Items of personal information collected and collection methods
Purpose of collection and use of personal information
Provision and sharing of personal information
Outsourcing of personal information processing
Measures to ensure the safety of personal information
Retention and use period of personal information
Procedure and method for destruction of personal information
Rights of users and legal representatives and how to exercise them
Withdrawal of consent / member withdrawal procedure
Installation/operation of automatic personal information collection devices and how to refuse them
Personal information manager
Duty to notify changes to this policy
Items of personal information collected and collection methods
The Clinic collects only the minimum personal information necessary to provide services. Some items are required and some are optional; optional items are not required for service use.
Website collection items
Required: selected procedure(s), full name, age, mobile/whatsApp number, current contact-lens status
Optional: gender, nationality, preferred date & time, translator, additional information
Collected via generation/analytics tools (e.g., visitor analytics tools)
Clinical (treatment) collection items
Required: name, resident registration number, foreigner registration number (for foreigners only)
※ Name and resident registration number are required entries under Article 14 of the Enforcement Rules of the Medical Service Act (items to be recorded in medical records).
Optional: contact number, address, email, reason for visit
When personal information is collected for a specific short-term purpose not listed above, we will notify you separately. Collected information includes any updates you make after initial registration.
Purpose of collection and use of personal information
The Clinic uses collected personal information for the following purposes. All information provided will not be used for purposes other than those listed below, and we will seek prior consent if the purpose of use changes.
To respond to online inquiries
To provide diagnosis and treatment services
For billing, payment, and refund support related to medical fees
For identity verification related to appointment booking, appointment checking, and member services
To provide notices, handle complaints, and ensure smooth communication; to inform you of new services and events
For issuing certificates and sending items related to medical examinations
To provide personalized content and support development of new services
For the minimum analysis data necessary for education, research, and medical services
As basic data for outsourced online tests and clinical trial reviews
To provide health information and Clinic newsletters/promotional materials
Provision and sharing of personal information
Except with your consent or where required by law, the Clinic will not use or provide your personal information beyond the purposes notified in “Purpose of collection and use of personal information.” Exceptions include:
Where users have agreed in advance to disclosure
Submission of medical records to the Health Insurance Review & Assessment Service for claims under the National Health Insurance Act
Where required by investigative agencies in accordance with legal procedures and methods
Outsourcing of personal information processing
To operate personal information tasks smoothly, the Clinic outsources certain processing tasks as follows.
Service provider: MD Lab Plus Co., Ltd.
Items provided: name, date of birth
Outsourced task: genetic testing to prevent surgical complications
Outsourcing period: until the end of the outsourcing contract
When new patients (first-time visitors) register via the website or call center, they are also registered in the Clinic’s medical information system. When concluding outsourcing contracts, the Clinic specifies in writing (in accordance with Article 25 of the Personal Information Protection Act) restrictions on processing personal information for purposes other than the outsourced task, technical and administrative protection measures, limits on re-outsourcing, supervision and management of the outsourced party, liability for damages, etc., and supervises whether the contractor safely handles personal information. If the content of the outsourcing or the outsourced party changes, we will promptly disclose this Privacy Policy.
Service provider: ToBeCon Co., Ltd.
Items provided: medical certificates (13 types)
Outsourced task: online issuance of medical certificates
Outsourcing period: until the end of the outsourcing contract
Measures to ensure the safety of personal information
Minimization and training of personnel handling personal information: Personnel who handle personal data are minimized and given regular training.
Regular internal audits: At least once a year self-audits are conducted to ensure safety.
Establishment and implementation of internal management plans: Internal plans are established and implemented to ensure safe handling.
Encryption of personal information: Passwords are stored and managed in encrypted form so only the user can know them; important data files and transmission data are encrypted.
Storage of access logs and prevention of tampering: Access logs to the personal information processing system are retained for at least six months and protected against tampering, theft, and loss through security functions.
Access control for unauthorized persons: A separate physical storage location for the personal information system is established with access control procedures.
Retention and use period of personal information
The Clinic retains personal information for the periods required by applicable laws and destroys it without delay thereafter.
For member registration: until membership is withdrawn or the member is expelled
For survey/event purposes: until the survey or event ends
For treatment purposes: retained in accordance with the periods specified in Article 15 of the Enforcement Rules of the Medical Service Act (“Retention of records related to medical treatment”) (items retained: name, address, resident registration number, medical information)
Records related to consumer complaints or dispute resolution: 3 years (Act on Consumer Protection in Electronic Commerce, etc.)
Records related to collection/processing/use of credit information: 3 years (Act on Use and Protection of Credit Information)
Visit logs: 3 months (Telecommunications Privacy Protection Act)
However, even if the original purpose has been achieved, personal information may be retained where retention is required by law (e.g., Commercial Act).
Procedure and method for destruction of personal information
The Clinic destroys personal information without delay once the purpose of collection and use has been achieved. The procedures and methods are:
Destruction procedure: Information provided for membership, etc., is destroyed immediately after the purpose is fulfilled using the destruction method below.
Destruction method: Electronic personal data are deleted using technical methods that make recovery impossible. Paper records are shredded or incinerated.
Rights of users and legal representatives and how to exercise them
For children under 14 (hereinafter “children”), membership registration requires the consent of a legal representative. The Clinic collects only the minimum information necessary to obtain the legal representative’s consent (such as name and contact information) and obtains consent in the manner described in this Privacy Policy. The child’s legal representative may request access to, correction of, or deletion of the child’s personal information. To do so, the legal representative must complete verification procedures, after which they may directly access, correct, or delete the child’s information, or contact the personal information protection officer by letter, phone, email, or fax to request necessary measures.
The Clinic does not provide children’s information to third parties. If a legal representative requests correction of erroneous personal data collected from a child, the Clinic will prohibit the use or provision of that data until correction is completed.
Withdrawal of consent / member withdrawal procedure
You may withdraw your consent to the collection, use, and provision of personal information at any time. To withdraw membership, click “Delete Account” on the website or contact the personal information protection department by letter, phone, or fax. We will promptly destroy your personal information and take necessary measures.
Installation/operation of automatic personal information collection devices and how to refuse them
The Clinic may operate cookies that store and retrieve your information. Cookies are strings of information that a web server sends to your browser and are returned to the server when the browser requests additional information. When you visit the website, the Clinic reads cookie contents from your browser to provide certain services without requiring additional input such as your name.
The only information collected via cookies is the member’s ID; no other information is collected. Cookies collected may be used for:
Providing personalized screen information based on individual interests
Tracking pages of interest to provide personalized services on next visit
Analyzing user habits to inform service improvements
You have the option to accept or refuse cookies. In your browser, go to Tools > Internet Options > Privacy > Advanced to accept all cookies, receive notification when cookies are set, or refuse all cookies. If you refuse cookies, you may experience inconvenience or difficulty using the service. Cookies expire when the browser is closed or upon logout.
Personal information manager
To protect your personal information and handle related complaints, the Clinic has appointed a personal information manager and a handling department as follows.
Number of staff handling personal information: 30
Personal information manager
Name: Kim Moo-yeon
Position: Representative Director, GS Eye Center
Affiliation: GS Eye Center
Phone: 02-3469-0900
Email: gseyeweb@naver.com
You may report any personal information protection complaints arising from use of the Company’s services to the personal information manager or the handling department. The Company will respond promptly and adequately to user reports.
For other reports or consultations regarding personal information infringement, please contact:
Personal Dispute Mediation Committee (www.1336.or.kr / 1336)
Korea Privacy Certification Committee (www.eprivacy.or.kr / Tel: 02-580-0533~4)
Supreme Prosecutors’ Office Internet Crime Investigation Center (http://icic.sppo.go.kr / Tel: 02-3480-3600)
National Police Agency Cyber Terror Response Center (www.ctrc.go.kr / Tel: 02-392-0330)
Notice date: November 23, 2015 / Effective date: December 1, 2015
Representative Director, GS Eye Center