1. 1. BUYKOREA processes personal information to a minimum as necessary for the purpose of providing customer service, handling civil complaints, and performing duties under its jurisdiction.
2. 2. The purpose of processing personal information processed by buyKOREA is as follows.

   The purpose of processing personal information processed by buyKOREA is as follows.

   No.	Name of personal information file	Operating grounds	Purpose of management
   1	Member for buyKOREA overseas buyers	Owner of information's consent	Supporting export of domestic companies and providing product information
   2	KOTRA Integrated Member	Owner of information's consent	Providing service, handling complaints, etc

1. 1. Personal information processed by buyKOREA shall be processed within the scope specified for collection and use purposes, and the retention period prescribed by the Personal Information Protection Act and related statutes shall apply mutatis mutandis.
2. 2. The management and retention period of each of personal information is specified as follows.

   The management and retention period of each of personal information is specified as follows.

   No.	Name of personal information file	Operating grounds	Retention Period
   1	Member for buyKOREA overseas buyers	Owner of information's consent	Until the membership withdrawal
   2	KOTRA Integrated Member	Owner of information's consent	Until the membership withdrawal

3. 3. The entire personal information file operated by KOTRA is guided by the 'Personal Information Protection Portal'.
   • Personal information protection portal (www.privacy.go.kr) → Civil petition yard → Request for perusal of personal information → Search for personal information file list → Enter "Korea Trade-Investment Promotion Agency" in the name of the institution.

buyKOREA processes the information subject's personal information only to the extent specified in Article 1 (the purpose of processing personal information) and does not process it beyond its original purpose or provide it to third parties without prior consent from the entity unless.

1. 1. The case to obtain separate consent from owner of information
2. 2. The case special articles are prescribed in the Act and the Articles.
3. 3. As the case where owner of information or legal representative is unable to give the declaration of his/her consent or is unable to obtain prior consent due to unknown address, the case clearly admitted to be necessary for the benefit of owner of information or third party's imminent life, body, property
4. 4. As the case necessary for statistical writing and academic research purposes, the case to provide personal information in a form that can't identify a specific individual
5. 5. As the case the personal information is used for intended purposes other than the purpose or if not provided to a third party, the duties stipulated by other Act cannot be performed, the case to pass through deliberation and resolution of the protection committee
6. 6. The case to be necessary to provide to foreign governments or international organizations for performing treaties or other international agreements
7. 7. The case to be necessary for investigating crimes, and filing and maintaining the prosecution
8. 8. The case to be necessary to perform the court's trial
9. 9. The case to be necessary to execute punishment as well as custody, probation

1. 1. buyKOREA has entrusted personal information management as below for a seamless personal information management.

   The management and retention period of each of personal information is specified as follows.

   No.	Entrusted affairs	Entrusted company name	Telephone number	Working Hour	check result of trustee management status
   1	buyKOREA homepage operation & maintenance	-	-	09:00~18:00	appropriate
   2	Operating customer service center	-	-	09:00~18:00	appropriate
   3	System maintenance	-	-	09:00~18:00	appropriate
   4	BuyKOREA help desk operation& product management	FYM CO., Ltd	070-4888-2270	09:00~18:00	appropriate

2. 2. When signing an entrustment contract, BuyKOREA stipulates in the contract that the trustee handles personal information safely in accordance with Article 26 of the Personal Information Protection Act, technical measures, re-entrustment restrictions, management, and damages.
3. 3. If the details of the entrusted work or the trustee change, we will disclose it through this personal information processing policy without delay.

1. 1. The owner of information (the legal representative can exercise the right under 14 years of age) can exercise the right of personal information protection of following each subparagraph at any time.
   1. 1) Request to access personal information not right or false.
   2. 2) If there is an error, request correction
   3. 3) Request to delete
   4. 4) Request to suspend management
2. 2. The exercise of rights under paragraph 1 may be made in writing, e-mail, imitation transmission (FAX), etc. after preparation in accordance with attached Form 8 of Personal Information Processing Method, and we will take measures without delay
3. 3. When owner of information has requested correction or deletion of personal information, it will not be use or provided that year personal information until the correction or deletion is completed.
4. 4. The exercise of rights under paragraph 1 may be conducted through an agent, such as the legal representative of the information subject or a person delegated. In such cases, you shall submit a power of attorney in attached Form 11 of the Notice on the Method of Processing Personal Information.
5. 5. The request of the personal information access and suspension of management of, the right of owner of information may be restricted by the Personal Information Protection Act Article 35 Paragraph 5, Article 37 Paragraph 2.
6. 6. Requests for the correction and deletion of personal information cannot be requested to be deleted if the personal information is specified as to be collected object in the other Act and Articles.
7. 7. We verify whether the person to request for access, correction, deletion, suspension, etc according to the owner of information's right, is the person himself or a legitimate representative.
   • Present identity card to identify yourself (identity card, driver's license, passport, etc.)
   • In case of a representative, present your identity card and a power of attorney to identify your representative

   • [Attachment 8 of the Notice on the Method of Processing Personal Information] Presentation of a Request for Access to Personal Information

   • [Attachment 11 of the Notice on the Method of Processing Personal Information] Presentation of a power of attorney

8. 8. Requests for access, correction, deletion, and suspension of personal information management will be processed in the following procedure.
   

   search of personal informaition file list

   (request of reviewing)

   1. request of reviewing
   2. confirmation of request subject and confirmation of personal information reviewing range
   3. confirmation of personal information reviewing restriction range
      1. notification of reviewing decision(permit/limit/postpnoement)
         1. reviewing
      2. notification of reviewing decision(reject)

   (correct/deletion, requestto suspend processing)

   1. correct/deletion, requestto suspend processing
   2. confirm request subject and personal informaition correct/deletion, check processing suspension range
   3. personal informaition correct/deletion, check restriction of processing suspension, correction/deletion
      1. correction/deletion, notification of result of suspension of processing
      2. correction/deletion, notification of restriction of processing suspension(rejection, other law, and others)

buyKOREA manages following personal information items.

1. 1. buyKOREA will, in principle, destroy personal information without delay when the purpose of personal information management is achieved. However, when it is necessary to preserve it in accordance with other Acts, this is not the case. The procedures, deadlines and methods of destruction are specified as follows.
   1. 1) Destruction procedure

      Unnecessary personal information and personal information files are managed under the responsibilities of personal information manager according to the internal policy procedure as follows

      • Destruction of personal information ary.
        Personal information that has passed the retention period will be destroyed without delay from the end date
      • Destruction of personal information files
        When the personal information file becomes unnecessary such as the purpose of personal information file management being achieved, abolition of service, or the end of the business, the personal information file is destroyed without delay from the date when personal information management is recognized as unnecessary.
   2. 1) How to destroy
      1. ① Electronic forms of information use technological methods that cannot reproduce the records.
      2. ② Personal information printed on paper is shredded by shredder or destroyed by incineration.

buyKOREA, pursuant to Article 29 of the 「Personal Information Protection Acttt」, takes the technical, administrative and physical measures necessary for ensuring safety as follows.

1. 1. Establishment and implementation of an internal management plan
   BUYKOREA establishes and implements an internal management plan in accordance with the 'Standard for measures to secure safety of personal information'.
2. 2. Minimization and education of persons in charge of handling personal information
   We designate a person in charge of handling personal information and implement measures to manage personal information by minimizing it.
3. 3. Restrictions on access to personal information
   We are taking necessary measures to control access to personal information through granting, changing, and deleting access to the database system that processes personal information, and controlling unauthorized access from outside using the intrusion prevention system.
4. 4. Storage of access records and prevention of forgery and alteration
   Records (web logs, summary information, etc.) connected to the personal information processing system have been kept and managed for at least a year. However, the personal information processing system that processes personal information or processes unique identification information or sensitive information for more than 50,000 information subjects has been kept and managed for more than two years.
5. 5. Encryption of personal information
   Your personal information is encrypted, stored, and managed. We also use separate security features such as encryption and use of sensitive data when storing and transferring.
6. 6. Installing and periodically inspecting and renewing security programs
   BUYKOREA installs security programs and periodically updates and checks them to prevent personal information leakage or damage caused by hacking or computer viruses.
7. 7. Access control procedures are established and operated separately for the physical storage of the personal information system that holds personal information on unauthorized persons.

buyKOREA manages following personal information items.

buyKOREA, pursuant to Article 29 of the 「Personal Information Protection Acttt」, takes the technical, administrative and physical measures necessary for ensuring safety as follows.

1. 1. The owner of information can request to access personal information pursuant to Article 35 of the Personal Information Protection Act to the following department. KOTRA will endeavor to promptly handle owner of information's request to access personal information.
   1. 1) The department of reception and handling of request to access personal information
      • Name of department : Digital Transformation Department
      • Contact person : Kyu Kyung Kim, Assistant Manager
      • Contact point : TEL : 02-3460-3457 q.kim10@kotra.or.kr
2. 2. In addition to the department receiving and processing requests for perusal under paragraph 1, the information subject may request perusal of personal information through the Personal Information Protection Portal (www.privacy.go.kr) of the Personal Information Protection Committee.
   1. 1) The Ministry of the Interior's comprehensive support portal for personal information protection → Complaints of personal information → Request for personal information access
   2. 2) Personal Information Protection Committee Comprehensive Portal → Personal Information Complaint → Request for perusal of personal information, etc. (Real name authentication required through public IPIN)

The owner of information can inquire damage relief, consultation, and others about infringement of personal information to the following institutions. (As the following institutions are separate from KOTRA, when you are not satisfied with KOTRA's own personal information complaints handling, damage relief results, or need further assistance, please contact them.)

1. 1. Reporting Center for Infringements on Personal Information (operated by The Korea Internet and Security Agency)
   • Affairs : Reporting personal information infringement, application for consultation
   • Homepage : privacy.kisa.or.kr
   • Telephone : (Without an area code) 118
   • Address : (58324) 9 Jinheung-gil, Naju, Jeollanam-do, Republic Of Korea
2. 2. Personal Information Dispute Mediation Committee (The Korea Internet and Security Agency)
   • Affairs : Personal information dispute mediation application, collective dispute mediation (civil settlement)
   • Homepage : www.kopico.go.kr
   • Tel : 1833-6972
   • Address : (03171) 209 Sejong Daero Road, Jongno-gu, Government Seoul Office 4F Personal Information Dispute Mediation Committee
3. 3. Supreme Prosecutors' Office Cyber Crime Investigation Department: 1301 (www.spo.go.kr, cid@spo.go.kr)
4. 4. Cyber Terror Response Center of National Police Agency : 182 (cyberbureau.police.go.kr)

In addition, a person who is infringed the rights or interests due to administrative disposition or omission by the head of public institution for the request of owner of information on personal information correction, deletion or suspension, etc, can request the administrative appeals as provided by the Administrative Appeals Act

Refer to the telephone number of the Central Administrative Appeals Commission (www.simpan.go.kr)

buyKOREA can use cookie which stores users information and detect them at any time (COOKIE, automatic collection device of personal information such as internet access information file, etc). A cookie, as a small amount of information that a server to be used to run an institution's website sends to a user's browser, is also stored on the user's computer's hard disk. When a user accesses a website, the institution’s computer can read the contents of the cookie on the user's browser and detect user’s additional information in your computer, and can provide the service without further input such as the name of the contact, and others. Cookies identify your computer but do not personally identify yourself. In addition, the user has the option of installing cookies. As a result, by that the user can install the options in the web browser, the user accept all cookies, or check each time when a cookie is saved, or refuse to save all cookies. However, when you refuse to install cookies, you might turn to be uncomfortable with using the web and to have difficulty in using some services that require login.

(Example of how to install)

1. 1) Internet Explorer : Tools menu at the top of web browser ▷ Internet options ▷ Personal information ▷ Cookie blocking level installation
2. 2) Chrome : Installation menu on the right side of Web browser ▷ Advanced installation display at the bottom of the screen ▷ Contents installing button of personal information ▷ Cookie blocking level installation

The owner of information can inquire damage relief, consultation, and others about infringement of personal information to the following institutions. (As the following institutions are separate from KOTRA, when you are not satisfied with KOTRA's own personal information complaints handling, damage relief results, or need further assistance, please contact them.)

1. 1. This policy will take effect on 1st Jan, 2024.
2. 2. The previous document could be found below

   • Privacy policy, June 20, 2019 ~ March 1, 2021

   • Privacy policy, March 2, 2021 ~ July 5, 2021

   • Privacy Policy, July 6, 2021 ~ August 31, 2021

   • Privacy Policy, September 1, 2021 ~ January 6, 2022

   • Privacy Policy, March 2, 2021~ Februry 12, 2023

   • Private policy, Februry 13, 2023~ June 14, 2023

   • Private Policy, June 15, 2023 ~ December 31, 2023

A controller is responsible for the collection and processing of your personal data in accordance with the General Data Protection Regulation (GDPR) as well as further applicable data protection laws. Please find your controller and its contact information here, depending on where you are.

A controller is responsible for the collection and processing of your personal data in accordance with the General Data Protection Regulation (GDPR) as well as further applicable data protection laws. Please find your controller and its contact information here, depending on where you are.

We generally collect your personal data directly from you, when, for example, you submit an Message, attend events or seminars, use or engage in our services or provide us with your contacts. With your consent, we may sign up your membership and register Inquiries on your behalf.

From time to time, we may gain access to your business contact details via recognised business data providers or an official website of your organisation. We may also receive your contact details through our primary contacts at your organisation if they think you may benefit from our services. As we work closely with other organisations, public agencies or governments of South Korea, we may also receive information about you from them.

When you visit our website, computer and technology information (e.g. browser type, IP address, unique device ID, etc.) is automatically collected via your browsers.

We do not collect more information than we need to fulfil our purposes mentioned in this Policy and will not retain it for longer than is necessary. The types of personal data we collect and share depend on the nature of your relationship with us and the requirements of applicable laws.

• We collect your email, password, name, telephone, and company information when you sign up for membership.
• We collect data regarding orders, purchases, and Inquiries that you provide in your transaction.
• We collect content that you share with other members through services such as inquiries, feedbacks, and price quotes.
• We collect your payment details, shipping, billing, and other information you provide in connection with the purchase or shipping of items.
• We gather your contact information and details of your comments, requests or any other issues you’ve raised regarding our services.
• We collect data that is generated through your actions which is linked to your account such as items placed in your shopping cart or your favorites.
• The personal data that we process may include any other personal data that is provided to us during the course of our services.
• When you visit our website, we collect and store information that your browser automatically transmits to us such as IP address, date and time of your access, your browser type, operating system type, and cookie-related data. For more information about our use of Cookies, please see 9. Cookies.

As KOTRA is a public agency of South Korea, we process personal data for a number of different purposes that arise from our missions to contribute to the development of the national economy through global business support activities. laws.

We may process your personal data for the following purposes:

• To provide you with e-commerce services including offer, negotiation, contract, payment, and shipping between members
• To permit your membership registration and to prevent damages that may occur during business relations between members
• To sign up your membership and register Inquiries on your behalf
• To contact you or communicate with you concerning our services
• To respond to your requests, inquiries or concerns regarding our services
• To contact you with regard to business opportunities which we believe might interest you

For visitors to our website

The information collected automatically when you visit our website will be processed for the following purposes:

• To ensure our website stays securely by preventing, detecting, mitigating and investigating fraud and security breaches
• To ensure the performance of our website
• To ensure that the content of our website is presented in the most effective manner for you and your computer

The provision of your personal data will generally be voluntary and there is no statutory nor contractual obligation to provide your personal data. We generally do not contractually require the provision of your personal data but note that in any event, non-provision of personal data might exclude you from using some of our services or parts thereof.

Our services are not intended for use by children. Under applicable national laws, we do not knowingly collect personal data from users who are considered children. According to our User Agreement, children are not permitted to use our services.

Where KOTRA is processing personal data for the performance of its functions, the primary legal bases under the GDPR are as follows:

• Where the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract in accordance with Art. 6 (1) (b) of the GDPR. (i.e. using e-commerce services, signing up membership)
• Where the processing is necessary for the legitimate interests pursued by KOTRA or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data in accordance with Art. 6 (1) (f) of the GDPR. (i.e. preventing or detecting security issues)
• Where we have obtained a data subject’s consent to the processing in accordance with Art. 6 (1) (a) of the GDPR. (i.e. signing up membership and registration of Inquiry on your behalf)
• Where the processing is necessary to comply with legal obligations in accordance with Art. 6 (1) (c) of the GDPR.

We do not sell or disclose your personal data to third parties for their marketing or advertising purposes without your consent. We only disclose your personal data when it is necessary for the purposes mentioned in this Policy or when we have obtained your consent.

Third party service providers may access to your personal data on a need to know basis for the purpose of providing services on behalf of us. They cannot do anything with your personal data without our permission. They will not share your personal data with any organisation apart from us, nor will they keep your personal data for longer than the period we instruct.

When necessary, we share your personal data with the following the data processors and recipients as far as necessary for the purposes described in this Policy:

• KOTRA headquarters in Korea and KOTRA offices in charge
• Other members of the website
• Payment service providers
• Shipping companies
• External operators of websites, applications, and services
• Law enforcement agencies, courts, government agencies or public authorities, intergovernmental or supranational bodies
• Third parties who are involved in judicial proceedings, in particular, if they submit a legal order, court order or equivalent legal order to us.

As KOTRA is a public agency of South Korea, your personal data may be transferred to South Korea for the purposes mentioned in this Policy. As South Korea has not sought nor received “adequacy decision” from the European Commission, we use Standard Contractual Clauses adopted by the European Commission to provide appropriate safeguards for the transfer of your personal data.

Given the nature of KOTRA’s missions and functions, we may also disclose your personal data to recipients overseas. To ensure an adequate level of data protection when transferring your personal data from the European Economic Area (EEA) to third countries (outside the EEA), we will only transfer your personal data on the basis of an adequacy decision or appropriate safeguards such as Standard Contractual Clauses adopted by the European Commission. Upon request, we will provide you with a copy of the relevant information.

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work or work more efficiently. We use cookies that are necessary for the operation of this website to enhance your experience when you use our website. You can control your cookies through the browser settings. Please visit the browser developer's website if you want to find out how to manage your cookies on your browser.

If you want to know more about cookies, please visit www.aboutcookies.org or www.allaboutcookies.org.

We have implemented technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised access or disclosure of personal data. We restrict access to your personal data to those who need to know that information to provide benefits or services to you. In addition, we train our employees to help them be well aware of risks associated with data security and confidentiality.

We strive to keep our processing activities with respect to your personal data as limited as possible. Your personal data will be retained only for as long as we need it to fulfil the purpose for which we have collected it and, if applicable, as long as required by statutory retention requirements. In case of consent, your personal data will be at the latest deleted without undue delay after the withdrawal of such consent.

You have the rights, at any time:

• without giving reasons according to Art. 15 of the GDPR to obtain information about your data stored with us. With the exception of any connection fees charged by your provider, you will not incur any costs as a result of the inquiry;
• to have the data rectified in accordance with Art. 16 of the GDPR;
• to have the data erased in accordance with Art. 17 of the GDPR;
• to obtain from the controller restriction of processing in accordance with Art. 18 of the GDPR;
• to object to the processing for sending the newsletter according to Art. 21 (2) of the GDPR;
• to object to other forms of processing of your personal data in accordance with Art. 21 (1) of the GDPR;
• to withdraw any consent to the collection and use of data given to us at any time, without affecting the lawfulness of processing based on consent before its withdrawal in accordance with Art. 7 (3) of the GDPR;
• to receive your personal data in a machine-readable format and to transmit them to another person responsible in accordance with Art. 20 of the GDPR;

If you would like to exercise any of these rights, you can contact the Data Protection Officer or Data Protection Manager responsible for your region. You can find the contact information of our Data Protection Managers and Data Protection Officer here.

No cost will be charged for any response to acceptable requests. If for some reasons the request is denied, we will provide an explanation as to why the request has been denied.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes for the period we hold your data.

We take any complaints we receive from you very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We also welcome any suggestions for improving our procedures.

We ask that you first submit any such complaints directly to the Data Protection Officer or Data Protection Manager in your country. If you aren't satisfied with our response or have concerns about how we process your personal data, you have the right to lodge a complaint with the appropriate data protection authority in your region.

You may find links to other websites on our websites. We recommend that you read the privacy policies on the other websites you visit. This Policy does not cover how other websites collect and process personal data.