국립현대미술관

1. Collection and retention of personal information

a. Collection and retention of personal information by the National Museum of Modern and Contemporary Art, Korea (hereinafter “MMCA,” “we,” “us” or “our”) are compliant with statutory provisions and only made upon prior consent of the data subject (hereinafter “data subject,” “user,” “you,” or “your”). Statutory provisions authorize MMCA to collect and retain personal information files as followings:

Planning & General Management Department Conservation & Art Bank Department PR & Customer Service Department ※For your access to MMCA personal information files, please visit at www.privacy.go.kr (Personal Information Protection Commission of the Ministry of the Interior and Safety), and browse as follows: Petition → Request for personal information → Personal information files search.

b. Personal information automatically collected and stored when using websites

• ·Your personal information automatically collected and retained for your service usage pattern analysis and better website browsing experiences includes:
• - your internet service domain name, website address you have visited before visiting our website and date & time of your previous visits; and
• - name of browser and operating system you use when you visit our websites.

c. Personal information retained by statutory requirements

• · We retain your personal information for a specific period of time as required by applicable statutory requirements. In such event, we retrieve and use your personal information only for the purpose specified in respective laws and regulations.

d. Access to personal information files

· We process your personal information in a legally permitted and appropriate manner to protect your privacy. However, a part of your personal information may be disclosed to or shared with a third party to the extend permitted by the applicable laws and regulations.

2. Use and sharing of personal information

a. Sharing of your personal information with third parties

• · Even if we share your personal information with a third party, such party has no right to disclose your personal information unless explicitly agreed by us.
• · Your personal information we are permitted to share with third parties under the applicable laws and regulations includes:

  Sharing of your personal information with third parties (File name, Third party, Purpose, Data, Period of retention & use)

  File name	Third party	Purpose	Data	Period of retention & use
  Volunteer list	Gwacheon Volunteer Center	Volunteer contribution records	Name, Date of birth, Activities, Service hours	Removed immediately after completion of data entry into 1365 system

• · Personal information we collect, retain, use, disclose or share with third parties are subject to prior notice and your explicit consent except otherwise required by laws or regulations.

b. Entrusting of your personal information

• · In a case we entrust your personal information to public entities or private entities pursuant to Article 26 (Limited processing of entrusted personal information) of the Personal Information Protection Act, we set out limitations and procedures of such entrusting and ensure that the entrusted entities use the same level of care that we use for protecting your personal information. In addition to that, we conduct inspections to verify how your personal information is being protected at third party’s premises
• · Your personal information we are permitted to entrust to third parties under the applicable laws and regulations includes:

  Outsourcing (Third party, Data, Purpose, Use & retention period)

  Third party	Data	Purpose	Use & Retention Period
  PCN	E-mail, Password, Name, Date of Birth, Address, Telephone number, Mobile phone number	Website service & maintenance	Removed upon termination of an outsourcing agreement
  PCN	E-mail, Password, Name, Date of Birth, Address, Telephone number, Mobile phone number	Art Bank website service & maintenance	Removed upon termination of an outsourcing agreement
  NETCOM	E-mail, Password, Name, Mobile phone number	MMCA Friends service & maintenance	Removed upon termination of an outsourcing agreement
  TUNESYSTEM	Member DB	Website hardware & software maintenance	Removed upon termination of an outsourcing agreement

c. Limited use and sharing of personal information Use and sharing of your personal information we collect and retain are subject to privacy laws and regulations.

• · Article 18 (Limited use and sharing of personal information) of the Personal Information Protection Act allows us to use or share your personal information with third parties if such use or sharing is
  1. 1. explicit agreed by the data subject
  2. 2. specifically required by other laws or regulations
  3. 3. necessary to protect the data subject or any third party who is in eminent life-threatening danger, physical harm or property loss while obtaining a prior consent is unavailable because such data subject or his/her legal agent is incapable of expressing its own intention to agree or disagree, or we are unable to contact such data subject or his/her legal agent due to unknown address
  4. 4. used for statistical survey and academic research as long as personal information is anonymized
  5. 5. unavoidable as executing statutory obligations require use or sharing of personal information other than specified herein; provided however that such use or sharing is permitted to the extent that is reviewed and approved by the Privacy Protection Commission
  6. 6. required to be disclosed to a foreign government or international institution for the purpose of executing any treaty or inter-governmental agreement
  7. 7. necessary for criminal investigation or filing and/or sustainment of a public prosecution
  8. 8. necessary for judicial proceeding
  9. 9. necessary for probationary and/or protectionary order execution

3. Disposal of personal information

Your personal information will be removed, deleted, or destructed immediately upon the purpose of collection and use is attained. Removal, deletion, or destruction procedures and methods are as follows:

a. Procedures of removal, deletion, or destruction

• · Personal information you have submitted for accessing to our services including signing-up will be removed, deleted, or destructed after their respective purposes are realized and their respective retention periods as required by applicable laws and regulations and/or our privacy policy (see the period of retention and use) expires.
• · Your personal information retained by us will not be used for any purpose other than specified herein, except otherwise required by laws and regulations.

b. Methods of removal, deletion, or destruction

• · Personal information contained in printed media will be destroyed either by a paper shredder or fire pit.
• · Personal information contained in digital media will be removed, deleted, or destroyed in such manner that no data can be recovered.

4. Data subject’s rights

「Chapter 5 (Ensuring data subject’s rights) of the Personal Information Protection Act specifies that in respect with his or her personal information, the data subject shall be entitled to:

1. 1. access to his or her personal information
2. 2. correction or deletion of his or her personal information
3. 3. suspension of processing of his or her personal information
4. 4. exercise of his or her statutory rights
5. 5. claim for damages

5. Access to, correction, deletion, and suspended processing of personal information files

The data subject is entitled to request an access to, correction and deletion, and suspended processing of his or her personal information we retain pursuant to Article 35 (Access to personal information), Article 36 (Correction and deletion of personal information), and Article 37 (Suspended processing of personal information) of the Personal Information Protection Act.

a. Access to personal information

• · You have the right to access to your personal information files we retain pursuant to the Personal Information Protection Act and other privacy regulations. Access procedures are as follows:
• · Your access to personal information files may be denied pursuant to the fourth paragraph of Article 35 (Access to personal information) of the Personal Information Protection Act, if such access is:
  1. 1. prohibited or restricted by the applicable laws and regulations
  2. 2. likely to cause life-threatening danger, physical harm, property loss, or injury of legitimate interests of another person
  3. 3. causes interrupted execution of government agency’s administrative operations including
  1. a. imposition, collection or return of tax.
  2. b. scoring or admission evaluation at a school established under the Mandatory Education Act and the Higher Education Act, at a lifelong learning center established under the Life-long Learning Act, or at a higher educational institution established under other laws.
  3. c. academic achievement & skill testing and employment, or qualification review.
  4. d. evaluation or consideration relating to application either a compensation or benefit.
  5. e. audit or inspection activities carried out under other laws and regulations.

b. correction, deletion, and suspended processing of personal information.

• · After accessing to your personal information files, you may request the personal information processor to correct, delete, or suspend processing of your personal information; provided however that your deletion request may not be acceptable if your personal information is subject to mandatory collection & retention under other laws and regulation. Correction, deletion or suspended processing procedures are as follows:
• · “Access, Correction, Deletion or Suspended Processing of Personal Information” [Form No. 8, Enforcement Decree of the Personal Information Protection Act]Download
• · Letter of attorney [Form No. 11, Enforcement Decree of the Personal Information Protection Act]Download

6. Privacy violation report

When you are using our website services, if you find any violation or damage resulting from collection, use, sharing, entrusting of your personal information which is not subject to such collection, use, sharing, entrusting under the applicable laws, or collected, used, shared, entrusted without your prior consent, or if you have reasonable cause to believe that your personal information is breached or your right as the data subject is violated, you can report such violation to competent authorities as follows:

7. Technical and managerial protection measures

We employ technical and managerial measures to protect your personal information from any loss, theft, leakage, falsification, or damage. Our measures include:

a. Password encryption

• · Your password we retain and control is fully encrypted and only known to you. Editing your profile including password change is only made by you.

b. Countermeasures against potential attacks including hacking

• · We use our best efforts to protect your personal information from potential cyber attacks including hacking and virus. In this regard, your personal information is subject a regular back and being protected by the latest anti-virus software which can prevent any leakage or damage of your personal information while we retain. Cryptographic communication between our database and that of third parties realizes safe and secured transferring of your personal information. We employee an advanced firewall system, denying any unauthorized access. We allocate our available resources to acquire and operate the most advanced cyber security assets.

c. Minimization and training of employees handing personal information

• · We permit only our employees to access to your personal information to the extent they need, and undertake additional measures to limit their access to your personal information by assigning them separate passcode which is subject to a regular update. In addition to that, we provide them data security training, including MMCA Privacy Policy.

d. Privacy protection organization

• · We exert our best efforts to ensure that MMCA Privacy Policy is fully observed and followed, and undertake necessary corrective actions to address any found problems. However, we assume no liability for any and all losses and damages arising out of, or relating to breach of your personal information including your user ID or password due to internet service provider’s faults or your own negligence.

8. Remedies for privacy violations

In the event of privacy violations, you as the data subject may seek for remedies, including consultations. If you are not satisfied with our privacy protection measures or remedies for breach of privacy, you can seek assistance from other government authorities as follows:

Privacy Violation Complaint Center: Report a privacy violation case, including consultation

• - Website: privacy.kisa.or.kr (TEL: 118)
• - Address: Privacy Violation Complaint Center, 135 Jungdae-ro, Songpa-gu, Seoul 138-950

Privacy Arbitration Board: File an individual or collective privacy-related arbitration under the Civil Code

• - Website: www.kopico.go.kr (TEL: +82-2-1833-6972)
• - Address: 4F, Government Complex Seoul, 209, Sejongdae-ro, Jongno-gu, Seoul 03171

Public Prosecutors’ Office Cybercrime Investigation Group: Call +82-2-3480-3573 or visit at www.spo.go.kr

National Police Agency Cyber Bureau: Call 1566-0112 or visit at www.netan.go.kr

9. Operation and control of closed-circuit television systems

We have and operate closed-circuit television systems as follows:

• · Purpose and legal basis of closed-circuit television system installations
• - Security, safety and fire-prevention of MMCA facilities
• - Protection of collections from theft, and (if any) evidence collection
• · Units, locations and surveillance range

  Units, locations and surveillance range (Location, Unit, Surveillance Range)

  Location	Units	Surveillance Range
  MMCA Gwacheon	120	Entire premises
  MMCA Seoul	223
  MMCA Deoksugung	26
  MMCA Cheongju	180	Entire Regidency
  MMCA Residency Goyang	14
  MMCA Residency Changdong	13
  Total	576

• · Controller, Operating Department and Operator

  Controller, Operating Department and Operator (Location, Operating Department, Controller, Operator)

  Location	Operating Department	Controller	Operator
  MMCA Gwacheon	Administration Support Department	Manager of Administration Support Department	Security Control room Member
  MMCA Seoul	Administration Support Department	Manager of Administration Support Department	Control RM
  MMCA Deoksugung	Exhibition-3 Team	Leader of Exhibition-3 Team	Security Control room Member
  MMCA Cheongju	Collection Storage Control Team	Leader of Collection Storage Control Team	Security Control room Member
  MMCA Residency	Exhibition-2 Team	Leader of Exhibition-2 Team	Security Control room Member

• · Surveillance hours, and retention period, retention place and disposal of footages
• - Surveillance hours: 24 hours a day
• - Footage retention period: 90 days
• - Footage retention place

  Footage retention place (Location, Retention place)

  Location	Retention place
  MMCA Gwacheon	Security Control room
  MMCA Seoul	Control RM
  MMCA Deoksugung	Security Control room
  MMCA Cheongju	Security Control room
  MMCA Residency	Security Control room

• - Disposal of footages: We strictly control and log use, sharing, destruction of, and access to CCTV footages only within permitted purposes, and footages contained in digital media are destroyed in such manner that no data can be recovered (in case of printed media, destroyed either by a paper shredder or fire pit) upon their statutory retention period expires.
• · Footage retention place and access to footages
• - Access to footages: You as the data subject may request a CCTV data controller to disclose CCTV footages containing your personal information.
• - Retention place

  Retention place (Location, Retention place)

  Location	Retention place
  MMCA Gwacheon	Security Control room
  MMCA Seoul	Control RM
  MMCA Deoksugung	Security Control room
  MMCA Cheongju	Security Control room
  MMCA Residency	Security Control room

• · Data subject’s request to access to CCTV footages: You must submit a request in writing and your access to CCTV footages will be permitted only when such CCTV footages contain an actual image of you and such access is necessary to protect you from any eminent life-threatening danger, physical harm or property loss.
• · Technical, managerial and physical measures to protect CCTV footages: Our internal procedures to control and restrict access to CCTV footages include secure data storage and data communication technologies, processing history log, anti-forgery and falsification measures, physical anti-breaking facilities and locking devices.

10. Privacy Officer and Security Manager

· MMCA Chief Privacy Officer: Kim seok-il, Manager of Planning & General Management Dept.

• Phone: (02)2188-6102
• E-mail: k4637146@korea.kr
• Address: MMCA Planning & General Management Department, Gwangyeong-ro, Gwacheon-si, Gyeonggi-do 13829, Republic of Korea

· MMCA Personal Information Security Manager: Joe su-yeun

• Phone: (02)2188-6162
• E-mail: suyeun00@korea.kr
• FAX: (02)2188-6161
• Address: MMCA Planning & General Management Department (Data processing office), Gwangyeong-ro, Gwacheon-si, Gyeonggi-do 13829, Republic of Korea
• • Or you can report to the following infringement of the personal information reporting center operated by the Ministry of Public Administration and Security according to Article 62 of Enforcement Decree of The Personal Information Protection Act.
• Korea Internet & Security Agency Personal Informaation Infringement Report Center(http://kisa.or.kr, Tel : 118)

11. Changes to this policy

• · This Privacy Policy becomes effective on July 14, 2020.