1. To provide services Personal information is processed for the purpose of providing services such as identity verification (authentication), issuance of certificates (e.g., training completion certificate), national domain registration, handling of complaints about spans, handling of complaints about identity theft (resident registration number), and consulting on overseas expansion.

2. To handle requests and complaintsPersonal information is processed for the purpose of handling request and complaints such as viewing personal information, correcting/deleting personal information, suspending the processing of personal information, reporting personal information leakage, receiving and processing reports of privacy infringement, handling complaints about spams, and reporting hacking.

The Company processes and retains personal information in accordance with statutes or within the scope agreed to by the Information Provider.
Processing and retention during the period in which services are provided by Y-Biologics

Personal information collected and held by the Company will not be provided to a third party without the consent of the user, provided that it may be provided to a third party in the following cases:

1. Consent has been obtained from the Information Provider;

2. It is permitted by special provisions in the law or it is unavoidable in order to comply with statutory obligations;

3. It is necessary in order to protect the life, body, and/or properties of the Information Provider or a third party, but prior consent cannot obtained as the Information Provider or his/her legal representative is unable to express his/her opinion or the address of the Information Provider is unknown;

4. It is necessary for academic research, a statistical report, etc., and the information is provided in a form in which the person to whom it belongs cannot be identified.

If the Company will inform the Information Provider of the following information and obtain consent in case of providing his/her personal information to a third party:
Name of the information recipient (e.g., name of the individual, corporation, or organization) and contact information;
Purpose with which the personal information will be used by the recipient and the type of personal information to be provided;
Period during which the personal information will be retained and used by the recipient;
The fact that the Information Provider has the right to refuse and the details of any disadvantages that may arise from withholding consent, if any.

In principle, the Company will not entrust the processing of personal information to others without the user’s consent. However, when the Company entrusts the processing of personal information to a third party, it will be in accordance with Article 26 (Restrictions on Processing of Personal Information in Outsourcing) of the Personal Information Protection Act and the documents containing the following matters, with the details of the entrusted work and the party that the work has been entrusted to will be posted on the Company website:

1. Matters concerning the prohibition of processing of personal information for purposes other than performing the entrusted work;

2. Matters concerning technical and administrative protection measures for the personal information;

3. Other matters prescribed by Presidential Decree for the safe and secure management of personal information.

Purpose and scope of entrusted work

Restrictions against subcontracting

Matters concerning measures to ensure safety and security, such as restricting access to personal information

Matters concerning supervision, such as checking the management status of personal information held in connection with the entrusted work

Matters concerning liability, such as compensation for damages in case the trustee violates the obligations to be observed under Article 26 (2) of the Act

Users who are information providers may exercise the following rights:

1. Request to view personal information: Users may request to their personal information files held by the Company pursuant to Article 35 (Access to Personal Information) of the Personal Information Protection Act. However, access to personal information may be limited in the following cases in accordance with Article 35 (5) of the Personal Information Protection Act:

• A. Viewing of personal information is prohibited or restricted by law;
• B. There is a risk of causing harm to the life or body of another person or infringing on the property and other interests of another person;
• C. It will cause severe disruptions in any of the following tasks:

i) Tasks involved in an examination, qualification review, etc. in relation to the academic background, function, and employment;

ii) Tasks involved in an evaluation or judgment that is currently in progress for the calculation of compensation and benefits, etc.

iii) Tasks involved in an ongoing audit and investigation carried out according to the law.

2. Request to correct/delete personal information: Users may request the Company to correct or delete their personal information files held by the Company pursuant to Article 36 (Correction and Deletion of Personal Information) of the Personal Information Protection Act. However, personal information specified as information subject to collection in other laws cannot be deleted.

3. Request to suspend the processing of personal information: Users may request the Company to suspend the processing of their personal information files held by the Company pursuant to Article 37 (Suspension, etc. of Processing of Personal Information) of the Personal Information Protection Act. Also, the legal representative of a child under the age of 14 may request the Company to view, correct, delete, or suspend the processing of the child’s personal information. However, a request to suspend the processing of personal information may be rejected in the following cases according to Article 37 (2) of the Personal Information Protection Act:

• A. It is permitted by special provisions in the law or it is unavoidable in order to comply with statutory obligations;
• B. There is a risk of causing harm to the life or body of another person or infringing on the property and other interests of another person;
• C. It will not be possible for a public agency to carry out the affairs designated by other statutes if the personal information in question is not processed;
• D. It will be difficult to fulfill the contract, such as providing the services agreed upon with the Information Provider, if the personal information is not processed, and the Information Provider has not clearly stated his/her intent to terminate the contract.

4. In case there is a request to view, correct or delete, or suspend the processing of personal information, the Company will notify the user of the action it will take within 10 days. A request to view, correct or delete, or suspend the processing of personal information may be filed through the relevant department, and the form is provided in [Annex 1].

5. Users can exercise thee above rights through an agent such as the legal representative of the information subject or a person who has been delegated the authority. In this case, a power of attorney provided in [Annex 2] must be submitted.

The Company collects and retains personal information only in accordance with the relevant statutes and the consent of the Information Provider. The key types of personal information collected and held by the Company are as follows:
< company name, customer name, phone number, mobile phone number, email address, website address >

In principle, the Company destroys personal information without delay when the retention period has elapsed or the purpose of processing has been attained. However, this is not the case when the personal information must be retained further according to law. The procedure, timepoint and methods of destruction are as follows:

1. Destruction procedure The information entered by the user is destroyed according to the internal policy and related laws after the retention period has elapsed or the purpose of processing has been attained.

2. Destruction timepoint The user’s personal information will be destroyed within 5 days from the end of the retention period when the retention period has elapsed and within 5 days from the date the personal information processing is deemed unnecessary, such as when the purpose of processing personal information is achieved.

3. Destruction method The Company destroys personal information in the following ways: Electronic file: Permanently deleted in a way that the file cannot be restored Record, printed material, writing, or other recording medium other than in the form of an electronic file: Shredded or incinerated

1. Establishment and implementation of an internal control planThe Company implements an internal control plan (established on January 6, 2014) in accordance with the Standards for Measures to Ensure the Safety and Security of Personal Information (Ministry of the Interior and Safety Notice No. 2011 - No. 43).

2. Minimal designation of personal information handlers and their trainingThe Company designates a minimal number of personal information handlers and provides them with regular training.

3. Restricting access to personal informationAccess to personal information is controlled by granting, changing, and canceling access privileges for the database system that processes personal information, and unauthorized access from the outside is prevented using an anti-intrusion system and an intrusion prevention system. When a personal information handler needs to access the personal information processing system from the outside via an information and communication network, a virtual private network (VPN) is used. Records are kept in regard to the granting, changing, and cancellation of access privileges, and these records are stored for at least 3 years.

4. Storage of access records and prevention of tampering and forgeryRecords of access to the personal information processing system (web logs, summary information, etc.) are stored and controlled for at least 6 months, and access records are controlled to prevent tampering, forgery, theft, and loss.

5. Encryption of personal informationThe personal information of users is encrypted before being stored and controlled. Important data are encrypted prior to storage and transmission for extra security.

6. Technical measures against hacking, etc.In order to prevent personal information leakage or damage caused by hacking or computer viruses, the Company has installed security programs and periodically updates and inspects them. Technical and physical monitoring and surveillance systems are installed in areas subject to access control to prevent unauthorized access from the outside, etc.

7. Access control for unauthorized personsThere is a physical storage place for the personal information system used to store personal information, and an access control procedure is in implementation.

If you have any questions related to personal information protection or wish to report or inquire about the handling of a personal information infringement, feel free to contact the Personal Information Infringement Report Center operated by the Korea Internet & Security Agency.

* Call 118 (ARS Ext. 2) or send an email to privacy@kisa.or.kr
If it is an inquiry regarding the personal information held by the Company, please contact us below.

[Privacy Officer]Department: Marketing Team
Name: Jeon Joon-young
Tel: 010-4290-4811
Email: jyjeon@ybiologics.com

[Person in Charge of Personal Information Protection]Department: Marketing Team
Name: Yoo Seok-ho
Phone: 042-931-9916
Email: mito0926@ybiologics.com

This Privacy Policy is effective from April 28, 2016.

In the event of privacy infringement, the Information Provider concerned may request a resolution of a dispute or consultation from the Personal Information Dispute Mediation Committee or the Personal Information Infringement Report Center of the Korea Internet & Security Agency. To report or consult on any privacy infringements, feel free to contact the following organizations:

Personal Information Infringement Report Center 1. Personal Information Dispute Mediation Committee: 118 (Ext. 2)
2. Supreme Prosecutors’ Office Cybercrime Investigation Team: 02-3480-3571 (http://www.spo.go.kr)
3. National Police Agency Cyberterrorism Response Center: 1566-0112 (http://www.netan.go.kr)
A person whose rights or interests have been infringed due to a disposition or forbearance by the head of a public institution to fulfill the obligations under Article 35 (Viewing of Personal Information), Article 36 (Correction and Deletion of Personal Information), and Article 37 (Suspension, etc. of Personal Information Processing) of the Personal Information Protection Act may file an administrative appeal in accordance with the Administrative Appeals Act.
※ For more information on administrative appeals, please refer to the website of the Ministry of Legislation (http://www.moleg.go.kr).