Advocates for Public Interest Law (hereinafter “APIL”) processes personal information lawfully and manages it securely in compliance with the Personal Information Protection Act and related laws and regulations to protect the freedom and rights of data subjects. Accordingly, APIL establishes and publishes the following Privacy Policy to inform data subjects about the procedures and standards for personal information processing and to ensure prompt and smooth handling of related grievances, pursuant to the Personal Information Protection Act.
1. Purposes of Processing Personal Information
APIL processes personal information for the following purposes. The personal information being processed shall not be used for any purpose other than those stated below; should the purpose of use change, necessary measures, such as obtaining separate consent in accordance with the Personal Information Protection Act, will be implemented.
1) Donor and Regular Member Registration and Management
Confirmation of intent to join as a donor or regular member, maintenance and management of membership status, preparation and provision of the corporation's membership roster and supervision by the competent authority, prevention of fraudulent service use, confirmation of legal representative's consent for processing personal information of children under 14 years of age, and handling various notices, membership withdrawal, etc.
2) Donation (Regular Membership Fees) Management and Issuance of Donation Receipts
Confirmation of donation/membership fee payment, issuance and retention of donation receipts, etc.
3) Events/Campaigns
Execution of specific events/campaigns such as forums, education sessions, and signature campaigns; prevention of fraudulent service use; confirmation of legal representative's consent when processing personal information of children under 14 years of age, etc.
4) Organizational Promotion
Promotion of organizational activities; solicitation of sponsorship and increased contributions; encouragement of participation in various activities such as volunteering and signature campaigns.
5) Consultation and Grievance Handling
Listening to and responding to inquiries, requests, consultations, reports, and opinions via phone, email, in-person visits, etc.
6) Volunteers
Guidance for volunteer registration and performance, issuance of volunteer certificates, etc.
2. Processed Personal Information Items
APIL processes the following personal information items.
Data subjects are not disadvantaged in any way regarding the use of the organization's services even if they do not consent to the optional items.
1) Membership Registration and Management
1-1) Individual Donors
– Required Items: Name, date of birth, mobile phone number, and if under 14 years or age, name and contact information of the legal representative
– Optional Items: Email, address, registration channel, areas of interest
1-2) Sole Proprietor Donors
– Required Items: Sole proprietorship name, mobile phone number
– Optional Items: Email, address, representative name, contact person name, registration channel, areas of interest
1-3) Regular Members
– Required Items: Name, date of birth, mobile phone number, email
2) Donation (Regular Membership Fees) Management and Issuance of Donation Receipts
2-1) Automatic Transfer (CMS)
– Required Items: Financial institution name, account number, account holder name, account holder's date of birth (first six digits of resident registration number, first six digits of alien registration number, business registration number, etc.), payment amount, payment date, payment start month, payment cycle.
2-2) Credit Card (Debit Card, Virtual Account, Real-time Account Transfer, etc.)
– Required Items: Payment amount, withdrawal date, payment start month, payment cycle, card number, mobile phone number, items collected for payment outsourcing to NICE Information & Telecommunication Co., Ltd.
2-3) Issuance of Donation Receipts
– Required Items: Name (business name), resident registration number (business registration number), donation amount, donation date, donation code
– Optional Item: Address
3) Events/Campaigns
– Required Items: Items required based on the purpose of the event/campaign (name, date of birth, address, etc.); [for labor cost payments] name, resident registration number, address, income amount, account information, payment date
– Optional Items: Contact information (email or mobile phone number), opinions on the event/campaign
4) Newsletter Subscription
– Required Items: Name, contact information (email or mobile phone number)
– Optional Items: Registration channel, areas of interest
5) Consultation and Grievance Handling
– Required Items: Basic information related to consultation and grievances (name, contact information, etc.), sensitive information necessary for consultation such as ideology/beliefs, political opinions, health, sexual life, and information on race or ethnicity
6) Volunteers
– Required Items: Name, email, mobile phone number, volunteer period, occupation and affiliation, applied area of volunteer
– Optional Items: Translation/interpretation experience, language skills, preferred volunteer task, motivation for volunteer application
7) The following personal information items may be automatically generated and collected during the use of internet services:
– Required Items: IP address, cookies, MAC address, service usage records, visit records, improper usage records, etc.
3. Processing and Retention Period of Personal Information
1) APIL processes and retains personal information within the retention/use period as prescribed by law or within the period agreed upon by the data subject at the time of collection.
2) The processing and retention periods for each type of personal information are as follows:
2-1) Membership (Donor and Regular Member) Registration and Management: Within 5 working days upon membership withdrawal. However, in the case of donors, information is retained for 10 years for the issuance of donation receipts.
2-2) Donation Management and Receipt Issuance: Prepared in accordance with Article 160-3 of the Income Tax Act; retained for 5 years from the date of issuance (not applicable when issuing electronic donation receipts)
2-3) Events/Campaigns: Within 5 working days after the event period ends. For events conducted with external organizations, the retention period follows the partner organizations’ requirement. [For personnel expense payments] Related supporting documents are retained for 10 years from the end date of payment
2-4) Organizational Promotion: Within 5 working days upon receiving an opt-out request
2-5) Consultation and Grievance Handling: Content related to consultation and grievances is retained semi-permanently for future legal issues
4. Destruction of Personal Information
1) APIL destroys the personal information within 5 working days when the personal information becomes unnecessary due to the expiration of the retention period or the achievement of the processing purpose.
2) In cases where the retention period agreed upon with the data subject has expired or the processing purpose has been achieved, yet personal information must still be retained under other laws, such information will be preserved by transferring it to a separate database or storing it in a different location.
3) The procedure and method for the destruction of personal information are as follows:
3-1) Destruction Procedure
Personal information to be destroyed is selected and, upon approval by the personal information protection officer, it is destroyed
3-2) Destruction Method
Personal information recorded and stored in electronic file format is destroyed in a manner that prevents its reproduction. Personal information recorded and stored on paper documents is destroyed by using a shredder
5. Provision of Personal Information to Third Parties
1) APIL processes data subjects' personal information only within the scope specified for the purpose of processing personal information, and provides personal information to a third party only in cases falling under Articles 17 and 18 of the Personal Information Protection Act, such as with the data subject's consent or under special legal provisions; otherwise, personal information is not provided to third parties.
2) However, personal information is provided to third parties with the minimum items necessary for the purpose, only under the following legal grounds or with the data subject's consent:
2-1) When a member/donor requests issuance of a donation receipt for year-end tax adjustment:
– Recipient of Personal Information: National Tax Service
– Purpose of Use by Recipient: Issuance of donation receipts and tax deduction
– Personal Information Items Provided: Name, resident registration number, address, donation amount, donation date, donation code
– Retention/Use Period by Recipient: 10 years
2-2) When paying project personnel costs net of withholding tax:
– Recipient of Personal Information: National Tax Service (Income Tax), Seoul Metropolitan Government (Local Tax)
– Purpose of Use by Recipient: Imposition of income tax (Article 164 of the Income Tax Act), Imposition of local tax (Full text of the Local Tax Act)
– Personal Information Items Provided: Name, resident registration number, address, income amount, payment date
– Retention/Use Period by Recipient: Permanent (Income Tax), Semi-permanent (Local Tax)
6. Outsourcing of Personal Information Processing
1) APIL outsources personal information processing tasks as follows for smooth handling of personal information operations:
1-1) Automatic Transfer (CMS) Processing
– Outsourced Party (Recipient): Korea Financial Telecommunications and Clearings Institute
– Content of Outsourced Tasks: Approval and settlement of withdrawal transfers
– Personal Information Items Transferred: Financial institution name, account number, account holder name, account holder's date of birth (first six digits of resident registration number, first six digits of alien registration number, business registration number, etc.), payment amount, payment date, payment cycle
– Retention/Use Period by Recipient: Until the termination of the outsourcing contract
1-2) Card Payment Processing
– Outsourced to (Recipient): NICE Payments Co., Ltd.
– Content of Outsourced Tasks: Payment and settlement of card payments
– Personal Information Items Transferred: Name, payment amount, payment details entered by type (credit card, real-time account transfer, etc.)
– Retention/Use Period by Recipient: Until the termination of the outsourcing contract
1-3) Membership Management System Operation
– Outsourced to (Recipient): Human Software Co., Ltd.
– Content of Outsourced Tasks: Management of member database and membership fee payment, sending text messages and emails
– Personal Information Items Transferred: Member personal information items (referring to items 2, Sub-items 1 and 2)
– Retention/Use Period by Recipient: Until the termination of the outsourcing contract
1-4) Newsletter Distritubtion
– Outsourced to (Recipient): Stibee Co., Ltd.
– Content of Outsourced Tasks: Distribution of newsletters and various news updates
– Personal Information Items Transferred: Name, email, mobile phone number, areas of interest
– Retention/Use Period by Recipient: Until the termination of the outsourcing contract
2) APIL, upon concluding an outsourcing contract, stipulates in the Personal Information Outsourcing Contract Pledge or other relevant documents, pursuant to Article 26 of the Personal Information Protection Act, matters concerning the prohibition of processing personal information for purposes other than the outsourced tasks, technical and administrative protective measures, restrictions on re-outsourcing, management and supervision of the recipient, and liability for damages, and supervises the recipient to ensure the safe processing of personal information.
3) Should the content of the outsourced task or the recipient change, APIL shall disclose the changes through this Privacy Policy without delay.
7. Rights and Obligations of Data Subjects and Legal Representatives, and Method of Exercise
1) Data subjects can exercise their rights to access, rectify, erase, or request suspension of processing of their personal information at any time.
2) Rights can be exercised through written form, email, telephone, or facsimile (FAX) in accordance with Article 41 (1) of the Enforcement Decree of the Personal Information Protection Act. Requests for exercising rights will be handled by the responsible person for receiving/processing personal information access requests (Refer to Item 11) within 10 days of receipt.
3) Rights can also be exercised through a legal representative of the data subject or a person who has been delegated the authority. In this case, a power of attorney equivalent to Form No. 11 of the Personal Information Processing Method Notification (No. 2020-7) must be submitted.
4) Requests for access and suspension of processing of personal information may be restricted under Article 35(4) and Article 37(2) of the Personal Information Protection Act.
5) Erasure of personal information cannot be requested if that information is explicitly mandated for collection by other laws.
6) APIL confirms whether the person making the request for access, rectification, erasure, or suspension of processing is the data subject themselves or a legitimate representative.
7) Requests for membership information inquiry/change, membership cancellation/withdrawal, or withdrawal of consent can be processed directly by clicking 'Edit Member Information' on the website, or by submitting a request in a free format via written document, phone, email, or facsimile (FAX) to the department responsible for receiving and processing personal information access requests (Refer to Item 11).
***
## 8. Measures to Ensure Safety of Personal Information
APIL takes the following measures to ensure the safety of personal information:
1) Administrative Measures
– Minimization of personnel handling personal information and designation of dedicated personnel.
– Regular employee training.
2) Technical Measures
– Management of access rights to personal information processing systems.
– Encryption of personal information.
– Installation and update of security programs.
3) Physical Measures
– Online management of data storage, not in physical locations.
***
## 9. Matters Concerning Installation, Operation, and Refusal of Automatic Personal Information Collection Devices
1) APIL uses 'cookies' to store and retrieve usage information periodically to provide customized services to users. A cookie is a small piece of information that the server (http) used to operate the website sends to the user's computer browser, and it may be stored on the users' devices (PC, smartphone, etc.).
1-1) Purpose of Cookie Use: Used to provide optimized information to users by identifying their visit and usage patterns for each service and website, popular search terms, and security connection status.
1-2) Refusing to store cookies may cause difficulties in using customized services.
1-3) Users can individually set how much they allow or refuse cookies and tracking devices in their web browser. Since these settings may be continuously updated, please refer to the information provided by each browser.
* [Chrome Link]
* [Firefox Link]
* [Edge Link]
* [Safari Link]
2) APIL automatically collects the access and usage records (user's IP address, referrer, device, and browser information) of website visitors for the purpose of website management and improvement.
3) APIL uses analytics services from Google (Analytics) and Meta (Pixel) located abroad for website visitor statistics and analysis. When a user visits the website, user identifiers and behavioral information (visit history, search history, etc.) are automatically generated and collected, immediately provided to Google and Meta, and used for their customized advertising.
***
## 10. Processing of Pseudonymized Information
APIL processes personal information using pseudonymization for the following purposes:
– Purpose of Pseudonymized Information Processing: Fact-finding survey for human rights promotion.
– Personal Information Items Pseudonymized: Minimum necessary personal information for the fact-finding survey.
– Processing and Retention Period of Pseudonymized Information: Within 5 working days after the survey response.
– Provision of Pseudonymized Information to Third Parties: Fact-finding organizations.
– Outsourcing of Pseudonymized Information Processing: None.
– Compliance with safety measures for pseudonymized information as per Article 28-4 of the Act.
***
## 11. Chief Privacy Officer (CPO)
1) APIL designates a Chief Privacy Officer (CPO) as follows to oversee personal information processing operations and handle data subjects' complaints and relief for damages related to personal information processing:
1-1) Chief Privacy Officer (CPO)
– Name: Lee Il
– Title: Representative
– Phone: 02-3478-0529
– Email: info@apil.or.kr
– Fax: 02-3478-0527
1-2) Person in Charge of Receiving and Processing Personal Information Access Requests
– Name: Yoon Ina
– Title: Operations Team Manager
– Phone: 02-3478-0529
– Email: give@apil.or.kr
– Fax: 02-3478-0527
1-3) Person in Charge of Member Information Management
– Name: Yoon Ina
– Title: Operations Team Manager
– Phone: 02-3478-0529
– Email: give@apil.or.kr
– Fax: 02-3478-0527
2) Data subjects can contact the CPO regarding all inquiries, complaints, and relief for damages related to personal information protection that arise while using APIL's services (or business). APIL will respond to and process the data subject's inquiries within 10 days.
***
## 12. Methods for Remedying Infringement of Rights
1) Data subjects may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency's Personal Information Infringement Report Center, etc., to seek relief from personal information infringement. For other reports or consultations regarding personal information infringement, please contact the following organizations:
1-1) Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
1-2) Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)
1-3) Supreme Prosecutors' Office: 1301 (www.spo.go.kr)
1-4) Korean National Police Agency: 182 (ecrm.cyber.go.kr)
2) APIL strives to guarantee the data subject's right to self-determination regarding personal information and provide consultation and relief for damages caused by personal information infringement. If reporting or consultation is needed, please contact the person in charge below:
* Personal Information Protection Consultation and Report
* Person in Charge: Yoon Ina
* Phone: 02-3478-0529
* Email: give@apil.or.kr
* Fax: 02-3478-0527
***
## 13. Changes to the Privacy Policy
1) This Privacy Policy will be applied starting from November 5, 2024.
2) Previous versions of the Privacy Policy can be checked below:
– Applied from 2022.09.01 to 2024.11.04