1. 1. buyKOREA processes personal information to a minimum as necessary for the purpose of providing customer service, handling civil complaints, and performing duties under its jurisdiction. Additionally, certain personal information may be processed through KOTRA's internal customer management system for the purpose of responding to customer inquiries and facilitating export consultations. In such cases, the information is transferred to the system only when the data subject has provided optional consent.
2. 2. The purpose of processing personal information processed by buyKOREA is as follows.

   The purpose of processing personal information processed by buyKOREA is as follows.

   No.	Name of personal information file	Operating grounds	Purpose of management
   1	Member for buyKOREA overseas buyers	Owner of information's consent	Supporting export of domestic companies and providing product information
   2	Member for buyKOREA Korean sellers	Owner of information's consent	Providing service, handling complaints
   3	buyKOREA B2B Inquiry- related Information	Owner of information's consent	Providing service.
   4	buyKOREA B2B Transaction Information	Owner of information's consent	Providing service.

1. 1. Personal information processed by buyKOREA shall be processed within the scope specified for collection and use purposes, and the retention period prescribed by the Personal Information Protection Act and related statutes shall apply mutatis mutandis.
2. 2. The management and retention period of each of personal information is specified as follows.

   The management and retention period of each of personal information is specified as follows.

   No.	Name of personal information file	Operating grounds	Purpose of management	Retention Period
   1	Member for buyKOREA overseas buyers	Data Subject Consent, Legal Basis	Membership management and provision of services on the buyKOREA website	Retained for 5 years after membership withdrawal Article 15(1)(1) of the Personal Information Protection Act (“Consent of the data subject”) Article 15(1)(2) of the Personal Information Protection Act (“Special provisions under the law”) ① Article 6 of the Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, etc. (“Records to be retained by business operators”)
   2	Member for buyKOREA Korean sellers
   3	buyKOREA B2B Inquiry- related Information		Records related to the provision of buyKOREA services, B2B inquiries, adjustments, and cancellations	Retained for 5 years Article 15(1)(1) of the Personal Information Protection Act (“Consent of the data subject”) Article 15(1)(2) of the Personal Information Protection Act (“Special provisions under the law”) ① Article 6 of the Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, etc. (“Records to be retained by business operators”)
   4	buyKOREA B2B Transaction Information		Records related to the provision of buyKOREA services, B2B payments and the supply of goods or services

3. 3. Personal Information Processed in Accordance with Relevant Laws with the Data Subject’s Consent

   The purpose of processing personal information processed by buyKOREA is as follows.

   Relevant Laws	Purpose	Retention Period
   Article 15(1)(2) of the Personal Information Protection Act (“Special provisions under the law”), Article 6 of the Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, etc.	Retention of records related to B2B inquiries, adjustments, and cancellations	5 years
   	Retention of records related to B2B payments and supply of goods, etc.	5 years

   • Requests to change the retention period based on the circumstances of each country (e.g., applicable laws) will be reviewed and addressed accordingly.
4. 4. A full list of personal information files managed by KOTRA is available through the Personal Information Portal (www.privacy.go.kr).
   • Personal Information Portal (www.privacy.go.kr) → Personal Services → Request for perusal of personal information → Search personal information files → Enter “Korea Trade-Investment Promotion Agency” in the institution name field to view detailed information. Search personal information files open new

buyKOREA processes the information subject's personal information only to the extent specified in Article 1 (the purpose of processing personal information) and does not process it beyond its original purpose or provide it to third parties without prior consent from the entity unless.

1. 1. The case to obtain separate consent from owner of information
2. 2. The case where special provisions are prescribed in other Acts or regulations
3. 3. The case clearly admitted to be necessary for the benefit of owner of information or third party's imminent life, body, property
4. 4. As the case the personal information is used for intended purposes other than the purpose or if not provided to a third party, the duties stipulated by other Act cannot be performed, the case to pass through deliberation and resolution of the protection committee
5. 5. he case to be necessary to provide to foreign governments or international organizations for performing treaties or other international agreements
6. 6. The case to be necessary for investigating crimes, and filing and maintaining the prosecution
7. 7. The case to be necessary to perform the court's trial
8. 8. The case to be necessary to execute punishment as well as custody, probation
9. 9. The case where it is urgently required to protect public health, safety, or welfare

1. 1. buyKOREA has entrusted personal information management as below for a seamless personal information management.

   The management and retention period of each of personal information is specified as follows.

   No.	Entrusted affairs	Entrusted company name	Telephone number	Working Hour	Check result of trustee management status	Sub- entrustment Status
   1	buyKOREA homepage operation & maintenance	KSIGN Co., Ltd.	02-2140-7200	09:00~18:00	appropriate	Not applicable

2. 2. When signing an entrustment contract, buyKOREA stipulates in the contract that the trustee handles personal information safely in accordance with Article 26 of the Personal Information Protection Act, technical measures, re-entrustment restrictions, management, and damages.
3. 3. In accordance with Article 26(6) of the Personal Information Protection Act, when an entrusted party sub-entrusts KOTRA’s personal information processing tasks, it shall obtain KOTRA’s consent, and the details of the sub-entrustee and the sub-entrusted tasks are disclosed through this Privacy Policy.
4. 4. If the details of the entrusted work or the trustee change, we will disclose it through this personal information processing policy without delay.

1. 1. Data subjects may exercise the following personal information protection rights at any time: the right to access, transfer, rectify, delete, suspend processing of, and withdraw consent to their personal information.
   1. 1) Request to access personal information not right or false
   2. 2) If there is an error, request correction
   3. 3) Request to delete
   4. 4) Request to suspend management
2. 2. The exercise of rights under Paragraph 1 may be made in writing, by e-mail, by fax, through the Internet, or by other means pursuant to Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, and appropriate measures will be taken without delay.
3. 3. When owner of information has requested correction or deletion of personal information, it will not be use or provided that year personal information until the correction or deletion is completed.
4. 4. The exercise of rights under paragraph 1 may be conducted through an agent, such as the legal representative of the information subject or a person delegated. In such cases, you shall submit a power of attorney in attached Form 11 of the Notice on the Method of Processing Personal Information.
5. 5. The request of the personal information access and suspension of management of, the right of owner of information may be restricted by the Personal Information Protection Act Article 35 Paragraph 4, Article 37 Paragraph 2.
6. 6. Requests for the correction and deletion of personal information cannot be requested to be deleted if the personal information is specified as to be collected object in the other Act and Articles.
7. 7. We verify whether the person to request for access, correction, deletion, suspension, etc. according to the owner of information's right, is the person himself or a legitimate representative.
   • Present identity card to identify yourself (identity card, driver's license, passport, etc.)
   • In case of a representative, present your identity card and a power of attorney to identify your representative

   • [Attachment 8 of the Notice on the Method of Processing Personal Information] Presentation of a Request for Access to Personal Information

   • [Attachment 11 of the Notice on the Method of Processing Personal Information] Presentation of a power of attorney

   • Requests for correction, deletion, or suspension of processing of personal information may also be made by specifying the relevant details in the Request for Access to Personal Information (Attachment 8)

8. 8. Requests for access, correction, deletion, and suspension of personal information management will be processed in the following procedure.
   

   search of personal informaition file list

   (request of reviewing)

   1. request of reviewing
   2. confirmation of request subject and confirmation of personal information reviewing range
   3. confirmation of personal information reviewing restriction range
      1. notification of reviewing decision(permit/limit/postpnoement)
         1. reviewing
      2. notification of reviewing decision(reject)

   (correct/deletion, requestto suspend processing)

   1. correct/deletion, requestto suspend processing
   2. confirm request subject and personal informaition correct/deletion, check processing suspension range
   3. personal informaition correct/deletion, check restriction of processing suspension, correction/deletion
      1. correction/deletion, notification of result of suspension of processing
      2. correction/deletion, notification of restriction of processing suspension(rejection, other law, and others)

9. 9. Pursuant to Article 38 (Method and Procedure for Exercising Rights) of the Personal Information Protection Act, if a data subject objects to a refusal of a request for access to personal information, he or she may file a complaint.
   1. 1) (Data Subject) Submission of objection.
   2. 2) (KOTRA) Receipt of objection and complaints related to personal information processing
   3. 3) (KOTRA) Review and take necessary measures on the received matters
   4. 4) (KOTRA) Notification of the result of the objection, etc Objection Application Form download
10. 10. Within 14 days from the date of receiving an objection, KOTRA reviews the details of the objection, takes measures as appropriate based on the results, and informs the data subject in accordance with the result notice regarding the request for access, rectification, deletion, suspension of processing, or withdrawal of consent of personal information. Download Procedure for Exercising Data Subject Rights download

1. 1. buyKOREA processes the following personal information items based on the data subject’s consent and the Enforcement Decree of the Act on Consumer Protection in Electronic Commerce, etc.

   The management and retention period of each of personal information is specified as follows.

   No.	Name of personal information file	Personal information items recorded in the personal information file	Legal Basis for Collection
   1	Member for buyKOREA overseas buyers	Required: Name, ID(E-mail), Password, Gender, Company Name, Country/City, Social Login Type Optional: Mobile Phone Number, Telephone Number, Fax Number, Job position, Address	Article 15(1)(1) of the Personal Information Protection Act (“Consent of the data subject”) Article 15(1)(2) of the Personal Information Protection Act (“Special provisions under the law”) ① Article 6 of the Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, etc. (“Records to be retained by business operators”)
   2	Member for buyKOREA Korean sellers	Required: ID, Password, Name, Mobile Phone Number, E-mail, CI (Connection Information) Optional: Telephone Number, Fax Number, Address, Company Name (※Required for corporate members)
   3	buyKOREA B2B Inquiry- related Information	[Overseas buyers] In the case of an inquiry • Required: Name, ID(E-mail), Company Name, Country/City • Optional: Mobile Phone Number In the case of a trade show • Required: Name, ID(E-mail), Company Name, Country/City [Korean sellers] In the case of a trade show • Required: Name, Mobile Phone Number, E-mail, Company Name, Trade Show Contact Information (Name, Email, Mobile phone number)
   4	buyKOREA B2B Transaction Information	[Overseas buyers] Required: Name, ID(E-mail), Company Name, Shipping Address Optional: Mobile Phone Number, Telephone Number, Fax Number [Korean sellers] Required: Name, Mobile Phone Number, E-mail, Address, Company Name Optional: Telephone Number, Fax Number

2. 2. During the use of internet services, the following personal information may be automatically generated and collected.
   • buyKOREA Website(Cookie): IP address, Browser type and version, Operating system type, Type of device used, Visited pages, Number of visits, Time of visit, Country of access, Recently viewed products, Recently viewed inquiries, Saved login ID, Auto-login enabled status, Popup dismissal status, Quotation and invoice view status

1. 1. buyKOREA promptly destroys personal information once it becomes unnecessary, such as upon the expiration of the retention period or achievement of the processing purpose. However, this does not apply where retention is required under other laws.
2. 2. If the retention period consented to by the data subject has expired, or the processing purpose has been achieved, but retention is still required under other laws, buyKOREA preserves the relevant personal information (or personal information files) by transferring it to a separate database (DB) or storing it in a different location.
3. 3. The procedures, timelines, and methods of destroying personal information by buyKOREA are as follows.
   1. 1) Destruction procedure

      Unnecessary personal information and personal information files are destroyed with the approval of the personal information protection officer in accordance with internal policies and procedures, as follows.

      • Destruction of personal information.
        Personal information that has passed the retention period will be destroyed without delay from the end date
      • Destruction of personal information files
        When the personal information file becomes unnecessary such as the purpose of personal information file management being achieved, abolition of service, or the end of the business, the personal information file is destroyed without delay from the date when personal information management is recognized as unnecessary.
   2. 1) How to destroy
      1. ① Electronic forms of information use technological methods that cannot reproduce the records.
      2. ② Personal information printed on paper is shredded by shredder or destroyed by incineration.

1. 1. buyKOREA, pursuant to Article 29 of the 「Personal Information Protection Act」, takes the technical, administrative and physical measures necessary for ensuring safety as follows.
   1. 1) Establishment and implementation of an internal management plan buyKOREA establishes and implements an internal management plan in accordance with the 'Standard for measures to secure safety of personal information'.
   2. 2) Minimization and education of persons in charge of handling personal information We designate a person in charge of handling personal information and implement measures to manage personal information by minimizing it.
   3. 3) Restrictions on access to personal information We are taking necessary measures to control access to personal information through granting, changing, and deleting access to the database system that processes personal information, and controlling unauthorized access from outside using the intrusion prevention system.
   4. 4) Storage of access records and prevention of forgery and alteration Records (web logs, summary information, etc.) connected to the personal information processing system have been kept and managed for at least a year. However, the personal information processing system that processes personal information or processes unique identification information or sensitive information for more than 50,000 information subjects has been kept and managed for more than two years.
   5. 5) Encryption of personal information Your personal information is encrypted, stored, and managed. We also use separate security features such as encryption and use of sensitive data when storing and transferring.
   6. 6) Installing and periodically inspecting and renewing security programs buyKOREA installs security programs and periodically updates and checks them to prevent personal information leakage or damage caused by hacking or computer viruses.
   7. 7) Access control procedures are established and operated separately for the physical storage of the personal information system that holds personal information on unauthorized persons.
2. 2. buyKOREA, in accordance with Article 28-2 of the Personal Information Protection Act, pseudonymizes collected personal information so that a specific individual cannot be identified for purposes such as preparing statistics, conducting scientific research, or preserving records in the public interest. Pursuant to Article 28-4 of the same Act, buyKOREA takes the following administrative, technical, and physical measures necessary to ensure the security of pseudonymized information:
   1. 1) Administrative measures: Establishment and implementation of an internal management plan for pseudonymized information, regular employee training, etc.
   2. 2) Technical measures: Separate storage of pseudonymized information and additional information, destruction of additional information when no longer necessary, separation of access rights and installation of access control systems for pseudonymized and additional information, storage and inspection of processing and access logs, installation of security programs, etc.
   3. 3) Physical measures: Access control of computer rooms, data storage rooms, and other facilities where pseudonymized information is kept, etc.

1. 1. buyKOREA takes overall responsibility for personal information processing and designates the following Personal Information Protection Officer to handle complaints and provide remedies related to personal information processing.
2. 2. Data subjects may contact the Personal Information Protection Officer and the department in charge of personal information protection for any inquiries, complaints, or remedies related to personal information protection arising while using buyKOREA’s services. KOTRA will respond to and handle such inquiries without delay.

   The Article 9 (Each Contact Person and Contact Points in charge of Personal Information Protection)

   Division	Name of department	Name	Contact point
   buyKOREA Personal Information Protection Officer	Digital Trade- Investment Office	Jeonghun Lee, Vice President Head of Digital Trade and Investment Division	Tel: +82-2-3460- 7400
   buyKOREA General Customer Information Division Manager	Digital Platform Office	Byungjoo Jeon, Director	Tel: +82-2-3460- 3451
   buyKOREA General Customer Information Management Manager	Digital Business Team	Dooho Cho, Deputy Director	Tel: +82-2-3460- 3453 email : dhcho@kotra.or.kr

1. 1. Data subjects may request access to their personal information pursuant to Article 35 of the Personal Information Protection Act by contacting the department below. buyKOREA will make every effort to ensure that requests for access to personal information are handled promptly.
   1. 1) The department of reception and handling of request to access personal information
      • Name of department: Digital Transformation Department
      • Contact person: Jaehwan Park, Vice President
      • Contact point: Tel +82-2-3460-3245 / Email. windy80x@kotra.or.kr
2. 2. In addition to the department receiving and processing requests for perusal under paragraph 1, the information subject may request perusal of personal information through the Personal Information Protection Portal (www.privacy.go.kr) of the Personal Information Protection Committee.
   • Personal Information Protection Commission Personal Information Portal → Personal Services → Request for Access to Personal Information
     (real-name verification required via mobile phone or i-PIN)

The owner of information can inquire damage relief, consultation, and others about infringement of personal information to the following institutions. (As the following institutions are separate from KOTRA, when you are not satisfied with KOTRA's own personal information complaints handling, damage relief results, or need further assistance, please contact them.)

1. 1. Reporting Center for Infringements on Personal Information (operated by The Korea Internet and Security Agency)
   • Affairs: Reporting personal information infringement, application for consultation
   • Homepage: privacy.kisa.or.kr
   • Telephone: (Without an area code) 118
   • Address: (58324) 9 Jinheung-gil, Naju, Jeollanam-do, Republic Of Korea
2. 2. Personal Information Dispute Mediation Committee (The Korea Internet and Security Agency)
   • Affairs: Personal information dispute mediation application, collective dispute mediation (civil settlement)
   • Homepage: www.kopico.go.kr
   • Tel: 1833-6972
   • Address: (03171) 209 Sejong Daero Road, Jongno-gu, Government Seoul Office 4F Personal Information Dispute Mediation Committee
3. 3. Supreme Prosecutors' Office:
   • 1301 ( www.spo.go.kr, cid@spo.go.kr )
4. 4. Korean National Police Agency:
   • 182 (ecrm.cyber.go.kr)

In addition, a person who is infringed the rights or interests due to administrative disposition or omission by the head of public institution for the request of owner of information on personal information correction, deletion or suspension, etc, can request the administrative appeals as provided by the Administrative Appeals Act.

Refer to the telephone number of the Central Administrative Appeals Commission. (www.simpan.go.kr)

1. 1. buyKOREA uses “cookies,” which store and retrieve usage information from time to time, in order to provide data subjects with personalized services and convenience.
2. 2. A cookie is a small piece of information sent by the server (http) used for website operation to the browser of the data subject, stored on the data subject’s computer or mobile device, and automatically transmitted back to the server by the browser when accessing the website.
3. 3. Data subjects may allow or block cookies by configuring the settings of their browser options.
   1. 1) Cookie settings on web browsers
      • Chrome: Select the “⋮” icon in the upper right corner of the browser > New Incognito Window (shortcut: Ctrl+Shift+N)
      • Edge: Select the “...” icon in the upper right corner of the browser > New InPrivate Window (shortcut: Ctrl+Shift+N)
   2. 2) Cookie settings on mobile browsers
      • Chrome: Select the “⋮” icon in the upper right corner of the mobile browser > New Incognito Tab
      • Safari: Mobile device Settings > Safari > Advanced > Block All Cookies
      • Samsung Internet: Select the “Tabs” icon at the bottom of the mobile browser > Turn on Secret Mode > Start

buyKOREA may send personalized advertisements and information using the personal information for which you have given consent to collect and use, through various electronic transmission methods such as email and push notifications. These marketing messages may be sent between 8:00 AM and 9:00 PM.

• Delivery Channels: Email, Push Notifications.
• Delivery Time: From 8:00 AM to 9:00 PM

This consent is optional, and you may refuse to provide it. However, if you do not consent, you will not receive notifications about events, promotions, or other useful advertisements. Please note that essential notifications related to business activities and platform operations—such as transactions, account updates, or system alerts—may be sent regardless of time.

You can change your consent settings for marketing information at any time by:

1. 1) Requesting changes through the buyKOREA Customer Center (buykorea@kotra.or.kr)
2. 2) Email: Log in to buyKOREA via web browser > My Page
3. 3) Push Notifications: Log in to the buyKOREA mobile app > Settings > Push Notification Settings

1. 1. Pursuant to Article 15(3) or Article 17(4) of the Personal Information Protection Act and Article 14-2 of its Enforcement Decree, buyKOREA may additionally use or provide personal information without the consent of the data subject.
2. 2. Accordingly, in order to additionally use or provide personal information without the consent of the data subject, buyKOREA has considered the following matters:
   1. 1) Whether the additional use or provision is related to the original purpose of collection;
   2. 2) Whether the additional use or provision of personal information was reasonably foreseeable in light of the circumstances under which the personal information was collected or the general processing practices;
   3. 3) Whether the rights and interests of the data subject would be unfairly infringed;
   4. 4) Whether necessary measures to ensure security, such as pseudonymization or encryption, have been taken.

The owner of information can inquire damage relief, consultation, and others about infringement of personal information to the following institutions. (As the following institutions are separate from KOTRA, when you are not satisfied with KOTRA's own personal information complaints handling, damage relief results, or need further assistance, please contact them.)

1. 1. This policy will take effect on 17th October, 2025.
2. 2. The previous document could be found below.
   • Privacy Policy, June 30, 2025 ~ October 16, 2025
   • Privacy Policy, April 22, 2025 ~ June 29, 2025
   • Privacy Policy, September 26, 2024 ~ April 21, 2025
   • Privacy Policy, July 16, 2024 ~ September 25, 2024
   • Privacy Policy, December 15, 2023 ~ July 15, 2024

A controller is responsible for the collection and processing of your personal data in accordance with the General Data Protection Regulation (GDPR) as well as further applicable data protection laws.

Please find your controller and its contact information as follows.

• Organization Name: Korea Trade-Investment Promotion Agency (KOTRA)
• Address: 13 Heolleung-ro, Seocho-gu, Seoul, Republic of Korea
• Email: buykorea@kotra.or.kr

A controller is responsible for the collection and processing of your personal data in accordance with the General Data Protection Regulation (GDPR) as well as further applicable data protection laws.

Please find your controller and its contact information in [Table 1].

We generally collect your personal data directly from you, when, for example, you submit a Message, attend events or seminars, use or engage in our services or provide us with your contacts. With your consent, we may sign up your membership and register Inquiries on your behalf. From time to time, we may gain access to your business contact details via recognised business data providers or an official website of your organisation. We may also receive your contact details through our primary contacts at your organisation if they think you may benefit from our services. As we work closely with other organisations, public agencies or governments of South Korea, we may also receive information about you from them.

When you visit our website, computer and technology information (e.g. browser type, IP address, unique device ID, etc.) is automatically collected via your browsers.

We do not collect more information than we need to fulfil our purposes mentioned in this Policy and will not retain it for longer than is necessary. The types of personal data we collect and share depend on the nature of your relationship with us and the requirements of applicable laws.

• We collect your ID(E-mail), password, Country/City when you sign up for membership.
• We collect data regarding orders, purchases, and Inquiries that you provide in your transaction.
• We collect content that you share with other members through services such as inquiries, feedbacks, and price quotes.
• We collect your payment details, shipping, billing, and other information you provide in connection with the purchase or shipping of items.
• We gather your contact information and details of your comments, requests or any other issues you’ve raised regarding our services.
• We collect data that is generated through your actions which is linked to your account such as items placed in your shopping cart or your favorites.
• The personal data that we process may include any other personal data that is provided to us during the course of our services.
• When you visit our website, we collect and store information that your browser automatically transmits to us such as IP address, date and time of your access, your browser type, operating system type, and cookie-related data. For more information about our use of Cookies, please see 9. Cookies.

As KOTRA is a public agency of South Korea, we process personal data for a number of different purposes that arise from our missions to contribute to the development of the national economy through global business support activities. laws.

We may process your personal data for the following purposes:

• To provide you with e-commerce services including offer, negotiation, contract, payment, and shipping between members
• To permit your membership registration and to prevent damages that may occur during business relations between members
• To sign up your membership and register Inquiries on your behalf
• To contact you or communicate with you concerning our services
• To respond to your requests, inquiries or concerns regarding our services
• To contact you with regard to business opportunities which we believe might interest you

For visitors to our website

The information collected automatically when you visit our website will be processed for the following purposes:

• To ensure our website stays securely by preventing, detecting, mitigating and investigating fraud and security breaches
• To ensure the performance of our website
• To ensure that the content of our website is presented in the most effective manner for you and your computer

The provision of your personal data will generally be voluntary and there is no statutory nor contractual obligation to provide your personal data. We generally do not contractually require the provision of your personal data but note that in any event, non-provision of personal data might exclude you from using some of our services or parts thereof.

Our services are not intended for use by children. Under applicable national laws, we do not knowingly collect personal data from users who are considered children. According to our User Agreement, children are not permitted to use our services.

Where KOTRA is processing personal data for the performance of its functions, the primary legal bases under the GDPR are as follows:

• Where the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract in accordance with Art. 6 (1) (b) of the GDPR. (i.e. using e-commerce services, signing up membership)
• Where the processing is necessary for the legitimate interests pursued by KOTRA or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data in accordance with Art. 6 (1) (f) of the GDPR. (i.e. preventing or detecting security issues)
• Where we have obtained a data subject’s consent to the processing in accordance with Art. 6 (1) (a) of the GDPR. (i.e. signing up membership and registration of Inquiry on your behalf)
• Where the processing is necessary to comply with legal obligations in accordance with Art. 6 (1) (c) of the GDPR.

We do not sell or disclose your personal data to third parties for their marketing or advertising purposes without your consent. We only disclose your personal data when it is necessary for the purposes mentioned in this Policy or when we have obtained your consent.

Third party service providers may access to your personal data on a need to know basis for the purpose of providing services on behalf of us. They cannot do anything with your personal data without our permission. They will not share your personal data with any organisation apart from us, nor will they keep your personal data for longer than the period we instruct.

When necessary, we share your personal data with the following the data processors and recipients as far as necessary for the purposes described in this Policy:

• KOTRA headquarters in Korea and KOTRA offices in charge
• Other members of the website
• Payment service providers
• Shipping companies
• External operators of websites, applications, and services
• Law enforcement agencies, courts, government agencies or public authorities, intergovernmental or supranational bodies
• Third parties who are involved in judicial proceedings, in particular, if they submit a legal order, court order or equivalent legal order to us.

As KOTRA is a public agency of South Korea, your personal data may be transferred to South Korea for the purposes mentioned in this Policy. As South Korea has not sought nor received “adequacy decision” from the European Commission, we use Standard Contractual Clauses adopted by the European Commission to provide appropriate safeguards for the transfer of your personal data.

Given the nature of KOTRA’s missions and functions, we may also disclose your personal data to recipients overseas. To ensure an adequate level of data protection when transferring your personal data from the European Economic Area (EEA) to third countries (outside the EEA), we will only transfer your personal data on the basis of an adequacy decision or appropriate safeguards such as Standard Contractual Clauses adopted by the European Commission. Upon request, we will provide you with a copy of the relevant information.

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work or work more efficiently. We use cookies that are necessary for the operation of this website to enhance your experience when you use our website. You can control your cookies through the browser settings. Please visit the browser developer's website if you want to find out how to manage your cookies on your browser.

If you want to know more about cookies, please visit www.aboutcookies.org or www.allaboutcookies.org.

We have implemented technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised access or disclosure of personal data.

We restrict access to your personal data to those who need to know that information to provide benefits or services to you. In addition, we train our employees to help them be well aware of risks associated with data security and confidentiality.

We strive to keep our processing activities with respect to your personal data as limited as possible. Your personal data will be retained only for as long as we need it to fulfil the purpose for which we have collected it and, if applicable, as long as required by statutory retention requirements. In case of consent, your personal data will be at the latest deleted without undue delay after the withdrawal of such consent.

You have the rights, at any time:

• without giving reasons according to Art. 15 of the GDPR to obtain information about your data stored with us. With the exception of any connection fees charged by your provider, you will not incur any costs as a result of the inquiry;
• to have the data rectified in accordance with Art. 16 of the GDPR;
• to have the data erased in accordance with Art. 17 of the GDPR;
• to obtain from the controller restriction of processing in accordance with Art. 18 of the GDPR;
• to object to the processing for sending the newsletter according to Art. 21 (2) of the GDPR;
• to object to other forms of processing of your personal data in accordance with Art. 21 (1) of the GDPR;
• to withdraw any consent to the collection and use of data given to us at any time, without affecting the lawfulness of processing based on consent before its withdrawal in accordance with Art. 7 (3) of the GDPR;
• to receive your personal data in a machine-readable format and to transmit them to another person responsible in accordance with Art. 20 of the GDPR;

If you would like to exercise any of these rights, you can contact the Data Protection Officer or Data Protection Manager responsible for your region. You can find the contact information of our Data Protection Managers and Data Protection Officer here.

No cost will be charged for any response to acceptable requests. If for some reasons the request is denied, we will provide an explanation as to why the request has been denied.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes for the period we hold your data.

We take any complaints we receive from you very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We also welcome any suggestions for improving our procedures.

We ask that you first submit any such complaints directly to the Data Protection Officer or Data Protection Manager in your country. If you aren't satisfied with our response or have concerns about how we process your personal data, you have the right to lodge a complaint with the appropriate data protection authority in your region.

You may find links to other websites on our websites. We recommend that you read the privacy policies on the other websites you visit. This Policy does not cover how other websites collect and process personal data.
 

[Table 1]