Lotte Foundation for Arts (hereinafter referred to as “the Foundation”) values personal information protection for users (hereinafter referred to as “the Member”), and protects personal information provided by members to the Foundation online during use of the Foundation’s services.
The Foundation complies with the “Act on Promotion of Information & Communications Network Utilization and Protection of Information” and the “Personal Information Protection Act,” and has established this Personal Information Policy, thus protecting the members’ rights and interests. The following is the Foundation’s Personal Information Policy.
Definition of terms
Terms used in this Personal Information Policy are defined as follows.
information Information on a living individual which serves to identify such individual through items such as name and ID (username) contained in such information (including information which in itself cannot identify a certain individual but can do so by easily combining with other information)
service Member who can use various membership (e.g., L.POINT card, and L.POINT) services provided by the Foundation
member Member who can use L.POINT service
service Service provided by Internet service-providing Lotte Group affiliate companies to L.POINT members. Since the Foundation’s members are also L.POINT members, member information protection is outsourced or entrusted to Lotte Members Co., Ltd.
1. Purpose of personal information processing
The Foundation processes personal information for the following purposes, and the personal information processed is not used for other purposes. If there are changes in the purposes, the Foundation will take necessary measures such as obtaining separate consent.
- ① Manage website members (e.g., check an online member’s intent of membership subscription, check the member’s age and his/her legal representative’s consent, check the member’s and his/her legal representative’s identities, member identification, and check the member’s intent of membership withdrawal).
- ② Analyze records of service use and frequency of access, prepare statistics on service use, provide tailored service and post advertisements according to service analysis and statistics, etc.
- ③ Protect members and operate services (e.g., restrict use by law-violating members, prevent and sanction acts including unauthorized use interfering with smooth operation of service, prevent member account theft and unauthorized transaction, send notice of amendment to the Terms of Service, etc., keep records for dispute mediation, and handle complaints).
- ④ Identity verification, purchase and payment, and shipping of goods and services, in the provision of paid service.
- ⑤ Contact information-owners by e-mail, text messages, phone, etc., for marketing and promotion purposes, such as providing event information and participation opportunity to consenting members and providing advertising information to promote or recommend purchase of goods and services.
- ⑥ Check the complainant’s identity, check the content of complaint, contact for fact-finding, notify the results, etc.
2. Personal information items collected, method of collecting them, and period of retention
- ① Personal information items collected
As mandatory items, the Foundation collects (member’s) name, ID (username), password, date of birth, gender, address, contact information (home and mobile phone number), and e-mail address. Also, in the process of use of service, IP address, cookies, records on use of service, device information, and location information can be created and collected.
- ② Method of collecting personal information
A. During subscription to membership and use of service on the websites (www.lottemuseum.com, www.lotteconcerthall.com), the Foundation collects a member’s personal information if the member consents to collection thereof and enters the information himself/herself.
B. During consultations with the customer center, a member’s personal information can be collected through websites, e-mail, facsimile, phone, etc.
C. In offline events, etc., personal information can be collected with written consent.
- ③ Period of retention of personal information
Where required by applicable law, the Foundation keeps the members’ personal information during the period prescribed by the law. In that case, the company keeps the information separately, and only uses the same for relevant purposes and not for other purposes such as marketing.
| Information kept | Period of retention | Applicable laws |
| --- | --- | --- |
| Records on payment for and supply of goods and services | 5 years | Act on Consumer Protection in E-Commerce |
| Records on contract, offer withdrawal, etc. | 5 years | Act on Consumer Protection in E-Commerce |
| Records on consumer complaints or dispute handling | 3 years | |
3. Validity period of personal information
The Foundation, to protect the personal information of long-term non-users of the service, operates a system of personal information validity period.
This validity period is 1 year from the time of a member’s last use of the service, after which the Foundation separately stores and manages the personal information. This separate storage and management, a measure tantamount to destruction of personal information based on physical or logical separation of personal information, stores and manages the personal information of the aforesaid long-term non-users separately from that of general members, and restricts access thereto by the Foundation’s ordinary employees. Also, the Foundation notifies the relevant user, by e-mail, etc., at least 30 days before the validity period expires, that his/her personal information will be separately stored and managed. Even after expiry of the validity period, however, a member’s login to the websites will be deemed a request for re-use of the service, and the state of separate storage and management of personal information will be turned into that of normal use thereof.
4. Disclosure of personal information to a third party (Sharing of personal information)
The Foundation only processes the members’ personal information as specified in “Purpose of personal information processing” above, and does not disclose the same to a third party, except in accordance with Articles 17 and 18 of the Personal Information Protection Act, such as when consented by the information-owner or required by statutory provisions.
- ① Partnership
When entering into partnership with another company, the Foundation must give the members detailed prior notice of the name of the partner company, purpose of partnership, content of service provided, scope of shared personal information, purpose of personal information’s use, period of the partnership, etc., and must only disclose or share information based on the member’s active consent (directly indicating intent of sharing personal information). In cases of change or end of the partnership, the same process will also be used for notice and consent.
- ② Outsourcing of personal information processing
When outsourcing the processing of members’ personal information to another person for smooth conduct of duties, the Foundation must give detailed prior notice of the name of contractor, scope of personal information processing outsourced, purpose of outsourcing, process of outsourced processing, period of outsourcing, etc.
- ③ Method of notice and consent
As regards disclosure of personal information to a third party, the Foundation notifies members at least 7 days in advance in the “Notices” sections of the online homepages. Also, if necessary, it sends individual notices to members once or more by e-mail, etc., and must obtain “active consent” (directly indicating intent of sharing personal information).
- ④ Exceptions
  - Where requested by competent agencies under applicable laws for purposes such as crime investigation
  - Where disclosed to advertisers, partner companies, research organizations, etc. in formats that do not allow identification of specific individuals, for purposes such as statistical data analysis or academic or market research
  - Where otherwise requested according to the procedure of applicable laws

In any of the following cases, the Foundation will do its best to prevent indiscriminate disclosure of personal information against the original purpose of collection and use thereof.
5. Personal information-processing contractors
- ① The Foundation, for smooth conduct of duties, contracts or outsources personal information processing as follows.

| Contractor | Jobs being outsourced |
| --- | --- |
| Lotte Members Co., Ltd. | Manage and handle member information |
| Lotte Data Communication Co. | Build and maintain computer system |
| Culturedotcom Co., Ltd. | Build and maintain computer system |
| NICE (National Information & Credit Evaluation, Inc.) | I-PIN-, mobile phone-, and real name-based (date of birth-based) personal identification service |
| Interpark | Manage ticket reservation system, send text messages on completion of ticket reservation & payment |
| KCP | Provide credit card and virtual account services |
| KICC | Provide credit card and virtual account services |
| Logen (delivery company), Post Office, Lotte Global Logistics | Ship membership cards, information package and tickets |

- ② The Foundation, when entering into an outsourcing contract with a contractor, expressly sets forth, in the contract or other documents, matters such as prohibition of personal information processing other than for the purpose of outsourcing, technical/administrative protection measures, restriction on subcontracting, management/supervision of the contractor, and damages and other liabilities, and supervises whether the contractor securely processes personal information.
- ③ In cases of changes in the job outsourced or by the contractor, the Foundation will promptly disclose the same in this Personal Information Policy.
6. Rights and obligations of information-owners, and method of exercising the rights
- ① An information-owner may at any time exercise against the Foundation the following rights related to personal information protection.
  ᆞ Request viewing of his/her personal information
  ᆞ Request correction of errors, etc. in his/her personal information
  ᆞ Request deletion of his/her personal information
  ᆞ Request suspension of processing of his/her personal information
- ② The right under Paragraph 1 may be exercised against the Foundation on the websites, in writing, by phone, e-mail, facsimile, etc., in which case the Foundation will take prompt measures.
- ※ Department receiving and handling requests for viewing of personal information
  ᆞ Department: CS Strategy Team
  ᆞ Personnel: Kim Eun-jin (Assistant manager)
  ᆞ Contact: TEL 02-3213-3126, FAX 02-6234-3140, E-mail webmaster_lch@lotte.net
- ③ Where an information-owner requests correction or deletion of errors in his/her personal information, the Foundation will not use or disclose the personal information until correction or deletion thereof is completed.
- ④ The right under Paragraph 1 may be exercised through an information-owner’s legal representative or agent. In that case, the information-owner must submit a power of attorney under the Personal Information Protection Act Enforcement Rule (Form No. 11 attached thereto).
- ⑤ An information-owner may not infringe on another person’s personal information or privacy, in violation of applicable laws such as the Personal Information Protection Act.
7. Destruction of personal information
- ① The Foundation, where any personal information becomes unnecessary (e.g., the period of retention of personal information expiring, or the purpose of processing the personal information being achieved), promptly destroys such personal information.
- ② The Foundation, where the period of keeping personal information consented by the information-owner has expired or the purpose of processing the same has been achieved but the Foundation is still required to keep the same by other laws, moves the personal information to a different database or changes location of keeping or storing the same.
- ③ The process and method of personal information destruction are as follows.
▶ Process
The Foundation selects such personal information as is required to be destroyed, and destroys the same with approval of its chief personal information officer.
▶ Method
Personal information recorded and stored in an electronic file format shall be deleted by a method that does not allow reproduction of the records, and personal information recorded and stored on paper shall be shredded by a shredder.
8. Measures to secure security of personal information
The Foundation, for security of personal information, takes the following measures.
- ① Technical measures
The Foundation, in its handling of personal information, takes the following technical measures for security so that personal information will not be lost, stolen, leaked, altered without authorization, or damaged.
A. Personal information is protected by passwords, and files and transmitted data are encrypted so that the general users and managers cannot have access thereto.
B. The Foundation uses vaccine programs to prevent damages by computer viruses. Vaccine programs are periodically updated in order to respond to computer viruses.
C. In preparation for external intrusion such as hacking, each server is equipped with security measures such as anti-intrusion system and weakness analysis system.
- ② Administrative measures
A. The Foundation limits, to a minimum, the number of personnel with access to personal information. The personnel with such access are as follows.
  - Person who conducts marketing directly towards members
  - Person who conducts personal information management (e.g., chief personal information officer and personal information manager)
  - Any other person who cannot avoid handling personal information in his/her job
B. The Foundation, for its personal information-handling employees, conducts periodic internal and external education/training on new security technologies and personal information protection obligations.
C. The Foundation prevents man-made information leaking (or information leaking by people), by requiring every employee to submit a pledge of security at the time of being employed, and has in place an internal process to audit employees’ implementation of and compliance with this Personal Information Policy.
D. The Foundation maintains strict security in transfer of duties between personal information-handling personnel, and has clarified responsibility for personal information accidents during and after the employment.
E. The Foundation has designated its computer room and data storages as special protection areas, and controls access thereto.
F. The Foundation is not responsible for things or events occurring through individual members’ mistakes or the Internet’s inherent risk. Individual members must properly manage, and be responsible for, their IDs (usernames), in order to protect their personal information.
G. Where personal information is otherwise lost, leaked, altered without authorization, or damaged due to employees’ mistakes or technical/administrative accidents, the Foundation will immediately notify the members, and make appropriate measures and compensation.
- ③ Exceptions
The Foundation values the members’ postings, and does its best to protect them so that they are not altered without authorization, damaged, or deleted, except in the following cases.
A. Spam (e.g., chain letter, “800 million Won” mail (some kind of Ponzi scheme), and advertising for specific websites)
B. Postings which spread falsities for the purpose of slandering another person, thus defaming such person
C. Disclosing another person’s identity (profiles) without consent thereof
D. Postings which infringe on others’ rights such as the company’s copyright and a third party’s copyright
E. Other postings in conflict with the purpose of the bulletin

The websites contain various banners and links and are linked to many other websites. This is a measure or action based on contracts with advertisers or disclosing the source of the provided contents. In cases where a member clicks the link and moves to another website, such website’s personal information policy is entirely unrelated to the Foundation. Thus, members are hereby advised to review the new website’s policy.
9. Installation and running of automatic personal information-collecting devices, and refusal thereof
The Foundation uses ‘cookies’ which can temporarily store and retrieve member information. Cookies refer to data which the Foundation’s server transmits to a member’s web browser, and do not affect other parts of the personal computers at all. When a member accesses the websites, the Foundation’s server computer reads the content of cookies in the member’s web browser, so that the member can receive service without making further entries. Also, cookies can be used for analysis of access frequency or visit hours, identification of areas of interest, etc. Members can choose whether or not to use cookies. By setting options in the web browser, they may either allow all cookies, or require confirmation whenever a cookie is stored, or refuse all cookies.
10. Chief personal information officer
- ① The Foundation, to oversee personal information processing and handle information-owners’ personal information-related complaints, has designated the chief personal information officer as follows.
▶ Chief personal information officer
  ᆞ Name: Yu Hyeong-seon
  ᆞ Department: CS Strategy Team
  ᆞ Position: Team head
▶ Personal information manager
  ᆞ Name: Kim Eun-jin
  ᆞ Department: CS Strategy Team
  ᆞ Position: Assistant manager
- ② Information-owners may contact the chief personal information officer and the relevant department regarding all personal information protection-related inquiries, complaints, and damages occurring from use of the Foundation’s services (or business). The Foundation will promptly respond to and handle the information-owners’ inquiries.
11. Remedy for infringement
Information-owners can inquire of the following institutions regarding damages remedy and counseling on personal information infringement.
- ▶ Personal Information Violation Reporting Center (of the Korea Internet & Security Agency (KISA))
  ᆞ Duties: Receive reports, and counsel, on personal information infringement
  ᆞ Website: privacy.kisa.or.kr
  ᆞ Phone: 118 (No prefix)
  ᆞ Address: Korea Internet & Security Agency, 135 Jungdae-ro, Songpa-gu, Seoul (138-950)
- ▶ Personal Information Dispute Mediation Committee (of the Korea Internet & Security Agency (KISA))
  ᆞ Duties: Mediation of personal information disputes, mediation of class (group) disputes (civil resolution)
  ᆞ Website: privacy.kisa.or.kr
  ᆞ Phone: 118 (No prefix)
  ᆞ Address: Korea Internet & Security Agency, 135 Jungdae-ro, Songpa-gu, Seoul (138-950)
- ▶ Forensic Science Investigation Department Supreme Prosecutor’s Office: 1301 (spo.go.kr)
- ▶ Cyber Safety Bureau, National Police Agency: 182 (cyberbureau.policy.go.kr)
12. Changes in the Personal Information Policy
This Personal Information Policy shall become effective on October 25, 2019, and for easy comparison, the changes are being notified in the “Notices” sections of the websites.
- ▶ Enacted: October 25, 2019
▶ December 07, 2017 Comparison