Article 1 (Purpose)

• ① The institute shall collect personal information at a minimum level to perform its duties and handle civil complaints, and publishes it on the website operated by each center/project group to get confirmed by information entities.
• ② The institute shall register and disclose the personal information according to Article 32 of the Personal Information Protection Act, and the files are as follows:

  No.	Type	Operational basis	Objective of Personal Information Processing
  1	Access permission of visitors	Article 54 of Enforcement rule of security regulations	Identification of visitors
  2	Security check	Article 33 of security operative regulations	Security check for long-term visitors
  3	Management for customer satisfaction	Article 33 of Act on the management of public institutions	Investigating customer satisfaction in public institutions
  4	Homepage management for ACE integrated support center	Article 15-1-1 of Personal information protection	act Providing information on SMEs trends
  5	Homepage management for KSTAR	Article 15-1-1 of Personal information protection	Member management
  6	Homepage management for Nuclear fusion computer	Article 15-1-1 of Personal information protection	Member management

• ③ he personal information files operated by each department of the institute are available on the "Comprehensive Personal Information Support Portal."

※ Personal Information Protection Commission (www.privacy.go.kr) => Personal Information Complaint => Claim for Personal Information Access => Search for Personal Information File => Enter "Korea Institute of Fusion Energy" in the name of the institution for details

Article 2 (Processing and Retention Period of Personal Information)

Article 3 (Providing Information to Third Parties)

① The institute collects and uses personal information within the scope notified by the data entities for the purpose of processing personal information, and does not provide personal information to third parties such as others, other companies, or institutions.

Article 4 (Outsourcing of Personal Information)

• ① The institute may outsource the personal information to take care of business affairs as follows.

  No.	Activities	Agency	Entrusted personal information
  1	Public-service Customer Satisfaction Index	Research Lab Co.Ltd.	Name, address (work), E-mail, contact no. (work), mobile phone number, affiliated organization name, job title
  2	Sending newsletters	Hive Partners Co. Ltd.	E-mail
  3	Subscribing newsletter	Plani Co. Ltd.	E-mail
  4	Applying for field trip	Plani Co. Ltd.	Name, E-mail, cell phone number, name of an organization
  5	Image processing equipment (CCTV)	maintenance Mirae M Co. Ltd. Genesis Technology Industry Co. Ltd.	CCTV Video information
  6	Management of employment	MIDAS Information Technology Co. Ltd.	Name, nationality, address, E-mail, cell phone number, veterans and persons with disabilities (including documentary evidence), military service performance (military service certificate or a copy of resident registration), any types of certification, awards, any educational certificates
  7	Homepage management for KSTAR	Plani Co. Ltd.	ID,Name,affiliated organization name,contact no.(work, cellphone),E-mail
  8	Homepage management for Nuclear fusion computer	Plani Co. Ltd.	ID,Name,E-mail,affiliated organization name

• ② Under Article 25 of the Personal Information Protection Act, the institute stipulates in documents such as the prohibition of personal information processing, technical and management protection measures, re-entrustment restrictions, management and compensation for trustees, and supervises whether the trustee handles personal information safely.
• ③ If the details of the entrusted information or the trustee change, the institute shall disclose it through this personal information processing policy without delay.

Article 5 (Matters Concerning Rights and Duties of a Subject of Information, and How to Exercise Them)

• ① A subject of any personal related information managed by the institute may exercise the following rights at any time.
  • 1.Request for Inspection of Personal Information
  • 2.Request for Correction of Personal Information
  • 3.Request for Deletion of Personal Information
  • 4.Request for Suspension of Management of Personal Information
• ② A subject of information referred to above may submit a request form via telephone, E-mail, and FAX according to Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, and the institute will take a measure without delay.
• ③ The rights of the subject may be restricted pursuant to Articles 35 (5) and 37 (2) of the Personal Information Protection Act for requesting suspension of personal information access and processing.
• ④ A request for correction and deletion of personal information cannot be requested to delete personal information if it is specified in other laws and regulations.
• ⑤ The institute verifies whether the person who submitted the request for inspection, correction, and deletion according to the right of the subject of the information is him/herself or a legitimate agent.
• ⑥ The exercise of rights under paragraph (1) may be conducted through a legal representative of the subject or an agent of information, such as a delegated person. In this case, the person must submit a Power of Attorney in accordance with attached Form 11 of the Enforcement Rules of the Personal Information Protection Act.

Article 6 (Personal Information Items to be Processed)

• ① The institute processes the following personal information items.

  No.	Type		Personal Information Items
  1	Access permission of visitors	Required	Name of organization, name, contact number(cellphone)
  		Selective	Vehicle number
  2	Security check	Required	Name, resident registration number
  		Selective	Address(home/work), E-mail, contact number(home/work/cellphone)
  3	Management for customer satisfaction	Required	Name, address (Work), E-mail, contact number (work/cell phone)
  		Selective	Affiliated organization name, Job title
  4	Homepage management for ACE integrated support center	Required	ID, password, name, e-mail
  		Selective	Contact number(work/cellphone), Department, Job title
  5	Homepage management for KSTAR	Required	ID,password,name,abbreviation for one's name, Affiliated organization name,contact number (cell phone),E-mail
  		Selective	Contact number(work)
  6	Homepage management for Nuclear fusion computer	Required	Name,E-mail,Affiliated organization name
  		Selective	-

• ② In the process of using the Internet service, the following personal information items may be automatically generated and collected.

  - IP address, cookie, MAC address, service usage record, visit record, bad usage record, and others

Article 7 (Destruction of Personal Information)

• ① When the purpose of personal information management has been achieved, the institute, in principle, shall destroy the personal information without delay.
• ② After or as soon as the purpose of retaining personal information has been achieved, it shall be transferred to a separate storage unit like DataBase, stored for a certain period, and destroyed pursuant to internal policies and other Acts and subordinate statutes.
• ③ Procedures for and methods for destroying personal information are as follows.
  • 1.Procedures of Destruction

    The institute establishes and destroys a personal information destruction plan for personal information (or personal information file) that must be destroyed. The institute selects personal information (or personal information file) where the reason for destruction occurs and destroys personal information (or personal information file) with the approval of the person in charge of personal information protection.

  • 2.Method for Destruction

    he institute destroys personal information recorded and stored in the form of an electronic file so that the record cannot be reproduced and destroys personal information recorded and stored in paper documents by crushing or incinerating them.

Article 8 (Matters Concerning the Installation, Operation, and Rejection of Automatic Personal Information Collection Devices)

①The institute's website does not use 'cookie' that stores user information and reads it from time to time to provide individually customized services.

Article 9 (Measures to Ensure the Safety of Personal Information)

①The institute takes measures for technical, administrative, and physical safety as follows.

• 1.Establishment and implementation of internal management plan

  The institute establishes and implements an internal management plan following the 'Standards of Measures to Secure Personal Information Safety.'

• 2.Minimization of the number of staff managing personal information and staff training

  The institute designates and manages just the necessary number of staff who manages personal information and trains such staff, on safe management practices of personal information.

• 3.Access restriction of personal information

  The institute takes necessary measures to control access to personal information by granting, revising, and eliminating access rights to the database system that manages personal information and also prevents unauthorized access from external parties through the use of firewall systems.

• 4.Storage of access records and prevention of forgery

  Access records (weblogs, summary information, and others) to the Personal Information Management System shall be stored and managed for a minimum of 6 months.

• 5.Encryption of personal information

  Personal information is safely stored and managed via methods such as encryption. Additional security functions are also employed, such as, for example, encrypting essential data during storage and transfer.

• 6.Technical measures for hacking

  The institute prevents personal information leakage and damage caused by hacking or computer viruses by installing security programs and updates, inspecting systems where access is restricted from the outside, and monitors and blocking them technically and physically regularly.

• 7.Access control against unauthorized persons

  The institute operates the Personal Information System, which stores personal information at a physically separate storing place and establishes and runs access control procedures.

• 8.Physical safety measures of personal information processing system

  Under Article 12 (1) of the Notice of Personal Information Safety, the institute established and runs a response manual for disasters and crises for the personal information processing system to ensure a quick recovery and resume the business affairs.

Article 10 (Processing of alias information)

①The researcher pseudonymizes the personal information collected for statistics preparation, scientific research, and public record preservation so that specific individuals cannot be recognized, and processes it as follows. All.

• 1.Matters concerning the processing of pseudonym information - Not applicable
• 2.Matters concerning the provision of pseudonym information to third parties - Not applicable
• 3.Matters concerning the consignment of alias information processing - not applicable
• 4.Matters concerning measures to secure the safety of pseudonym information under Article 28-4 (Obligation of Safety Measures for pseudonym information, etc.) of the Act;
  • Management measures: Establishing and implementing an internal management plan, and training employees regularly
  • Technical measures: management of access rights of personal information processing systems, installation of access control systems, encryption of unique identification information, and installation of security programs
  • Physical Measures: Access control of computer rooms, data storage rooms, etc

Article 11 (Personal Information Protection Officer and Person in Charge)

• ① The institute is responsible for overall personal information processing and designates the person in charge of personal information protection to handle complaints and damages of information subjects related to personal information processing.

  Type	Personal information protection officer	Personal information protection Person in charge
  Name	Im Jinho	Hwang Seongha
  Job title	Director	Person in charge
  Job rank	Senior technical manager	Senior technical manager
  Contact number	042-879-5050	042-879-5088
  E-mail	jhlim@kfe.re.kr	shhwang@kfe.re.kr

• ② The information subject can contact the personal information protection manager and the department in charge of personal information protection, handling complaints, and relief of damage caused by using the institute's service (or business). The institute will respond to and process the inquiries of the information subject without delay.

Article 12 (Request for Access to Personal Information)

• ① The information subject may request the department, according to Paragraph 10, to view personal information under Article 35 of the Personal Information Protection Act. The institute will try to expedite the request for access to personal information by the subject of information.

  Department	Personal information file	Person in charge	Contact
  Safety team	Entry Permission Management for Visitors	Kim Jong-chun	Phone: 042-879-6833 Fax: 042-879-6999 Address: 169-148 Science-ro, Yuseong-gu, Daejeon
  	A background check
  Planning team	Customer satisfaction information management	Chae Gyu-jin	Phone: 042-879-6262 Fax: 042-879-6999 Address: 169-148 Science-ro, Yuseong-gu, Daejeon
  Performance management team	Homepage member management (ACE Integrated Support Center)	Lee Tae-woo	Phone: 042-879-6236 Fax: 042-879-6999 Address: 169-148 Science-ro, Yuseong-gu, Daejeon
  Pedestal Stability Research Team	Homepage member management(KSTAR Homepage)	Wi Han-Min	Phone: 042-879-5155 Fax: 042-879-6999 Address: 169-148 Science-ro, Yuseong-gu, Daejeon
  Simulation Team	Homepage member management(Nuclear Fusion Computer Homepage)	Park Jin-Seop	Phone: 042-879-5237 Fax: 042-879-6999 Address: 169-148 Science-ro, Yuseong-gu, Daejeon

• ② In addition to the reception and processing department of the request for perusal under paragraph (1), the information subject may request for the perusal of personal information through the Ministry of Public Administration and Security's website (www.privacy.go.kr).

  ▶ The Ministry of Public Administration and Security's comprehensive personal information protection support portal → Personal information complaint → Request for personal information access (I-PIN must be present for personal identification)

Article 13 (Resolution for Infringement on Rights and Interests)

In order to receive relief from personal information infringement, the information subject may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee and the Korea Internet & Security Agency's Personal Information Infringement Report Center. In addition, please contact the institution below for reports and counseling of other personal information violations.

• 1.Personal Information Dispute Mediation Committee: (Without National Number) 1833-6972 (www.kopico.go.kr)
• 2.Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)
• 3.Supreme Prosecutors' Office Cyber Investigation Division: 1301 (www.spo.go.kr)
• 4.National Police Agency Cyber Investigation Bureau: 182 (ecrm.cyber.go.kr/minwon/main)

A person whose personal information-related rights or interests have been infringed upon by measures taken by the head of a public institution against a request by such a person for the inspection, correction/deletion, and the suspension of management of personal information may make an administrative appeal pursuant to the Administrative Appeals Act under Articles 35 (View of Personal Information), 36 (Correction/Delete of Personal Information, etc.). ※Please refer to the information provided by the Central Administrative Appeals Commission (www.simpan.go.kr).

Article 14 (Personal Information Management Level Diagnosis Results)

• ①To safely manage the personal information of the data subject, the researcher receives the "level diagnosis of personal information management" conducted by the Personal Information Protection Committee every year under Article 11 of the Personal Information Protection Act.
• ②The researcher obtained the grade of 'Insufficient' in the 2021 Personal Information Management Level Diagnosis Evaluation.
• ③The researcher took the following improvement measures according to the results of the 2021 personal information management level diagnosis.
  • Establishing a foundation for personal information protection
  • Strengthening the protection of personal information by entrusting the processing of personal information
  • Strengthening access control and access record inspection of personal information processing systems

Article 15 (Installation and Operation of Video Information Processing Devices)

①The institute installs and operates video information processing devices as follows.

• 1.The reason and purpose for installation of video information processing devices:

  facility safety and fire prevention of the institute

• 2.Number and location of installation and scope of photography:

  203 units for major facilities such as the lobby of the building and the surrounding areas for filming ranges

• 3.Management manager, department in charge, and authorized persons:

  Kim Hee-soo, team manager of the safety team

• 4.Time, storage period and location, and processing method of video surveillance
  • Video surveillance time: 24 hours
  • Storage period: 30 days from video surveillance (90 days for KSAR laboratory)
  • Storage location and processing method: Storage and Processing in the Integrated Situation Room Image Processing Device Control Room
• 5.Method and location of verification of video information:

  Please request the management manager

• 6.Measures for requesting access to video information by the subject of information:

  Personal video information shall be requested for access and confirmation of its existence, and access shall be permitted only when the subject of the information is photographed or clearly necessary for the benefit of life, body, and property

• 7.Technical, management, and physical measures to protect image information:

  The institute shall establish internal management plans, control access, restriction of access rights, application of safe storage and transmission technology, and storage and forgery prevention measures.

Article 16 (Standards for Additional Use and Provision of Personal Information)

• ①Where the institute intends to use or provide personal information without the consent of the subject of information pursuant to Article 15 (3) or 17 (4) of the Act (hereinafter referred to as "additional use or provision of personal information, the following matters should be considered.
  • 1.Whether it is related to the original purpose of the collection
  • 2.Whether additional use or provision of personal information is predictable in light of the circumstances or processing practices of collecting personal information
  • 3.Whether it unfairly infringes on the interests of the subject of information
  • 4.Whether measures necessary for securing safety, such as pseudonym processing or encryption, have been taken
• ②The institute shall disclose in advance the criteria for determining the matters under each subparagraph of paragraph (1) to the personal information processing policy under Article 30 (1) of the Act and check whether the person in charge of personal information is additionally using or providing personal information according to the relevant standards.

Article 17 (Change of Personal Information Processing Policy)

This personal information processing policy is applied from August 1, 2022.