Personal information processing purpose

1. ① The NLK processes personal information for the following purpose, personal information processed is not used for uses other than the following purposes and if use purpose is changed, in accordance with the Personal Information Protection Act Article 18, necessary measures will be implemented including getting a separate consent.
2. ② The purpose of personal information processing that the NLK registers & discloses in accordance with the 「Personal Information Protection Act」 Article 32 is as the following. [Current status of personal information files]
3. ③ The purpose of personal information file processing is also available at the Personal Information Protection Commission Personal Information Protection Portal(www.privacy.go.kr) → Civil compaints → Request for access to personal information, etc. → Search personal information file catalogue → enter “National Library of Korea” for the institution name

Personal information processing and retention period

1. ① The personal information processed at the NLK is processed and retained in accordance with the legislation or within the personal retention and use period agreed with when collecting personal information from the information subject.
2. ② The personal information processing and retention period can be viewed at [Current status of personal information files] of the policy Article 1 Paragraph

Personal information items that are processed

1. ① The personal information items that are processed at the NLK are minimal personal information items decided in accordance with the library’s work and law and when collecting personal information after getting consent from the data subject, personal information is collected by informing specifically the fact that the person may not agree with collecting personal information other than the minimal information needed.
2. ② The personal information items processed at the NLK can be viewed in the policy Article 1 Paragraph ② ‘Current status of personal information files’.

Personal information impact assessment results

1. ① To investigate, analyze and assess the impact of the personal information processing system run by the NLK on the data subject‘s personal information file, in accordance with the 「Personal Information Protection Act」 Article 33, the NLK receives the “Personal information impact assessment”.
2. ② The NLK conducted impact assessment on the following personal information files.

   개인정보파일 영향평가 수행 표 - 개인정보파일 명, 수집 항목, 영향평가 수행연도로 구성됨

   Personal information file name	Collected items	The year impact assessment was conducted
   ISNI registrant information	name, e-mail etc.	2020
   Information on applicants who requested for changing National authority·ISNI	name, e-mail etc.
   National authority data	name, e-mail, birth and death dates etc.
   Information on applicants for movie watching	name, cell phone number etc.
   Donor list	name, cell phone number etc.
   List of people for redonation	name, cell phone number etc.
   Community service applicant list	name, birth date, cell phone number etc.
   Research information service seminar room applicant	name, cell phone number, e-mail etc.
   Research information service applicant	name, cell phone number, e-mail etc.
   List of applicants for mail copy service	name, cell phone number, 배송지 etc.
   NLK member information	name, birth date, address, cell phone number etc.
   Library One Service user information	name, birth date etc.
   Wedding hall rental applicant list	name, address, cell phone number etc.
   Library One Service user information	name, birth date etc.	2021

Provision of personal information to a third party

1. ① The NLK processes personal information of the data subject within the scope stipulated in Article 1(Purpose of personal information processing) and personal information is provided to a third party only in accordance with the data subject’s consent, special regulation etc., Personal Information Protection Act, Article 17 and 18.
2. ② he NLK provides personal information to a third party as the following. [Personal information provision status]

Commission of personal information processing

1. ① For smooth personal information processing, the NLK commissions personal information processing work as the following.
2. ② The current status of commissioning personal information processing work at the NLK is as the following. [Personal information processing commission status]]
3. ③ In accordance with the Article 26 of the Personal Information Protection Act, when signing a consignment contract, the NLK stipulates responsibilities such as prohibiting the processing of personal information for other than the purpose of consignment, technical and administrative protection measures, re-consignment restrictions, management and supervision of the trustee and supervises whether the trustee handles personal information safely.
4. ④ If the details of the consignment work or the trustee changes, the NLK will disclose through this personal information processing policy without delay.

Procedures for destroying personal information and destruction methods

1. ① The NLK will destroy the personal information without delay if the retention period of the personal information has expired or the purpose of processing has been achieved.
2. ② If the retention period of personal information the data subject agreed with has expired or the purpose of processing has been achieved but the personal information still needs to be preserved according to other laws, the personal information is transferred to a separate database (DB) or stored in a different place.
3. ③ The procedures and methods of destroying personal information are as follows.
   1. 1. Destruction procedure
      1. 1) The NLK establishes a plan to destroy unnecessary personal information.
      2. 2) The NLK selects personal information with reason for destruction, and destroys personal information by getting the approval from the library's personal information protection officer.
   2. 2. How to destroy
      1. 1) The NLK uses a technical method that does not allow reproducing records of personal information recorded and stored in the form of electronic files.
      2. 2) Personal information recorded and stored in paper documents is destroyed by crushing with a shredder or incineration.

Matters concerning the rights and obligations of the data subject and legal representative and how to exercise them

1. ① The data subject may exercise the right to view, correct, delete, or suspend processing of personal information at any time. [Download Personal Information Access Request]
※ Requests for access to personal information on children under age 14 must be directly made by a legal representative, and for a data subject who is a minor over age 14, the person may exercise their rights regarding the personal information of the data subject his or herself or through a legal representative.
2. ② The exercise of rights under paragraph (1) may be done through written document, e-mail, or fax in accordance with the attached Form 8 of the Personal Information Protection Committee (Personal Information Protection Committee Notice No. 2020-7), and the NLK will take action without delay.
3. ③ The exercise of rights under paragraph (1) may be done through an agent, such as a legal representative of the data subject or a person who has been delegated. In such cases, the power of attorney in accordance with attached Form 11 of the "Notification on how to process personal information (No. 2020-7)" has to be submitted. [Download power of attorney]
4. ④ For requesting the suspension of reading and processing of personal information, the right of the data subject may be restricted in accordance with Articles 35 (4) and 37 (2) of the Personal Information Protection Act.
5. ⑤ A request for correction and deletion of personal information cannot be made if the personal information is specified as the subject of collection in other laws and regulations.
6. ⑥ If there is request for viewing, correction, deletion, suspension of processing according to the data subject's rights, the NLK checks whether the person who requested access etc. is the data subject or a legitimate agent.
7. ⑦ A person who has been infringed upon his/her rights or interests due to a disposition or omission made by the head of a public institution on a request for viewing, correction, deletion may request an administrative trial as prescribed by the Administrative Trial Act (Article 3).
※ Refer to the phone number guide of the Central Administrative Appeals Commission (www.simpan.go.kr)

Matters concerning measures to ensure the safety of personal information

1. ① The NLK is taking the following measures to ensure the safety of personal information..
   1. 1. administrative measures
      1. 1) Establishment and implementation of an internal management plan for the safe processing of personal information
      2. 2) For staff handling personal information, minimum number of persons required is designated and managed
      3. 3) Conduct education on personal information protection for personal information handlers on a regular basis
   2. 2. Technical measures
      1. 1) Management of access rights for personal information processing systems, etc
      2. 2) Controlling unauthorized access from outside by installing an access control system such as an intrusion prevention system
      3. 3) Encryption technology is applied when storing and transmitting important data such as unique identifiers
      4. 4) Keeping and managing records (account, date and time of access, destination information, information on the subject of the processed information and performed tasks) of access to the personal information processing system for at least one or two years
      5. 5) Using security features to prevent forgery, theft and loss of access records
      6. 6) Installation of security programs to prevent leakage and damage of personal information, such as hacking and computer viruses, and periodic updates and inspections
   3. 3. Physical measures
      1. 1) Establishment and operation of access control procedures for restricted access areas such as computer rooms and data storage rooms
      2. 2) Physical measures, such as the provision of storage facilities or installation of locks, for the safe storage of personal information

Matters concerning the installation and operation of devices that automatically collect personal information and the refusal of it

1. ① In order to provide individually customized services to users, the NLK uses "cookies" that store and frequently import usage information.
2. ② Cookies are small amounts of information sent by the server (http) used to run the website to the user's computer browser and are also stored on hard disks in the user's PC computer.
   1. 1. The purpose of using cookies: It is used to provide optimized information to users by identifying the visit and use of each service and website visited by the user, popular search words, secure connection etc.
   2. 2. Installation, operation and rejection of cookies: You can reject saving cookies through the tool at the top of the web browser → Internet options → Options on the personal information menu
   3. 3. If you refuse to save cookies, you may have difficulty using customized services.

Matters concerning the processing of pseudonym information

1. ① The NLK handles personal information collected for statistical preparation, scientific research, and public interest record preservation under a pseudonym so that a specific individual cannot be identified and processed as follows.
2. ② Matters concerning the processing of pseudonym information

   가명정보의 처리에 관한 사항 - 구분, 처리목적, 처리항목, 보유 및 이용기간으로 구성됨

   Class	Processing purpose	Processed items	Retention and use period
   Collection of big data from libraries in Korea	‘Creating statistics’ for reading culture promotion of the public	Member and borrowing data of libraries in Korea (gender, birth year, region, libraries signed up, member history, borrowing information)	Until completion of statistics analysis

3. ③ Matters concerning the commission of the processing of pseudonym information

   가명정보 처리의 위탁에 관한 사항 - 위탁받는 자(수탁자), 위탁업무, 보유 및 이용기간으로 구성됨

   Assignee	Commissioned work	Retention and use period
   Argonet	Analyzing borrowings of members of libraries in Korea	Until completion of statistics analysis

4. ④ Destruction of pseudonym information
   When there is risk of re-identification of pseudonym information, the processing of pseudonyms is immediately stopped and destroyed without delay.
5. ⑤ Matters concerning measures to ensure the safety of pseudonym information
   In accordance with Article 28-4 of the Personal Information Protection Act (Obligation to take safety measures against false name information etc.), various security devices are prepared as administrative, technical and physical measures to ensure the safety of false name information as follows.
   1. 1. 1) Management measures: Establishment and implementation of an internal management plan, regular employee training, preparation, storage and disclosure of pseudonym information
      2. 2) Technical measures: Management of access rights of personal information processing systems etc., installation of access control systems, encryption of unique identification information, installation of security programs, separate storage of additional information
      3. 3) Physical measures: Restricting access to computer rooms, data storage rooms etc.

Matters concerning the person in charge of personal information protection

1. ① The NLK is in charge of handling personal information, and designates the person in charge of personal information protection and personal information protection officers as the following to deal with complaints and remedy damages of data subjects related to personal information processing. Contact information of the person in charge of personal information protection and the personal information protection officer

   개인정보보호책임자 및 담당자 연락처 - 구분, 부서, 이름, 연락처로 구성됨

   Class	Division	Name	Contact
   Person in charge of personal information protection	Information Technology Division	Kim Kyung-young	Phone : 02-590-0569 email : hyewonii@korea.kr@korea.kr fax no : 02-590-0577
   Personal information protection officer	Information Technology Division	Kim Hye-won

2. ② The data subject may contact the person in charge of personal information protection and the division in charge of personal information protection regarding all personal information protection inquiries, complaints, damage relief etc. that occurred while using the services of the NLK. The library will respond and process the data subject's inquiries without delay.

Department that receives and processes requests for access to personal information

1. ① The data subject may make request to the following departments to view personal information under Article 35 of the Personal Information Protection Act. (Children under age 14 can obtain consent from their legal representative)
2. ② The departments that receive and process requests for access to personal information in the NLK are as the following  [Receiving a request for access to personal information]

Remedies for infringement of rights and interests of data subjects

1. ① To receive relief from personal information infringement, the data subject may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee and the Personal Information Infringement Reporting Center of the Korea Internet & Security Agency.
   1. 1. Personal Information Dispute Mediation Committee: (without country code) 1833-6972 (www.kopico.go.kr)
   2. 2. Personal Information Infringement Reporting Center: (without country code) 118 (privacy.kisa.or.kr)
   3. 3.Supreme Prosecutors' Office: (Without National Code) 1301 (www.spo.go.kr)
   4. 4. National Police Agency: 182 (cyberbureau.police.go.kr)
2. ② A person who has been infringed on rights or interests due to a disposition or omission made by the head of a public institution upon a request under Articles 35 (Viewing personal information), 36 (Correction and deletion of personal information), and 37 (suspension of processing of personal information) of the Personal Information Protection Act may request an administrative trial as prescribed by the Administrative Trial Act.
   ※ For more information on administrative trials, please refer to the website of the Central Administrative Appeals Commission (www.simpan.go.kr).

Additional use & provision criteria

1. ① The NLK can additionally use & provide personal information without the information subject’s consent in accordance with the Personal Information Protection Act Article 15 paragraph 3 and Article 17 paragraph 4, considering the Personal Information Protection Act enforcement ordinance Article 14-2.
2. ② The NLK considered the following matters to additionally use & provide personal information without the information subject’s consent.
   1. 1. Whether the purpose of additionally using & providing personal information is related with the initial purpose of collecting the information.
   2. 2. Whether there is predictability for additional use & provision in light of the situation of collecting the personal information or processing practice.
   3. 3. Whether additional use & provision of the personal information unfairly infringes upon the information subject’s interest.
   4. 4. Whether measures needed to secure safety were taken including the pseudonymization procedure or encoding etc.
   ※ The criteria for additional use & provision is created & disclosed through the NLK’s autonomous decision making.

Changes in the personal information processing policy

The personal information processing policy is applied starting from November 16 2023.