KEPCO Nuclear Fuel (hereinafter referred to as the “Company”) establishes and discloses the following Privacy Policy in accordance with the Personal Information Protection Act to protect the personal information of data subjects and to handle grievances related to personal information promptly and smoothly.
Privacy Policy Table of Contents
- Purpose of personal information processing
- Processing of personal information and registration of personal information files
- Results of personal information impact assessment
- Provision of personal information to third parties
- Outsourcing of personal information processing tasks
- Procedure and method of destruction of personal information
- Rights and obligations of data subjects and their legal representatives and exercise methods
- Criteria for determining additional use or provision without consent
- Devices that automatically collect personal information
- Processing of pseudonymized information
- Chief Privacy Officer and Manager
- Department in charge of requests for access
- Remedies for infringement of rights
- Results of personal information management level assessment
- Measures to ensure security
- Changes to the Privacy Policy
Section 1 (General Provisions)
- “Personal information” means information about a living individual, including information that can identify the individual by name, phone number, address, etc. contained in the information (including information that cannot identify a specific individual by itself but can be easily combined with other information to do so).
- This Privacy Policy applies to all personal information processed by the Company.
- The Company values the personal information of its employees and users of all services, complies with the Personal Information Protection Act and other relevant laws, and has established this Privacy Policy accordingly to protect the rights and interests of employees and users.
Section 2 (Purpose of Personal Information Processing)
The Company processes personal information for the following purposes. Personal information being processed will not be used for purposes other than those specified below, and if the purpose of use changes, the Company will take necessary measures such as obtaining separate consent. The list of personal information (files) being processed is as follows.
Personal Information Processing Tasks | Purpose of Processing | Name of Personal Information File |
---|---|---|
Management of job applications | Talent recruitment | Job applications |
Provision of training services to outsiders | Provision of training services | Provision of training services to outsiders |
Access control | Prevention of security incidents and terrorism | Access control |
Radiation-controlled area access control (radiation workers) | Radiation safety management of entrants to nuclear material processing facilities | Radiation-controlled area access control for radiation workers |
Radiation-controlled area access control (temporary and occasional entrants) | Radiation safety management of entrants to nuclear material processing facilities | Access control for radiation-controlled areas |
Management of human rights violation reports | Civil complaint handling | Not registered (Reason: 0 cases) |
Management of public innovation proposals | Civil complaint handling | Not registered (Reason: 0 cases) |
Employee personnel management | Processing of employee personnel tasks | Employee personnel management |
Employee training management | Processing of employee training tasks | Employee training management |
Appointment of executives | Appointment and dismissal of executives | Not registered (Reason: 0 cases) |
Management of requests for disclosure of information | Disclosure of information | Not registered (Reason: 0 cases) |
Section 3 (Processing of Personal Information and Registration of Personal Information Files)
The Company processes and retains personal information within the retention period prescribed by law or within the period of use consented to by the data subject at the time of collection of personal information. The items of personal information processed by the Company are as follows.
Personal Information Processing Tasks | Items of Personal Information | Retention Period |
---|---|---|
Management of job applications | Name, date of birth, phone number, mobile phone number, email address, veteran status, disability status, low-income status, overseas university graduate status, local talent status, youth status, high school graduate talent status, personal statement, education details, qualification details, foreign language proficiency, foreign language details, career and experience details, research achievements | 1 year |
Provision of training services to outsiders | Name, affiliation, contact information | Until completion of training |
Access control | Korean nationals: Name, date of birth, affiliated organization, contact information, address; Foreign nationals: Passport number, foreigner registration number, name, contact information, affiliated organization, address | 10 years |
Radiation-controlled area access control (radiation workers) | Name, resident registration number, affiliated organization, contact information | Until the termination of the processing business |
Radiation-controlled area access control (temporary and occasional entrants) | Name, resident registration number, affiliated organization, contact information | 10 years |
Management of human rights violation reports | Name, address, contact information, affiliated organization | 5 years |
Management of public innovation proposals | Name, age group, contact information, email address | 2 years |
Employee personnel management | Name, resident registration number, phone number, mobile phone number, email address, veteran status, disability status, low-income status, overseas university graduate status, local talent status, youth status, high school graduate talent status, personal statement, education details, qualification details, foreign language proficiency, foreign language details, career and experience details, research achievements | Permanent |
Employee training management | Name, date of birth, phone number, mobile phone number, email address | Permanent |
Appointment of executives | Name, contact information, resident registration number, address, academic background, career background | Permanent |
Management of requests for disclosure of information | Name, contact information, address | 3 years |
Pursuant to Article 32 of the Personal Information Protection Act, the detailed registration status of the personal information files registered and disclosed by the Company can be checked through the comprehensive portal for personal information protection of the Personal Information Protection Commission.
Name of Personal Information File | Items of Personal Information | Retention Period |
---|---|---|
Job applications | Name, date of birth, phone number, mobile phone number, email address, veteran status, disability status, low-income status, overseas university graduate status, local talent status, youth status, high school graduate talent status, personal statement, education details, qualification details, foreign language proficiency, foreign language details, career and experience details, research achievements | 1 year |
Provision of training services to outsiders | Name, affiliation, contact information | Until completion of training |
Access control | Korean nationals: Name, date of birth, affiliated organization, contact information, address; Foreign nationals: Passport number, foreigner registration number, name, contact information, affiliated organization, address | 10 years |
Radiation-controlled area access control for radiation workers | Name, resident registration number, affiliated organization, contact information | Until the termination of the processing business |
Temporary and occasional radiation-controlled area access control | Name, resident registration number, affiliated organization, contact information | 10 years |
Employee personnel management | Name, resident registration number, phone number, mobile phone number, email address, veteran status, disability status, low-income status, overseas university graduate status, local talent status, youth status, high school graduate talent status, personal statement, education details, qualification details, foreign language proficiency, foreign language details, career and experience details, research achievements | Permanent |
Employee training management | Name, date of birth, phone number, mobile phone number, email address | Permanent |
Executive appointment | Name, contact information, resident registration number, address, academic background, career background | Permanent |
Section 4 (Results of Personal Information Impact Assessment)
The Company has no items subject to a personal information impact assessment.
Section 5 (Provision of Personal Information to Third Parties)
The Company does not, in principle, provide collected personal information to third parties. However, personal information may be provided in the following cases, except when it is likely to unfairly infringe upon the interests of the data subject or a third party:
- Where there are special provisions under the law
- Where separate consent is obtained from the data subject
- Where the data subject or legal representative is unable to express intent, or where prior consent cannot be obtained due to reasons such as an unknown address, and it is deemed necessary for the clear protection of the urgent life, body, or property interests of the data subject or a third party
- Where it is necessary for purposes such as compiling statistics or academic research, and the personal information is provided in a form that does not allow the identification of a specific individual
- Where the personal information is used for purposes other than its intended use or provided to a third party, and failure to do so would make it impossible to perform duties prescribed by other laws, and the case has undergone deliberation and resolution by the Personal Information Protection Commission
- Where it is necessary to provide the information to a foreign government or international organization for the implementation of treaties or other international agreements
- Where it is necessary for the investigation of crimes, and for the initiation or maintenance of public prosecution
- Where it is necessary for the performance of judicial duties by the court
- Where it is necessary for the execution of criminal punishment, custody, or protective disposition
- Where urgently necessary for public health, safety, and welfare
Section 6 (Outsourcing of Personal Information Processing Tasks)
- The Company outsources personal information processing tasks as follows to facilitate smooth personal information processing:
Table describing entrusted parties and the details of outsourced tasks.
Entrusted Party (Trustee) | Details of the Outsourced Tasks |
---|---|
RATOZ E&G | External exposure inspection |
Korea Atomic Energy Research Institute | Internal exposure inspection |
Iljin Rad Co., Ltd. | Access training for controlled areas |
KNF Partners Co., Ltd. | Special security services and access control |
NICE Information Service Co., Ltd. | Identity verification when applying for access on the website |
Saramin HR Co., Ltd. | Talent recruitment |
- When entering into an outsourcing agreement, the Company specifies in documents the prohibition of processing personal information for purposes other than performing the outsourced tasks, technical and managerial protective measures, restrictions on re-outsourcing, management and supervision of the consignee, liability for damages, etc., and supervises the consignee to ensure that personal information is processed safely.
Section 7 (Procedure and Method of Destruction of Personal Information)
- When personal information becomes unnecessary, such as upon expiration of the retention period or achievement of the processing purpose, the Company destroys the personal information without delay within 5 days, unless otherwise required to preserve it under other laws. However, if preservation is necessary according to other laws, it is not subject to destruction.
- Where personal information must be retained as evidence of civil or criminal liability, prescription, or disputes
- Where required to preserve under laws such as the Value-Added Tax Act (5 years), the Basic National Tax Act (5 years), and the Labor Standards Act (3 years)
- Other similar justifiable reasons
- Even if the retention period has expired or the purpose has been achieved, if personal information must continue to be preserved under other laws, the information will be moved to a separate database or stored in a different location. Such personal information will not be used for any other purpose unless required by law.
- Electronic files are permanently deleted in an irreversible manner, and printed materials are shredded or incinerated.
Section 8 (Rights and Obligations of Data Subjects and Legal Representatives and How to Exercise Them)
- Data subjects (including legal representatives for those under 14 years of age) may exercise the following rights related to personal information against the Company at any time:
- Request for access and transmission of personal information
- Request for correction if errors exist
- Request for deletion
- Request for suspension of processing
- Notice of collection sources, etc.
- A customer who has accessed their personal information may request correction or deletion from the Company if the information is incorrect or unverifiable. However, if the personal information is explicitly designated as subject to collection under other laws, deletion cannot be requested.
- Data subjects may request the Company to suspend processing of their personal information. However, in the following cases, the Company may notify the customer of the reason and reject the request:
- Where required by law or unavoidable to comply with legal obligations
- Where there is a risk of harming another person’s life or body, or unreasonably infringing upon another person’s property and other interests
- Where it is difficult to perform the contract, such as providing agreed goods or services, without processing the personal information, unless the other party clearly expresses intent to terminate the contract
- The Company shall process and notify the result of the request under paragraph 1 within 10 days, and if the data subject has any complaints or objections, they may raise objections through the same procedure.
- The request under paragraph 1 shall be made by filling out the request form in Appendix 8 of the “Notice on Personal Information Processing Methods” and submitting it via visit, email, etc., referring to Section 12 (Department in charge of requests for access to personal information). If submitted through a legal representative or delegated person, the power of attorney form in Appendix 11 of the same Notice must be filled out and submitted.
Request form (Appendix 8 of the Notice on Personal Information Processing Methods) Power of attorney form (Appendix 11 of the Notice)
- Where a data subject requests correction or deletion due to errors, the Company will not use or provide the relevant personal information until correction or deletion is completed.
Section 9 (Criteria for Determining Additional Use or Provision without the Consent of the Data Subject)
- The criteria for determining additional use or provision of personal information without the consent of the data subject are as follows:
- Whether it is related to the original purpose of collection
- Whether additional use or provision is reasonably foreseeable in light of the circumstances under which the personal information was collected or practices of processing
- Whether it unfairly infringes on the interests of the data subject
- Whether necessary measures, such as pseudonymization or encryption, have been taken to ensure security
Section 10 (Devices that Automatically Collect Personal Information)
The Company does not operate devices that automatically collect personal information.
Section 11 (Processing of Pseudonymized Information)
The Company does not process pseudonymized information.
Section 12 (Chief Privacy Officer and Manager)
The Company designates the following Chief Privacy Officer and Manager to protect personal information and handle grievances and remedies of data subjects related to personal information processing.
Division | Chief Privacy Officer | Privacy Manager |
---|---|---|
Name | Yoonhee Han | Jinho Yeon |
Department | Digital Security Office | Digital Security Office |
Position | Director | Manager |
Contact | 042-868-1008 | 042-868-1418 |
Email | yhhan@knfc.co.kr | jhyeon@knfc.co.kr |
Section 13 (Department in Charge of Receiving and Processing Requests for Access to Personal Information)
The Company provides the following contact information for each task to protect the personal information of data subjects and promptly and accurately handle related requests and inquiries.
No. | Personal information processing task | Department | Person in charge | Contact |
---|---|---|---|---|
1 | Management of job applications | Human Resources Development Department | Seunghyun Baek | ☎ 042-868-1394 ✉ shhan925@knfc.co.kr |
2 | Access control | Security and Protection Department | Soojong Lee | ☎ 042-869-3240 ✉ yisj@knfc.co.kr |
3 | Radiation-controlled area access control (radiation workers) | Radiation Control Department | Gyudong Choi | ☎ 042-868-1619 ✉ gdchoi@knfc.co.kr |
4 | Radiation-controlled area access control (temporary and occasional entrants) | | | |
5 | Appointment of executives | ESG Strategy Team | Sujin Park | ☎ 042-869-3313 ✉ sjpark@knfc.co.kr |
6 | Management of requests for disclosure of information | General Affairs Department | Kyeongim Jang | ☎ 042-868-1274 ✉ kijang@knfc.co.kr |
Section 14 (Remedies for Infringement of Rights of Data Subjects)
Data subjects may contact the following agencies regarding remedies, consultation, etc. for personal information infringement. These agencies are separate from the Company. If you are not satisfied with the Company’s handling of complaints and remedies, or if you need more detailed help, please contact them.
- Personal Information Dispute Mediation Committee: 1833-6972 (https://www.kopico.go.kr)
- Personal Information Infringement Report Center: 118 (without area code) (https://privacy.kisa.or.kr)
- ePrivacy Certification Committee: 02-550-9531~2 (http://eprivacy.or.kr)
- Cyber Bureau, Korean National Police Agency: 182 (without area code) (http://cyberbureau.police.go.kr)
Section 15 (Results of Personal Information Management Level Assessment)
- To safely manage the personal information of data subjects, the Company undergoes an annual “Personal Information Management Level Assessment” conducted by the Personal Information Protection Commission in accordance with Article 11 of the Personal Information Protection Act.
- In the 2023 assessment, the Company received a grade of “B.”
Section 16 (Measures to Ensure Security of Personal Information)
In order to secure the safety of personal information, the Company takes the following technical, administrative, and physical measures in accordance with Article 29 of the Personal Information Protection Act:
- Administrative measures
- The Company designates a Chief Privacy Officer, establishes an internal management plan, and conducts personal information protection training to prevent leaks and misuse by employees. Regular inspections are conducted to ensure thorough management and supervision of personal information.
- The Company limits the number of personal information handlers, grants differential access rights, and promptly changes or deletes access rights upon personnel changes such as transfers or retirements.
- The Company keeps and manages access records to personal information processing systems for at least one year (two years if processing personal information of more than 50,000 subjects, or processing unique identifiers or sensitive information).
- Technical measures
- Personally identifiable information and passwords are stored and managed in encrypted form. Important data is protected using encryption or separate security functions such as access control systems.
- Security programs are installed and regularly updated/inspected to prevent leakage and damage from hacking or viruses.
- Secure transmission measures (SSL security server) are adopted to safely transmit personal information and authentication information on the network.
- Personal information processing systems are installed on internal networks where external access is controlled, and intrusion prevention systems monitor them 24 hours a day.
- Physical measures
- The Company designates restricted areas such as data centers and document storage rooms, installs locks, and strictly controls access.
Section 17 (Changes to the Privacy Policy)
- The current Privacy Policy shall apply from the effective date, and in the event of any additions, deletions, or corrections due to changes in laws or policies, the Company will disclose the changes on its website from 7 days prior to the effective date.
Comparison table of the previous and revised Privacy Policy (as of September 27, 2024)
- Notice date: September 19, 2024
- Effective date: September 26, 2024
- Previous versions of the privacy policy can be found below.
- Privacy Policy (November 23, 2023 ~ September 26, 2024)
- Privacy Policy (October 10, 2023 ~ November 22, 2023)
- Privacy Policy (October 12, 2022 ~ October 9, 2023)
- Privacy Policy (June 14, 2021 ~ October 11, 2022)
- Privacy Policy (October 29, 2020 ~ June 13, 2021)
- Privacy Policy (June 2, 2020 ~ October 28, 2020)
- Privacy Policy (June 21, 2019 ~ June 1, 2020)
- Privacy Policy (June 12, 2019 ~ June 20, 2019)
- Privacy Policy (June 8, 2018 ~ June 11, 2019)
- Privacy Policy (June 21, 2017 ~ June 7, 2018)
- Privacy Policy (June 29, 2016 ~ June 19, 2017)