes other than the one listed below, and in the event of any changes in the purposes, necessary measures, including obtaining consent from users in advance, will be taken.

  ① Smooth reception of inquiries and provision of responses through the 'Inquiry' service.

4. Matters Regarding the Provision of Personal Information to Third Parties

  ① The Company uses the user's personal information within the scope notified in the 'Purposes of Collection and Use of Personal Information' and does not exceed this scope or disclose the user's personal information to external parties without the user's prior consent. However, exceptions may apply in the following cases:
    1. When users have previously agreed to a disclosure;
    2. When required by law or in response to a request from investigative agencies according to the procedures and methods prescribed by law for investigative purposes.
  ② If the Company needs to provide the user's personal information to a third party beyond the scope mentioned above, it will be done after obtaining the user's consent.

5. Matters Regarding the Transfer of Personal Information Outside the EU

Pursuant to the European Union (EU) adequacy decision on the protection of personal data for South Korea, the Company may transfer the personal information of users from the EU without any separate procedures.

6. Outsourcing of Collected Personal Information

  ① The Company does not outsource collected personal information.

7. Retention and Use Period of Collected Personal Information

  ① The Company processes and retains personal information within the period specified under the law or the consent obtained from the data subject at the time of collecting personal information. However, the Company retains the following information for the specified period for the reasons stated below:
    1. Reason for retention of information based on related laws:
      In cases where it is necessary to retain user information under the provisions of related laws such as the Electronic Commerce Act and the Protection of Communications Secrets Act, the Company keeps the information for a certain period as stipulated by the related laws. In such cases, the Company utilizes the stored information only for retention, and the retention periods are as follows:
      - Records related to consumer complaints or dispute resolution: Electronic Commerce Act, Retention Period: 3 years
      - Records related to visits (telecommunications traffic data): Protection of Communications Secrets Act, Retention Period: 3 months

8. Destruction Procedure of Personal Information and Method Thereof

  ① The Company promptly destroys applicable personal information when the retention period expires or when the personal information becomes unnecessary due to the achievement of the collection and usage purposes.
  ② Destruction Procedure
    1. Information entered by users is destroyed without delay when the purposes of collecting and using personal information are achieved, and it is not used for any other purposes except as required by law.
    2. The Company selects personal information for destruction when the reasons for destruction arise, obtains approval from the Company's personal information protection manager, and proceeds with the destruction.
  ③ Destruction Method
    1. Printed personal information shall be shredded or incinerated, and electronically stored personal information shall be deleted using technology that ensures the irreversibility of the records.

9. Rights and Obligations of Users and Legal Representatives and Methods of Exercising Them

  ① In accordance with Article 35, Paragraph 1 of the Personal Information Protection Act, users may at any time exercise against the Company their rights to access, correct, delete, transfer, and request the suspension of processing of their personal information.
  ② The rights mentioned in Paragraph 1 may be exercised through the 'Inquiry' section on the Company's website. Users may also refuse consent or request the withdrawal of consent for the collection and use of personal information. However, doing so may affect the use of some or all of the services.
  ③ Users may request access, correction, deletion, transfer, or suspension of processing of personal information in writing, via email, facsimile (FAX), and other applicable means in accordance with Article 41 (1) of the Enforcement Decree of the Personal Information Protection Act. The Company will promptly take action in response to such requests.
  ④ If a user requests correction of personal information due to an error, the Company will not use or provide the relevant personal information until the correction is complete. If incorrect personal information has already been provided to a third party, the Company will promptly notify the third party of the correction results to ensure that the correction is reflected.
  ⑤ Personal information that has been terminated or deleted at the user's request is securely processed in accordance with relevant laws and regulations, and access or use for purposes other than those specified is restricted.
  ⑥ In accordance with Article 37-2 of the Personal Information Protection Act, users may refuse a decision or request an explanation from the Company when the decision is made by processing personal information through an automated system, including a system with artificial intelligence technology, and the decision significantly impacts the user's rights or obligations.
  ⑦ The rights mentioned in Paragraph 1 can be exercised through a legal representative or an agent authorized by the user. In this case, a power of attorney according to the format specified in Form No. 11 of the Enforcement Rules of the Personal Information Protection Act shall be submitted.
  ⑧ Access to personal information and requests for suspension of processing of personal information may be restricted in accordance with Article 35 (5) and Article 37 (2) of the Personal Information Protection Act.
  ⑨ Requests for correction and deletion of personal information cannot be made if the collection of such personal information is explicitly stated as a target of the collection in other laws.
  ⑩ The Company verifies that the person making requests for access, correction, deletion, transfer, or suspension of processing of personal information is the principal or a legitimate representative in accordance with the user's rights.

10. Various Rights of Users within the EU

  ① Users within the EU have the right to exercise various rights related to personal information under Articles 15 to 22 of the GDPR, including the right to provide, access, correct, delete (right to be forgotten), restrict processing, transfer, object, and not be subject to automated decision-making, including profiling.
  ② However, the Company may not delete some personal information if it falls under one of the following exceptions to the right to erasure (right to be forgotten) in Article 17 of the GDPR:
    A. Processing of personal information is necessary for legal compliance;
    B. Processing of personal information is necessary for the exercise or defense of legal claims.

11. Technical and Administrative Measures to Protect Personal Information

To ensure the protection of personal information, the Company has implemented the following technical and administrative measures in handling users' personal information, aiming to prevent loss, theft, leakage, alteration, or damage.

  ① Technical Measures
    1. The Company makes every effort to prevent the leakage or damage of users' personal information due to hacking, computer viruses, or similar threats. Regular backups are performed to prepare for potential data loss, and up-to-date antivirus programs are employed to prevent leakage or damage of users' personal information. Encrypted communication is also utilized to transmit personal information over the network securely. Additionally, an intrusion prevention system is employed to control unauthorized access from external sources, and various technological measures are in place to enhance overall system security.
  ② Administrative Measures
    1. The handling of personal information is restricted to a designated representative within the Company. Passwords are assigned and regularly updated for the management. The representative takes training regularly to comply with the Privacy Policy.
    2. The Company has appointed a manager for the Privacy Policy. The implementation of the policy is always checked to verify compliance, and the Company is committed to making efforts to correct and rectify any issues as soon as they are discovered. Please note that the Company does not assume any responsibility for any issues arising from the user's negligence or internet-related problems leading to the leakage of personal information.

12. Information Regarding the Installation/Operation and Rejection of Automatic Collection Devices for Personal Information

The Company does not use any automatic collection devices, such as cookies, to store and retrieve user information.

13. Additional Use and Provision

  ① Under Article 15 (3) and Article 17 (4) of the Personal Information Protection Act, and Article 14-2 of the Enforcement Decree of the Personal Information Protection Act, the Company may use or provide personal information additionally without the user's consent.
  ② When considering additional use or provision of personal information without the user's consent, the Company shall consider the following factors:
    1. Whether there is predictability regarding the additional use or provision of personal information based on the circumstances of the collection or processing practices;
    2. Whether the additional use or provision of personal information unduly infringes on the user's interests;
    3. Whether measures for ensuring security, such as anonymization or encryption, have been implemented.

14. Links to Other Sites

The Company may provide links to websites of other companies or materials through the service. In such cases, the "Privacy Policy" of the linked site is unrelated to the "Privacy Policy" of the Company's service. Therefore, the "Privacy Policy" of the newly visited site shall be reviewed.

15. Personal Information Protection Manager

  ① The Company designates a Personal Information Protection Manager responsible for collecting opinions and handling complaints regarding personal information.
    1. Personal Information Protection Manager
      - Name: JUNGWOO KIM
      - Position: Executive
      - E-mail: responsibility@smtown.com
  ② Users can make requests for access to personal information under Article 35 of the Personal Information Protection Act to the following department. The Company will make efforts to promptly process users' requests for access to their personal information.
    1. Requests Processing for Access to Personal Information
      - Company: SM BRAND MARKETING Co., Ltd.
      - Department in charge: Service Planning and Operations Team
      - E-mail: responsibility@smtown.com

③ Other Reporting and Counseling Organizations for Breaches of Personal Information

  1. Personal Information Dispute Mediation Committee (http://www.kopico.go.kr/ Phone: 1833-6972 without area code)
  2. Personal Information Infringement Report Center (https://privacy.kisa.or.kr/ Phone: 118 without area code)
  3. Cyber Investigation Division of Supreme Prosecutors' Office (http://www.spo.go.kr / Phone: 1301 without area code)
  4. Electronic Cybercrime Report & Management System (https://ecrm.police.go.kr/minwon/main / Phone: 182 without area code)

④ Individuals whose rights or interests have been infringed due to the disposition made by the head of a public institution regarding requests under Article 35 (Access to Personal Information), Article 36 (Correction or Erasure of Personal Information), Article 37 (Suspension of Processing of Personal Information), etc., may file an administrative appeal in accordance with the Administrative Appeals Act.
‣ Central Administrative Appeals Commission Corporation: (Without an area code) 110 (www.simpan.go.kr)

16. Amendment of the Privacy Policy

① This privacy policy will be effective from May 1, 2024.