MEDIUM

MEDIUM CO., LTD. (“Company”) has created and published this Privacy Policy as set out below, for the purpose of protecting data subjects’ privacy in accordance with Article 30 of the Personal Information Protection Act, and of handling related grievances promptly and efficiently.

Article 1 [Purposes of Processing of Personal Information]

The Company processes personal information for the purposes provided herein. The personal information being processed will not be used for any purpose other than those described below, and any changes to this Privacy Policy will be made with the data subject’s consent, or with any such action taken as may be deemed necessary under Article 18 of the Personal Information Protection Act.

1. 1. Processing InquiriesPersonal information is processed for such purposes as verifying the identity of the inquirer, verifying the content of the inquiry, contacting or sending notice to the inquirer for a fact check, and answering the inquiry.
2. 2. HiringPersonal information is processed for hiring purposes.

Article 2 [Use and Retention Periods of Personal Information]

1. ① The Company processes and retains personal information during the retention and use periods prescribed by applicable laws, or during the retention and use periods agreed upon when said personal information was collected from the data subject.
2. ② The personal information will be used and retained until the inquiry in question has been verified, answered, and processed completely.
3. ③ An application submitted by a candidate will be retained from the date of collection until the final hiring decision is made

Article 3 [Rights, Duties and Exercise of Rights of Data Subject and Their Legal Representative]

1. ① Data subjects are entitled to exercise their rights at any time, including requesting access to, correction or deletion of, or refusal of use of their personal information.
2. ② The rights referred to in ① may be exercised in writing, electronically, or via fax, in accordance with paragraph 1 of Article 41 of the Enforcement Decree of the Personal Information Protection Act, and the Company will promptly take such steps as may be deemed necessary.
3. ③ The rights referred to in ① may be exercised by the data subject through their legal representative or otherwise duly authorized person, in which case a power of attorney must be provided in the form specified in Exhibit 11 of the Enforcement Rules of the Personal Information Protection Act.
4. ④ A request for access to or refusal of use of personal information may restrict the data subject’s rights in accordance with paragraph 5 of Article 35 and paragraph 2 of Article 37 of the Personal Information Protection Act.
5. ⑤ When a request for correction or deletion of personal information is made, a request for deletion cannot be made if said information is to be collected in accordance with other applicable laws.
6. ⑥ When the data subject makes a request for access to, correction or deletion of, and refusal of use by exercise of their rights, the Company shall determine if said request is made by the data subject himself/herself, or by their duly authorized representative.

Article 4 [Types of Personal Information Processed]

Below are the types of personal information processed by the Company:

1. 1. Processing inquiries-Required: Company name/department, name/job title, direct line, email address, inquiry
2. 2. Hiring-Required: Email address, mobile phone number, home address, home phone number, gender, date of birth, name, job title, department, company name, marital status, education, and any other information provided on the resume.

Article 5 [Destruction of Personal Information]

1. ① The Company destroys any personal information without delay when the purpose for which said information was collected is no longer being served because the retention period has expired, or because the purpose of processing has been fulfilled.
2. ② Should retaining said personal information be required by other applicable laws even though the retention period agreed upon by the data subject has expired or the purpose of processing has been fulfilled, said personal information shall be transferred to another database or kept in a separate place.
3. ③ Personal information will be destroyed through the procedure and method described below:
   1. 1. Destruction procedureThe Company selects personal information to be destroyed for any legitimate reason and destroys said information with the approval of the Company’s Chief Privacy Officer.
   2. 2. Destruction methodIf the personal information was recorded and stored electronically in a digital file, it will be destroyed irrecoverably; if said information was recorded and stored on paper documents, it will be destroyed by shredding or incineration.

Article 6 [Safeguarding Personal Information]

1. ① The Company takes the following measures to safeguard privacy:
   1. 1. Administrative safeguards: Establishing and implementing in-house management plans, periodic employee training, etc.
   2. 2. Technical safeguards: Managing access to personal information systems, installing an access control system
   3. 3. Physical safeguards: Restricting access to computer rooms and archives

Article 7 [Enabling, Operating, and Refusal of Automatic Collection of Personal Information]

The Company does not use cookies that store and persistently retrieve the user information of data subjects.

Article 8 [Chief Privacy Officer]

1. ① The Company has appointed the Chief Privacy Officer and the Privacy Office as described below, who are responsible for overseeing the processing of personal information, as well as handling grievances from data subjects and remedies for breaches in relation to the processing of personal information:
   • ▶ Chief Privacy OfficerName: Moon Ki-ho
     Title: Head of Administrative Division
     Call or email: 02-391-2348
   • ▶ Privacy OfficeDepartment: Administrative Division
     Officer: Kim Sung-jin
     Call or email: 02-391-2348, sungjin.kim@themedium.io
2. ② All data subjects are welcome to contact the Chief Privacy Officer or the Privacy Office if they have any questions about privacy, grievances, or concerns about remedies that arise during their use of the Company’s service. The Company will respond to and process any inquiries from data subjects without delay.

Article 9 [Request for Access to Personal Information]

Data subjects are entitled to request the following department for access to personal information in accordance with Article 35 of the Personal Information Protection Act. At the Company, we will do the best we can to grant said data subject’s request for access.

1. ▶ Department responsible for receiving and processing personal information access requestsName: Administrative Division
   Officer: Kim Sung-jin
   Call or email: 02-391-2348, sungjin.kim@themedium.io

Article 10 [Remedies for Infringement of Data Subjects Rights]

The following organization operates independently of the Company, but you can contact the organization if you are not satisfied with the handling of privacy grievances or the remedy provided by MEDIUM (“https://www.themedium.io” or “MEDIUM Website”), or if you want help or detailed information.

1. Personal Information Infringement Report Center (operated by Korea Internet & Security Agency)
   -Responsibilities: Reports on personal information infringements and consultations
   -Website: www.privacy.kisa.or.kr
   -Telephone: 118 (with no area code)
   -Address: Personal Information Infringement Report Center, 3rd floor, 9, Jinheung-gil, Naju-si, Jeollanam-do (301-2, Bitgaram-dong) (58324)
2. Personal Information Dispute Mediation Committee
   -Responsibilities: Requests for mediation of personal information disputes, mediation of collective disputes (civil mediation)
   -Website: www.kopico.go.kr
   -Telephone: 1833-6972 (with no area code)
   -Address: 4th floor, Government Complex Seoul, 209, Sejong-daero, Jongno-gu, Seoul (03171)
3. Cybercrime Investigation Division of Supreme Prosecutors’ Office: 02-3480-3573 (www.spo.go.kr)
4. Korean National Police Agency Cyber Bureau: 182 (http://cyberbureau.police.go.kr)

Article 11 [Changes to Privacy Policy]

① The effective date of this Privacy Policy is June 1, 2020.