Company
Samsung C&T will become a total solution provider in all areas of the construction business
– planning, design, purchasing, construction, and management.
Home Company 글로벌네트워크
search input btn-search

Global Network

Our Worldwide Network

With the aim of making the world a better place to live in, Samsung C&T Engineering & Construction Group is
Working hard to expand its network throughout the globe.

View by Region EUROPE AFRICA & MIDDLE EAST ASIA OCEANIA AMERICA

You can view detailed information on Samsung C&T
regional offices if you click an area of interest.

Asia

  • SAMSUNG C&T CORPORATION SINGAPORE BRANCH OFFICE Address
    Nation : Singapore
    location: Singapore
    Foundation Date : ‘93.1
    Address : Samsung C&T 3 Church Street #21-01, Singapore 049483
    Tel : 65-6550-8201
    Fax : 65-65383779
  • SAMSUNG C&T CORPORATION INDONESIA Address
    Nation: Indonesia
    location : Jakarta
    Foundation Date : ‘91.8
    Address : 12920 IFC tower 2 19th FL Jl. Jend. Sudirman Kav. 22-23 Jakarta
    Tel : 62-21-2995-0161(Trading) / 62-21-2988-0418(Buiding)
    Fax : 62-21-2995-0180 (Trading) / 62-21-2988-0417(Buiding)
  • SAMSUNG C&T (KL) SDN BHD Corporation
    Nation: Malaysia
    location : Kuala Lumpur
    Foundation Date : ‘91.9
    Address : Samsung C&T (KL) Sdn. Bhd. Suite 9-02, Level 9 Menara Binjai No.2, Jalan Binjai 50450 Kuala Lumpur, Malaysia
    Tel : 603-2330-1548
    Fax : 603-2858-9388
  • SAMSUNG C&T CORPORATION UEM CONSTRUCTION JV SDN BHD
    Nation: Malaysia
    location : Kuala Lumpur
    Foundation Date : ‘15.11
    Address : 19-2 mercu UEM, Jalan Stesen Sentral 5, Kuala Lumur Sentral, 50470 Kuala Lumpur
  • Samsung C&T Corporation
    Nation : Hongkong
    location : Hong Kong
    Foundation Date : ‘12.6
    Address : 280 Suite 3605, 36th Fl., Central Plaza, 18 Harbour Road, Wanchai Hong Kong
    Tel : 852-3746-9313, 070-7110-8266
    Fax : 852-3746-9300
  • Samsung C&T India Private Limited
    Nation : India
    Location : Gurgaon
    Foundation Date : ‘07.10
    Address : Samsung C&T India 15th Floor, Block B Building No.5 Epitome Cyber City DLF Phase III Gurgaon - 122002 India
    Tel : 91-124-498-1200, 070 - 7110 – 8273
    Fax : 91-124-498-1202
  • 三星物産建設 (上海) 有限公司
    Nation : China
    Location : Shanghai
    Foundation Date : ‘04.5
    Address : 200122 China Shanghai Pudong New Distric 9F HNA Tower,No.898 Puming Rd.
    Tel : 070-7110-8441, 86-21-5208-0077 (Ext2000)
    Fax : 86-21-5208-2499
  • 三星物産建設 (西安) 有限公司
    Nation : China
    Location : West Coast
    Foundation Date : ‘16.6
    Address : 西安市 高新區 綜合保稅區通海一路 5 號通笑服務中心裙樓二層 201 湖
    Tel : 86-29-9818-8906
  • 三星物産株式會社 東京事務所
    Nation : Japan
    location: Tokyo
    Foundation Date : ‘88.8
    Address : Shinagawa Grand Central Tower 6F, 2-16-4, Konan, Minato-ku, Tokyo 108-0075, Japan
    Tel : 81-3-6369-6625
    Fax : 81-3-6369-6688
  • S&WOO CONSTRUCTION PHILIPPINES, INC
    Nation : Philippines
    location: Kalimba
    Foundation Date : ‘15.9
    Address : 2nd floor, BLDG 3A, Located at Panorama Compound 1 Blk6, CPIP Brgy, Batino, Calamba, Laguna Philippines
  • SCTM LLC (Samsung C&T Mongolian LLC)
    Nation : Mongolia
    location: Olan Bator
    Foundation Date : ’12.6
    Address : Sukhbaatar Districk, Ulaanbaatar, Phase 2 Project Samsung C&T Corporation. Ulaanbaatar Mongolia
    Tel : 070-7110-8504, 976-8802-5304
  • SCTECM LLC(Samsung C&T Engneering Construction in Mongolia )
    Nation : Mongolia
    location: Olan Bator
    Foundation Date : ‘15.9
    Address : Khan Uul Tower 6th, 12th Fl., 3rd Khoroo, Khan-Uul District, Ulaanbaatar, Mongolia
    Tel : 070-7110-8956
  • CÔNG TY TNHN CHEIL INDUSTRIES INC. VIETNAM
    Nation : Vietnam
    location: Hanoi
    Foundation Date : ‘15.12
    Address : 3rd floor, Yen Phong industrial zone operation Center Yen Phong District, Bac Ninh Province Vietnam
    Tel : 84-241-369-9337
  • Samsung C&T Corporation AK
    Nation : Kazakhstan
    location: Almaty
    Foundation Date : ‘14.12
    Address : Dostyk Ave 38, 3th Florr Almaty City Republic of Kazakhstan 050010
    Tel : 7-495-258-2173

Privacy Policy

Samsung C&T Corporation’s Engineering and Construction Group (hereinafter referred to as the “Company”) establishes and discloses personal information handling policy (hereinafter referred to as the “Policy”) as below, with an aim to protect personal data of Users and Data Subjects, and to deal with related grievances promptly and efficiently in compliance with applicable personal data protection laws including but not limited to the Republic of Korea’s Act on Promotion of Information and Communications Network Utilization and Information Protection, Personal Information Protection Act and the EU’s General Data Protection Regulation (2016/679) (hereinafter referred to as the “Applicable Law”).

The subject to the Policy shall be limited to Users and Data Subjects specified in Article 1. As for other subjects not specified herein, appropriate personal data processing policies are separately established and disclosed.

Article 1 (Purpose of Handling Personal Data)

The Company shall handle personal data submitted by the Company’s applicants, clients, partners and site workers (hereinafter referred to as the “Users and Data Subjects”) for purposes stated below, and shall not use the personal data for any other purpose unless otherwise agreed by the Users and Data Subjects.

In the event that the purpose of use changes, the Company shall take necessary measures such as receiving a separate consent from Users and Data Subjects unless otherwise specified in the Applicable Law.


  • 1. Personal Data of the Company’s Applicants :
    Personal data of the Applicants including workers directly hired by sites or part-time employees who do not go through online application process of the Company’s recruitment webpage is processed for purposes including recruitment procedures, provision of recruitment-related information such as result by process stage.
  • 2. Personal Data of the Company’s Clients :
    • 1) Contract Clients (B2B)
      Clients’ personal data is processed for purposes including the signing and enforcement of contracts, registration of information in the Company system, execution of tasks entrusted by Clients and compliance with the Applicable Law.
    • 2) Visitors to Business Sites
      Clients’ personal data is processed for purposes including smooth process of the visit and security.
    • 3) Clients Using Q&A Section in the Company Website
      Clients’ personal data is processed for purposes including provision of responses/guides to the Clients’ online enquiries and feedback regarding the Company business through Q&A section.
  • 3. Personal Data of the Company’s Subcontractors and Suppliers :
    Subcontractors and Suppliers ’ personal data is processed for purposes including tender participation, signing and enforcement of contracts, submission of estimates and management of delivery, issuance of tax invoice, settlement for payment, evaluation and training of Subcontractors and Suppliers’ employees, and sending official notices and documents.
  • 4. Personal Data of the Company’s Site Workers:
    Site Workers refer to laborers of the Company, Subcontractors or Suppliers who are mobilized for project execution at (business) sites. The personal data of the Site Workers (Laborers) is processed for purposes including fulfillment of legal obligations, health and safety management and handling of industrial accidents.

Article 2 (Items of Personal Data to be Processed)

The Company processes items of personal data in the following. However, personal data items subject to collection and processing shall be limited to those specified in the Agreement on Collection and Use of Personal Data of Users and Data Subjects.


  • 1. Personal Data of Applicants :
    - Collected Items: name, nationality, address, contact number, academic background, completed courses and grades, career, language and other qualifications, records of awards, hobby, talent, and other related information
  • 2. Personal Data of Clients :
    • 1) Contract Clients (B2B)
      - Collected Items: name, company (department), contact number, E-mail address, other personal data necessary for the signing and enforcement of contracts
    • 2) Visitors to Business Sites
      - Collected Items: name, company (department), contact number, vehicle number (if used)
    • 3) Clients Using Q&A Section in the Company Website
      - Mandatory Items: name, E-mail
      - Optional Items: company (department), contact number
  • 3. Personal Data of Subcontractors and Suppliers :
    • 1) Basic Information
      - Collected Items: company name, corporation number, date of incorporation, country name, name of CEO, contact number and E-mail address, size (scale) of the company, etc.
    • 2) Representative Business Site
      - Collected Items: business registration number, name of business site, name of CEO, address of business site, contact number, date of incorporation, business conditions (status), type of business, etc.
    • 3) Relevant Staff of Subcontractors and Suppliers
      - Collected Items: name, contact number, E-mail, position, type of occupation, final degree/education, technical qualifications and levels, etc.
  • 4. Personal Data of the Company’s Site Workers :

    - Collected Item: name, date of birth, nationality, gender, address, contact number, E-mail, bank account number, technical qualifications and levels, etc.
    ※ However, in the case of medical consultation, treatment, application for hospitalization and the follow-up measures due to accidents, relevant documents including medical report and doctor’s note and a copy of ID card will be collected.

Article 3 (Personal Data Processing and Retention Period)

  • ① The Company shall process and store personal data within the period required by laws or within the period agreed by Users and Data Subjects when collecting personal data.
  • ② Unless otherwise requested by Users and Data Subjects, the retention period for each type of personal data shall be as follows.

  • 1. Personal Data of Local Applicants
    With respect to an applicant not yet hired by the Company, until the hiring decision is made. However, the Company’s Policy shall apply after the applicant is hired as an employee of the Company.
  • 2. Personal Data of Clients
    • 1) With respect to Contract Client (B2B), until the fulfilment of contract
    • 2) With respect to Visitors to Business Site, for three (3) months after the visit to the Company (site)
    • 3) With respect to Clients Using Q&A Section of the Company Website, until the clients withdraw their consent
  • 3. Personal Data of Subcontractors and Suppliers
    • 1) With respect to information registration in the Company system (for outsourcing, finance & accounting, materials, etc.), implementation of contract, tender participation and signing of contract until their business relations with the Company are effective
    • 2) With respect to safety and health management or application for medical care (shutdown) benefits, until the period specified in the Applicable Law
  • 4. Personal Data of Site Workers
    • 1) Until the completion of the relevant tasks for which the Site Workers are mobilized
    • 2) With respect to personal data processed for medical treatment, application for hospitalization and its follow-up measures, until the corresponding cases are completed

Article 4 (Provision of Personal Data to Third Party)

  • ① The Company shall handle personal data of Users and Data Subjects only for the purposes stated in Article 1 (Purpose of Handling Personal Data), and is entitled to provide the personal data to a third party with Users and Data Subjects’ prior consent, or without such consent if allowed under the Applicable Law.
  • ② The Company is entitled to provide personal data to a third party as follows subject to Users and Data Subjects’ prior consent, or without such consent if allowed under the Applicable Law.

  • 1. Personal Data of Local Applicants :
    • 1) Medical check-up (if necessary)
      - Third party: hospitals designated by the Company
      - Purpose: medical checkup
      - Items provided: name, date of birth
      - Retention and usage period: until the hiring decision is made
  • 2. Personal Data of Clients :
    • 1) Contract Client (B2B)
      - Third party: Samsung SDS
      - Purpose: operation and maintenance/repair of work platforms of the Company including ERP system for contract signing and implementation
      - Items provided: name, department, contact number, E-mail
      - Retention and usage period: until the full implementation of the contract
    • 2) Visitors of Business Sites
      - Third party
      ∙ For Seoul Office: S1, S-Tec system
      ∙ For (Business) Site: security companies designated by each (business) site
      - Purpose: facility access and security management
      - Items provided: company, name, contact number, vehicle number (in case of use)
      - Retention and usage period: for three (3) months after the last visit
    • 3) Clients using Q&A Section in the Company Website
      - Third party: Media4th & Company, Samsung SDS
      - Purpose: website operation, maintenance and repair
      - Items provided: name, contact number, E-mail, and department
      - Retention and usage period: until the client withdraw his/her consent
  • 3. Personal Data of Subcontractors and Suppliers :
    • 1) Management System
      - Third party: Samsung SDS
      - Purpose: entrustment of system operation, maintenance and repair
      - Items provided: company, name, date of birth, mobile phone number, telephone number, E-mail, duty, position, and career
    • 2) Online Training
      - Third party: Credu
      - Purpose: application for training of Subcontractors and Suppliers’ employees
      - Items provided: company of applicant, name of applicant, date of birth, mobile phone number and E-mail
      - Retention and usage period: until the purpose is accomplished
    • 3) Evaluation :
      - Third party: SECL, Samsung Heavy Industries
      - Purpose: evaluation of Subcontractors and Suppliers’ employees and on-site inspection
      - Items provided: company name of the employees subject to evaluation, name, date of birth, contact number, E-mail, duty in charge, position, and career
      - Retention and usage period: until the purpose is accomplished
  • 4. Personal Data of Site Workers
    Personal Data of Site Workers - Third Party, Items to be Provided, Purpose of Usage, Retention and Usage Period
    Third Party Items to be Provided Purpose of Usage Retention and Usage Period
    Each (business) site’s security company Name, date of joining, entrance/exit record Access management Until the worker leaves the Company
    Safety and health training institutions(Domestic) Name, date of birth, address, contact number, company (department),E-mail Application for training courses on safety/health

Article 5 (Transfer of Personal Data to Third Country)

  • ① The Company may transfer personal data to a third country including the Republic of Korea with consent of Users and Data Subjects, and only in the cases where such transfer is inevitable for the purposes of personal data handling specified in Article 1 and Article 3 agreed between the Company registered in the Republic of Korea, Users and Data Subjects. In the aforementioned case, the Company shall use the transferred personal data only for the intended purposes.
  • ② The Company shall destroy personal data transferred to a third country without undue delay, upon the expiry of retention and usage period, accomplishment of the purpose of collection and usage, or requests by Users and Data Subjects in accordance with the Applicable Law. However, the Company may retain personal data whose retention and usage period expired, “if further retention is required according to the Applicable Law” or “with separate consent of Users and Data Subjects.”
  • ③ The types of personal data transferred to a third country are as follows.
    • - Purpose, transferred items, retention and usage period: purpose of handling personal data, collection items, and retention and usage period specified in Article 1 and 2 shall be applied.
    • - Target system and transfer destination (country)
      Target system and transfer destination (country) - Users and Data Subjects, Target system(Transfer destination)
      Users and Data Subjects Target system(Transfer destination)
      Contract client ERP system and other work platforms(the Republic of Korea)
      Client using the Company website (Q&A) Company website(the Republic of Korea)
      Subcontractors and Suppliers of the Company Subcontractor/Supplier information system(the Republic of Korea)
      Site workers of the Company(transfer when an accident occurs) Safety support & accident prevention system(the Republic of Korea)

Article 6 (Installation and Operation of Automatic Personal Data Collection Device)

  • ① The Company installs and operates automatic personal data collection devices including cookie that frequently saves and finds user information. Cookie is a very small text file that a server, used for the operation of the Company website, sends to user’s browser, and is stored in the computer hard disk of users.
    Website, Content, Purpose of Collection
    Website Content Purpose of Collection
    www.secc.co.kr The Company websites(PR, Q&A, etc.) Collecting data of pop-up usage to increase user convenience
    www.samsungcnt.com
    www.secc-partners.co.kr Subcontractors and Suppliers’ sign-up and use of SRM system Providing automatic setting functions including User ID and Language on the Log-in page.
  • ② Cookie settings can be changed in the option tab in the web-browser setting, where you can choose to permit all cookies, to check every cookie before saving, or refuse to save all cookies.
  • ③ In the case of the Internet Explorer, by selecting an option on the top of the web browser from Tool → Internet Option → Personal Data, you can permit all cookies, or check every cookie before saving or refuse to save all cookies. However, a refusal to install cookie may cause limited access to services.

Article 7 (Guarantee of Rights of Data Subjects)

The Company shall ensure the rights of employees according to the Applicable Law, and notify relevant information about their personal data processing as follows.


  • 1. The Company shall designate a person in charge of supervising protection of personal data (hereinafter "DPO", "Data Protection Officer"). DPO shall be an executive in charge of security of the Company (Head of Human Resources Team), and be engaged in all matters related with personal data protection in a swift and appropriate manner. DPO is obligated to keep and maintain secrecy when performing his/her duty according to the Applicable Law.
  • 2. The Company shall designate Project Manager (PM) to be in charge of on-site security, as the local agent of personal data protection. The PM is obligated to ensure rights of Data Subjects respond to relevant complaints and remedy damage arising from personal data processing.
  • 3. If there is a need of transferring personal data to a third country, the Company shall transfer the information online through the Company’s safely encoded IT network. In this case, appropriate technical and managerial protection measures shall be applied to the system which is used for the transfer.
  • 4. Users and Data Subjects are entitled to withdraw consent on personal data processing including its transfer to a third country, and to file relevant complaints with the department in charge. Upon withdrawal of consent, their personal data shall be deleted or its processing shall be limited without undue delay, except for a case where the deletion is impossible for reasons including compliance with the Applicable Law.
  • 5. Users and Data Subjects are entitled to request to the Company access to their personal data and relevant information, to know how their personal data are processed and whether it is legitimate. In the above case, the Company shall provide relevant information to Users and Data Subjects without undue delay.
    With respect to personal data not directly collected from Users and Data Subjects, the Company shall provide Users and Data Subjects relevant information regardless of their request, whichever comes first among the following:
    • ⅰ) within one month after obtaining the personal data
    • ⅱ) if such personal data is going to be used for communication purposed between the Company and Users and Data Subjects, at the time of the first communication to them at the latest and
    • ⅲ) If a disclosure of relevant data to a third party is envisaged, at the time of the first such disclosure at the latest.
  • 6. Users and Data Subjects are entitled to request for correction of their personal data, if the data they provided to the Company are inaccurate or incomplete. In this case, the Company shall correct the personal data within one (1) month after receiving such request. However, if a request for correction is complicated, the abovementioned period may be extended by two (2) months.
  • 7. If there is personal data provided according to consent or agreement or automatically collected and processed, Users and Data Subjects are entitled to receive the personal data in commonly used and reliable formats, and transfer such data to another “Controller” without interruption by the Company. Also, if technically available, Users and Data Subjects are entitled to make the Company transfer their personal data to another “Controller.” For the purpose of this Article, “Controller” refers to a natural or legal person who, independently or jointly, determines the purpose and means of handling personal data of employees.
  • 8. In the following cases, Users and Data Subjects are entitled to request for limited processing of personal data instead of requesting for its modification or deletion:
    • ⅰ) as for Users and Data Subjects who raised an objection about the accuracy of personal data, during the period in which the Company can verify its accuracy
    • ⅱ) when the processing of personal data is illegal Users and Data Subjects oppose to the deletion of the personal data and request the limited use of the data instead
    • ⅲ) when the Company no longer needs the personal data for processing, but Users and Data Subjects need the data to establish, exercise or defend their legal rights or
    • ⅳ) when Users and Data Subjects oppose to their personal data being processed under the Applicable Law, until it is established that the Company’s legal grounds prevail over theirs. In either of the above cases, the Company shall only retain the personal data and suspend its processing, unless otherwise specified in the Applicable Law. The Company shall inform the Users and Data Subjects of the limited processing of their personal data before the limitation is lifted.
  • 9. Users and Data Subjects are entitled to oppose to their personal data being processed by the Company at any time. In the event of opposition by Users and Data Subjects, the Company shall suspend the processing of personal data without undue delay, except for cases where the suspension is impossible for reasons including compliance with the Applicable Law.
  • 10. Users and Data Subjects are entitled to make the Company delete their personal data without undue delay in either of the following cases:
    • ⅰ) when their personal data has become no longer needed with regards to the purpose of collection
    • ⅱ) when Users and Data Subjects have withdrawn their consent and where there is no other legal ground for the processing
    • ⅲ) when Users and Data Subjects oppose to the processing and where the Company does not have predominant grounds for the processing
    • ⅳ) when the personal data has been processed illegally

Article 8 (Person in Charge of Personal Data Protection)

  • ① The Company has designated the person and department in charge of personal data protection as follows, for protecting personal data of Users and Data Subjects and ensuring rights of Data Subjects specified in Article 7.
    • 1. Data Protection Officer, DPO: Head of Human Resources Team
    • 2. Department in charge of personal data protection: Human Resources Team’s Information Security Center
    • 3. EU Data Protection Representative: PM or Head of Branch Office
  • ② Users and Data Subjects may contact the below institutions for an inquiry about damage relief and consultation, etc.
    • 1. The Republic of Korea
      Privacy Call Center (operated by Korea Internet Security Agency)
      Personal Information Dispute Mediation Committee (operated by Korea Internet Security Agency)
      Supreme Prosecutors’ Office, Cyber Crime Division
      National Police Agency, Cyber Terror Response Center
    • 2. EU Region: Agencies in charge in each EU country
  • ③ In the event that Users and Data Subjects’ rights under the Applicable Law of EU are infringed, the Users and Data Subjects have a right to file lawsuits with supervisory agencies, receive effective judicial relief based on those agencies’ legally binding decisions and receive effective legal remedies according the Applicable Law.
  • ④ The following department of personal data protection is in charge of dealing with matters specified in Article 7 including withdrawal of consent on personal data collection and usage, filing of grievances, access, correction of data and limit on processing, opposition to collection and processing, deletion and relevant inquires.

    - Department in Charge: Samsung C&T Engineering & Construction Group, Information Security Center
    (Contact number: +82-2-2145-6115, E-mail:security.cnt@samsung.com)
Samsung C&T Corporation E&C Group (hereinafter referred to as “Samsung C&T”) will inform you how and for what purposes your personal information has been used, and what measures have been taken for its protection, in compliance with 「Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. 」 and 「Personal Information Protection Act」 and, specifically, Article 30 of 「Personal Information Protection Act」

Article 1 (Website)

Samsung C&T E&C Group’s Website: http://www.secc.co.kr

Article 2 (Purpose of Collection and Use of Personal Information)

A. Online Consultation Center
- Receiving users’ opinions
- Answer/guidance to the inquiries received
B. Inquiry
- Receiving opinions regarding building/civil/plant/residential projects
- Answer/guidance to the inquiries received

Article 3 (Items of Personal Information to be Collected and Methods of Collection)

  • A. Items of personal information to be collected are as follows.
    Division Required Information Optional Information
    Online Consultation Center Name, E-mail Mobile phone number, Company Name
    Making an inquiry
    (about building/civil/plant/residential projects)
    Name, E-mail Mobile phone number

    * Even if you do not provide optional information, there will be no limitation in use.

  • B. Collection Method
    Samsung C&T collects personal information on its website in the following cases.
    - Online consultation and handling inquiries (about building/civil/plant/residential projects)

Article 4 (Period of Retaining and Using Personal Information)

Samsung C&T destroys your personal information without delay, once the purpose of collection and usage of personal information is accomplished.

- Record of consulting client
Period of retention: Until answers/guidance to the received inquiry are provided

However, your personal information may be retained further, if required by relevant laws, even after the purpose of collection and usage is accomplished.

Article 5 (Provision of Personal Information to a Third Party)

Except for cases where you provide consent or required by relevant laws, Samsung C&T will neither use your personal information nor provide it to a third person or organization beyond the scope stipulated in the 「Purpose of Collection and Use of Personal Information」. However, the followings are to be excluded.
- When users or information subjects provided consent in advance
- When the provision of relevant laws requires such use or provision, or an investigation agency makes a request in compliance with legal procedures and methods for the purpose of investigation.

Article 6 (Consignment of Personal Information Handling)

Samsung C&T outsources the following personal-information-handling tasks to ensure the stable operation of Samsung C&T’s website and provision of services:

Samsung C&T outsources the following personal-information-handling tasks - Outsourced Task, Service Provider
Outsourced Task Service Provider
Website development and maintenance Media4th & Company
Samsung SDS

In order to protect personal information, Samsung C&T clearly stipulates, in its consignment agreement and as per Article 25 of 「Personal Information Protection Act, the compliance with directives regarding personal information protection, restrictions in dealing with personal information, and liability for an incident.
In case there are changes in works consigned to a third party or the third party itself, Samsung C&T will notify the changes in its personal information protection policy.

Article 7 (Procedure and Method of Destroying Personal Information)

In principle, personal information of users will be destroyed without delay once the purpose of collection and use is accomplished.
The procedure and method of destroying personal information in Samsung C&T is as follows.

  • A. Destruction Procedure
    - The information that you input for online consultation and inquiry submission will be destroyed after the purpose of its collection and use is accomplished.
    - The personal information will not be used for any purpose other than retention, unless otherwise required by laws.
  • B. Destruction Method
    - Personal information stored in the form of electronic files will be destroyed using technology that will make its restoration impossible.

Article 8 (Rights of Users and Ways of Exercising the Rights)

Users and information subjects may, at any time, request to read, revise, delete, stop processing their personal information registered in the system and withdraw their consent to its use. In case you want to read, revise, delete, stop processing and withdraw your consent to your personal information, you may call General Directory Number (02-2145-6442) or contact the person in charge of personal information protection in writing, phone or email. Then the person in charge will process your request without delay after verifying your identity.
In case users or information subjects request to correct errors in personal information, his/her personal information will not be used until the correction is completed.
Samsung C&T processes the personal information which was unsubscribed or deleted upon the request of users according to the "4. Period of Retaining and Using Personal Information" and makes sure that such information is not read or used otherwise.

Article 9 (Measures to Secure Safety of Personal Information)

When handling personal information of users, Samsung C&T takes technical/managerial measures for the safety of the personal information by preventing any loss, theft, leakage, falsification or damage.

  • A. Establishment and Enforcement of Internal Management Plan
    Samsung C&T will establish and implement its internal management plan in compliance with notifications of Korea Communications Commission.
  • B. Minimizing the Number of Personal Information Handlers and their Training
    Samsung C&T designates the minimum number of personal information handlers and conducts training programs frequently, thereby ensuring safe management of personal information.
  • C. Limitation of Access to Personal Information
    Samsung C&T takes necessary measures for control of access to personal information, through grant, change and deprivation of access to database system that processes personal information; and uses an intrusion prevention system to control unauthorized access from outside.
  • D. Storage of Access Record and Prevention of Falsification
    Samsung C&T stores and manages access record of personal information processing system at least for six (6) months, and uses its security functions in order to prevent any falsification, theft or loss of the access records.
  • E. Encryption of Personal Information
    Your important personal information is encrypted, stored and managed. Also, Samsung C&T uses a separate security function such as encryption of important data when saving/transferring them.
  • F. Technical Countermeasures against Hacking, etc.
    Samsung C&T does its best to prevent any leakage or damage of personal information by hacking or a computer virus. Specifically, Samsung C&T backs up the data on a regular basis to prevent any damage to personal information; uses the latest vaccine programs to prevent any leakage or damage of users’ personal information; and ensures safe transmission of personal information over the network through cryptographic communications, etc. Also, Samsung C&T controls unauthorized access from outside by using intrusion prevention system, and makes an effort to set up all possible technical devices to ensure other system security.
  • G. Physical Measures for Safe Storage of Personal Information
    Samsung C&T sets aside physical storage place of the personal information storage system; establishes and operates a procedure of controlling access to this place. Also, Samsung C&T takes physical measures including installation of locking devices for safe storage of documents that contain personal information.
  • H. Operation of a Dedicated Organization for Personal Information Protection
    Through a dedicated organization for personal information protection in the company, Samsung C&T checks whether measures for protecting personal information have been taken, or the managers in charge of personal information protection have performed their duties; and ensures corrective measures are taken immediately in case any issue is found.

Article 10 (Installation/Operation and Rejection of Automatic Personal Information Collection Devices)

Samsung C&T operates “cookie” that frequently stores and searches your personal information. The cookie is a very small text file sent to your browser by the server which is used to operate the website of Samsung C&T’s E&C Group; and is stored on your computer hard-disk.
Samsung C&T uses cookie for the following purposes.

  • 1. Cookie is used as a measure of target-marketing and service improvement, by analyzing the access frequency and visiting time of members and non-members and figuring out users’ preference and areas of interest.
  • 2. You may allow all cookies or to be notified upon cookie installation or refuse all cookies in settings of Tool > Internet Option Tab on the top menu of the web browser.
  • 3. In case you refuse the installation of cookies, there may be some limitation when using Samsung C&T services.

Article 11 (Contact of the Person in Charge of Personal Information Protection)

Samsung C&T has a person in charge of protecting your personal information and dealing with related grievances. Should you have any inquiry regarding personal information treatment, please contact the person in charge stated below. The person in charge will provide a prompt and faithful response to your questions.

  • The Person in Charge of Personal Information Protection •Name: Seokjin Yun
    •Post: HR Team Leader
    •Contact Information: (T) 02-2145-6115, (F) 02-2145-5555
    security.cnt@samsung.com

Article 12 (Remedies to Infringement on the Rights of Users)

In case you need to report and consult about infringement on personal information, you may inquire about consultation or remedies to the below organizations.
< The below organizations are independent organs of Samsung C&T. Please contact the below organizations if you are not satisfied with the company’s handling of grievances or remedies related with personal information treatment. >
The Privacy Call Center: (Without area code) 118 (http://privacy.kisa.or.kr)
Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
Cyber Investigation Division of the Supreme Prosecutor’s Office: (Without area code) 1301, cid@spo.go.kr(http://spo.go.kr)
The Cyber Security Bureau of the National Police Agency: (Without area code) 182 (http://cyberbureau.police.go.kr)

Article 13 (Changes in Personal Information Handling Policy (Duty of Notification))

Any addition, deletion or revision of the current personal information handling policy will be notified on the website at least seven (7) days before the Enforcement Date of the new version.
- Notification Date of Personal Information Handling Policy: 17-Jan-2018
- Enforcement Date of Personal Information Handling Policy: 22-Jan-2018

Samsung C&T Corporation E&C Group (hereinafter referred to as “Samsung C&T”) will inform you how and for what purposes your personal information has been used, and what measures have been taken for its protection, in compliance with 「Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. 」 and 「Personal Information Protection Act」.

Article 1 (Website)

Samsung C&T E&C Group’s Website: http://www.secc.co.kr

Article 2 (Purpose of Collection and Use of Personal Information)

A. Online Consultation Center
- Receiving users’ opinions
- Answer/guidance to the inquiries received
B. Inquiry
- Receiving opinions regarding building/civil/plant/residential projects
- Answer/guidance to the inquiries received

Article 3 (Items of Personal Information to be Collected and Methods of Collection)

  • A. Items of personal information to be collected are as follows.
    Division Required Information Optional Information
    Online Consultation Center Name, E-mail Mobile phone number, Company Name
    Making an inquiry
    (about building/civil/plant/residential projects)
    Name, E-mail Mobile phone number

    * Even if you do not provide optional information, there will be no limitation in use.

  • B. Collection Method
    Samsung C&T collects personal information on its website in the following cases.
    - Online consultation and handling inquiries (about building/civil/plant/residential projects)

Article 4 (Period of Retaining and Using Personal Information)

Samsung C&T destroys your personal information without delay, once the purpose of collection and usage of personal information is accomplished.

- Record of consulting client
Period of retention: Until answers/guidance to the received inquiry are provided

However, your personal information may be retained further, if required by relevant laws, even after the purpose of collection and usage is accomplished.

Article 5 (Provision of Personal Information to a Third Party)

Except for cases where you provide consent or required by relevant laws, Samsung C&T will neither use your personal information nor provide it to a third person or organization beyond the scope stipulated in the 「Purpose of Collection and Use of Personal Information」. However, the followings are to be excluded.
- When users or information subjects provided consent in advance
- When the provision of relevant laws requires such use or provision, or an investigation agency makes a request in compliance with legal procedures and methods for the purpose of investigation.

Article 6 (Consignment of Personal Information Handling)

In case of consigning personal information handling work to an outside agency for providing services, Samsung C&T will seek the consent of users and inform them of the consignment agency as well as the consigned work.
In order to protect personal information, Samsung C&T clearly stipulates, in its consignment agreement, the compliance with directives regarding personal information protection, restrictions in dealing with personal information, and liability for an incident.
In case there are changes in works consigned to a third party, Samsung C&T will notify the changes in its personal information protection policy.

Article 7 (Procedure and Method of Destroying Personal Information)

In principle, personal information of users will be destroyed without delay once the purpose of collection and use is accomplished.
The procedure and method of destroying personal information in Samsung C&T is as follows.

  • A. Destruction Procedure
    - The information that you input for online consultation and inquiry submission will be destroyed after the purpose of its collection and use is accomplished.
    - The personal information will not be used for any purpose other than retention, unless otherwise required by laws.
  • B. Destruction Method
    - Personal information stored in the form of electronic files will be destroyed using technology that will make its restoration impossible.

Article 8 (Rights of Users and Ways of Exercising the Rights)

Users and information subjects may, at any time, request to read, revise, delete, stop processing their personal information registered in the system and withdraw their consent to its use. In case you want to read, revise, delete, stop processing and withdraw your consent to your personal information, you may call General Directory Number (02-2145-6442) or contact the person in charge of personal information protection in writing, phone or email. Then the person in charge will process your request without delay after verifying your identity.
In case users or information subjects request to correct errors in personal information, his/her personal information will not be used until the correction is completed.
Samsung C&T processes the personal information which was unsubscribed or deleted upon the request of users according to the "4. Period of Retaining and Using Personal Information" and makes sure that such information is not read or used otherwise.

Article 9 (Measures to Secure Safety of Personal Information)

When handling personal information of users, Samsung C&T takes technical/managerial measures for the safety of the personal information by preventing any loss, theft, leakage, falsification or damage.

  • A. Establishment and Enforcement of Internal Management Plan
    Samsung C&T will establish and implement its internal management plan in compliance with notifications of Korea Communications Commission.
  • B. Minimizing the Number of Personal Information Handlers and their Training
    Samsung C&T designates the minimum number of personal information handlers and conducts training programs frequently, thereby ensuring safe management of personal information.
  • C. Limitation of Access to Personal Information
    Samsung C&T takes necessary measures for control of access to personal information, through grant, change and deprivation of access to database system that processes personal information; and uses an intrusion prevention system to control unauthorized access from outside.
  • D. Storage of Access Record and Prevention of Falsification
    Samsung C&T stores and manages access record of personal information processing system at least for six (6) months, and uses its security functions in order to prevent any falsification, theft or loss of the access records.
  • E. Encryption of Personal Information
    Your important personal information is encrypted, stored and managed. Also, Samsung C&T uses a separate security function such as encryption of important data when saving/transferring them.
  • F. Technical Countermeasures against Hacking, etc.
    Samsung C&T does its best to prevent any leakage or damage of personal information by hacking or a computer virus. Specifically, Samsung C&T backs up the data on a regular basis to prevent any damage to personal information; uses the latest vaccine programs to prevent any leakage or damage of users’ personal information; and ensures safe transmission of personal information over the network through cryptographic communications, etc. Also, Samsung C&T controls unauthorized access from outside by using intrusion prevention system, and makes an effort to set up all possible technical devices to ensure other system security.
  • G. Physical Measures for Safe Storage of Personal Information
    Samsung C&T sets aside physical storage place of the personal information storage system; establishes and operates a procedure of controlling access to this place. Also, Samsung C&T takes physical measures including installation of locking devices for safe storage of documents that contain personal information.
  • H. Operation of a Dedicated Organization for Personal Information Protection
    Through a dedicated organization for personal information protection in the company, Samsung C&T checks whether measures for protecting personal information have been taken, or the managers in charge of personal information protection have performed their duties; and ensures corrective measures are taken immediately in case any issue is found.

Article 10 (Installation/Operation and Rejection of Automatic Personal Information Collection Devices)

Samsung C&T operates “cookie” that frequently stores and searches your personal information. The cookie is a very small text file sent to your browser by the server which is used to operate the website of Samsung C&T’s E&C Group; and is stored on your computer hard-disk.
Samsung C&T uses cookie for the following purposes.

  • 1. Cookie is used as a measure of target-marketing and service improvement, by analyzing the access frequency and visiting time of members and non-members and figuring out users’ preference and areas of interest.
  • 2. You may allow all cookies or to be notified upon cookie installation or refuse all cookies in settings of Tool > Internet Option Tab on the top menu of the web browser.
  • 3. In case you refuse the installation of cookies, there may be some limitation when using Samsung C&T services.

Article 11 (Contact of the Person in Charge of Personal Information Protection)

Samsung C&T has a person in charge of protecting your personal information and dealing with related grievances. Should you have any inquiry regarding personal information treatment, please contact the person in charge stated below. The person in charge will provide a prompt and faithful response to your questions.

  • The Person in Charge of Personal Information Protection •Name: Chanbeom Jeong
    •Post: HR Team Leader
    •Contact Information: (T) 02-2145-6115, (F) 02-2145-5555
    security.cnt@samsung.com

Article 12 (Remedies to Infringement on the Rights of Users)

In case you need to report and consult about infringement on personal information, you may inquire about consultation or remedies to the below organizations.
< The below organizations are independent organs of Samsung C&T. Please contact the below organizations if you are not satisfied with the company’s handling of grievances or remedies related with personal information treatment. >
The Privacy Call Center: (Without area code) 118 (http://privacy.kisa.or.kr)
Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
Cyber Investigation Division of the Supreme Prosecutor’s Office: (Without area code) 1301, cid@spo.go.kr(http://spo.go.kr)
The Cyber Security Bureau of the National Police Agency: (Without area code) 182 (http://cyberbureau.police.go.kr)

Article 13 (Changes in Personal Information Handling Policy (Duty of Notification))

Any addition, deletion or revision of the current personal information handling policy will be notified on the website at least seven (7) days before the Enforcement Date of the new version.
- Notification Date of Personal Information Handling Policy: 2017. 12. 13
- Enforcement Date of Personal Information Handling Policy: 2017. 12. 20

Samsung C&T corporation (hereinafter referred to as Samsung C&T) values personal information of the information entity, and enacts and complies with the 'Samsung C&T personal information handling policy (hereinafter referred to as "policy")' to comply with related laws such as the 'Personal Information Protection Act'.

  • This policy is subject to change according to enactment and amendment, change in governmental policy and change in internal policy of Samsung C&T.
  • In case Samsung C&T changes this policy, it shall announce (or individually notify) in the notice board of the company homepage (www.samsungcnt.com).
  • The information entity shall frequently check this policy by visiting the 'Samsung C&T homepage (www.samsungcnt.com)'.
  • This policy contains the following contents.
    • Article 1 (General rules)
    • Article 2 (Collected personal information item and collection method)
    • Article 3 (Collecting purpose, and processing and possessing period of personal information)
    • Article 4 (Provision and sharing personal information)
    • Article 5 (Consignment of handling collected personal information)
    • Article 6 (Possession and utilization period and disposal of personal information)
    • Article 7 (Rights and obligations of user and legal deputy and method of action)
    • Article 8 (Personal information protection manager)
    • Article 9 (Measures to secure safety to protect personal information)
    • Article 10 (Changes in Personal Information Handling and Management Policy)

Article 1 (General rules)

  • ① "Personal information" refers to the information on a living individual and refers to the identifiable information of the relevant individual (including those identifiable in combination with other information although it cannot identify the individual on its own) such as name and resident registration number.
  • ② "Information entity" refers to the personnel identifiable by information handled by Samsung C&T and the personnel that becomes the entity of the information.
  • ③ Samsung C&T highly values personal information protection of the information entity, and complies with personal information protection regulation of the "Personal Information Protection Act" and "Standard Personal Information Protection Guidelines" enacted by the Ministry of Security and Public Administration. Through this policy, Samsung C&T notifies how personal information provided by the information entity is used and what measures are taken to protect personal information.
  • ④ To consistently improve this policy, Samsung C&T states necessary procedures to amend this policy. When this policy is amended, the version number will be issued so that the information entity can easily identify amendments.

Article 2 (Collected personal information item and collection method)

  • ① Samsung C&T provides diverse and convenient service to the information entity and collects personal information in the following methods for personal identification of information entity.
    • 1) Personal information item collected
      Type Collected items
      Handling of customer inquiries Email
      Information created and collected in the process of using services Cookies, service usage records, access logs, access IP information
      Security notification (Report) Email
    • 2) Personal information collection method
      • Access via homepage or homepage link Collect from available system
      • Samsung C&T provides a procedure for the information entity to "agree" or "disagree" with each content of a personal information collection agreement or agreement of utilization of Samsung C&T and regards that the collection of personal information is agreed to if "Agree" is selected.
    • 3) Personal information collection range
      • The above collection item and collection method are subject to change according to service purpose and type.
  • ② However, sensitive personal information that may breach basic human rights of the information entity (race and ethnic group, belief and ideology, place of origin and legal domicile, political tendencies and criminal record, health state and sexual life) will not be collected.

Article 3 (Collecting purpose, and processing and possessing period of personal information)

  • ① Samsung C&T collects personal information for the following purpose within the minimum range required for provision of satisfactory service.
    Handling personal information, viewing, correcting, deleting and suspending process of personal information, civil processes such as submitting and processing reports on breach of personal information, cancelling customer agreements and replies to customer inquiries
  • ② Processing and possessing period: Until agreement is cancelled

Article 4 (Provision and sharing personal information)

  • ① Samsung C&T shall not utilize personal information of the information entity over the notified range in "Article 3" or provide to others or other companies/institutions except in cases according to related laws and regulations or with consent of the information entity. However, personal information is utilized and provided with care.
    • In case of fully transferring and succeeding the rights and obligations of the service provider due to dispositions and mergers, the valid reason and procedure will be announced in detail in advance and the right to choose to cancel the agreement on personal information shall be granted.
    • In case of providing and sharing personal information of the entity, the right to refuse agreement to provide or share personal information to the personnel provided to or shared with shall be notified in writing or email including any disadvantages for refusal of agreement and the consent on this shall be asked.
  • ② In the following cases, personal information can be provided without consent of the information entity according to related laws.
    • Execution of contract on service provision
    • In case of request by investigative institution according to legal procedure and method based on regulations of related laws or for purpose of investigation
    • In case of providing in format not identifiable of a specific individual for statistical purposes, academic research or market research.

Article 5 (Consignment of handling collected personal information)

  • ① In case of consigning personal information handling external professional partners for executing service, Samsung C&T shall ask for consent of information entity according to law, and notify the consigned work of the partner. The company consigns personal information handling as below.
    Entrusted company Entrusted tasks
    Media4th&Company Maintenance and management of website
  • ② In case of consigning personal information processing, to protect personal information, the compliance of instructions related with personal information protection, confidentiality of personal information, prohibition of provision to third party, liability in case of an accident, consignment period and return and disposal of personal information after completion of process shall be clearly defined and the relevant contract term shall be stored in writing or electronically.
  • ③ In case the content of work consigned to the partner is changed, it shall be notified by one or more methods in writing, email, phone, SMS or other similar methods.

Article 6 (Possession and utilization period and disposal of personal information)

  • ① Samsung C&T shall dispose personal information of the entity without delay when the entity cancels an agreement or the purpose of collecting and receiving personal information has been fulfilled. The handling, processing and possessing period of personal information of a customer are as below.
    Type Period for handling, management and retention
    Personal information collected and used when inevitable according to special regulations of laws or legal obligations For the retention period required by the relevant laws
    Personal information collected and used according to individual consent (via email) Until the purpose of its collection and use is fulfilled
  • ② However, in case it needs to be possessed for a certain period of time for identification of rights and obligations related to transaction according to related laws such as commercial law, it shall be possessed for a certain period of time.
    ※ Possess information based on related laws (commercial law, national tax basic law, corporate tax law, consumer protection from electronic commerce transaction act, etc.)
  • ③ Disposal procedure and method
    • Personal information of the entity in the disposal procedure shall be moved to a separate DB after the entity cancels an agreement or the collection purpose is fulfilled, and shall be disposed after storing for a certain period of time according to internal policy or other related laws (refer to possessing and utilization period). This personal information will not be used for any other purposes than possessing according to law.
      Cancellation of agreement can be done by a set procedure by contacting the personal information department (Article 8).
    • Disposal method: Personal information printed on paper shall be disposed by shredding with a document shredder or burning. Personal information in an electronic file will be deleted by using the technical method to prevent regeneration.

Article 7 (Rights and obligations of user and legal deputy and method of action)

  • ① The information entity may view or request for correction, deletion, suspension of processing and cancel agreements on registered personal information. To view, correct, delete, suspend processing and cancel agreement of personal information, contact the representative phone (02-2145-6442) or the personal information protection manager in writing, by phone or email to take action without delay through the personal identification procedure.
  • ② In case the information entity requests for correction of error in personal information, the relevant personal information shall not be utilized or provided until correction is completed. Also, in case wrong personal information has already been provided to a third party, the corrected processing result will be notified to said third party without delay for correction to take effect.
  • ③ Samsung C&T shall process personal information requested for deletion by entity according to the possession and utilization period of collected personal information and other laws and shall prohibit viewing and utilization for other purposes.
  • ④ Please prevent inevitable accidents by accurately entering the latest personal information. The entity shall be responsible for accidents from entering incorrect information and may also face legal breach for illegally using information of others or entering false information.
  • ⑤ The information entity has the right to be protected of personal information as well as obligations to protect itself and not to breach information of others. Be careful not to leak personal information of the entity or damage personal information of others including postings. In case of failing to comply with these responsibilities and damaging the personal information and dignities of others, the personnel may be punished by related laws.
  • ⑥ The user and legal deputy may view personal information of itself or a child under 14 and request for deletion. To view and correct personal information of oneself and the child under 14, contact the personal information manager in writing or by phone or email to take measure without delay after the personal identification procedure ("Article 8"). In case the user or legal deputy requested for correction of error in personal information, the relevant information shall not be utilized or provided until correction is made. Also, when wrong personal information has already been provided to a third party, the correction result shall be notified to said third party without delay to take effect. The company processes cancelled or deleted personal information by request of the user or legal deputy as stated in "Possession and utilization period of personal information collected by the company" and prohibits viewing and utilization for any other purposes.

Article 8 (Personal information protection manager)

  • ① To protect personal information of the entity and process complaints and inquiries regarding personal information, Samsung C&T appoints related departments and the personal information protection manager as below.
    Personal information protection manager
  • ② Personal information department: To respond to demands related with personal information of the entity, Samsung C&T is operating related departments.
    • Business hours: Weekdays 08:00~17:00
    • Closed on Saturdays/Sundays and public holidays
    • Manager: Boyeon Han (hongboteam@samsung.com, 02-2145-6441)
  • ③ For report and consultation on breach of personal information, please inquire at the below institution.

Article 9 (Measures to secure safety to protect personal information)

When handling personal information of the entity, to prevent loss, theft, leakage, forgery or damage of personal information, Samsung C&T is taking the following technical, administrative and physical measures.

  • 1) Samsung C&T stores and manages encoded personal information.
  • 2) Measures against hacking
    • To prevent leakage or damage of personal information of the entity from hacking and computer viruses, Samsung C&T is taking the best efforts.
    • To deal with damage to personal information, data is frequently backed up, personal information or data is prevented from leakage or damage using the latest vaccine programs and personal information is securely sent on a network through encoded communication.
    • An invasion blocking system is used, illegal access from outside is controlled and all possible technical measures are equipped to secure system security.
  • 3) Minimization and education of handling employees
    • Employees of Samsung C&T handling personal information is limited to manager, separate passwords are granted and regularly renewed, and through frequent training of the manager, personal information is safely managed.
    • Transfering duties of an employee handling personal information is conducted under strict security, and responsibility on accidents involving personal information after entering and exiting the company is ensured.
    • The computing room and data archive are designated as special protected zones and strictly controlled.
  • 4) Operation of exclusive organizations for personal information protection
    • Through exclusive organizations for personal information protection in the company, execution of personal information protection measures and compliance of the manager shall be confirmed, and immediate correction shall be taken on the discovery of the problem. However, a problem occurring from leakage of personal information due to negligence of an individual or internet problem shall not be responsible by Samsung C&T.

Article 10 (Changes in Personal Information Handling and Management Policy)

This policy takes effect on April 28, 2016.

Samsung C&T Corporation (“the company”) strives to protect the personal information of its customers by observing all regulations related to personal information protection under the relevant laws, including the Personal Information Protection Act and Act on Promotion of Information and Communications Network Utilization and Information Protection.

  • The company informs all the relevant parties of policies related to the handling and management of personal information provided by customers, such as items and purpose of handling and managing personal information collected, period for handling, management and retention, rights and obligations of customers and methods of exercising rights, measures to secure safety of personal information through the Personal Information Handling and Management Policy of Samsung C&T Corporation (“this policy”). The company shall publicly announce any changes in this policy by posting a public notice on its website (http://www.samsungcnt.com/EN/cnt/index.do).
  • This policy contains the following contents.
    • 1. Items of Personal Information Collected, and Methods of Collection
    • 2. Purpose of Collection and Use of Personal Information
    • 3. Provision of Personal Information to a Third Party
    • 4. Entrustment of Management of Personal Information
    • 5. Period for Handling, Management and Retention of Personal Information
    • 6. Rights of User and Legal Representative, and Methods of Exercising Rights
    • 7. Destruction of Personal Information and Its Procedures and Methods
    • 8. Installation, Operation, and Denial of Device for Automatic Collection of Personal Information
    • 9. Securing the Safety of Personal Information
    • 10. Contact Information of Personal Information Protection Supervisor and Manager
    • 11. Changes in Personal Information Handling and Management Policy

1. Items of Personal Information Collected, and Methods of Collection

  • (1) The company collects the following types of personal information.
    Type Collected items
    Handling of customer inquiries Email
    Information created and collected in the process of using services Cookies, service usage records, access logs, access IP information
    Security notification (Report) Email
  • (2) The methods of collection are as follows.
    • Customer inquiries posted on the website and reports to the security report center
    • Data gathering tool

2. Purpose of Collection and Use of Personal Information

The company handles and manages personal information for the following purposes. The handled and managed personal information shall not be used for any purpose other than the following purposes, and if there is any change in the purpose of using personal information, necessary measures such as obtaining a separate consent shall be taken in accordance with the Personal Information Protection Act.

  • (1) Handling of customer inquiries

    Personal information is handled and managed for the purpose of making contact and replying to the customer for confirmation and fact finding in the event of customer inquiries.

  • (2) Security notification (Report)

    Personal information is handled and managed to reply to complaints, and provide security notifications (Report).

3. Provision of Personal Information to a Third Party

  • (1) The company uses the personal information of its users within the scope specified under "2. Purpose of Collection and Use of Personal Information." The company shall not go beyond the purpose of use and make such information public without the prior consent of the user, except in the following circumstances:
    • If the user gives consent in advance
    • If it does so pursuant to the regulations of the laws, or if there is a request by an investigative authority according to the procedures and methods established by laws for investigation purposes
  • (2) The company currently does not provide the personal information of users to third parties.

4. Entrustment of Handling and Management of Personal Information

The company entrusts the handling and management of personal information as follows to improve service quality, and regulates matters required to safely manage personal information when signing an entrustment contract in accordance with the relevant laws.

  • (1) The company entrusts the handling and management of personal information as follows.
    Entrusted company Entrusted tasks
    Samsung SDS Maintenance and management of website
  • (2) The company shall specify matters related to the following in official documents such as the contract in accordance with Article 26 of the Personal Information Protection Act and Article 25 of Act on Promotion of Information and Communications Network Utilization and Information Protection: prohibition of handling personal information for purposes other than conducting entrusted tasks, technical and managerial protection measures, restriction of re-entrustment, management and supervision over the entrusted company and compensation for damages,. The company supervises the entrusted company to ensure the safe handling of personal information.
  • (3) If any change is made in the contents of entrusted tasks or the entrusted company, such information shall be reported through this policy.

5. Period for Handling, Management and Retention of Personal Information

Period for the handling, management and retention of personal information is as follows.

  • Type Period for handling, management and retention
    Personal information collected and used when inevitable according to special regulations of laws or legal obligations For the retention period required by the relevant laws
    Personal information collected and used according to individual consent (via email) Until the purpose of its collection and use is fulfilled

The company destroys personal information without delay once the period for handling, management and retention of personal information has passed or the purpose of its collection and use has been fulfilled. However, the company may retain personal information for which the period of retention and use has elapsed if the information must be “retained according to other laws” or when “individual consent from the customer has been received.”

6. Rights of User and Legal Representative, and Method of Exercising Rights

  • (1) Viewing of personal information
    • The customer may request to view his or her personal information handled and managed by the company through the personal information manager under Article 10 of this policy, and the company shall allow the customer to view his or her personal information within 10 days from the date of receiving such request. However, if there is a justifiable reason for the access to not be permitted within the above period, the handling of the request can be delayed by notifying the customer of the reason, and when the corresponding reason is no longer valid, the information can be viewed by the customer without delay.
    • If the company intends to delay, restrict or refuse access to the information, the company shall notify the customer of the reason for such delay, restriction or refusal and of a method through which the customer can make an objection through writing, email or facsimile within 5 days from the date the request for inquiry has been received. The company may restrict or refuse customers’ request to view his or her personal information after notifying the subject of the information in any of the following circumstances: the request is prohibited or restricted subject to relevant laws; the request may be threatening to other peoples' lives or health; or the request may unfairly infringe on properties and benefits of other people.
  • (2) Modification and deletion of personal information
    • The customer who makes a request to view his or her personal information according to the preceding paragraph may request the company's personal information manager to modify or delete the information. However, if the information is stated in other laws as the subject of collection, the customer cannot request deletion.
    • When the request for modification and deletion of personal information is made, the company must immediately investigate the personal information and take necessary measures such as modification and deletion of information upon the request of the customer, and notify the result to the customer except when there are special procedures related to modification or deletion of personal information specified in other laws.
    • If a customer requests that an error in personal information be corrected, the personal information concerned will not be used or provided before such correction is completed. If the incorrect personal information has already been provided to a third party, the company will immediately notify the correction to the third party to request a consequent correction.
    • When the company deletes personal information, it must be deleted in a manner that will prevent its restoration or reproduction, and if the personal information the customer has requested to be modified or deleted cannot be deleted because the corresponding information is defined as a subject of collection under other laws, the customer must immediately be notified.
    • When investigating information following a customer’s request for modification and deletion of personal information, the company may ask the customer to submit relevant data confirming the request for modification and deletion.
    • The detailed methods and procedures for modification and deletion of personal information are subject to those of viewing personal information.
  • (3) Suspension of handling and management of personal information
    • Customers may request the company to suspend the handling and management of their personal information through the personal information manager.
    • The company shall immediately suspend the handling and management of personal information in whole or in part at the request of the customer. However, the company may reject such request in any of the following circumstances:
      • If there are special regulations under laws that inevitably require the company to collect and handle such information;
      • If a risk is posed to the life and health of other people, or the properties and benefits of other people may be unfairly infringed upon; and,
      • If it is difficult to fulfill a contract with the customer if personal information is not handled and managed, and the customer has not clearly indicated intent to cancel the contract.
    • If the company rejects the customer’s request to suspend its handling and management of personal information, the company shall immediately notify the reason to the customer.
    • When the handling and management of personal information has been suspended according to the request of the customer, the company shall immediately take necessary measures, such as destruction of the corresponding information.
    • The detailed methods and procedures for suspension of handling and management of personal information are subject to those of viewing personal information.
  • (4) Methods and procedures of exercising rights
    • Customers may request a representative to view, modify, delete, and obtain information regarding the handling and management of his or her personal information (“requests such as viewing”) based on the methods and procedures specified in Article 45 of the Personal Information Protection Act.
    • The company may demand the payment of commission and postage fee (only when a mailed copy is requested) from a person who makes a request such as a request to view personal information in accordance with the Personal Information Protection Act.
    • Customers may make a request such as a request to view personal information through the personal information manager, and contact the personal information manager if there are any additional inquiries.

7. Destruction of Personal Information and Its Procedures and Methods

The company immediately destroys personal information once the personal information of customers is no longer necessary, for reasons such as the lapse of the personal information retention period and/or the achievement of the purpose of handling and management of personal information. However, if personal information must be stored in accordance with another law (Protection of Communications Secrets Act), the corresponding personal information is transferred to a separate database (DB) or stored in a different storage place. Detailed destruction procedures and methods are as follows:

  • (1) Destruction procedure
    • The company selects personal information to be destroyed, and destroys such information upon the approval of the personal information supervisor of the company.
  • (2) Destruction method
    • Personal information saved in the form of an electronic file shall be permanently deleted through a technical method that prevents its reproduction, while printed and/or written documents that record personal information are shredded or incinerated.

8. Installation, Operation, and Denial of Device for Automatic Collection of Personal Information

  • (1) What are cookies?
    • The company uses cookies to store and load user information, thereby providing personalized and customized service.
    • Cookies are small text files that are sent from the company web server to the user’s browser, and are stored on the user’s hard drive. When users visit the website in the future, the website server will read the cookies in the hard drive to maintain the user’s settings and provide customized service.
  • (2) Purpose of using cookies

    Cookies are used to identify the user’s website usage pattern, whether the user accesses through secure connection, and the number of the users in order to provide optimal customized service.

  • (3) Installation, operation, and denial of cookies
    • Users have the right to opt in or out of installation of cookies. Users may choose to allow all cookies, to confirm every time cookies are enabled, or to block all cookies by making adjustments in the web browser settings.
    • Denying installation of cookies may limit the usage of the services provided.
    • How to enable cookies (Internet Explorer):
      (Top right side of the browser)
      Tools > Internet Options > Privacy > Advanced Privacy Settings

9.Securing the Safety of Personal Information

The company takes administrative, technical and physical measures to secure the safety of personal information.

  • (1) Administrative measures
    • Establish and implement internal administrative plans for the safe handling and management of personal information
    • Establish and implement training plans for employees or other staffs entrusted to directly handle and process personal information
    • Conduct regular internal inspection according to internal administrative plans
  • (2) Technical measures
    • Restriction and management of rights to access personal information
    • Identification and verification to confirm rights to access personal information
    • System installation or other measures to block unauthorized access to personal information
    • Encryption of personal information for safe storage and transfer
    • Measures for storage of access records and prevention of forging and falsification of such records
    • Installation of security program and its regular renewal and inspection
  • (3) Physical measures
    • Access control and locking device for safe storage of personal information

10.Contact Information of Personal Information Protection Supervisor and Manager

The company designates a department in charge of personal information management, personal information supervisor and personal information manager as follows to protect the personal information of customers, process and address complaints, and remedy issues related to handling and processing of personal information.

  • Department: Human Resources Team
  • Supervisor: Vice President Cheolwoong Lee
  • Manager: Senior Manager Chansu Jun
  • Tel: 82-2-2145-2114

Customers may report any complaint and/or request relief to the personal information protection supervisor or manager for damages related to the handling and management of personal information. The company will promptly respond and address customer reports.

To report or receive counselling concerning violation of personal privacy, please contact the following agencies:

11.Changes in Personal Information Handling and Management Policy

This policy takes effect on September 1, 2015.

Security Reporting Center

If you have detected any security issues or unauthorized disclosure of technical or business information, please report the fact to the following :


E-Mail : security_secc@samsung.com

By mail : Tower B, 26, Sangil-ro 6-gil, Gangdong-gu, Seoul, Korea


All information, including your identify will be kept strictly confidential.

Guide for the Operation and Management of Image Data Processing Devices

Samsung C&T Ltd. E&C group (hereinafter called “the Company”) informs you of the purpose and the way that the Company uses and manages the collected image data in the Company with Guide for the Operation and Management of Image Data Processing Devices.

The Guide for the Operation and Management of Image Data Processing Devices is applicable to the Company’s Seoul Office (B building, Global Engineering Center, 26, Sangil-ro 6-gil, Gangdong-gu, Seoul), and for employees in outside workplaces including sites, refer to the each places’ guide for the operation and management of image Data Processing Devices.

1. Installation Grounds and Purpose

Pursuant to the Item 1 of Article 25 of the Personal Information Protection Act, the Company installs and operates image data processing devices with the purpose of matters mentioned below.
- Facility Safety and Prevention of fires
- Prevention of Crimes for customer’s safety

2. The Number and Locations of Cameras, and Scope of Image Data Recording

The person in charge responsible for protecting individual’s image data and handling concerns related to it are as follow.

The Number and Locations of Cameras, and Scope of Image Data Recording
Number of Cameras locations of cameras,
and scope of image data recording
39 Main entrance and lobby, emergency staircase, elevator hall and southern gate in the first floor
3. Management and Authorized Personnel

The person in charge responsible for protecting individual’s image data and handling concerns related to it are as follow.

Management and Authorized Personnel
Category Name Position Department Telephone
Image Data Jikang Ryu Manager HR Team 02-3458-3112
Processing Device
Manager
Yongkyun Jeong Manager
Authorized Personnel
to the data
Soonchang Nam
Myoungsik Ihn
Team Leader
Associate
S1 Corporation 02-2115-6115
4. Recording Time, Retention Period, Archive and Management Details
Recording Time, Retention Period, Archive and Management Details
Recording Time Retention Period Archive
24hrs 5 days from the recording date
※ However, the CCTV footage from main entrance and lobby, southern gate in the first floor will be stored for 30 days from the recording date.
Security Situation Room in the Company

- Management details: Activities including using private image data to non-promised purposes, providing to the third party, erasing and accessing the data will be recorded in a written form. When retention period expires, the record will be permanently erased in a non-reversible way. (In case of hard copy, it will be shredded)

5. Entrusting the Installation and Management

The Company entrusts the installation and management of image data processing devices and when a contract is made, according to the relevant Act, the Company makes the regulations so that the personal information can be managed in a safe manner.

Entrusting the Installation and Management
Entrusted Company Person in Charge Telephone
S1 Corporation Soonchang Nam
Myoungsik Ihn
02-2145-6115
6. The Way to Access Image Data

- How to: Individuals can access their personal data by visiting the Company after making a contact with Image Data Processing Device Manager.
- Location: Security Situation Room in the Company

7. Requests by a Subject of the Data

Individuals reserve the right to request access to or confirmation or deleting the existence of image data processed by the Company. Types of image data for which individuals may submit the requests are limited to image data in which they are a subject of the data and image data that is unquestionably needed in the interest of the individual’s life, wellbeing, or estate.
Upon receiving the requests of access, or confirmation or deleting the existence of the image data, the Company must immediately offer its full cooperation.

8. Security Steps

The image data being used inside of the Company has been managed in a safe way including an encrypted form. Also, as a means of protecting personal image data, the Company grants different levels of access authorities to the personnel in charge. In order to prevent forgery and alteration of personal image data, the Company records and manages the recording date of image data and access purpose, accessing personnel and accessing date. In addition to this, the Company safely stores physical form of data at apparatuses established in a restricted areas within the Company.

9. Amendment

This Guide for the Operation and Management of Image Data Processing Devices was written on July 20, 2016 and when adding or deleting details, or making changes, due to the changes of Acts, Policies and development of security technologies, the Company shall notice the reasons for the changes and details through the Company’s website not less than 7 days.
- Announcement Date: November 28, 2018
- Enforcement Date: December 5, 2018
- Amendment Reason: CCTV operation status (Locations and Number of Cameras) and change of Image Data Processing Device Manager

Article 1 - Purpose

This Guide for the Operation and Management of Image Data Processing Devices (the “Guide” hereafter) serves to define the operation and management of image data processing devices installed at the owned and leased premises (the “Offices” hereafter) of Samsung C&T’s Engineering & Construction Group (the “Company” hereafter), pursuant to Article 25 of the Personal Information Protection Act (the “Act” hereafter) and Article 25 of said act’s enforcement decree.

Article 2 – Terminology

Image data processing devices are security cameras, CCTV components, recording units (such as DVRs and NVRs), and other devices installed at the Offices of the Company for the purposes of recording images of individuals and objects and transmitting those recorded images to a remote location via either a closed-wireless or a closed-cable transmission circuit.
Image data refers to images that were recorded and/or processed by image data processing devices and depict the likeness, behavior, or any other identifying personal quality or trait of an individual.
Processing refers to the collection of image data using image data processing devices and to the logging in, storage, referencing, rendering, editing, deletion, destruction, recovery, playback, printing, publication, or any other similar use of the collected image data.
Image data processing device manager refers to an appointed or commissioned individual overseeing the installation, operation, and management of image data processing devices.
Subject of the data refers to a natural person who is identifiable in the concerned image data and is therefore its main subject.

Article 3 – Scope

The guidelines herein, unless specified otherwise under the law, dictate the protection of image data recorded and processed by image data processing devices installed inside and outside the Offices and apply to the Company, parties authorized by the Company, and all individuals involved in the operation and management of image data processing devices and the handling of image data thereof.

Article 4 – Installation Objective and Operational Status

Image data processing devices are installed inside and outside the Offices for the safety of the facility and customers and the preventions of fires, accidents, and crimes in accordance with Items 1 and 2 of Article 1 of the Act. The operational status of image data processing devices in use by the Company is as follows:

Image Data Processing Devices in Use
Leased Office
Image Data Processing Devices in Use
Category CCTV Cameras
Interior Exterior
Seocho Office 260 14
임차사옥 148 13
Camera Locations Main entrance, lobby, emergency staircase, inside and outside of elevators, and the parking lot (Seocho office)
Scope of Image Data Recording

Scope of image data recording includes areas inside and outside the Offices requiring the installation of image data processing devices for the safety of the facility and the customer and/or the prevention of fires and crimes.

Image Resolution

Images recorded by image data processing devices are stored at a resolution high enough to satisfy the concerned installation objective.

Article 5 – Management Responsibilities

Individuals responsible for the installation of image data processing devices and the handling of image data thereof are as follows:

Management Responsibilities
Category Name Affiliation Department Telephone
Image Data Processing Device Manager Lee Gyeong-cheol Samsung C&T Corporation Human Resources Team 02-2145-3112
Image Data Processing Device Manager Kim Jun-wu Samsung C&T Corporation Human Resources Team 02-2145-3112
Service Provider Personnel Cho Sang-ho S1 Corporation Seoul TS Group (C&T Seocho) 02-2145-6115
Service Provider Personnel Lee Yeong-seon S1 Corporation Seoul TS Group (Alpharium Tower) 02-2145-6115

Image data processing device managers perform the following tasks as per the privacy-protection requirements stipulated in Article 31-2 of the Act:
• Establishment and implementation of a plan for the protection of private image data;
• Periodic review and improvement of private image data handling and related practices;
• Processing of complaints concerning the handling of private image data and arrangement of compensation for damages;
• Deployment of an internal regulatory system for the prevention of unauthorized disclosure, misuse, and abuse of private image data;
• Establishment and implementation of a plan for education and training concerning the protection of private image data;
• Management and supervision of private image data protection and destruction;
• Supervision of the service provide to ensure the secure and proper handling of image data and training of the service provider on the prevention of image data loss, theft, leakage, alteration, and damage; and
• Other tasks related to the protection of private image data.

Image data processing device managers may delegate tasks related to the installation and operation of image data processing devices to individuals or a third party and are responsible for ensuring the secure handling of image data by the designated individual and/or third party. The approved third party to which said tasks may be delegated is S1 and, specifically, its TS team leads whose territories include the Offices. In delegating tasks to this third-party service provider, the image data processing device manager must do so in writing by including each of the following information:
• Purpose and scope of the delegation;
• Explicit prohibition of further delegation of the tasks to other parties;
• Access restriction to the image data and other security-related steps;
• A description of data-management inspections; and
• A description of indemnification and other liabilities in the event of the service provider’s failure to fulfill its responsibilities.

Article 6 – Management & Operation Standards

As a rule, image data processing devices installed at the Offices are to record continuously for 24 hours a day at the highest possible settings.
Image data processing devices may not be operated at one’s discretion, be used in areas beyond the scope of image data recording, or be used with the “record audio” function turned on. Image data collected using image data processing devices may not be stored for longer than one month and must be destroyed without delay upon expiration. The devices are to be set up and run so that the image data is destroyed (deleted) automatically.
Storage of the recorded data is restricted to the situation room where the recording device is located. Should it be necessary to relocate the data for storage at a different location, however, the image data processing device operator must first be informed before proceeding with the relocation. The new storage site is to then be noted in the inspection journal and managed accordingly.
Data collected and transmitted by image data processing devices may only be monitored from designated locations and must be protected so that only the image data processing device manager and the designated personnel of the service provider may monitor it when needed. This designated location where monitoring of the image data is permitted is to be noted in the security-facility-inspection journal and managed accordingly.
Image data processing devices are to be inspected for normal functionality at least once a day. Results of these inspections are to be noted in the security-facility-inspection journal and managed accordingly.

Article 7 – Image Data Handling

The image data processing device operator is prohibited from using the image data for any other purpose than collection and from providing the image data to an unauthorized third party, except in any one of the following circumstances:

• With the consent of the subject of the data;
• Doing so is permitted under the Act or another law;
• If doing so is unquestionably necessary in the interest of the subject of the data or a third party’s life, wellbeing, or estate and consent could not be gained in advance due to the subject of the data or their legal representative not being able to express their intent or being unreachable; or
• The data is provided for a statistics-compilation or academic purpose and in a format where individuals cannot be identified.

Individuals wishing to view image data in which they are a subject may do so by contacting the image data processing device manager of the Office in question in advance, filling out the image data confirmation request form that’s available at the information desk, and presenting the form to the image data processing device manager.
Should the image data be used for a purpose other than collection or provided to a third party, the image data processing device operator must make note of each of the following and manage the event accordingly:

• Name of the image data file;
• Name of the organization or individual who used or received the data;
• The purpose of the data’s use or provision;
• Legal basis for the data’s use or provision (if one exists);
• Permitted duration of the data’s use or provision (if defined); and
• The manner of the data’s use or provision.

When destroying image data, the image data processing device operator must make note of each of the following and manage the event accordingly:

• Name of the image data file to be destroyed;
• Time and date of the image data’s destruction (destruction cycle if being deleted automatically and auto-delete verification schedule); and
• Name of the person responsible for the data’s destruction.

Article 8 – Requests by a Subject of the Data

Individuals reserve the right to request access to or confirmation of the existence of image data processed by the Company (the “Requests” hereafter). Types of image data for which individuals may submit the Requests are limited to image data in which they are a subject of the data and image data that is unquestionably needed in the interest of the individual’s life, wellbeing, or estate.
When making the Requests, the principal needs to present their identification (resident registration card, driver’s license, or passport) and the legal representative of the principal needs to present their identification and a letter of attorney. Both the principal and the legal representative of the principal must also fill out and submit the data confirmation request form, which is available at the security desk of the Offices.
Upon receiving the Requests, the Company must immediately inform the relevant image data processing device manager and offer its full cooperation.
However, the Company may refuse the Requests by informing the principal of its reason in writing within ten days in any one of the following circumstances:

• Compliance with the Requests may severely impede a criminal investigation, an arraignment, or a trial;
• The concerned image data has exceeded its duration of storage and has already been destroyed; or
• There exists a sufficient cause to deny the Requests.

When processing the Requests, the image data processing device operator is to make note of each of the following and manage the concerned Requests accordingly. The image data processing device operator is to report to the image data processing device manager prior to taking any action in response to the Requests or, if unable to do so, report to the image data processing device manager immediately after taking action in response to the Requests.

• Name and contact information of the principal behind the Requests;
• Name and content of the concerned image data file;
• The purpose of the Requests; and
• The reason for denying the Requests (if applicable).

The image data processing device operator is required to perform, under the supervision and management of the image data processing device manager, each of the following to secure and protect the image data against loss, theft, leakage, alteration, and damage:

• Restriction of access to the image data and limitation of access privileges;
• Implementation of technologies for the safe storage and transmission of the image data;
• Implementation of measures for the storage of processing records and the prevention of forgery and alteration of processing records; and
• Facilitation of facilities and apparatuses for the secure storage of the image data in physical form.

Article 9 – Signs

The Offices at which image data processing devices have been installed are required to inform the individuals at the Offices of the presence and use of the devices by posting signs that contain the following information:

• Installation purpose and locations;
• Scope of image data recording and hours; and
• Name and contact information of the image data processing device operator.

If multiple image data processing devices have been installed at the Office, a sign explaining the entire facility or scene is under surveillance may be used. For image data processing devices installed outdoors, a separate sign needs to be used for each device.

Article 10 – Revisions

The Guide was established on 1 September 2011 and is subject to additions, subtractions, and revisions along with new changes in the law, in policy, and/or security technologies. Changes to the Guide are announced, along with the reasons behind them, via the Company’s website at least seven days prior to taking effect.

  • - Announcement Date: 20 June 2016
  • - Enforcement Date: 20 June 2016
  • - Revision Date: 2 September 2017

- Revision: Image Data Processing Devices in Use

Article 1 - Purpose

This Guide for the Operation and Management of Image Data Processing Devices (the “Guide” hereafter) serves to define the operation and management of image data processing devices installed at the owned and leased premises (the “Offices” hereafter) of Samsung C&T’s Engineering & Construction Group (the “Company” hereafter), pursuant to Article 25 of the Personal Information Protection Act (the “Act” hereafter) and Article 25 of said act’s enforcement decree.

Article 2 – Terminology

Image data processing devices are security cameras, CCTV components, recording units (such as DVRs and NVRs), and other devices installed at the Offices of the Company for the purposes of recording images of individuals and objects and transmitting those recorded images to a remote location via either a closed-wireless or a closed-cable transmission circuit.
Image data refers to images that were recorded and/or processed by image data processing devices and depict the likeness, behavior, or any other identifying personal quality or trait of an individual.
Processing refers to the collection of image data using image data processing devices and to the logging in, storage, referencing, rendering, editing, deletion, destruction, recovery, playback, printing, publication, or any other similar use of the collected image data.
Image data processing device manager refers to an appointed or commissioned individual overseeing the installation, operation, and management of image data processing devices.
Subject of the data refers to a natural person who is identifiable in the concerned image data and is therefore its main subject.

Article 3 – Scope

The guidelines herein, unless specified otherwise under the law, dictate the protection of image data recorded and processed by image data processing devices installed inside and outside the Offices and apply to the Company, parties authorized by the Company, and all individuals involved in the operation and management of image data processing devices and the handling of image data thereof.

Article 4 – Installation Objective and Operational Status

Image data processing devices are installed inside and outside the Offices for the safety of the facility and customers and the preventions of fires, accidents, and crimes in accordance with Items 1 and 2 of Article 1 of the Act. The operational status of image data processing devices in use by the Company is as follows:

Image Data Processing Devices in Use
Leased Office
Image Data Processing Devices in Use
Category CCTV Cameras
Interior Exterior
Seocho Office 260 14
임차사옥 148 13
Camera Locations Main entrance, lobby, emergency staircase, inside and outside of elevators, and the parking lot (Seocho office)
Scope of Image Data Recording

Scope of image data recording includes areas inside and outside the Offices requiring the installation of image data processing devices for the safety of the facility and the customer and/or the prevention of fires and crimes.

Image Resolution

Images recorded by image data processing devices are stored at a resolution high enough to satisfy the concerned installation objective.

Article 5 – Management Responsibilities

Individuals responsible for the installation of image data processing devices and the handling of image data thereof are as follows:

Management Responsibilities
Category Name Affiliation Department Telephone
Image Data Processing Device Manager Lee Gyeong-cheol Samsung C&T Corporation Human Resources Team 02-2145-3112
Image Data Processing Device Manager Kim Jun-wu Samsung C&T Corporation Human Resources Team 02-2145-3112
Service Provider Personnel Cho Sang-ho S1 Corporation Seoul TS Group (C&T Seocho) 02-2145-6115
Service Provider Personnel Lee Yeong-seon S1 Corporation Seoul TS Group (Alpharium Tower) 02-2145-6115

Image data processing device managers perform the following tasks as per the privacy-protection requirements stipulated in Article 31-2 of the Act:
• Establishment and implementation of a plan for the protection of private image data;
• Periodic review and improvement of private image data handling and related practices;
• Processing of complaints concerning the handling of private image data and arrangement of compensation for damages;
• Deployment of an internal regulatory system for the prevention of unauthorized disclosure, misuse, and abuse of private image data;
• Establishment and implementation of a plan for education and training concerning the protection of private image data;
• Management and supervision of private image data protection and destruction;
• Supervision of the service provide to ensure the secure and proper handling of image data and training of the service provider on the prevention of image data loss, theft, leakage, alteration, and damage; and
• Other tasks related to the protection of private image data.

Image data processing device managers may delegate tasks related to the installation and operation of image data processing devices to individuals or a third party and are responsible for ensuring the secure handling of image data by the designated individual and/or third party. The approved third party to which said tasks may be delegated is S1 and, specifically, its TS team leads whose territories include the Offices. In delegating tasks to this third-party service provider, the image data processing device manager must do so in writing by including each of the following information:
• Purpose and scope of the delegation;
• Explicit prohibition of further delegation of the tasks to other parties;
• Access restriction to the image data and other security-related steps;
• A description of data-management inspections; and
• A description of indemnification and other liabilities in the event of the service provider’s failure to fulfill its responsibilities.

Article 6 – Management & Operation Standards

As a rule, image data processing devices installed at the Offices are to record continuously for 24 hours a day at the highest possible settings.
Image data processing devices may not be operated at one’s discretion, be used in areas beyond the scope of image data recording, or be used with the “record audio” function turned on. Image data collected using image data processing devices may not be stored for longer than one month and must be destroyed without delay upon expiration. The devices are to be set up and run so that the image data is destroyed (deleted) automatically.
Storage of the recorded data is restricted to the situation room where the recording device is located. Should it be necessary to relocate the data for storage at a different location, however, the image data processing device operator must first be informed before proceeding with the relocation. The new storage site is to then be noted in the inspection journal and managed accordingly.
Data collected and transmitted by image data processing devices may only be monitored from designated locations and must be protected so that only the image data processing device manager and the designated personnel of the service provider may monitor it when needed. This designated location where monitoring of the image data is permitted is to be noted in the security-facility-inspection journal and managed accordingly.
Image data processing devices are to be inspected for normal functionality at least once a day. Results of these inspections are to be noted in the security-facility-inspection journal and managed accordingly.

Article 7 – Image Data Handling

The image data processing device operator is prohibited from using the image data for any other purpose than collection and from providing the image data to an unauthorized third party, except in any one of the following circumstances:

• With the consent of the subject of the data;
• Doing so is permitted under the Act or another law;
• If doing so is unquestionably necessary in the interest of the subject of the data or a third party’s life, wellbeing, or estate and consent could not be gained in advance due to the subject of the data or their legal representative not being able to express their intent or being unreachable; or
• The data is provided for a statistics-compilation or academic purpose and in a format where individuals cannot be identified.

Individuals wishing to view image data in which they are a subject may do so by contacting the image data processing device manager of the Office in question in advance, filling out the image data confirmation request form that’s available at the information desk, and presenting the form to the image data processing device manager.
Should the image data be used for a purpose other than collection or provided to a third party, the image data processing device operator must make note of each of the following and manage the event accordingly:

• Name of the image data file;
• Name of the organization or individual who used or received the data;
• The purpose of the data’s use or provision;
• Legal basis for the data’s use or provision (if one exists);
• Permitted duration of the data’s use or provision (if defined); and
• The manner of the data’s use or provision.

When destroying image data, the image data processing device operator must make note of each of the following and manage the event accordingly:

• Name of the image data file to be destroyed;
• Time and date of the image data’s destruction (destruction cycle if being deleted automatically and auto-delete verification schedule); and
• Name of the person responsible for the data’s destruction.

Article 8 – Requests by a Subject of the Data

Individuals reserve the right to request access to or confirmation of the existence of image data processed by the Company (the “Requests” hereafter). Types of image data for which individuals may submit the Requests are limited to image data in which they are a subject of the data and image data that is unquestionably needed in the interest of the individual’s life, wellbeing, or estate.
When making the Requests, the principal needs to present their identification (resident registration card, driver’s license, or passport) and the legal representative of the principal needs to present their identification and a letter of attorney. Both the principal and the legal representative of the principal must also fill out and submit the data confirmation request form, which is available at the security desk of the Offices.
Upon receiving the Requests, the Company must immediately inform the relevant image data processing device manager and offer its full cooperation.
However, the Company may refuse the Requests by informing the principal of its reason in writing within ten days in any one of the following circumstances:

• Compliance with the Requests may severely impede a criminal investigation, an arraignment, or a trial;
• The concerned image data has exceeded its duration of storage and has already been destroyed; or
• There exists a sufficient cause to deny the Requests.

When processing the Requests, the image data processing device operator is to make note of each of the following and manage the concerned Requests accordingly. The image data processing device operator is to report to the image data processing device manager prior to taking any action in response to the Requests or, if unable to do so, report to the image data processing device manager immediately after taking action in response to the Requests.

• Name and contact information of the principal behind the Requests;
• Name and content of the concerned image data file;
• The purpose of the Requests; and
• The reason for denying the Requests (if applicable).

The image data processing device operator is required to perform, under the supervision and management of the image data processing device manager, each of the following to secure and protect the image data against loss, theft, leakage, alteration, and damage:

• Restriction of access to the image data and limitation of access privileges;
• Implementation of technologies for the safe storage and transmission of the image data;
• Implementation of measures for the storage of processing records and the prevention of forgery and alteration of processing records; and
• Facilitation of facilities and apparatuses for the secure storage of the image data in physical form.

Article 9 – Signs

The Offices at which image data processing devices have been installed are required to inform the individuals at the Offices of the presence and use of the devices by posting signs that contain the following information:

• Installation purpose and locations;
• Scope of image data recording and hours; and
• Name and contact information of the image data processing device operator.

If multiple image data processing devices have been installed at the Office, a sign explaining the entire facility or scene is under surveillance may be used. For image data processing devices installed outdoors, a separate sign needs to be used for each device.

Article 10 – Revisions

The Guide was established on 1 September 2011 and is subject to additions, subtractions, and revisions along with new changes in the law, in policy, and/or security technologies. Changes to the Guide are announced, along with the reasons behind them, via the Company’s website at least seven days prior to taking effect.

  • - Announcement Date: 20 June 2016
  • - Enforcement Date: 20 June 2016
  • - Revision Date: 2 September 2017

- Revision: Image Data Processing Devices in Use