KoFIU

Privacy Policy of KoFIU

KoFIU abides by the Personal Information Protection Act(hereinafter PIPA) and its prescribing matters to protect freedom and rights of individuals and to manage personal information in a legitimate and secure manner. Pursuant to Article 30 of PIPA, KoFIU informs the process and standards of personal information management to subject of information. For rapid and smooth information management and management of relevant matters, privacy policy of KoFIU has been established and is disclosed as following.

1. 1) 1. Purpose of the Collection and Use of Personal Information
   KoFIU collects personal information at minimum pursuant to ‘Act on Reporting and Using Specified Financial Transaction Information (hereinafter FTRA)’ to prevent criminal activity and establish sound and transparent financial order by regulating money laundering activity or terrorism financing committed through abusing financial transaction. The collected information is not used for any other purpose, and if the purpose of collection is altered, necessary measures will be taken, by seeking separate consent etc. e.g., pursuant to Article 18 of PIPA.
2. 2) Period for Retaining and Using Personal Information

   KoFIU retains and uses personal information in accordance with FTRA Article 12-2, as follows.

   Period for Retaining and Using Personal Information

   Purpose	Types	Period
   FTRA-related matters	Information referred to in Article 4 and 4-2	25 years
   	Information referred to in Article 5-3(2), 9, 13-1(2)	5 years
   	Information referred to in Article 15(7)	10 years
   Sign up	ID, Password, Name, Position, Date of Appointment, Mobile Numbers, Email (optional)	Until Suspension

3. 3) Outsourcing of Collected Information

   KoFIU entrusts collected information as following for seamless personal information management.

   
   

   • ㅇ Outsourcee: KCC I&C, ALLFORLAND
   • ㅇ Outsourced Service: Operation and Maintenance of FIU Information System

   
   

   KoFIU has articulated prevention of personal information processing for other purposes than the outsourced purpose, technical and managerial safeguards, limitation of re-outsourcing the work, management and supervision over the outsourcee, compensation of damage clause, etc. in the written contract, and supervises outsourcees whether they safely manage personal information.

   
   

   KoFIU will notify the subject of information of any changes made on the outsourced work or the outsourcee without delay pursuant to the same competent legislation.

4. 4) Destruction of Personal Information
   KoFIU destroys personal information without delay when the personal information becomes unnecessary owing to the expiry of the retention period, attainment of the purpose of processing the personal information, etc., in accordance with PIPA and FTRA. However, the information may not be destroyed even after the expiry of the period, when the necessity to realize the purpose pursuant to FTRA is acknowledged.
   
   Details of destruction are as follows.

   • ㅇ Destruction Process
     
     • - KoFIU destroys unnecessary personal information or personal information files in accordance with internal policy, under control of personal information controller.
     • - KoFIU destroys information of which retention period expired, without delay from when the uselessness of the information is acknowledged due to completion of purpose, service suspension, end of business, etc.
   • ㅇ Destruction Method
     • - KoFIU takes measures, as appropriate, to prevent recovery and revival of electronic files, and destroys written documents by shredding or burning.
5. 5) Rights and Obligation of Data Subjects and Legal Representatives, and How to Exercise such Rights
   A data subject may appoint his or her representative to file requests for access, correction or erasure, suspension of processing, and withdrawal of consent. The request can be made through written documents, electronic mails, Fax, etc. pursuant to Article 41-1 of PIPA, and on any received requests KoFIU will take measures as appropriate without delay.
   
   Such rights can be exercised by legal representatives and other entrusted agents of information subjects, and to do so, a person must submit power of attorney, using the template that can be found in Appendix 11 of ‘Notification on Personal Information Processing(2020-7)’
   
   A person cannot request correction or erasure of information when FTRA or else legislation stipulates the information as subjected to collection. KoFIU, when requested upon access, correction or erasure, suspension of processing, and withdrawal of consent, confirms the identification of the person, or legitimacy of legal representatives.
   
   A data subject’s requests for access or suspension of processing may be limited n accordance with Article 35-4, 37-2 of PIPA.
   

   Limiting or Denying of Access (「PIPA」 Article 35-4)

   • 1. Where access is prohibited or limited by Acts;
   • 2. Where access may cause damage to the life or body of a third party, or unjustified infringement of property and other interests of any other person;
   • 3. Where a public institution has grave difficulties in performing any of the following duties:
     • (a) Imposition, collection or refund of taxes;
     • (b) Evaluation of academic achievements or admission affairs at the schools of each level established under the Elementary and Secondary Education Act and the Higher Education Act, lifelong educational facilities established under the Lifelong Education Act, and other higher educational institutions established under other Acts;
     • (c) Testing and qualification examination regarding academic competence, technical capability and employment;
     • (d) Ongoing evaluation or decision-making in relation to compensation or grant assessment;
     • (e) Ongoing audit and examination under other Acts.

   Grounds of Rejecting Suspension of Processing (「PIPA」 Article 37-2)

   • 1. Where special provisions in other laws so require or it is inevitable to observe legal obligations;
   • 2. Where access may cause damage to the life or body of a third party, or unjustified infringement of property and other interests of any other person;
   • 3. Where the public institution cannot perform its work as prescribed by any Act without processing the personal information in question;
   • 4. Where it is impracticable to perform a contract such as the provision of services as agreed upon with the said data subject without processing the personal information in question, and the data subject has not clearly expressed the desire to terminate the agreement.
6. 6) Measures Taken to Secure Personal Information Safety
   KoFIU is taking following measures to securely retain personal information.
   
   ㅇ Managerial Measure: Internal Control Plan Establishment and Operation, Regular Officer Training
   ㅇ Technical Measure: Access Management over Personal Information Processing System, Installation of Access Control System, Encryption of Unique Identifier, Secure System Installation, etc.
   ㅇ Physical Measure: Access Control over Data Center, Archive, etc.
7. 7) Installation, Operation and Rejection of Automatic Information Collection System
   KoFIU does not run ‘cookies’ that store and uses user information.
8. 8) Personal Information Manager

   KoFIU, to ensure comprehensive accountability of personal information and to process complaints or damages, has designated personal information manager as follows.

   Personal Information Manager

   - Name:

   Kichul Sung

   - Position:

   Director General

   - Contact:

   (Tel) 02-2100-1733

   Personal Information Department (access request processing)

   - Office:

   Planning & Administration Office

   - Officer:

   Chaeri Kim

   - Contact:

   (Tel) 02-2100-1759
   (E-mail) kofiuinfo@korea.kr
   (FAX) 02-2100-1738

   
   Any individual can make inquiries to the competent office, or officer regarding personal information protection, complaints, compensation of damages, etc.
   KoFIU will process your request without delay.
9. 9) Remedies from Information Infringement
   Subject of information may seek resolution of conflict or counseling from Personal Information Dispute Mediation Committee and Personal Information Infringement Report Center of Korea Internet & Security Agency (KISA) for redemption.
   
   For other reports or counseling on the breach of privacy, please contact the below agencies.
   
   

   • ㅇ Personal Information Dispute Mediation Committee : 1833-6972 (www.kopico.go.kr)
   • ㅇ Personal Information Infringement Report Center : 118 (privacy.kisa.or.kr)
   • ㅇ Supreme Prosecutor’s Office : 1301 (www.spo.go.kr)
   • ㅇ National Police Agency : 182 (ecrm.cyber.go.kr)

   
   Where anyone subject to infringement of rights or interests caused by any illegal or unjust disposition or omission of public power by administrative agencies, he or she may file administrative appeals procedures for redemption.
   
   

   • ㅇ Central Administration Appeals Commission : 110 (www.simpan.go.kr)
10. 10) Privacy Policy Modification Status
    • This privacy policy enters into effect from 16th March 2023.
    • Privacy policy beforehand can be found below.