We at the Institute of Information & Communications Technology Planning & Evaluation (“we,” “us,” “our,” or “ours”) hereby disclose our Personal Information Handling Guidelines as follows to protect the personal information of the homepage members (“members”) and testees of the Test Of Practical Competency in IT (TOPCIT) and to handle the relevant complaints and problems effectively in accordance with the provisions of the Personal Information Protection Act, Article 30.

Article 1 (Purpose of handling personal information)

1. ① We handle personal information for the purposes stated in the following. We do not use personal information for any purposes other than those stated in the following. Where there is a change in the purposes, we shall take the necessary steps, including obtaining members’ separate consent etc. as provided under Article 18 of the Personal Information Protection Act.
   1. 1. Subscription to the TOPCIT homepage membership and management of testees
      We handle personal information for the following purposes: ascertainment of the members' intention to subscribe to the membership subscription; identification/certification concerning the provision of membership-based services; maintenance/management of the membership; identification concerning the Real Name System; prevention of dishonest use of our services; ascertainment of legal representatives’ consent in processing the personal information of minors under the age of 14; dispatch of notices; handling of complaints.
   2. 2. Selection of those with good test score
      - Awarding of those with good test score in the TOPCIT held periodic basis
2. ② We shall handle personal information files registered and disclosed under the Personal Information Protection Act, Article 32 for the following purposes:
   

   ※ For matters concerning our disclosure of the status of registration of personal information files, please use the following procedure: Personal Information Protection Commission's (PIPC) relevant portal (www.privacy.go.kr) → Civil petition → Request for access to personal information → Checking the list of personal information files.

Article 2 (Period for handling/keeping personal information)

1. ① We shall handle/keep personal information within the period stipulated in the law or the period consented to by members at the time of collecting their personal information.
2. ② Personal information items collected by us through TOPCIT homepage are as follows:
   1. 1. [Required] ID, password, name, DOB, gender, cell phone number, email address, portrait photo, occupation/current employer, academic background, college major, name of department, home country, address, consent/refusal to receive short messages, consent/refusal to receives emails, test score
      [Optional] contact number, name in English
   2. 2. Basis of operation: Consent of the data subject
3. ③ Period for handling/retention of personal information shall be as follows:
   1. 1. For the purpose of membership subscription and management: Upon members’ reaffirmation of consent after the first two years, upon withdrawal of membership, or upon cessation of the relevant situation in the event of any one of the following:
      1. a. Where a law enforcement agency’s investigation is under way concerning a violation of the law: by the end of such investigation.
      2. b. Where credit/debt remains unsettled concerning the use of the TOPCIT homepage or the TOPCIT test application: by the settlement of such credit/debt.
   2. 2. For TOPCIT certification list management: until the end of TOPCIT's validity

Article 3 (Provision of personal information to third parties)

1. ① We shall only handle members’ personal information as per what is stated in the foregoing Article 1. We shall only provide the members’ personal information to third parties upon obtaining the members’ consent or according to the relevant clause in the law including Article 17 of the Personal Information Protection Act.
2. ② Regarding TOPCIT-based special evaluations, we shall provide the following personal information to third parties:
   1. 1. Personal information provided to: institutions responsible for handling groups of testees
   2. 2. Purpose of their receiving personal information: test score, test application, and awarding those who attain a good score
   3. 3. Personal information items provided: ID, name, DOB, gender, portrait photo, cell phone number, test score, test application status, etc.
   4. 4. Period for their retention/uise of personal information: until they have achieved the purpose of the collection and use of personal information.

Article 4 (Entrustment of personal information processing)

1. ① We may entrust the members’ personal information to a processing business for the purpose of efficiency.
2. ② In entrusting the members’ personal information, we stipulate the following in the contract: prohibition of personal information processing outside the entrusted business as provided under Article 25, Personal Information Protection Act; the need to implement administrative/technical protective measures; prohibition of sub-entrustment/contracting of members’ personal information to another party; the entrusted business’s responsibility concerning the management/supervision of personal information and compensation of losses/damages incurred by the members as a result of the entrusted business’s mismanagement thereof. Furthermore, we conduct regular checks to determine whether personal information is being handled safely and securely.
3. ③ In the event of an addition to or change in the contents of the entrusted business or trustee, we shall inform members thereof without delay through these Guidelines.
4. ④ The status of our entrustment of personal information is as follows.

Article 5 (Members’/legal agents’ rights and obligations; how to exercise rights)

1. ① Members may ask us to allow them to access, correct, delete or stop handling their personal information kept by us at any time.
2. ② Members may exercise their right as stated in the foregoing ① in writing or via email or fax as provided under Article 41(1), Enforcement Decree of the Personal Information Protection Act, and we shall comply with such request without delay.
3. ③ Exercise of the right stated in the foregoing ① may be done through the members’ (legal) agent. In such a case, the (legal) agent shall submit power of attorney using the form provided in Annex 11, Enforcement Rules of the Personal Information Protection Act.
4. ④ As regards requests that we allow the members to access their personal information kept by us or that we stop handling their personal information, such a right may be limited as per Articles 35(5) and 37(2) the Personal Information Protection Act.
5. ⑤ As for requests for the correction or deletion of members’ personal information kept by us, such requests for deletion shall not be made if the said personal information is stipulated as a “required” item for collection under another law.
6. ⑥ In connection with the foregoing ①, we shall identify the member or his/her (legal) agent.

Article 6 (Personal information items processed)

We process the following personal information items.

1. 1. For the purpose of membership subscription/management
   • [Required] ID, password, name
2. 2. For the purpose of TOPCIT applicant management/certification list management
   • [Required] ID, password, name, DOB, gender, cell phone number, email address, portrait photo, occupation/current employer, academic background, college major, name of department, home country, address, consent/refusal to receive short messages, consent/refusal to receives emails, test score
   • [Optional] Contact number and name in English
3. 3. The following items of personal information may be created and collected automatically in the course of members’ use of the TOPCIT homepage:
   • - IP address, cookies, MAC address, service use records, browsing history, records about dishonest use of our services

     ※ For matters concerning our disclosure of the status of registration of personal information files, please use the following procedure: Personal Information Protection Commission's (PIPC) relevant portal (www.privacy.go.kr) → Civil petition → Request for access to personal information → Checking the list of personal information files.

Article 7 (Destruction of personal information)

1. ① We shall destroy the personal information collected by us immediately upon attaining the purpose of collecting it or at the end of the designated retention period.
2. ② In cases where we are required to retain the members’ personal information under another law despite the passage of the designated retention period consented to by the members or the attainment of the purpose of collecting it, we shall relocate such personal information (or file) to a separate database or move it to another storage for its preservation and safekeeping.
3. ③ We shall destroy personal information as follows.
   1. 1. Procedure
      We establish a plan for the destruction of personal information (or file) and then select and destroy it (or the files) after obtaining the approval of the Personal Information Manager.
   2. 2. Method of destruction
      Personal information recorded and stored in the form of electronic files is destroyed irrecoverably, using a Low Level Format or other such method. Paper printouts (hard copy) containing personal information are destroyed using a shredder or incinerator.

Article 8 (Measures taken to secure safety of personal information)

1. ① We take the following measures to secure the safety of personal information.
   1. 1. Administrative measures: execution of the internal management plan, periodic education for employees, etc.
   2. 2. Technical measures: adequate management of the right to access the personal information handling system, blocking of unauthorized access, encoding of unique identification information, installation of security programs, etc.
   3. 3. Physical measures: Designation of computer rooms and data storage rooms, etc. as off-limit areas.

Article 9 (Matters concerning operation of devices for automatic collection of personal information and members’ rejection thereof)

1. ① We use cookies to store information about our members temporarily and retrieve the cookies in order to provide them with customized services.
2. ② Cookies are small pieces of data that are sent from a server to operate TOPCIT homepage and are stored on a member's computer.
   1. 1. Purpose of using cookies: Cookies are used to provide optimized services to the members by analyzing the following information: visits/use of each service, websites visited by members, popular search words, secure or insecure connection, etc.
   2. 2. How to reject the storage of cookies:
      Go to the “Tool” menu at the top of the internet browser > Internet option > Privacy > Setting as desired.
   3. 3. If members reject the storage of cookies on their PC, they may experience difficulties and/or disadvantages in using our customized services.

Article 10 (Personal Information Manager)

1. ① We appoint a Personal information Manager etc. as follows to take charge of all business pertaining to the processing of personal information, the handling of members’ complaints, and remediation of their losses/damages.
   1. ▶ Personal Information Manager
      • Chief of Division Hong Seung-pyo, Management Support Division
      • ☎: 042-612-8300
      • email address: sphong@iitp.kr
   2. ▶ Employee in charge of personal information protection
      • Principal Researcher Go Se-uk, Information Service Team
      • ☎: 042-612-8778
      • email address: swkoh@iitp.kr
2. ② Members and testees may contact the employees or the department in charge of TOPCIT for assistance with personal information-related matters including complaints. Their requests will be handled adequately and promptly.

Article 11 (Members’ request to access personal information kept by us)

1. ① The members may request the following department to allow them to access their personal information kept by us under Article 35 of the Personal Information Protection Act; and we shall do our utmost to comply with their requests promptly.
   1. ▶ Department in charge of handling requests for access to their personal information
      • Senior Researcher Park Jang-sun, SW HRD Team
      • ☎: 042-612-845
      • email address: park@iitp.kr
2. ② Members may also ask the PIPC’s personal information protection portal site (www.privacy.go.kr) to allow them to access their personal information.

   ▶ www.privacy.go.kr → Civil petition → Request for access to personal information (For this procedure, members will be subject to public I-PIN for certification of their real name.)

Article 12 (Remediation of members’ losses related to our service)

The members may ask the following institutions for consulting and remediation concerning any losses/damages incurred by them as a consequence of the mishandling etc. of their personal information.

1. ▶ Personal Information Infringement Reporting Center (operated by KISA)
   • - Business: Handling of reported cases of personal information infringement, consulting.
   • - Homepage: privacy.kisa.or.kr
   • - ☎: 118
   • - Address: 3F, 9 Jinheung-gil, Naju-si, Jeollanam-do 58324
2. ▶ Personal Information Dispute Mediation Committee
   • - Business: Arbitration of personal information-related disputes; arbitration of collective disputes (under the Civil Act).
   • - Homepage: www.kopico.go.kr
   • - ☎: 1833-6972
   • - Address: 4F, 209, Sejong-daero, Jongno-gu, Seoul, 03171
3. ▶ Cybercrime Investigation Department of Supreme Prosecutors' Office:
   • ☎ 02-3480-3573 (www.spo.go.kr)
4. ▶ Cybercrime Investigation Department of Supreme Prosecutors' Office: ☎ 02-3480-3573 (www.spo.go.kr)
5. ▶ Cyber bureau of Korean National Police Agency: ☎ 182 (http://cyberbureau.police.go.kr)

Article 13 (Amended to these Guidelines)

1. ① This amendment to the Guidelines shall enter into force on March 1, 2021.