The RIGHT Foundation (hereinafter referred to as “the Foundation”) establishes and presents this Privacy Guideline to ensure the privacy of data subjects pursuant to Article 30 of the Personal Information Protection Act of Korea and to effectively address any privacy-related concerns.
Article 1 (Purpose of Processing Personal Information)
The Foundation processes personal information for the following purposes: If the purpose of personal information processing change, the Foundation will implement necessary actions, including obtaining separate consent pursuant to Article 18 of the Personal Information Protection Act.
- Applicants’ personal information: The Foundation processes personal information to decide and execute the provision of research funds and grants.
- Reviewers’ personal information: The Foundation processes personal information for payment and tax filing purposes.
- Newsletter recipients’ personal information: The Foundation processes personal information to manage subscriptions and send newsletters.
Article 2 (Personal Data Processing and Retention Period)
- The Foundation will retain and use the personal information in accordance with either the time frame stipulated by relevant laws or the duration agreed upon by data subjects at the time of collection.
- The corresponding use and retention periods of processed personal information items are as follows:
- Applicants’ personal information
For those who are awarded a project by the Foundation, their personal information will be retained and used for 5 years after the end of the project for the purposes stated above. For those who are not awarded a project, their personal information will only be retained for 1 year from the date of the decision.
Basis for the retention: Consent from the data subject
- Reviewers’ personal information
Reviewers’ personal information will be retained and used until 5 years after the end of the final report period, starting from the date they provide consent for the collection and usage of their information.
Basis for the retention: Consent from the data subject, as required by Article 160-2 of the Income Tax Act
- Newsletter recipients’ personal information
Newsletter recipients’ personal information will be retained and used until the data subject opts out, beginning from the date of consent for data collection and usage.
Article 3 (Personal Data Items to be Processed)
The Foundation processes the following personal data items:
- Applicants’ personal information
Required items: Name, company name, phone number, email, and title
For the Training Award, additionally nationality or citizenship, country of residence, age group, gender, highest degree obtained, professional experience, completed training courses <Amended onNovember 01, 2023>
- Reviewers’ personal information
Required items: Name, resident registration number (Korean citizens), passport number (non-Korean citizens), phone number, email, company name, title, bank account information, and nationality
- Newsletter recipients’ personal information
Required items: Name, affiliation (department and position), email
Optional items: Phone number (mobile)
Article 4 (Provision of Personal Information to Third Parties)
The Foundation provides personal information to third parties only when there is consent from the individual or when it is required by applicable laws as stipulated in Articles 17 and 18 of the Personal Information Protection Act.
Article 5 (Outsourcing Personal Information Processing)
- The Foundation has outsourced its personal information processing tasks for efficiency as follows:
- Outsourced tasks: Research grant management
Outsourcing provider (Outsourcer): Fluxx Labs Inc.
Outsourcing period: Till the withdrawal of the membership
Responsibilities in outsourced tasks: Recruiting research grant applicants, grant management, evaluation, and notifications
- In all outsourcing contracts, the Foundation guarantees that the agreement and contract document clarify the liabilities and responsibilities of the Outsourcer pursuant to Article 26 of Personal Information Protection Act, including, but not limited to the prevention of using personal information beyond the intended scope, implementation of technical and administrative safeguards, restriction on further outsourcing, supervision and management of the Outsourcer, and potential liability for damages. The Foundation also ensures the secure handling of personal information by the Outsourcer.
- In the event of a change in the content of the outsourced processing or the Outsourcer, the Foundation will promptly disclose such changes through this Privacy Guideline.
Article 6 (Cross-border Transfer of Personal Information)
The Foundation delegates the responsibilities of collection, management, evaluation and notification of research grant applications to Fluxx Labs Inc., a corporation based overseas, according to the specifics outlined below.
| Outsourcer | Fluxx Labs Inc. |
|---|---|
| Location | 2261 Market Street, #4060, San Francisco, CA 94114, US |
| Entrusted time and transfer method | 2Starting from November 1, 2023, until the member withdraws or the outsourcing contract is terminated. Data transfer through network |
| Contact information of the data manager | privacy@fluxxlabs.com |
| Personal information items to be entrusted | 1. Name, mobile phone number, email, affiliation, and title of applicants For the Training Award, additionally nationality or citizenship, country of residence, age group, gender, highest degree obtained, professional experience, completed training courses 2. Name, mobile phone number, email, affiliation, title, bank account details, nationality, and passport number of evaluators |
| Retention and use period of personal information | Applicants’ information: Until membership withdrawal, or 5 years after the project's end for research grant awardees. Evaluators’ information Until 5 years after the end date of the final tax filing period |
Article 7 (Personal Data Destruction Procedure and Method)
- When personal information becomes obsolete, such as when the retention period expires or the processing purpose has been achieved, the Foundation disposes of the personal information promptly.
- In cases where personal information needs to be retained continuously pursuant to other laws despite the expiration of the agreed-upon retention period or the achievement of the processing purpose, it will be transferred to a separate database (DB) or stored in a different location.
- The following outlines the procedure and method for the destruction of personal information:
- Destruction process
The Foundation identifies personal information that is eligible for or requires destruction and initiates the destruction process upon receiving approval from the Privacy Officer.
- Destruction method
As for personal information printed on paper, it undergoes proper disposal through shredding or incineration. Personal information stored in electronic formats is subjected to secure deletion using unrecoverable and irreversible techniques.
Article 8 (Rights and Responsibilities of Data Subjects or Their Representatives and Procedures for Exercising Rights)
- Data subjects possess the right to request access, correction, deletion, and suspension of their personal information from the Foundation at any time.
- The exercise of rights pursuant to Paragraph 1 can be made in writing, through email, or other means pursuant to Article 41 Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the Foundation will promptly implement necessary actions upon receipt of valid requests.
- The data subject may exercise their rights in accordance with Paragraph 1, either directly or indirectly through their legal representative or an authorized agent.
- The rights of data subjects to access personal information and request the suspension of its processing may be subject to limitations as stipulated by Article 35 Paragraph 4 and Article 37 Paragraph 2 of the Personal Information Protection Act.
- If the personal information in question is explicitly required to be collected under other legal provisions, requests for correction and deletion of such information may be declined.
- The Foundation verifies the identity of the requester, whether an individual or their legitimate representative, who has submitted requests such as access, correction, deletion, or processing suspension in accordance with the data subject's rights.
Article 9 (Measures to Safeguard Personal Information)
The Foundation takes the following measures to safeguard personal information.
- Establishment and execution of internal control plan
The Foundation has established and implemented internal control plan to ensure the secure processing of personal information.
- Minimization and training of personal information handling staff
The Foundation has restricted the handling of personal information to a designated group of employees and has implemented measures to control the handling of personal information.
- Regular internal audits
To ensure security and proper handling of personal information, the Foundation conducts internal audits on a regular (quarterly) basis.
- Controlling personal information access
The Foundation employs essential measures to manage access to personal information by managing permissions for accessing personal information databases, encompassing actions such as granting, updating, and revoking access permissions, while implementing an intrusion prevention system to prevent any unauthorized external access attempts.
- Maintenance and security of access records
The Foundation ensures the retention and management of access records for the personal information processing system for a minimum period of one year. Moreover, a comprehensive security mechanism is in place to prevent forgery, alteration, theft, and the unintentional loss of these records.
- Encryption of personal information
Personally identifiable information, such as passport details, undergoes encryption upon reception, transmission, or transfer to ensure security.
- Technical measures against hacking and similar threats
In order to prevent the potential leakage and damage of personal information due to hacking or computer viruses, the Foundation employs a variety of technical and physical measures, encompassing the installation of security programs that are regularly updated and assessed, as well as the establishment of systems in zones where external access is strictly controlled.
- Controlling unauthorized access
The Foundation stores and maintains personal information in physically segregated locations, implementing rigorous access control procedures and protocols.
- Locking devices for document security
Physical documents and auxiliary storage media containing personal information are securely stored and maintained in designated locations equipped with locking mechanism.
Article 10 (Installation, Operation, and Rejection of Automatic Personal Information Collection Devices)
- The Foundation utilizes cookies to collect and retrieve users' browsing histories, allowing for the delivery of personalized services tailored to each user.
- Cookies are small data fragments that are transmitted from a website's server (HTTP) to users' computer browsers and may be subsequently stored on the hard disks of their PCs.
- Purpose of cookies: Cookies are utilized to enhance services by analyzing factors such as users' access frequency, visit duration, preferences, and interests and to track information about viewed web pages, enabling the provision of new offers.
- How to install, enable, or reject cookies: Users have the option to configure their web browsers to allow all cookies, request permission before saving cookies, or refuse all cookies.
- Please note that rejecting cookies may result in limited access to some services.
Article 11 (Privacy Officer)
- The foundation appoints a Privacy Officer to oversee tasks concerning the processing of personal information, including addressing complaints and grievances and providing remedies for data subjects in relation to personal information processing, as outlined below:
▶ Privacy Officer
Name: Hanee Kim
Title: CEO
Contact information: +82-2-6337-9400; hani.kim@rightfoundation.kr
▶ Privacy Department
Department name: Finance and Operation
Contact person: Jiyoung Moon
Contact information: +82-2-6337-9412; jiyoung.moon@rightfoundation.kr
- Data subjects may contact the Privacy Officer and the competent department for any inquiries, complaints, or damages related to the protection of personal information that arise while using the Foundation's services or business. The Foundation will promptly respond and handle inquiries from data subjects.
Article 12 (Responsible Department for Receiving and Addressing Requests for Personal Information Access)
Pursuant to Article 35 of the Personal Information Protection Act, data subjects have the right to request access to their personal information from the Privacy Department (refer to Article 11). The Foundation will strive to expedite the processing of these access requests upon receiving them from the data subjects.
Article 13 (Remedy for Infringement of Rights and Interests of Data Subjects)
Data subjects seeking remedies for personal information infringements can submit requests for dispute resolution or consultation to authorities such as the Personal Information Dispute Mediation Committee and the Privacy Breach Report of Korea Internet & Security Agency. Additionally, the authorities listed below can offer support for reporting or seeking advice on issues related to other instances of personal information breaches.
- Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
- Privacy Breach Report: 118 (privacy.kisa.or.kr)
- Prosecution Service: 1301 (privacy.kisa.or.kr)
- National Police Agency: 182 (ecrm.cyber.go.kr)
Article 14 (Changes in Privacy Guideline)
This Privacy Guideline will be effective from 11. 1. 2023. <Amended on November 01, 2023>