PRIVACY POLICY

Effective as of 27.02, 2015 Read Agreement Before

GENERAL PROVISIONS

The Company gives priority to protection of personal information and it is always doing its utmost to protect personal information of members. The Company observes the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. and other rules and regulations related to protection of personal information and “Policy on Protection of Personal Information.”

Personal Data Protection Policy allows the Company to inform members of the purpose and method of using their personal information and the measures for protection of the personal information.

This personal data protection policy will be posted on the Service provided by the Company so that the customers can refer to it anytime.

The Company's Personal Data Protection Policy includes the following contents:

A. Items of personal information to be collected and methods of collection
B. The purpose of using personal information
C. Customers' consent on collecting personal information
D. Customers' consent on providing or sharing personal information with a third party
E. Consignment of the handling of personal information
F. The period of retention and the procedures and method of destruction of personal information
G. The right of user and his or her legal representative and the method of exercising such right
H. Collection of personal information by cookie
I. Personal data protection for children under 14 years of age
J. Technical and managerial measures for protection of personal information
K. Person in charge of protection of personal information
L. Counsel and report of infringement of the personal information
M. Obligation to notify any change in policy

A. Items of personal information to be collected and methods of collection

The Company collects and utilizes the minimum amount of personal information of the member required for the purpose of authentication of user, payment of services, shipment and provision of the customized service to the member by utilizing the personal information as marketing materials for statistics and analysis.

1. Purpose of personal information collection

① Personal identification authentication: these are used in the process of authentication of users access to membership service
② To obtain communication channels through which the Company provides notifications, timely responses to customers' complaints and sends the Information about new services, new products, events, and information in regards to research for the Service development
③ For payment of paid service and products
④ To ship purchased products or giveaways
⑤ To confirm whether the member wishes to receive the email or SMS text message including the information on affiliated service, product/service marketing (including affiliates), sales promotion, appreciation events, events, and up-to-date information
⑥ For confirmation agreement from a legal representative and identification of the legal representative when collecting personal informations for users under 14 years old

2. Items of personal Information to be collected

table
Division	Items to be collected
Required items	CJ ONE user : Name, ID, password, E-mail address, mobile phone number, Birthday, sex, I-PIN or personal identification authentication
	E-mail user : Name, ID, password, E-mail address.
	Facebook user : ID for separate use, E-mail address, name, sex and profile photo
	Twitter user : ID for separate use, E-mail address, name and profile photo
Optional items	Nickname, profile photo, address, mobile phone number and E-mail address
Other information on transaction and personal	service using record, data access log, cookie, IP address, records of payment
preference collected during the process of members' using the service or Company's doing the business	suspension of membership and withdrawal from the membership
Mobile phone information while using the mobile service	Carrier information, mobile phone model name, hardware ID, version of OS(Android/iOS), Push token, mobile phone access date, session ID, mobile phone MAC address The mobile phone information is in a format that cannot be used for personal identification and the Company does not participate in any activities to identify individuals using the collected data

3. The method of collection

① The personal Information collected through homepage, written document, telephone, Q&A bulletin board, registration for giveaway event, shipping request and etc.
② The personal information is provided by the Company's affiliated partners
③ The personal information is collected through a program that analyzes the log
④ The personal information is collected through cookie

B. The purpose of using personal information

The Company utilizes the personal information collected for the following purposes.

1. For the performance of service contract and calculation of payment of the service

For provision of contents, shipment of giveaways, user authentication in financial transactions, purchase of a paid product and payment of fees

2. Members management

For user authentication of membership service, personal identification prevention of illicit use or unauthorized use by fraudulent member, confirmation of a member's intent to join, enrollment or limitation of the number of enrollment, consent from a legal representative (parent) to collect personal information of children under 15 years of age, further personal verification of a legal representative, maintenance of records for conflict resolution customer service including recourse and redress, and sending notification

3. For marketing and advertisement purpose

Providing services and advertisements based on demographic characteristics. Identifying access frequency and statistics of users using the service. To provide customized advertisements and information based on users characteristic. To provide events and extracte targer users when new service is launced.

C. Customers’ consent on collecting personal information

The Company collects the minimum amount of personal information required for the execution and performance of service use agreements by using legal and fair methods. When the Company collects a user’s identification information, it must receive the user’s prior consent according to the following legal procedures. As to the collection of the personal information, the Company gives notification to the users through the Personal Information Protection Policy of the Company or the Personal Information Handling Policy. When the member clicks on the “agree” button, it is deemed as the member’s consent to the collection of personal information. The Company studies the distribution of members and their interests and patterns of behavior based on server log files of the Company or its own research. The purpose is to learn more about its members and provide high-quality service to members. The information from these studies is thoroughly collected and analyzed, but does not contain the information, which can recognize the identification of individual member.

D. Customer consents to disclosure of the following customer’ personal information to third parties authorized by Company

The Company shall not utilize the personal information or provide it to a third party, other companies, or organizations beyond the purpose stipulated in the policy, except for cases where the member’s consent is already obtained or the disclosure of personal information is inevitable for the purpose of taking legal measures due to their violation of the Company’s policy and management regulations, or responding to a request from the relevant governmental institutions. If the Company wishes to provide (or share) additional personal information beyond the designated purpose of the Personal Information Protection Policy, it shall give a notification to the member by means of the User Policy, the Personal Information Protection Policy, electronic mails or a written document about to whom or to which business the information is provided to, the items of personal information to be provided, the purpose of provision of personal information and receive the prior consent from the member.

However, personal information can be provided without the member’s consent according to relevant provisions in the laws in the following cases :

1. Where it is necessary for charge of payment for the Services
2. Where it is necessary for statistics, academic studies or market research, but the information shall be the
3. Where it is allowed by special provisions in Law of Real Name Financial Transaction, the Use and Protection of Credit Information Act, Telecommunications Basic Act, Telecommunications Business Act, Local Taxes Law, Customers Basic Act, Law of Bank of Korea or the Criminal Procedure Code.

The Company shall provide personal information provided by the Members to the service management CGV Corporation to provide “CJ ONE” integrated Membership Services.
The personal information provided shall be persevered for a period of thirty (30) days after termination of the Services (including the Service cancellation request) unless additional consent has been made.

table
The third party	The purpose of usage	Provided personal information	The period of retention and usage
CJ CGV	-Website log-in - Earn and redeem CJ ONE points -Additional CJ ONE membership services	Name, ID, password, address, phone number (including cellular) email address, birthdate, I-Pin, and other authentication information from identification institutions	Available for 30 days after cancelling CJ ONE membership
Payletter	Payment processing for the purchase of a paid product	ID, item information, purchase order number, biller, payment amount, cell phone number, carrier	Follows “F. The period of retention and the procedures and method of destruction of personal information”
CJ OliveNetworks	Payment processing for the purchase of a paid product	ID, buyer’s name, item information, transaction number, card number, expiration date, first 2 digits of password number, cell phone number, carrier, telephone number, account number, bank code, pin number of arts gift card, pin number of books gift card	Follows “F. The period of retention and the procedures and method of destruction of personal information
KB Kookmin Card BC Card Samsung Card Shinhan Card KEB Card Hana Card Lotte Card Citi Card Shinsegae Card CH Card Kwang Ju Card Hyundai Card JB Card Nonghyup Card SH Card Jeju Card CU Card Woori Card	Paid item purchase (credit card payment)	ID, transaction number, transaction date, fee amount, buyer’s name, card number, expiration date, first 2 digits of password number	Follows “F. The period of retention and the procedures and method of destruction of personal information
Mobilians	Paid item purchase (payment using cell phone / telephone / arts gift card / books gift card)	- Common: ID, buyer’s name, transaction number, transaction date, fee amount - cell phone payment: transaction number, cell phone number, carrier - telephone payment: transaction number, telephone number arts gift card payment: arts gift card pin number bookstore gift card payment: books gift card pin number	Follows “F. The period of retention and the procedures and method of destruction of personal information
LG U+	Paid item purchase (online transfer payment)	Transaction number, account number, bank code (If a customer makes a purchase: customer’s name and information regarding the purchased item are additionally disclosed)	Follows “F. The period of retention and the procedures and method of destruction of personal information
Galaxia	Paid item purchase (cell phone payment)	Cell phone number, payment amount, transaction item, ID, name, carrier, purchase order number	Follows “F. The period of retention and the procedures and method of destruction of personal information
Danal	Paid item purchase (cell phone payment)	Cell phone number, payment amount, payment item, SMS number of authorization, buyer’s company purchase order number, payer name, unique price of transaction., ID	Follows “F. The period of retention and the procedures and method of destruction of personal information
SK Planet	Payment processing for the purchase of a paid product	item information, purchase order number, card number, expiration date, first 2 digits of password number, cell phone number, carrier, telephone number	Follows “F. The period of retention and the procedures and method of destruction of personal information”
CJ Hello Vision	Catch On VOD Package TV membership confirmation	Member name, phone number	Immediate deletion following confirmation of TV membership
Hyundai HCN	Catch On VOD Package TV membership confirmation	Member name, birthdate	Immediate deletion following confirmation of TV membership
C&M	Catch On VOD Package TV membership confirmation	Member name, birthdate	Immediate deletion following confirmation of TV membership
t-broad	Catch On VOD Package TV membership confirmation	Member name, birthdate, phone number	Immediate deletion following confirmation of TV membership
LG U+	Catch On VOD Package TV membership confirmation	Member number	Immediate deletion following confirmation of TV membership
Seokyung Cable Television	Catch On VOD Package TV membership confirmation	Member name, birthdate	Immediate deletion following confirmation of TV membership
CMB	Catch On VOD Package TV membership confirmation	Member name, birthdate, phone number	Immediate deletion following confirmation of TV membership
KCN	Catch On VOD Package TV membership confirmation	Member name, birthdate	Immediate deletion following confirmation of TV membership
NIB	Catch On VOD Package TV membership confirmation	Member name, birthdate	Immediate deletion following confirmation of TV membership
ABN	Catch On VOD Package TV membership confirmation	Member name, birthdate, phone number	Immediate deletion following confirmation of TV membership
Joyful Communication Network	Catch On VOD Package TV membership confirmation	Member name, birthdate, phone number	Immediate deletion following confirmation of TV membership
Green Cable Television Station	Catch On VOD Package TV membership confirmation	Member name, birthdate	Immediate deletion following confirmation of TV membership
infobank	- Text voting service provision in connection with Mnet.com data - Operation of SMS, MMS transmission system related to event promotion	Cellular phone number	Complies with “F. The period of retention and the procedures and method of destruction of personal information”.

E. Management of Personal Information Consignment

The Company consigns the handling of personal information necessary for payment and customer service to external company (“consignee”) for the Service as described below.


Consignment Alliance	Consignment Task	Consignment Areas	Shared Information
CJ Telenix	Customer guidance and CS customer service systems operation	Customer service center operation	Membership information, payment information
T&C International	Shipping agency services	Delivery of goods for the event	Name, telephone number, address
CJ OliveNetworks	Customer information, promotion, Event-related services	text message delivery system	ID, mobile phone number
LG U+	Customer Information, Promotion, Event related service	SMS, MMS transmission system facility management	ID, cellphone number
LG Household & Health Care Ltd.	Customer service, Shipping agency service	Customer service center operation and product shipping	Name, phone number, address
GLOSSYBOX KOREA	Customer service, Shipping agency service	Customer service center operation and product shipping	Name, phone number, address
NICE Information Service Co., Ltd.	Personal identification service via mobile	Identification process	Name, sex, date of birth(Y-M-D), nationality, cellular phone number, service carrier

F. The period of retention and the procedures and method of destruction of personal information

When personal information becomes obsolete due to the achievement of the purpose of collecting and handling personal information, the Company shall immediately destroy such information

1. The list of information to be destroyed

1. Information provided when signing up for membership: It should be destroyed when the member withdraws from his or her membership or whose membership is revoked
2. If information other than the membership information, such as bank account information, was collected for the purpose of payment of refund it should be destroyed after the payment or refund
3. If different delivery address was collected other than the address provided in signing up for membership for the purpose of survey or events, it should be destroyed after the purpose is achieved

2. However, the personal information of a member can be retained even after the purpose was achieved in exceptional cases required by the Commercial Law or other laws

A. Where retention is inevitable due to the provisions in Commercial Law, Protection of Users of Digital Contents and other relevant laws.
- - Information in regards to consenting or withdrawing the contract: 5 years
- - Information in regards to payment settlements and supply of goods: 5 years
- - Information in regards to handling of customers’ complaints and disputes: 3 years
B. Where the Company already notified the member of the period of retention through proper procedures
C. Where the Company received consent from an individual member

3. The method of destruction

A. Personal information printed in document: It shall be destroyed by shredder
B. Personal information saved as electronic file: It shall be destroyed with technical method which disables the recovery or reproduction of such personal information

G. The right of user and his or her legal representative and the method of exercising such right

1. Accessing the account information and the method of modification of information Members

If members request correction of error in the account information, the Company will not use or provide the personal information to others before such information is modified. In case where the Company already provided the personal information with error to a third party, it will immediately notify the third party of the modified information. However, if there is reasonable ground to refuse a member's access or request for correction of part or all of the personal information, the Company may immediately notify members of such refusal and provide its basis for such refusal.

In the following exceptional cases, however, the Company may refuse members to access or modify the personal information without notice.

1. Where there is a risk of remarkable harm to the Member him or herself or to the third party’s life, body, property or right.
2. Where there is a chance of remarkable interruption to the service provider’s business
3. Where there is a violation of laws and regulations

2. Retraction of members’ consent and the method of withdrawal from membership

Members may anytime retract their consent to the collection, use, and provision of personal information that they provided at the time of signing up membership. Retraction of consent and withdrawal from membership at one of the Company’s websites applies to all of the Company’s websites. When members wish to retract their consent (or withdraw from membership), they can click on the “withdrawal from membership” option on the company's website and directly apply for withdrawal. Or, they may contact the person in charge of managing personal information by phone or electronic mail, and then the Company shall immediately commerce with necessary measures.

H. Collection of personal information by cookie

The Company manages “cookie” which frequently saves and finds personal information of members.
Cookie is a small text file sent by the server used to run the website or mobile services of the Company to the browser of members and it is saved in the hard disk of members’ devices (PC Smartphone, tablet PC, etc).
Cookie may contain the information of websites that members visited and members’ personal information. Members have the right to choose the installation of cookie. By setting the options on web browsers, members may enable cookies completely request it to ask the consent whenever cookies save data or disable cookies completely so that they are always blocked.

However, if members disabled cookies completely, they might experience some difficulty in fully utilizing the Services.

1. Allowing installation of cookie (Internet Explorer)

a. Click “Internet Options” under “Tools” menu
b. Click “Privacy Tab”
c. Set “Personal Information Protection Level”

2. Viewing cookies (Internet Explorer)

a. Click “Tools” menu in task bar
b. Click “Internet Options”
c. Click “Settings” in general tab
d. Select “View Files”

3. The purpose of using cookie

The personal information gathered through cookie is used in providing customized information tailored to the members’ interest areas, target marketing by analyzing customers’ preferences and interest areas through frequency of access and length of use by Members and non-Members, Ticketing advertisement, and customized service through customers’ habits in utilizing the Service, improving the Service tailored to customers’ preferences and posting on bulletin board.

I. Personal data protection for children under 14 years of age

Children under 14 years of age (so called ‘minor’) shall need consent from a legal representative (parent) to apply for membership. The consent may be made by authorization number through a cell phone or an email from the legal representative (parent). Otherwise, a download able form signed by the legal representative (parent) may be mailed or faxed to the customer center.
Company may collect minimum personal information of a legal representative (parent) such as their name and contact information from the minor. The legal representative (parent) may view, correct, and delete the personal information of the minor. For these actions, make a to the legal representative (parent) may click "correction of member information" by himself or herself or request the person in charge of personal information correction, by telephone or email.
Company shall not give or share information of minor with a third party and in the event that a correction is requested by a legal representative (parent), The Company shall not use or supply the information until the correction is made. Minor membership application shall be followed by an authorization by a legal representative (parent) within 10 days. Otherwise, the Information of a minor and a legal representative (parent) shall be deleted immediately consistent with the other terms of this policy.

J. Technical and managerial measures for protection of personal information

The Company implements technical and managerial measures for protection of personal information. It also provides its employees with education about personal information protection and does its utmost to prevent the loss from leakage of personal information by limiting the minimum number of employees who can access to the personal information

1. Technical measures

In managing the personal information, the Company takes the following technical measures to prevent loss, theft, leakage, falsification, or destruction of personal information and to secure the safety of Its member's personal Information :

1. Customers’ personal information is being controlled by the internal network, which cannot be accessed or invaded by the external network
2. The important data is strictly protected through individual security functions such as encrypting a file or data or using a lock function
3. The Company uses vaccine programs to protect its system from computer virus. Vaccine programs are updated periodically. If a sudden viruses appears, the Company immediately installs a new vaccine program in order to prevent invasion of personal information
4. The Company adopts a security system that allows personal information to be safely transmitted on the network through a cryptographic algorithm
5. The Company first encrypts the important personal information of members such as passwords and stores them
6. The Company is strengthening its security by installing access-control systems in each server

2. Managerial measures

A. To securely protect personal information, the Company operates under the authorization of its information protection management system and other authorizations provided by external specialized agencies for its major system and facilities
B. The Company prepares the necessary procedures for its employees’ access to personal information and management of personal information so that its employees can fully understand and conform to those procedures
C. The company limits the minimum number of employees who can deal with personal information of customers. Those who can deal with customers’ personal information are limited to the lists below
- - Those who directly or indirectly deal with the customers and perform marketing tasks
- - Those who are in charge of personal information management tasks (i.e. Personal Information Management Officer or Personal Information Protection Officer)
- - Those who inevitably have to deal with personal information due to other tasks
D. When the Company handles customers’ personal information through the computer, it designates a person who is authorized to access to personal information, assigns identifiable signal (IDs) and passwords, and periodically renews passwords
E. For employees who deal with personal information, the Company provides regular internal education programs and external commissioned educations on new security technology and their obligations to protect personal information
F. When the Company hires new employees, it obligates them to sign an Information Protection Pledge or Personal Information Protection Pledge in order to prevent potential leakage of information by the new employees. It also prepares internal procedures to check implementation of Personal Information Protection Policy and supervises whether the employees comply with the Policy
G. When employees leave the Company the Company obligates them to sign a Secrecy Declaration to prevent them from destroying invading or disclosing customers’ personal information they learned from their work at the Company
H. Duties and responsibilities of a person who dealt with personal information are transferred to a new person under strictly secured conditions. The Company clearly stipulates the employees’ responsibility for any disclosure of personal information after joining the Company and leaving the Company
I. Date processing room and data storage room are designated as specially protected areas and the Company implements access management procedures such as the control of access to such areas
J. If the Company collects or provides payment information such as customers’ credit card numbers or bank account numbers to customers in order to enter into the Service Contract with customers or offer the service to them, it takes necessary measures to authenticate the customers’ identities by checking their IDs, passwords, or requiring electronic signatures

K. Person in charge of protection of personal information

In order to protect members’ personal information and handle their complaints related to the Company’s use of personal information, the Company designates the relevant department and Personal Information Management Officer as below. If you have any complaints in regards to personal information while using the service, please report it to the Personal Information Management Officer or Personal Information Protection Officer and we will get back to you right away.

Personal Information Management Officer

Name: Dong-Hun, Lee of Digital Media headquarter
Telephone number: 1566-2226

Personal Information Protection Officer

Music: Digital) Music Service Team Ju-Hwan, Cho
Broadcast: Broadcast) Digital Media Business Team In-Beom, Seo
Telephone number: 1566-2226

L. Advise and reporting in regards to invasion of personal information

Contact the person in charge of personal information by means of telephone or electronic mails to discuss or report any invasion of personal information, or report it to the invasion of personal information complaint center of the Korea Internet and Security Agency (KISA), which is the affiliate public organization of the Ministry of Information and Communication

Invasion of Personal Information Complaint Center

Telephone : (no area code)118
Website : http://www.118.or.kr

ePRIVACY Mark Certification Commission

Telephone : 02-580-0533~4
Website : http://www.eprivacy.or.kr

Supreme Prosecutors’ Office High-Tech and Financial Crimes Investigation Division

Telephone : 02-3480-2000
Website : http://www.spo.go.kr

National Police Agency Cyber Terror Response Center

Telephone : 02-392-0330
Website : http://www.ctrc.go.kr

M. Pursuant to Company’s Obligation to Notify Change in Policy Changed

This Personal Information Protection Policy may be frequently modified by amendment of relevant laws and government policy and the Company’s internal policy. In cases where the Personal Information Protection Policy of the Company is amended, the Company notifies customers of the amended policy at the website operated by the Company for at least 10 days or by other methods. If you have any questions in regards to an amendment of the policy, you may ask the personal Information Management Officer or Personal Information Protection Officer or the customer service at the Company’s website.

① Notification date of current privacy statement changes: February 16, 2015
② Enforcement date of current privacy statement:: February 27, 2015