Article 1 (Purpose of processing personal data)

• ①Tcon does not use personal data for any other purposes than the following in order to provide services through its website and mobile app. Should the purpose change, Tcon shall take necessary measures such as seeking consent from its users under Article 18 of the Personal Data Protection Act.
  • 1.Management of membership

    At the time a new member joins the website, personal data are processed to verify the intention to join as a member, identify and authenticate the user, manage membership status, prevent unauthorized use of services, verify the consent of a legal guardian when processing the personal data of children aged younger than 14 (or 16 in the case of overseas users), to send various notifications and address any grievances.

  • 2.Management of the license tests and events
    • A.To receive an application for tests, manage information on those who passed the test, and to issue license certificates.
    • B.To handle administrative work, manage payment information and manage statistics in accordance with the relevant law
    • C.To provide information on similar competitions such as Hanmadang or Hanmadang by continent.
    • D.To send newsletters or information on new services
  • 3.Payment services

    Personal data are processed to view payment details, make payments, settle accounts and issue receipts of payments.

  • 4.Processing of complaints

    Personal data are processed to verify the identity of the person filing the complaint, verify the content of the complaint, contact individuals for relevant investigation, and notify the results.

  • 5.Smooth delivery of other services
• ②Under Article 32 of the Personal Data Protection Act, the purpose of processing personal data files is as follows.

  Under Article 32 of the Personal Data Protection Act, the purpose of processing personal data files is as follows List

  No.	Name of personal file	Grounds for and purpose of processing	Personal information recorded on file	Period for which the record is held
  1	Information on Taekwondo membership	Consent of the data owner/ Membership management	<Common>ID, password, name, nationality, date of birth, gender, mobile number, address, belt, email, CI/CD value,	-Until membership is deleted or cancelled. -Data of dormant users of one year or longer shall be held for one year. -Data related to complaints shall be held for five years after the case is closed.
  			<Mobile>Information on the Taekwondo belt
  2	Information on the Taekwondo belt	Article 19, Article 19.2 of the Law on the Promotion of Taekwondo / Promotion of Taekwondo and the qualifications for belts	<Common>ID, name, nationality, date of birth, belt, address, original copy of the resident registration certificate	-Permanently
  			<Payment services>Bank account (credit card) number, mobile number	-Payment services : five years

Article 2 (Personal data to be processed)

• ①Tcon processes the following personal data to provide services on its website and mobile app.

  Tcon processes the following personal data to provide services on its website and mobile app List

  	Essential items	Optional items
  Management of membership	<Common>Type of member, ID, password, name, nationality, date of birth, gender, mobile number, address, belt, email, address, CI/CD value <Mobile>Unique data or ID of the device	Landline number, FAX number
  Information on the Taekwondo belt	<Common>ID, name, nationality, date of birth, belt, address, original copy of the resident registration certificate <Payment services>Bank account (credit card) number, mobile number

• ②IP address, cookies, MAC address, service use history, login history and history of illegitimate use may also be saved while using the internet services.

Article 3 (Collection of personal data)

• 1.Management of membership

  Tcon directly collects data from the user and an official institution that can verify the data at the time the user joins the website or mobile app as a member.

• 2.Management of license tests and events
  • A.Personal data are collected directly from users to manage data related to applications or to candidates who passed the test, or to issue license certificates.
  • B.Data are directly collected from the user and an official institution to manage statistics in accordance with the relevant law or for administrative work and the management of payment information.
  • C.Data are directly collected from the user and user organization when applications are made to participate in Hanmadang, Hanmadang by continent and similar events.
  • D.Data are directly collected from the user when newsletters are sent or when information is given on new services.
  • E.Data and meta data included in all communications sent to Tcon through email or websites are collected.
• 3.Payment services

  Data are directly collected from the user and user organization during the registration of bank accounts or payment processes.

• 4.Addressing complaints
  • A.Data are directly collected from the user and user organization when they join as members or apply for services.
  • B.Data are directly collected from users when they submit complaints through the user center.
  • C.All personal data sent to Tcon are collected.

Article 4 (Supply of personal data to a third party or international transfers of personal data)

• ①Tcon processes personal data only within the scope as stipulated in Article 1 (objective of processing personal data) and shall not use personal data in a way that goes beyond such a scope without prior consent, disclose such data to a third party or transfer them internationally. However, the following cases shall be exceptions.
  • 1.In the case that separate consent is acquired from the owner of the data and there are special rules in other laws.
  • 2.In the case that the owner of the personal data or his legal guardian is unconscious or is unlocatable, making it impossible to receive prior consent and where the disclosure or transfer is recognized as necessary for urgent matters of life or death, physical benefits or properties of the owner of the data or a third party.
  • 3.In the case that disclosure or transfer is needed to compile statistics or carry out academic research, and where personal data are treated anonymously.
  • 4.In the case that certain tasks as stipulated under law cannot be carried out unless the personal data are used in a way that exceeds the scope as defined in this document or are disclosed to a third party, and where a review and approval of such use or transfer have been granted by the personal data protection committee.
  • 5.In the case that such a disclosure or transfer to a foreign government or an international organization is necessary to implement treaties or other international agreements.
  • 6.In the case that such a disclosure or transfer of personal data is necessary for international crime investigation or prosecution.
  • 7.In the case that such a disclosure or transfer is needed for the proceedings in a court of law.
  • 8.In the case that such a disclosure or transfer is necessary for punitive, corrective or protective measures.
  • 9.In the case that such a disclosure or transfer is needed across borders, in association with the hosting and operation of competitions by Tcon.
  • ※ However, this shall not apply if there are concerns that the interests of the owner of the personal data or a third party may be violated.
• ②The personal data of users who use Tcon are provided to third parties as follows.

  The personal data of users who use Tcon are provided to third parties as follows List

  Recipient	Purpose of supplying personal data	Personal data item	Period for which the record is held
  KR Partners Co. Ltd.	Remittance to a financial institution and request for authorization	Name, resident registration number (date of birth), bank account (credit card) number, mobile number	Five years following the processing of a payment
  Korea Telecom Co. Ltd.	Remittance to a financial institution and request for authorization	Name, resident registration number (date of birth), bank account (credit card) number, mobile number	Five years following the processing of payment
  Individuals recommended by the heads of Taekwondo institutions abroad	Request for review on belts	ID, Name, resident registration number (date of birth), bank account (credit card) number, mobile number	Permanently

• ③Personal data may be transferred to countries that do not have a data protection law that is equivalent to that enforced in Korea or in the EEC (i.e. U.S.A., Russia, Japan, China, India).

Article 5 (Subcontracting of the processing of personal data)

• ①Tcon outsources the processing of personal data to authenticate the user on the website or mobile app (authentication is carried out through the verification of unique data).

  Tcon outsources the processing of personal data to authenticate the user on the website or mobile app (authentication is carried out through the verification of unique data) List

  Party handling the processing	Subcontracted work	Personal data involved
  Korea Taekwondo Association	Request for a review of qualification for belts	ID, name, nationality, date of birth, gender, belt, address, email, mobile number
  Government or public organization	Request for a review of qualification for belts	ID, name, nationality, date of birth, gender, belt, address, email, mobile number
  Organization operating the Hanmadang competitions	Operation of the Hanmadang competition	ID, name, nationality, date of birth, gender, belt, address, email, mobile number
  System maintenance and repair companies	System maintenance and repairs	Overall system data

• ②Tcon supervises the subcontractor under Article 26 of the Personal Data Protection Act to ensure that personal data are not used for purposes other than the outsourced work, technical and managerial protection measures are taken, re-subcontracting of the work is not carried out, regular training is provided on the handling of personal data and the party understands its liabilities concerning damages. These items are listed in the subcontracting contract.
• ③Other than what is stated above, Tcon shall not subcontract the processing of personal data to a third party. In the case that the content of the work subcontracted or the subcontractor changes, this shall be immediately disclosed through our policy on the processing of personal data.

Article 6 (Matters concerning the security of personal data)

• 1.Establishment and implementation of internal management plans
  • A.For the secure processing and management of personal data, Tcon establishes and implements an internal management plan for all workforce handling personal data.
• 2.Limited access to personal data
  • A.Authority to access the data base that processes personal data would be given, revised or deleted for the control of access. The intrusion blocking system will detect unauthorized access. If the personal data processing system is accessed from an outside source, VPN (Virtual Private Network) will be offered for safe access.
• 3.Encryption of personal data
  • A.The user’s personal data are encrypted, saved and managed. When important data are stored or transmitted, they are encrypted beforehand for security.
• 4.Storing of login records and the prevention of ill-intended changes
  • A.Records on login to the personal data processing system are stored for at least 6 months. Special care is taken to ensure the login records are not stolen or changed with malintent.
• 5.Technical measures against hacking
  • A.Tcon has installed a security program to protect personal data from being leaked or contaminated through hacking or viruses. The program is regularly updated and reviewed, and is installed in a restricted area for technical and physical surveillance.
• 6.Restricted access against unauthorized users
  • A.A separate, physical space is designated for the personal data processing system that holds personal data. Access to this space is restricted and controlled
• 7.Minimal number of employees handling personal data and the training of said employees
  • A.A minimal number of employees are designated to handle personal data. These employees are subject to regular and spontaneous training to raise the awareness of the importance in taking precautions when handling personal data.

Article 7 (Destruction or deletion of personal data)

• ①Tcon shall immediately delete or destruct personal data once the period for holding such data has passed, the objectives have been met or when a member has requested to delete his membership.
• ②In the case that Tcon is required by law to keep personal data despite the period of holding such data having passed or the objectives having been met, the personal data in question are stored separately from those of other individuals
• ③Tcon deletes or destructs the personal data in the following method.
  • 1.Process for deletion

    Personal data eligible for deletion are selected. After approval from Tcon’s manager is obtained, the personal data in question are deleted as follows.

    • A.When a member deletes his membership on the website, his personal data are automatically deleted.
    • B.Personal data whose holding period have passed are either automatically deleted or deleted upon the approval of Tcon’s manager.
  • 2.Method of deletion

    Complete deletion is carried out to prevent the restoration of the personal data.

    • A.Electronic files : When the files are partially deleted, after the personal data in question are deleted, they are managed to prevent restoration. When the files are deleted in their entirety, resets, writing over or the use of a dedicated terminal will be the methods applied.
    • B.Non-electronic forms of records or prints: For partial deletion, the personal data in question are masked or punched. When the records are deleted in their entirety, they are shredded or burned.
• ④The owner of the personal data (or his legal guardian) may withdraw his consent to the collection, use and supply of his personal data. However, the withdrawal of this consent may cause disruption in the use of services.
  • ○How to withdraw your consent

    Login > My Page > “Withdraw”

Article 8 (The rights and obligations of the owner of personal data or his legal guardian)

• ①The owner of personal data or his legal guardian may request to view his personal data, have it corrected, deleted or have its processing suspended.
  • 1.n the case that it is inevitable due to the relevant law or in order to observe legal responsibilities.
  • 2.In the case that there are concerns of possible harm to the life, physical safety, property or other interests of another person.
• ②The exercise of rights under Clause 1 may be requested in writing based on the form in Appendix, via phone call, email, FAX or the internet. For data managed on the website, the request may be made through the member’s personal page after logging in.
• ③Upon receiving a request for viewing, correcting, deleting or suspending the processing of personal data, Tcon shall verify that the person who made the request is the user him/herself or his/her legal guardian.
• ④Exercise of rights may be performed through the legal guardian or an agent of the owner of the personal data. In such a case, a letter of delegation as per Appendix No. 11 Rules of Implementing the Personal Data Protection Act shall be submitted to Tcon.
• ⑤In the case of a request for the correction or deletion of personal data by the owner or legal guardian, Tcon shall not use or supply the personal data in question until the correction or deletion is complete.
• ⑥In response to a request for the viewing, correcting, deleting or suspending the processing of personal data, the following steps shall be taken
  • 1.Viewing of personal data

    Request to view personal data → Verification of the party making the request and the scope of viewing → Verification of the limits to the viewing of personal data → Request approved (or denied) → Viewing

  • 2.Correction, deletion or suspension of the processing of personal data

    Request to have personal data corrected, deleted or suspended for processing → Verification of the party making the request and the scope of viewing → Verification of limits to the viewing of personal data → Notification on the request approved (or denied)

Article 9 (Manager for the protection of personal data)

Article 10 (Installation and operation of automatic collection devices for personal data and the withdrawal of consent to such collection)

• ①Tcon may install and operate automatic collection devices for personal data such as cookies to store information related to the usage of the website or mobile app. Cookies are very small text files that are sent by the server for the website and mobile app to the user’s browser. It is a file that includes identification letters and numbers that are sent by the web server to the web browser and stored on the browser.
• ②Cookies may be permanent or session cookies. Permanent cookies are stored on the web browser and unless deleted by the user before the expiration date, remain valid until the expiration date. Meanwhile, session cookies end when the web browser is closed. Cookies do not contain identification information for each user but personal data saved by the user are stored on the cookie and connected with the information acquired from the cookie.
• ③The user may opt for cookies or not, using the web browser settings. However, if cookies are not accepted, there may be some inconvenience in using the services. This may vary depending on the version of the browser.
  • ○How to reject cookies

    ▶ (For Internet Explorer)

    “Tools” on the top of the web browser > Internet options > Personal data > Advanced” → The user may choose from ‘allow’, ‘block’, or ‘selected by the user’

    ▶ (For Chrome)

    “Settings” on the upper right of the web browser > Personal data > Set contents > Cookies” → ‘Accept’, ‘Maintain until the browser session ends’ or ‘Block’

    ▶ (For Firefox)

    “Tools” on the upper right of the web browser > Options > Personal data > Drop-down menu” → Choose between the ‘Set user definition for records’, ‘Allow cookies on site’, and ‘Select/ unselect’.

• ④Blocking all cookies may have a negative effect on the use of the website and may make it difficult to use all the features provided by Tcon. Cookies already stored on the computer cannot be deleted. This may vary depending on the version of the browser.
  • ○How to delete cookies

    ▶ (For Internet Explorer)

    Cookie files must be deleted manually. (See: http://support.microsoft.com/kb/278835)

    ▶ (For Chrome)

    Custom setting and management > Settings > Advanced settings > Internet use information Delete > “Delete cookies and other sites”

    ▶ (For Firefox)

    Tools > Option > Personal data → "User definition on records" → "Display of cookies" → "Removal of all cookies"

Article 11 (Addressing cases of violation of rights)

• ①Owners of personal data can request a resolution of dispute or a counseling session with the KOPICO or the Korea Internet Promotion Center to address cases of violation of rights.
• ②Please inquire to the following organizations if you need to report on a case of the violation of rights concerning personal data or a counseling session is needed.
  • 1.Privacy Center: Call 118 (privacy.kisa.or.kr)
  • 2.KOPICO : Call 1833-6972 (www.kopico.go.kr)
  • 3.Department of Cyber Crimes at the Grand Prosecutor’s Office : Call 1301, cid@spo.go.kr (www.spo.go.kr)
  • 4.Cyber Safety Bureau at the National Police: Call 182 (cyberbureau.police.go.kr)

Article 12 (Changes to the policy of processing personal data)

• ①This policy shall take effect on October 1, 2019.

(Appendix 1)

(Appendix 2)