Privacy Policy

This English version of the PLAYBOARD Privacy Policy is a machine translation based on the original Korean version of the PLAYBOARD Privacy Policy. If there is any conflict between these two versions, the original Korean version of the PLAYBOARD Privacy Policy shall prevail. The relationship between you and PLAYBOARD in relation to the PLAYBOARD Terms of Service or PLAYBOARD Services shall be governed by the laws of the Republic of Korea, and any dispute between you and PLAYBOARD arising out of or in connection with the PLAYBOARD Privacy Policy or PLAYBOARD Services shall be resolved in accordance with the procedures set out in the Civil Procedure Act of the Republic of Korea.
DIFF.Inc. (hereinafter referred to as the 'Company') establishes and publishes the following personal information handling policy to protect the personal information of information subjects in accordance with Article 30 of the 「Personal Information Protection Act」 and to promptly and smoothly handle related grievances. This Privacy Policy is effective from July 25, 2022.

1. Purpose

DIFF.co.'s personal information protection management regulations (hereinafter referred to as 'this regulation') are established in accordance with Article 29 of the 「Personal Information Protection Act」, Article 30 of the Enforcement Decree of the Act, and the 'Standards for measures to ensure the safety of personal information' (notified by the Ministry of Public Administration and Security). Their purpose is to determine the technical, administrative and physical safety measures necessary in processing personal information so that personal information is not lost, stolen, leaked, forged, altered or damaged.

2. Definitions

The meanings of terms used in this regulation are as follows.
  • 'Personal information' refers to information about a living individual that can identify the individual through name, resident registration number, video, and the like (including information that can be easily combined with other information to identify a specific individual even if the information alone cannot identify a specific individual).
  • 'Processing' means the collection, creation, linkage, interlocking, recording, storage, retention, processing, editing, search, output, correction, recovery, use, provision, disclosure, and destruction of personal information, and other similar actions.
  • The term 'information subject' refers to a person who can be identified by the processed information and is the subject of the information.
  • 'Personal information file' refers to a collection of personal information that is systematically arranged or composed according to certain rules so that personal information can be easily retrieved.
  • 'Personal information controller' refers to public institutions, corporations, organizations and individuals who process personal information by themselves or through other people to operate personal information files for business purposes.
  • The term 'person in charge of personal information protection' refers to a person who is in general responsible for the personal information processing of the personal information controller and falls under Article 32 (2) of the Enforcement Decree of the Personal Information Protection Act.
  • 'Person in charge of personal information protection' refers to the person in charge of handling and managing the personal information of the personal information controller.
  • 'Person in charge of personal information protection by field' refers to a person who is in general responsible for the personal information processing of the personal information manager, limited to the unit (field) classified by the 'company'.
  • 'Person in charge of personal information protection by field' refers to the person in charge of handling and managing personal information limited to the unit (field) classified by the 'company' among the personal information processing tasks of the personal information controller.
  • 'Personal information handler' refers to a person in charge of processing personal information under the direction and supervision of the personal information controller, including executives and employees, dispatched workers, and part-time workers.
  • The term 'personal information processing system' refers to a system that is systematically configured to process personal information, such as a database system.
  • 'Password' is a unique character string that must be entered together with an identifier when the information subject or personal information handler accesses the personal information processing system, business computer, or information communication network, etc., and is information that is not disclosed to others.
  • The term 'information and communications network' means an information and communication system that collects, processes, stores, searches, transmits or receives information by using telecommunications equipment pursuant to Article 2, Item 2 of the Framework Act on Telecommunications, or by using telecommunications equipment together with computers and computer technology.
  • An 'open wireless network' refers to a network in which an unspecified number of people can use the Internet through a wireless access device (AP).
  • A 'mobile device' refers to a portable device used for personal information processing, such as, but not limited to, a PDA, smartphone, tablet PC, etc. that can use a wireless network.
  • 'Bio information' refers to information about physical or behavioral characteristics that can identify an individual, such as fingerprint, face, iris, vein, voice, and handwriting, and includes information processed or generated therefrom.
  • 'Secondary storage medium' means a storage medium that can store data, such as (but not limited to) a removable hard disk, USB memory, CD (Compact Disk), or DVD (Digital Versatile Disk), and that can be easily connected to and removed from a personal information processing system or personal computer.
  • 'Internal network' refers to a section in which access in the Internet section is controlled or blocked by physical network separation or access control system.
  • 'Access record' refers to an electronic record of the personal information handler's account, access date and time, access location information, processed information subject information, and tasks performed by the personal information handler, etc., in connection with the personal information processing system. In this case, 'connection' refers to a state in which data transmission or reception is possible by being connected to the personal information processing system.
  • 'Management terminal' refers to a terminal that directly accesses the personal information processing system for the purpose of management, operation, development, security, etc. of the personal information processing system.
  • 'User' means a person who uses information and communication services provided by the company.
  • 'Authentication information' refers to information used to verify the identity of an identifier requested by a personal information processing system or information and communications network management system.

3. Scope of Application

This personal information management regulation applies to the trustee who handles personal information by the company or is entrusted with the company's personal information processing business.

4. Establishment and approval of personal information protection management regulations

  • The person in charge of personal information protection shall establish this regulation through the internal decision-making process so that the company can comply with laws and regulations related to personal information protection.
  • If there is an important change in each matter in this regulation, the person in charge of personal information protection shall immediately reflect and correct it.
  • If the person in charge of personal information protection establishes or modifies this regulation in accordance with paragraphs 1 and 2 of this Article, he/she shall obtain approval from the CEO through internal approval procedures, etc., and shall keep and manage the history.
  • The company may prepare and implement various guidelines for detailed implementation of this regulation, and in this case, paragraph 3 of this article shall also be followed.
  • The person in charge of personal information protection checks and manages the implementation of this regulation at least once a year and takes appropriate measures according to the result.

5. Publication of internal management plan

  • The person in charge of personal information protection shall notify all executives and employees and related persons of this regulation approved in accordance with Article 4 (3) so that they comply with it.
  • These regulations are disclosed in a way that executives and employees can read at any time, and any changes are notified.

6. Designation of the person in charge of personal information protection

In accordance with Article 31 of the 「Personal Information Protection Act」 and Article 32 of the Enforcement Decree of the Act, the company appoints the representative director as the person in charge of personal information protection, who is responsible for the handling of personal information.

7. Role and Responsibilities of Personal Information Protection Officer

  • The person in charge of personal information protection performs the following tasks.
    • Establishment and implementation of a personal information protection plan
    • Regular investigation and improvement of personal information processing status and practices
    • Handling of complaints related to the processing of personal information and remedy for damage
    • Establishment of an internal control system to prevent personal information leakage and misuse/abuse
    • Establishment and implementation of a privacy education plan
    • Protection and management of personal information files
    • Establishment, change and enforcement of personal information processing policy in accordance with Article 30 of the 「Personal Information Protection Act」
    • Management of personal information protection related materials
    • Destruction of personal information when the purpose of processing has been achieved or the retention period has expired
    • General response in case of personal information infringement or leakage incidents
  • The person in charge of personal information protection may, if necessary, frequently investigate the current status of personal information processing, processing system, etc. or receive a report from the relevant parties in carrying out the duties of paragraph 1.
  • When the person in charge of personal information protection becomes aware of a violation of this Act and other related laws in relation to personal information protection, he/she shall take immediate corrective action.
  • The person in charge of personal information protection by field is limited to the unit (field) classified by the 'company', and the roles and responsibilities of the person in charge of personal information protection specified in this article are the same.

8. Role and Responsibilities of Personal Information Protection Officer

  • The person in charge of personal information protection may act on behalf of the role and responsibilities of the person in charge of personal information protection specified in Article 7.
  • The person in charge of personal information protection by field is limited to the unit (field) classified by the 'company', and the roles and responsibilities of the person in charge of personal information protection specified in this article are the same.

9. Role and Responsibilities of Personal Information Handler

  • A personal information handler is a person who handles the following tasks under the direction and supervision of the company, and refers to executives and employees, contract workers, dispatched workers, part-time workers, and companies entrusted with personal information processing by contract (including employees of the company).
    • Personal data processing
    • Personal information protection-related tasks entrusted by the person in charge of personal information protection
    • Application for registration of personal information (file) to the person in charge of personal information protection
    • Destruction of personal information (file)
    • When personal information (file) is destroyed, ask the person in charge of personal information protection to delete the registration of personal information (file)
    • Participation in personal information protection activities
    • Compliance with and implementation of this regulation
    • Implementation of standards for technical and administrative protection of personal information
  • In handling personal information, the personal information handler must comply with this regulation and related laws and regulations on personal information protection so that personal information can be safely managed.
  • The personal information handler shall check for any illegal or unreasonable infringement of personal information by its employees or third parties. When a new employee or transferee occurs within the department, the department head must educate and guide the security regulations in consideration of the nature of the job.

10. Education of the person in charge of personal information protection and the person in charge

The company conducts education related to personal information protection at least once a year for the person in charge of personal information protection.

11. Education of personal information protection handlers

  • The person in charge of personal information protection establishes and implements a personal information protection education plan necessary for personal information handlers by determining the following matters in order to ensure the proper handling of personal information.
    • Educational purpose and audience
    • Training content
    • Training schedule and methods
  • The person in charge of personal information protection records and keeps the results of the personal information protection education in accordance with Chapter 4 (certificate of completion, attendance certificate, etc.) or related data to prove it.

12. Management of access rights

  • The company grants the access right to the personal information processing system to the minimum range necessary for business performance, depending on the person in charge of the business.
  • The company will change or cancel the access right of the personal information processing system without delay if the personal information handler is changed due to a personnel change such as a transfer or retirement.
  • The company records the details of granting, changing, or canceling the authority under paragraphs 1 and 2 of this Article, and keeps the record for at least 5 years.
  • When the company issues a user account that can access the personal information processing system, it must issue a user account for each personal information handler, and prevent it from being shared with other personal information handlers.
  • The company shall apply the following matters so that the personal information handler or information subject can set and implement a secure password on the personal information processing system and internet homepage.
    • Composed of at least 10 characters by combining two or more of uppercase and lowercase letters, numbers, and special characters, or at least 8 characters by combining three or more
    • Avoid easy-to-guess personal information such as consecutive numbers, birthdays, phone numbers, and passwords similar to IDs
    • Change the password at least once a quarter by setting an expiration date on the password
  • The company shall take necessary technical measures, such as restricting access to the personal information processing system, if the account information or password is entered incorrectly more than a certain number of times so that only authorized personal information handlers can access the personal information processing system.

13. Access Control

  • The company takes measures including the following functions to prevent unauthorized internal and external illegal access and intrusion accidents through information and communications networks.
    • Restricting unauthorized access by restricting access rights to the personal information processing system to IP (Internet Protocol) addresses, etc.
    • Detect and respond to illegal attempts to leak personal information by analyzing the IP address connected to the personal information processing system
  • When the personal information handler wants to access the personal information processing system from the outside through the information and communications network, the company applies a secure connection means such as a virtual private network (VPN) or a dedicated line, or applies a secure authentication method.
  • The company shall take measures such as access control on personal information processing systems, business computers, mobile devices, and management terminals so that the personal information being handled is not disclosed or leaked to persons who do not have the right to read it through the Internet homepage, P2P, sharing settings, or the use of open wireless networks.
  • The company checks vulnerabilities at least once a year and takes necessary supplementary measures to prevent leakage, alteration, or damage of unique identification information through the Internet homepage that processes unique identification information.
  • In order to prevent illegal access to the personal information processing system and infringement accidents, the company automatically blocks access to the system when the personal information handler does not process for a certain period of time.
  • If the company does not use a separate personal information processing system and uses a business computer or mobile device to process personal information, Paragraph 1 may not apply, and in this case, the access control function provided by the operating system (OS) of the business computer or mobile device, or by security programs, etc., may be used.
  • The company takes protective measures such as setting a password on the mobile device for business purposes so that personal information is not leaked due to loss or theft of the mobile device for business use.

14. Encryption of personal information

  • The company shall encrypt the unique identification information, password, and bio-information when transmitting it through the information and communication network or through an auxiliary storage medium.
  • When the company transmits/receives user's personal information and authentication information through the information and communications network, it shall be encrypted through measures such as the establishment of a safe security server. The security server shall have one of the following functions.
    • A function that encrypts the transmitted information by installing an SSL (Secure Socket Layer) certificate on the web server and transmits/receives it
    • A function that encrypts the transmitted information by installing an encryption application on the web server and transmits/receives it
  • The company must encrypt and store passwords and bio-information. However, passwords are stored using one-way encryption (hash function) so that they cannot be decrypted.
  • When the company stores unique identification information in the Internet section and the intermediate point between the Internet section and the internal network (DMZ: Demilitarized Zone), it must be encrypted.
  • When a company stores unique identification information on its internal network, it must be encrypted.
  • When the company encrypts personal information in accordance with paragraphs 1 to 5 of this article, it is encrypted and stored with a secure encryption algorithm.
  • The company establishes and implements procedures for generating, using, storing, distributing and destroying secure encryption keys to safely store encrypted personal information.
  • The company must encrypt the user's personal information when storing it on a computer, mobile device, or auxiliary storage medium. In particular, when storing and managing unique identification information in a business computer or mobile device, it must be encrypted using commercial encryption software or a secure encryption algorithm before storage.

15. Storage and inspection of access records

  • The company keeps and manages records of personal information handlers accessing the personal information processing system for at least one year. However, in the case of a personal information processing system that processes personal information about 50,000 or more data subjects or processes unique identification information or sensitive information, it shall be stored and managed for at least two years.
    • Personal information handler identification information (account information such as ID)
    • Access date and time (date and time)
    • Access location information (accessor's terminal information or IP address)
    • Processed information subject information (name of information subject, ID, etc.)
    • Tasks performed (view, edit, delete, print, input, etc.)
  • The company shall check the access records of the personal information processing system at least once a month in order to respond to the loss, theft, leakage, forgery, alteration, or damage of personal information. In particular, when it is discovered that personal information has been downloaded, the reason must be checked as stipulated in this regulation.
  • The company shall safely store the access records of personal information handlers in a separate physical storage device to prevent forgery, falsification, theft, or loss, and perform regular backups.

16. Prevention of malicious programs, etc.

The company shall install and operate security programs such as vaccine software that can prevent and treat malicious programs, and shall comply with the following matters.
  • Use the automatic update function of the security program or update it at least once a day to keep it up to date
  • When an alert related to a malicious program is issued, or when there is a security update notice from the manufacturer of the application or operating system software in use, update accordingly
  • Countermeasures such as deletion of detected malicious programs, etc.

17. Safety Measures for Management Terminals

The company shall take the following safety measures for management terminals to prevent personal information infringement accidents such as leakage of personal information.
  • Measures to prevent unauthorized persons from accessing and arbitrarily operating the management terminal
  • Measures not to be used for any other purpose
  • Application of security measures to prevent infection by malicious programs

18. Organization and operation of personal information protection organization

  • The company shall organize and operate a personal information protection organization including the following matters for safe processing of personal information.
    • Designation of the person in charge of personal information protection
    • Designation of a person in charge to support the work of the person in charge of personal information protection under the direction and supervision of the person in charge of personal information protection
    • Designation of the personal information handling department that handles personal information
  • The establishment, change, and abolition of the personal information protection organization shall be determined with approval from the CEO.
  • The personal information handling department shall handle personal information in sufficient consultation and coordination with the personal information protection organization.
  • The personal information protection organization shall perform the duties in accordance with Article 7, and may perform other matters deemed necessary by the company to secure the safety of personal information.

19. Response to Personal Information Leakage Accidents

  • The company establishes and implements a personal information leakage incident response plan to minimize damage by promptly responding to personal information leakage incidents.
  • The personal information leakage incident response plan according to Paragraph 1 includes emergency measures, leak notification, inquiry and report procedures, customer complaints response measures, on-site congestion minimization measures, customer anxiety relief measures, victim relief measures, etc.
  • The company strives to minimize the inconvenience and economic burden of the data subject in carrying out damage recovery measures due to personal information leakage.

20. Risk analysis and response

  • The company conducts risk analysis to prevent personal information from being lost, stolen, leaked, forged, altered or damaged, and prepares countermeasures such as applying necessary security measures.
  • The risk analysis according to Paragraph 1 may be performed by using the personal information risk analysis criteria or by identifying and evaluating risk factors.

21. Management and supervision of trustees

  • When entrusting the processing of personal information, the company sets the following matters, educates the trustee, and supervises whether the trustee handles personal information safely.
    • For training and supervision
    • Training and Supervision Content
    • Training and supervision schedules and methods
  • The company keeps records of the results of training and supervising the trustee in accordance with paragraph 1, and takes necessary security measures when problems are found.
  • When the company entrusts the processing of personal information, it shall be based on the document containing the contents of each of the following subparagraphs.
    • Purpose and scope of entrusted work
    • Consignment period
    • Restrictions on re-entrustment
    • Matters concerning the prohibition of processing of personal information other than for the purpose of performing entrusted work
    • Matters concerning measures to ensure safety, such as restricting access to personal information
    • Matters related to supervision, such as inspection of the management status of personal information held in connection with consigned work
    • Matters concerning liability, such as compensation for damages, in case the trustee violates the obligation to be complied with
  • When entrusting the processing of personal information, the company discloses the details of the entrusted work and the trustee on the Internet website.

22. Physical Safety Measures

  • If the company has a separate physical storage place where personal information is stored, it shall establish and operate an access control procedure for it.
  • The company keeps documents containing personal information and auxiliary storage media in a safe place with a lock.
  • The company shall prepare security measures to control the import and export of auxiliary storage media containing personal information. However, this may not be applied when personal information is processed using a business computer or mobile device without operating a separate personal information processing system.

23. Disaster and Disaster Preparedness Safety Measures

  • The company prepares and regularly checks response procedures such as a crisis response manual to protect the personal information processing system in case of disasters such as fire, flood, power outage, etc.
  • The company prepares a plan for the backup and recovery of the personal information processing system in the event of a disaster or disaster.

24. Destruction of personal information

  • When the company destroys personal information, it takes one of the following actions.
    • Complete destruction (incineration, crushing, etc.)
    • Deletion using dedicated device equipment
    • Perform a wipe or overwrite to prevent data from being restored
  • When the company destroys only a part of personal information, if it is difficult to destroy it by the method of paragraph 1, it shall take the following measures.
    • Electronic files: Manage and supervise so that personal information is not recovered and reproduced after deletion
    • Records, printed materials, writings, and other recording media other than subparagraph 1: Deleted by masking the relevant part, perforation, etc.
  • Each personal information handler frequently checks whether personal information managed by the personal information processing system and electronic devices used for business purposes has become subject to destruction because it is no longer necessary, such as upon expiration of the retention period or achievement of the purpose of processing personal information. The handler destroys it after confirmation and reports the results to the team leader or department head regularly once a month.
  • Each team leader or department head who has received a report pursuant to Paragraph 3 checks the details of destruction, collects them and reports them to the person in charge of personal information protection.

25. Designation of the person responsible for managing pseudonymous information and additional information

  • For the efficient management and protection of pseudonymous information, the company appoints the CEO as the person in charge of managing pseudonymous information.
  • The pseudonymous information manager performs the following roles.
    • Establishment and implementation of an internal management plan for pseudonymous information
    • Inspection and management of the implementation status of the internal management plan
    • Management of pseudonymization and adequacy review status
    • Management and supervision of pseudonymous information and additional information
    • Management of pseudonymous information processing status and related records
    • Establishment and implementation of education plan for persons who process pseudonymous information
    • Management and supervision of pseudonymization and pseudonym information processing consignment (if applicable)
    • Establishment and implementation of re-identification monitoring for pseudonymous information and handling measures in case of re-identification
    • Other matters concerning the protection of the processing of pseudonymous information

26. Separate storage of pseudonymous information and additional information

  • When pseudonymization is completed, pseudonymized information must be stored separately from personal information prior to pseudonymization.
  • Additional information generated in the process of pseudonymization should be kept separate from pseudonym information.
  • In principle, personal information prior to pseudonymization, pseudonymous information, and additional information should be stored physically separated from one another, and logical separation can be implemented if physically separate storage is difficult.
  • Strict access control should be applied when logically segregated and stored.

27. Separation of access rights to pseudonymized information and additional information

  • When pseudonymization is completed, the right to access pseudonymous information or additional information should be strictly controlled with a minimum number of personnel, and should be given differentially according to the task.
  • The right to access additional information and the right to access pseudonymous information should be managed separately.
  • The details of granting, changing, or canceling access to pseudonymous information or additional information shall be recorded, and these records shall be kept for at least 3 years.

28. Measures to ensure the safety of pseudonymized information and additional information

  • For pseudonymous information and additional information, safety measures required by the Personal Information Protection Act and the Enforcement Decree of the same shall be carried out.
  • Unless there is a special reason to keep it, additional information should be deleted immediately after creation. However, if additional information is needed for reasons such as time series analysis, it should be encrypted and stored.

29. Education of persons who process pseudonymous information

  • The person in charge of pseudonymous information management shall establish and implement an education plan for the protection of pseudonymous information necessary for persons who process pseudonymous information.
  • Education on the protection of pseudonymous information should include the following contents.
    • Matters concerning the basis for processing of pseudonymous information
    • Matters concerning safety measures for pseudonymous information and additional information
    • Matters concerning the prohibition of re-identification
  • Education for persons who process pseudonymous information can be carried out together with education on personal information protection, and the results of the education or related data that can prove it must be recorded and kept.

30. Creation and storage of records of processing of pseudonymous information

  • When processing pseudonymous information, records should be kept in the pseudonymous information processing ledger for the following matters.
    • Information on the basis for processing of pseudonymous information
    • Items of personal information that have been pseudonymized
    • History of use of pseudonym information
    • Recipient when provided to a third party
    • Other matters declared by the Personal Information Protection Committee as necessary to manage the processing of pseudonymous information

31. Disclosure of Privacy Policy

  • In relation to the processing of pseudonymous information, the following information shall be included in the privacy policy and disclosed.
    • Purpose of processing of pseudonymous information
    • Pseudonym information processing period (optional)
    • Matters concerning provision of pseudonym information to third parties (if applicable)
    • Matters concerning consignment processing of pseudonymous information (if applicable)
    • Items of pseudonymous information processed
    • Matters concerning measures to ensure the safety of pseudonymous information

32. Prohibition of re-identification of pseudonymous information

  • Persons who process pseudonymous information are strictly prohibited from re-identifying it.
  • If a person who processes pseudonymous information encounters re-identification of a specific individual while processing pseudonymous information, that person shall immediately stop processing, notify the person in charge of pseudonymous information management, and take immediate action according to the established handling plan for re-identification.

33. Use and provision of personal information for purposes other than the intended purpose

In principle, the company shall not use or provide personal information beyond the scope of the original collection purpose. However, in any of the following cases, personal information may be used for purposes other than the intended purpose or provided to a third party, except when there is a risk of unfairly infringing upon the interests of the information subject or a third party.
  • When separate consent has been obtained from the information subject
  • When there are special provisions in other laws
  • When it is clearly necessary for the interests of the life, body, or property of the information subject or a third party
  • When the duties under the jurisdiction of other laws cannot be performed unless personal information is used for a purpose other than the intended purpose or provided to a third party, and the matter has been deliberated and decided by the Protection Committee
  • When it is necessary to provide personal information to foreign governments, etc. for the implementation of treaties and international agreements
  • When it is necessary for criminal investigation and for the initiation and maintenance of public prosecution
  • When it is necessary to carry out the judicial affairs of the court
  • When it is necessary for the execution of punishment, probation, and protective disposition

Bylaws

This 'Privacy Policy' shall apply from July 25, 2022.