Privacy Policy
Otena Clinic (hereinafter referred to as the "Clinic") processes personal information lawfully and manages it safely in compliance with the Personal Information Protection Act and related laws to protect the freedom and rights of data subjects. Accordingly, in accordance with Article 30 of the Personal Information Protection Act, we establish and disclose this Privacy Policy to inform data subjects of the procedures and standards for processing and protecting personal information, and to promptly and smoothly handle related grievances.
1. Purpose of Processing Personal Information, Items Collected, and Retention Period
The Clinic processes personal information for the following purposes. The processed personal information is not used for purposes other than those listed below.
Personal Information Processing and Retention Items
| Category | Purpose of Collection | Items Collected | Retention Period |
|---|---|---|---|
| Medical Services | Patient Diagnosis and Treatment | Name, Unique Identification Information, Contact Information, Address, Sensitive Information (Health, Medical Treatment Information, etc.) | Article 15 of the Enforcement Rule of the Medical Service Act (Medical Records: 10 years) |
| Reservation Service | Smooth Provision of Appointment Reservation Services | Name, Date of Birth, Gender, Contact Information | Destroyed upon achieving reservation purpose or upon patient request |
| Online Consultation | Patient Counseling and Complaint Handling | Name, Contact Information (Phone Number, Email), Consultation Details | 3 years (Personal Information Protection Act) |
| Marketing | Delivery of promotional information such as clinic news, procedure information, events, and benefits | Name, Contact Information, Email | Until the data subject withdraws consent |
| Certificate Issuance | Provision of Medical Documents (Diagnosis Certificates, Confirmation Letters, etc.) | Name, Unique Identification Information, Contact Information, Medical Details | 3 years (Article 15 of the Enforcement Rule of the Medical Service Act) |
| Payment/Settlement | Medical Fee Collection and Payment | Name, Payment/Settlement Information | 5 years (Article 85-3 of the Framework Act on National Taxes) |
| CCTV | Patient Safety and Clinic Asset Protection | Video Information | 30 days |
When personal information becomes unnecessary, such as when the retention period has expired or the processing purpose has been achieved, the relevant personal information will be destroyed without delay.
2. Procedure and Method of Destroying Personal Information
The Clinic destroys personal information without delay when it becomes unnecessary, such as when the retention period has expired or the processing purpose has been achieved.
If personal information must continue to be retained under other laws despite the expiration of the agreed retention period or achievement of the processing purpose, the personal information is moved to a separate database (DB) or stored in a different location.
The procedure and method for destroying personal information are as follows:
- Destruction Procedure: Personal information subject to destruction is selected, and destroyed after approval by the Chief Privacy Officer.
- Destruction Method: Information in electronic file format is permanently deleted so that it cannot be recovered, and personal information recorded or stored on paper is shredded.
3. Processing of Personal Information of Children Under 14 Years of Age
When collecting personal information from children under 14 years of age, the Clinic obtains consent from their legal representative and collects the minimum personal information necessary to perform the relevant service.
Required Items for Children
- Legal Representative's Name, Contact Information
Additionally, when processing personal information of children, we verify whether the person is a legitimate legal representative.
Legal representatives of children can request access to, correction of, deletion of, and suspension of processing of the child's personal information.
4. Provision of Personal Information to Third Parties
In principle, the Clinic processes personal information within the scope specified in the purpose of collection and use, and does not provide it to third parties beyond the original scope without the prior consent of the data subject.
However, exceptions are made in the following cases:
- When separate consent is obtained from the data subject
- When there are special provisions in law or it is unavoidable to comply with legal obligations
- When it is unavoidable for a public institution to perform its duties prescribed by law
- When the data subject or legal representative is unable to express intention or prior consent cannot be obtained due to unknown address, and it is clearly necessary for the urgent benefit of life, body, or property of the data subject or third party
- When providing personal information in a form where specific individuals cannot be identified for purposes such as statistical compilation and academic research
5. Entrustment of Personal Information Processing
The Clinic entrusts personal information processing as follows for smooth handling of personal information tasks.
| Trustee | Entrusted Work |
|---|---|
| Eterlab Co., Ltd. | Website operation and management, DB management and storage, delivery of promotional information such as clinic procedures, events, cosmetics, and cosmetic events |
When concluding entrustment contracts, in accordance with Article 26 of the Personal Information Protection Act, matters such as prohibition of processing personal information beyond the purpose of performing entrusted work, technical and administrative protection measures, restrictions on re-entrustment, management and supervision of the trustee, and liability including compensation for damages are specified in the contract and other documents, and we supervise whether the trustee safely processes personal information.
If the content of the entrusted work or the trustee changes, we will disclose it through this Privacy Policy without delay.
6. Rights and Obligations of Data Subjects and How to Exercise Them
Data subjects can exercise the following rights regarding personal information:
- Request to access personal information
- Request for correction in case of errors
- Request for deletion
- Request for suspension of processing
Rights can be exercised by contacting the Clinic in writing, by phone, or by email, and the Clinic will take action without delay.
Rights can also be exercised through a legal representative or an authorized agent. In this case, a power of attorney according to Form No. 11 of the Notification on Personal Information Processing Methods (No. 2020-7) must be submitted.
Requests for access to and suspension of processing of personal information may be restricted by law pursuant to Article 35(4) and Article 37(2) of the Personal Information Protection Act.
Correction and deletion of personal information cannot be requested if the personal information is specified as a collection target in other laws.
The Clinic verifies whether the person making the request for access, correction/deletion, or suspension of processing is the data subject or a legitimate representative.
7. Measures to Ensure the Safety of Personal Information
The Clinic takes the following technical, administrative, and physical measures required by the Personal Information Protection Act to ensure security:
- Minimization and training of employees handling personal information
- Establishment and implementation of internal management plans
- Technical measures against hacking, etc.
- Encryption of personal information
- Storage and prevention of forgery/alteration of access records
- Restriction of access to personal information
- Access control for unauthorized persons
8. Rights of Data Subjects Regarding Automated Decisions
The Clinic does not make automated decisions (decisions made by processing personal information solely through automated processing) that significantly affect the rights of data subjects.
9. Chief Privacy Officer
The Clinic has designated a Chief Privacy Officer as follows to oversee personal information processing and to handle data subjects' complaints and remedy damages related to personal information processing.
Chief Privacy Officer
Name: Eunkyung Jang
Position: Vice Director of Administration
Phone: 02-6949-1235
Email: info@otena.co.kr
Data subjects can contact the Chief Privacy Officer with any inquiries, complaints, and requests for remedy related to personal information protection that arise while using the Clinic's services (or business). The Clinic will respond to and process inquiries from data subjects without delay.
10. How to Seek Remedies for Rights Infringement
If you need consultation regarding personal information infringement, please contact the following organizations:
Personal Information Infringement Report Center (operated by Korea Internet & Security Agency)
Services: Personal information infringement reports, consultation applications
Website: privacy.kisa.or.kr
Phone: (no area code) 118
Personal Information Dispute Mediation Committee
Services: Personal information dispute mediation applications, collective dispute mediation (civil resolution)
Website: www.kopico.go.kr
Phone: (no area code) 1833-6972
Supreme Prosecutors' Office Cyber Investigation Division
Website: www.spo.go.kr
Phone: (no area code) 1301
National Police Agency Cyber Crime Investigation Unit
Website: police.go.kr
Phone: (no area code) 182
11. Changes to the Privacy Policy
This Privacy Policy is effective from January 1, 2025.
Previous versions of the Privacy Policy can be found below.