Espoir’s Personal Information Protection and Privacy Policy (Global)
- Espoir Co., Ltd. (“The company” hereinafter) values the personal information and privacy of the users of its Internet site (HTTP://WWW.ESPOIR.COM, or HTTP://WWW.ESPOIRSHOP.CO.KR) service and its off-line shops very highly, and duly does its utmost to protect their personal information and privacy.
- The company protects the users’ personal information by adhering to its own policy on user privacy and personal information handling as well as the relevant statutes, including the Personal Information Protection Act and the Act on Promotion of Information And Communications Network Utilization And Information Protection, etc. In addition, the company ensures that the users are able to read its privacy policy easily by displaying it on the first page of its website.
- The privacy policy may be modified based on amendments to the relevant statutes or public notices, and the company shall publish any amendments to its privacy policy on its website immediately upon the amendment thereof.
- The company’s policy on user privacy and the protection of personal information shall include the following provisions:
- Article 1 Consent to and methods of collection of personal information
- Article 2 Items of personal information to be collected, and purposes of collection and use
- Article 3 Provision of personal information
- Article 4 Entrustment of personal information processing
- Article 5 Period of retention and use of personal information, destruction procedure and methods
- Article 6 Departments responsible for performing services related to personal information protection and the handling of complaints
- Article 7 Collection of personal information using devices for the automatic collection of personal information
- Article 8 Review, correction etc. of personal information
- Article 9 Withdrawal of consent to the collection, use, and provision of personal information
- Article 10 Administrative, technical and physical measures for protecting personal information
- Article 11 Rights of users and their legal agents, and methods of exercising such rights
- Article 12 Obligation to publish amendments to the privacy policy
- Article 1 Consent to and methods of collection of personal information
- (1) The company may operate its brand sites (HTTP://WWW.ESPOIR.COM and HTTP://WWW.ESPOIRSHOP.CO.KR) in an integrated manner so as to allow users to access them by logging in using one ID and one password. The company shall publicly inform new users of the integrated operation when they newly subscribe to the membership, and shall only provide the service to those who consent to the privacy policy.
- (2) “Members” shall refer to persons who have been registered as a member of the service upon providing the company with their personal information.
- (3) “Non-members” shall refer to persons who use the services provided by the company without subscribing to the membership, including the company’s website.
- (4) The users shall consent to the company’s collection of their personal information online and offline by expressing their agreement based on the company’s policy on privacy and personal information protection. Upon checking Agree, the users shall be regarded as having consented to the collection of their personal information.
- Article 2 Items of personal information to be collected, and purposes of collection and use
- (1) The company collects the minimum amount of personal information required to provide its service when a person subscribes to the membership. However, the company requests users to enter additional items of personal information selectively in order to provide them with customized services. Their access to the service will not be restricted in the event of failure to enter these optional items.
- (2) The company shall not collect sensitive items of personal information that may infringe the basic human rights of the users without the separate consent thereof, including but not limited to information related to their ideas, creed, participation in or withdrawal from labor unions or political parties, political views, health, sexual orientation, medical history, religion, place of birth, or criminal record.
- (3) The company collects the following items of personal information at the time of the user’s subscription to the membership for the following main purposes:

| Classification | Items collected | Collection path: Website | Collection path: All stores | Purposes of collection or use | Use or retention period |
|---|---|---|---|---|---|
| Essential items | Name in full, customer identification (CI) value | O | X | Used for the user identification procedure prior to use of the service, verification of age of membership subscribers, prevention of unauthorized or illegitimate use by delinquent or fraudulent users. | Until withdrawal of membership (See Article 5) |
| Essential items | ID and PW | O | X | Same as above | Same as above |
| Essential items | E-mail address, whether to receive e-mail messages | O | X | When consented, provide information or messages related to new services, new products and new offers, and deliver gift items or products | Same as above |
| Essential items | Whether to receive information (DM/SMS/MMS) | O | X | Same as above | Same as above |
| Essential items | Particulars of purchases, points accumulated or used | O | O | Basic information required to manage the services in connection with members’ use of the services and purchase of goods from the company. | Same as above |
| Optional items | Address, wire phone number | O | X | Additional communication channels secured to deliver notices, check users’ intentions, or settle complaints. When consented, provide information or messages related to new services, new products and new offers, and deliver gift items or products | Same as above |
| Optional items | Date of birth (solar/lunar calendar distinguished), skin type | O | O | Basic information required to provide individually customized services, including the provision of solutions based on skin types. | Same as above |

- (4) The IP address, cookies, login time and date, service use records, illegitimate use records, etc. may be collected by automatic generation in the process of online service use or business processing.
- (5) Information concerning the user’s devices (operating system, date installed, etc.) may be collected when the service is used online (including mobile service) to authenticate the user, provide the service or prevent its illegitimate use. In the case of mobile services, the mobile phone service operator data may be additionally collected or used in order to provide the service based on the nature of mobile services, including the provision of a push service (limited to cases where consented by the customers) and the upgrading of apps.
- (6) When purchasing products or services from the company, the user may be required to enter the following additional information in order to effect payment for or delivery of products or obtain a refund:
* Depending on the payment method:
- Card payment: Minimum information for payment, including the type of credit card, card number, and validity.
- Wire transfer: Bank name, account number, and name of payer.
* Information required for the delivery of products, including the name, address, phone number or other contact address of the sender and the recipient of the products.
- (7) The company shall collect personal information other than those items collected for membership subscription on the website or at stores in the following cases by obtaining the user’s consent after specifying the purpose of collection:
* Response to queries: Personal information required to reply to user queries or to handle user requests.
* At the time of customer counseling: Personal information required to prepare and archive customer cards for customer counseling and dispute settlement.
* Questionnaire survey or gift events: Personal information entered optionally for statistical analysis or the provision of gift items.
* Selection of monitoring agents or prosumers: Application forms for appointment as monitoring agent or prosumer.
- (8) The company collects and uses the users’ personal information for such purposes as user authentication, delivery of gift items, and marketing data for statistical analysis in order to provide the optimum service tailored to the users’ tastes. The company does not use the personal information for purposes other than the purposes informed to the users in advance or disclose it to any outside [third] parties unless consented to by the user in advance or as provided under the relevant statutes.
- (9) The users may refuse to give their consent to the collection or use of their personal information. However, the user may not be able to use the service if he or she refuses to consent to the collection or use of essential information. When the user refuses to consent to the collection or use of optional information, membership may be subscribed but the provision of services and benefits requiring the user’s consent to provide optional information may be restricted.
- Article 3 Provision of personal information
- (1) The company shall not use the user’s personal information or disclose it to any third parties in excess of the extent notified under Article 2 unless otherwise consented to by the user in advance or provided under the relevant statutes. However, the user’s personal information may be provided to third parties in the following cases without the user’s consent:
1. When it is required to settle the service rates;
2. When the provision of personal information is required for statistical purposes, academic research or market surveys, and the information is provided to research organizations or to questionnaire survey or research agencies after being processed into formats that make it impossible to identify specific individuals; or
3. When otherwise provided under the relevant statutes, including the Personal Information Protection Act, the Act on the Promotion of Information And Communications Network Utilization And Information Protection, etc., the Protection of Communication Secrets Act, the Framework Act on National Taxes, the Act on Real-Name Financial Transactions and Confidentiality, the Credit Information Use and Protection Act, the Framework Act on Telecommunications, the Telecommunications Business Act, Local Tax Act, the Consumer Protection Act, and the Criminal Procedure Act.
- (2) The users may refuse to consent to the provision of their personal information to third parties. However, if they refuse to consent to the provision of their personal information to third parties, their use of the service may be restricted.
- (3) When the company provides personal information to any third parties located overseas, it shall inform the users of the details thereof to obtain their consent.
- Article 4 Entrustment of personal information processing
- (1) The company outsources the management of the user’s personal information to outside specialized companies in order to enhance its service through smooth computer processing.
- (2) When the management of the users’ personal information is outsourced, the company still controls and supervises the outsourced services in order to protect the users’ information by ensuring that the service providers strictly follow its instructions related to the protection of personal information, maintain the confidentiality of personal information, and are prohibited from providing the personal information to any third parties without obtaining the users’ consent in advance.
- (3) The company outsources the duties to the following subcontractors:

| Subcontractors outsourced with processing duties | Details of duties outsourced |
|---|---|
| IBM Korea | Management and computerized processing of personal information |
| Amore Pacific Co., Ltd., Zeniel Co., Ltd. | Recruitment of members, management of members’ information, query, accumulation and use of points, organization of various events and promotions and provision of related information, customer counseling service |
| KR Partners Co., Ltd | Payment and billing service, including credit card payments, wire transfer, payment by mobile phone, real-time account transfer, and payment with points |
| ePOST, DHL International GmbH | Delivery of products and gift items |
| CJ Olive Networks Co., Ltd., LGU+ Co., Ltd. | Transmission of SMS, MMS, and other text messages |
| Smart Logis Co., Ltd | Delivery service on behalf of Espoir |

- (4) The personal information entrusted to Amore Pacific shall be limited to those users who join the Beauty Points Integrated Membership.
- Article 5 Period of retention and use of personal information, destruction procedure and methods
- (1) The company shall retain and use the users’ personal information continuously to provide the services for as long as the users wish to continue using the services provided by the company. The users’ personal information registered on the company’s computers may not be printed out in the form of a document unless otherwise approved by the employee or manager responsible for the control of personal information.
- (2) The company shall take immediate action in the event that a user desires to have their personal information deleted or to withdraw from the membership. The information shall be deleted completely from the disks by methods that disable the retrieval or reconstitution of the records for future review or use.
- (3) The company shall destroy files or records containing the user’s personal information by deleting them from the disks or shredding printed materials based on the company’s internal procedure for the destruction thereof when the purpose of the company’s collection or provision of personal information has been accomplished or when any of the following arises:
* In the case of information provided for membership subscription: When the user withdraws or is removed from the membership.
* In the case of information for payment: Upon expiry of the full payment date or extinctive prescription of claims.
* In the case of information for delivery: When the products or service are delivered or provided.
* When information is collected for questionnaire surveys or events: When the questionnaire survey or event is over.
- (4) The company may retain the users’ personal information for a given period as specified below when it is necessary to archive the information pursuant to the Commercial Act, the Act on Consumer Protection in Electronic Commerce, the Framework Act on National Taxes, or other statutes even when the purpose of its collection or provision has been accomplished.
* Records concerning cancellation of the contract or subscription: 5 years
* Records concerning payment or supply of products etc.: 5 years
* Records concerning consumers’ complaints or handling of disputes: 3 years
* Records concerning visits to the website: 3 months
- Article 6 Departments responsible for performing services related to personal information protection and the handling of complaints
- (1) The company shall designate departments to manage the functions for protecting the users’ personal information and the handling of complaints related to their personal information. Further, the company shall appoint personal information protection managers and representatives to promptly handle queries and complaints related to the users’ personal information.
[Personal information protection manager]
Name in full: Seong-hee Kim, team leader
Organization: Business Strategy Team
[Personal information protection department]
Department responsible: Business Strategy Team, Espoir Co., Ltd.
Phone No.: 080-619-8888, 02-6020-2699 (09:00~18:00 weekdays, exclusive of holidays)
Email: espoirmall@espoir.com
Fax: 02-6020-2700
- (2) The users may contact the organizations listed below or the company’s department responsible for personal information protection under paragraph 1 in the event that they require counseling because their personal information has been or is suspected of having been infringed:
- Personal Information Infringement Notification Center, Korea Internet & Security Agency (KISA) (privacy.kisa.or.kr/02-405-5118)
- Information protection mark certification committee (www.eprivacy.or.kr/02-580-0533~4)
- Online Public Service Center, Supreme Prosecutor's Office (www.spo.go.kr/minwon/02-3480-2000)
- National Police Agency Cyber Terror Response Center (www.ctrc.go.kr/1566-0112)
- Article 7 Collection of personal information using devices for the automatic collection of personal information
- (1) The company may use cookies that save or locate the user information as required (devices for the automatic collection of personal information, including files containing records of access to the Internet). Cookies contain a small amount of information that the servers used to operate the company’s website transmit to the user’s browser (Netscape, Internet Explorer etc.), and are sometimes stored on the user’s computer hard disc. The company’s computer allows the users to use its service without entering their name in full or other additional information, as the company’s computer may locate some additional information concerning the users saved on their computer by reading the contents of the cookie on their browser. The cookies do not identify the users individually but they do identify the user’s computer.
- (2) The company uses cookies to provide the service support or reorganization required to operate its sites, to analyze frequency of access and visit duration by members and non-members, and to survey their number of visits to the site.
- (3) The company also uses cookies to grant to users differentiated opportunities to participate in various events promoted by the company by gauging their participation frequency and number of visits, or to provide differentiated information according to their areas of interest.
- (4) The users are given the option to permit or refuse the installation of cookies. Therefore, the users may either totally or partially permit the use of cookies or reject them completely by setting the options on their web browser.
1. Method of permitting or refusing cookie installation (in cases where Internet Explorer 6.0 is used):
a. Select [Internet option] after clicking [Tools] on the Task Bar on the Internet Explorer screen.
b. Click the [Personal Information] tab.
c. Set whether to allow cookies under [Level of Protection of Personal Information].
2. Method of viewing received cookies (in cases where Internet Explorer 6.0 is used):
a. Select [Internet option] after clicking [Tools] on the Task Bar on the Internet Explorer screen.
b. Select [Setting] for temporary Internet files on the Basic tab.
c. Select [View files].
- Article 8 Review, correction etc. of personal information
- (1) The users may request the review, correction, deletion, or suspension of the handling or processing of their personal information at any time by directly reviewing or correcting their personal information by clicking [Correction of Member Information] after logging on the company’s website, by requesting any of the member stores or those who have been entrusted to process their personal information, or by contacting the company’s personal information protection departments by phone, letter or e-mail. The company shall take the necessary actions upon the user’s request without delay.
- (2) When a user requests the correction of errors in his/her personal information, the company shall not use or provide the relevant personal information to any third party until it has been corrected. Further, when any incorrect personal information data have been processed, the company shall reflect the corrections without delay.
- (3) The review or correction of personal information may be restricted in the following cases:
1. When it is suspected that the rights or benefits of a third party have been damaged to a significant extent;
2. When it is feared to remarkably impede the company’s operations; or
3. When any statute is violated.
- Article 9 Withdrawal of consent to the collection, use, and provision of personal information
- (1) The users may withdraw their consent to the collection, use or provision of their personal information [to third parties] at any time. The users may withdraw their consent (from the membership) by logging on at the company’s website directly, by requesting a member store or any person entrusted to process personal information, or by contacting the department responsible for the personal information protection by letter, phone or e-mail. The company shall take the necessary action at the user’s request without delay, including withdrawal of the user from the membership and destruction of his/her personal information.
- (2) The company shall take all necessary actions to enable the users to withdraw their consent to the collection of their personal information (withdrawal of membership) more easily than the method of its collection.
- Article 10 Administrative, technical and physical measures for protecting personal information
- (1) The company shall develop and implement internal management plans for the safe processing of personal information, and shall also educate its personnel accordingly.
- (2) The company has introduced the following technical safety measures so as to ensure that the users’ personal information is not lost, stolen, leaked, tampered with, or damaged during the handling thereof.
- (3) The users’ personal information is maintained by an internal network to which access or intrusion by external networks is disabled. Important data are thoroughly protected using separate security functions including file and transmitted data encryption or a function for locking files.
- (4) The company takes every possible measure to keep the internal network secure from hacking or other intrusion attempts from the outside by using a firewall or installing an intrusion detection system on every server.
- (5) The company also prevents personal information from being infringed by installing vaccine programs that inspect and handle the intrusion of malicious programs, such as computer viruses or spyware, on the personal information processing systems or computing appliances used by those who handle personal information.
- (6) The company restricts its employees’ authority to access the users’ personal information to the minimum. It has developed an internal procedure for accessing and managing the personal information and installed access control and locking devices. It ensures that its employees familiarize themselves with the procedure and comply with it at all times.
- (7) The functions of those responsible for handling personal information are transferred or taken over thoroughly in a state where security is maintained. The company has clarified the accountability for incidents related to personal information after recruitment and/or retirement.
- (8) The users should maintain accurate information by personally checking or managing the personal information they provide to the company. They may not only be sanctioned by the company but also be subject to civil and criminal punishment if they use personal information belonging to another person or infringe the rights of others in the process of using the Internet site.
- (9) The company will not be held responsible for any problems caused by the user’s negligence or leakage of personal information because of a problem on the Internet, including their ID, password, and resident registration code. Therefore, each individual user shall adequately maintain his or her ID and password to protect his or her personal information, and shall take responsibility for any problem caused by their leakage. When any personal information is lost, leaked, tampered with, or damaged due to other mistakes by internal managers or technical mishap, however, the company shall inform the users immediately and take the appropriate countermeasures, including adequate compensation.
- Article 11 Rights of users and their legal agents, and methods of exercising such rights
- (1) The users and their legal agents may exercise their rights concerning the query, correction, or revision of their personal information or withdrawal of membership as the subject persons that have provided the company with such information or as the proxy.
- (2) To protect the personal information of children in particular, the company shall collect the personal information of minors below 14 years of age only upon obtaining the consent of their legal agent (parents and other guardians).
- (3) The users and their legal agents may exercise their rights in connection with their personal information by Internet, phone or writing, whereupon the company shall take all necessary actions without delay.
- Article 12 Obligation to publish amendments to the privacy policy
- This policy on privacy and personal information handling may be amended based on the relevant statutes, government policies or internal operational policies of the company or based on changes in security technologies. The company shall publish the reason for and details of any such amendment on the first page of its website without delay.