Privacy Policy on Handling of Personal Information

Privacy Policy on Handling of Personal Information

Doosan Enerbility Co., Ltd. (hereinafter “Company”) complies with the relevant laws and regulations dealing with personal information protection, including the Personal Information Protection Act and the Act on Promotion of Information Communications Network Utilization and Information Protection. The Company is doing its utmost to protect the rights and interests of its customers and website users (hereinafter “Data Subjects”) in accordance with the Privacy Policy on Handling of Personal Information, which was devised based on the relevant laws.

The Privacy Policy on Handling of Personal Information is used by the Company to notify the data subjects of how and for what purpose the personal information is being used and what measures are being taken for the protection of personal information. In the event of any amendments to the policy, notification will be given on the amendments via the company website or individual notice.

The Company’s policies regarding the handling of personal information consist of the following: (1) “Privacy Policy on Handling of Personal Information,” which contains stipulations concerning the protection of data subjects’ personal information handled by the Company, and (2) “Policy on Operation & Management of Video Information Processing Devices,” which contains stipulations concerning the protection of personal video information. However, in case of other Doosan affiliates’ websites, each have their own respective privacy policy established.

The Company greatly values the personal information of its customers or data subjects who are users of the company website(www.doosanenerbility.com) and as such, does its best to ensure the protection of such personal information. To this end, the Company is complying with the relevant laws, such as the Personal Information Protection Act and the Act on Promotion of Information Communications Network Utilization and Information Protection (hereinafter “Information Communications Network Act”).

Current effective date 2022.11.04
01. Scope of Collected Personal Information
1. The Company uses fair and lawful methods to collect the data subjects’ personal information.
2. The personal information collected by the Company shall be limited to the minimum information that is required for the provision of services, and unless permitted by law or given consent by the data subject, the Company shall not collect any sensitive personal information, which has the risk of clearly infringing upon the privacy of data subjects (personal ideology & beliefs, political views, health, sexual orientation, genetic information, criminal record, etc.), nor shall any personal identification information that can be used to identify specific individuals be gathered.
02. Types of Personal Information Collected & Data Collecting Method
The types of personal information collected by the Company on the data subjects are as listed below. During the course of using the company website, the data items specified under No. 2 may be automatically generated and collected.
1. Handling of Complaints
  • Mandatory Data : Name, Email Account
  • Optional Data: Location (City, Province), Phone Number (Contact Info.), Country Name, Company Name
2. Analysis of Services & Enhancement of Service Quality: Data automatically generated and collected during the use of Internet services
  • Service usage log, access log, cookies, IP connection information
3. Recruiting & Hiring
  • General Information: Name (in Korean, Chinese, English), Date of Birth, Gender, Photo, Password, Home Phone Number, Home Address, Mobile Number, Email, Academic Background, Military Service Record (Performance of Military Service(Yes/No), Service Period, Military Branch, Rank), Foreign Language Proficiency, Qualifications, Eligibility for Patriot & Veteran Treatment, Work Experience, Social Experience, Research Experience.
  • Sensitive Information: Person with Disability (Yes/No), Disability Rating
03. Collection of Personal Information & Purpose of Collected Information
The Company collects the personal information of data subjects for the following purposes:
1. Customer Related Information
  • Analysis of Services & Enhancement of Service Quality: By analyzing the service usage, the users are provided with better services and an improved company website (Analysis of services and enhancement of service quality), etc.
  • Handling of Complaints: Confirmation of registered complaints, contact & notification for fact findings, notifications on outcome, etc.
2. Recruiting Related Information
  • Recruiting & Hiring Related Information: Personal identity & real name verification, recruitment screening and contact with applicants, traits of ideal candidate defined based on relevant legal requirements, i.e., Act on the Honorable Treatment of and Support for Persons of Distinguished Services to the State, Act on the Employment Promotion and Vocational Rehabilitation of Persons with Disabilities (Information regarding those eligible for honorable treatment of veterans & patriots, information relating to disabilities, etc.)
04. Personal Information Retention & Usage Period
1. Handling of Complaints
  • Data Held: Name, Email Account, Location (City, Province), Phone Number (Contact Info), Country, Company
  • Retention Period: 1 year
2. Analysis of Service & Enhancement of Service Quality
  • Data Held: Service usage log, access log, cookies, IP connection information
  • Retention Period: 3 years
3. Recruiting & Hiring
  • Data Held: Name (in Korean, Chinese, English), Photo, Password, Home Phone Number, Home Address, Mobile Number, Email, Academic Background, Military Service Record (Performance of Military Service: Yes/No), Service Period, Military Branch, Rank), Foreign Language Proficiency, Qualifications, Eligibility for Patriot & Veteran Treatment, Work Experience, Social Experience, Research Experience, Sensitive Information Related to Having a Disability (Yes/No), Disability Rating.
  • Retention Period
    • For those who were not hired, such people’s information shall be held for five years following after the end of the recruiting process, provided that their consent was obtained on the data retention period (To be registered on the recruiting site’s human resources database and held for the purpose of managing data on candidates available for future hiring)
    • For those who were hired, their data shall be held until the purpose of the data has been served, provided that their consent was obtained on the data retention period.
05. Personal Information Disposal Process & Method
1. Disposal Process
The Company shall dispose of the personal information within five days from the end of the personal information retention and usage period. If the personal information is no longer needed owing to reasons, such as fulfillment of the purpose of the personal information handling, shutdown of the relevant service or closing of the business, the personal information shall be disposed of within five days from the day it was recognized that the information is no longer needed.
2. Disposal Method
  • Personal Information on Paper & Printouts : To be shredded or incinerated
  • Personal Information Saved in Electronic File Format: To be permanently deleted using technology that prevents recovery of the deleted records
06. Disclosure of Personal Information to Third Parties
The Company shall not disclose any of the personal information to third parties without just cause, unless it is required by law or prior consent was obtained from the data subject. However, the following cases shall be exceptions:
  • Consent was obtained from the data subject
  • Disclosure of the information is requested in specific provisions of relevant laws or is deemed unavoidable if one wishes to fulfill legal obligations
  • The data subject or his/her legal representative is in a state in which an opinion or intent cannot be expressed or prior consent cannot be gained owing to an invalid address, but disclosure to a third party is urgently needed for the sake of the data subject or third party’s life, physical well-being or the person’s interests, such as those related to his/her property.
The Company currently provides the following types of personal information :
Table by personal information
Data Recipient Data Provided Purpose of Data Retention Period
Multicampus Co., Ltd. Name, Date of Birth, Test Date, Registration Number, Score Personal identification required when checking OPIc score Immediately disposed of once score is confirmed
Korea TOEIC Committee Name, Date of Birth, Test Date, Registration Number, Score Personal identification required when checking TOEIC Speaking Test score Immediately disposed of once score is confirmed
07. Commissioning of Personal Information Handling Service
The Company commissions an outside agency to handle some of the work required for provision of services and has a set of regulations set up to manage and monitor matters for the purpose of ensuring that the personal information can be safely handled as stipulated in the relevant laws. The commissioned service for handling of personal information is as follows :
Table by Commissioning of Personal Information Handling Service
Information Recipient Description of Commissioned Service
Doosan Corporation Digital Innovation Operation & Management of company’s IT systems, including website (Maintenance)
08. Rights & Obligations of Data Subjects and Method for Exercising Rights
1. The data subjects may request for the viewing, modification or withdrawal of consent at any time in regard to their personal information. Should the data subject contact the department in charge of personal information in order to file a written request or make a request by phone or email, proper action shall be immediately taken without delay to address the matter.
2. In the event of a request by the data subject for the correction of an error in his/her personal information, the Company shall not use or disclose the personal information until correction of the error has been completed.
3. In the case of minors who are of the age 14 or younger, the child’s legal representative has the right to view or amend the child’s personal information, as well as the right to withdraw the consent given on the collection and usage of personal information.
4. In the event of a request for the cancellation or deletion of personal information by the data subject or his/her legal representative, this shall be handled in accordance with the Privacy Policy on Handling of Personal Information, and the personal information shall not be viewed or used for any other purposes.
09. Installation, Operation or Declining of Automatic Personal Data Collecting Tool
1. The Company operates “cookies” which are used to store and track information about the data subjects. Cookies are small blocks of text files that are sent by a website server to be stored on the user’s computer hard drive.
2. The data subject has the option of choosing to accept the cookies or not. Options can be set to either accept all cookies, confirm each time a cookie is about to be stored or decline all cookies. However, if the data subject decides to decline installation of the cookies, some difficulties may be encountered in using the services.
10. Personal Information Safeguarding Measures
In accordance with Article 29 of the Personal Information Protection Act and Article 28 of the Information Communications Network Act, the Company is taking technical, administrative and physical measures aimed at ensuring the security of personal information.
1. Personal information handling personnel kept to a minimum
  • To ensure the protection of personal information, minimal authority is granted to those assigned with handling personal information
2. Training conducted on regular basis for relevant personnel
  • Training is conducted on a regular basis to promote awareness of the importance of personal information protection.
3. Internal inspections conducted on regular basis
  • The Company conducts inspections on a regular basis to ensure the security of personal information
4. Creating and implementing personal information management plans
  • The Company shall create and manage a corporate plan for the safe handling and management of personal information.
5. Encryption of Personal Information
  • The data subject’s personal information and password are stored and managed in encrypted format and a security mechanism is applied in the data transmission process to ensure that the data is safely managed.
6. Anti-Hacking Measures
  • The Company has security programs installed to prevent personal information leaks and damages from occurring due to computer hacking or virus infections, and has periodic updates and inspections performed, which may lead to the installation of security systems in designated off-limits areas, enabling the Company to perform technical and physical surveillance and protect the system against infiltrations.
7. Restriction of Access to Personal Information
  • Measures such as granting, changing and cancelling of authority for accessing the personal information management system are being taken to effectively control the access to personal data, and an infiltration prevention system is being used to control unauthorized access by outsiders.
8. Storing of Access Logs and Prevention of Forgeries
  • A system access log containing records of the access made to the personal information management system is stored and managed for a minimum period of six months, and a security mechanism is used to prevent any data forgery, theft or loss from occurring to the log.
9. Lock Devices Used for Document Security
  • Documents and data storage devices containing personal information are kept in a safe place with a lock device.
10. Access Control for Unauthorized People
  • A separate physical location for storing personal information is kept, with an access control process being set up and applied.

However, the Company shall not be liable for incidents that arise due to the data subject’s own fault or owing to basic risks inherent in the Internet.

11. Personal Information Protection Administrator and Managing Department
1. The Company has appointed the following department and person to be in charge of the protection of personal information and the handling of associated complaints.
A. Personal Information Protection Administrator
B. Department in Charge of Personal Information Protection
2. Should you need to file a report or receive consultation on a personal information infringement case, please contact the following agencies:
  • Korea Internet & Security Agency (KISA)’s Personal Information Infringement Reporting Center (www.privacy.kisa.or.kr Tel: 118)
  • Supreme Prosecutor’s Office Cybercrime Investigation Division (www.spo.go.kr Tel: 1301)
  • Korean National Police Agency’s Cyber Security Division (www.cyberbureau.police.go.kr Tel: 182)
12. Notification of Privacy Policy Amendments
In the event of any additions, deletions and modifications to the Privacy Policy on Handling of Personal Information, the Company shall post the reason for the amendment and description on the company website prior to putting the amended policy into effect.

Date of Enforcement : November 4, 2022

01. Scope of Collected Personal Information
1. The Company uses fair and lawful methods to collect the data subjects’ personal information.
2. The personal information collected by the Company shall be limited to the minimum information that is required for the provision of services, and unless permitted by law or given consent by the data subject, the Company shall not collect any sensitive personal information, which has the risk of clearly infringing upon the privacy of data subjects (personal ideology & beliefs, political views, health, sexual orientation, genetic information, criminal record, etc.), nor shall any personal identification information that can be used to identify specific individuals be gathered.
02. Types of Personal Information Collected & Data Collecting Method
The types of personal information collected by the Company on the data subjects are as listed below. During the course of using the company website, the data items specified under No. 2 may be automatically generated and collected.
1. Handling of Complaints
  • Mandatory Data : Name, Email Account
  • Optional Data: Location (City, Province), Phone Number (Contact Info.), Country Name, Company Name
2. Analysis of Services & Enhancement of Service Quality: Data automatically generated and collected during the use of Internet services
  • Service usage log, access log, cookies, IP connection information
3. Recruiting & Hiring
  • General Information: Name (in Korean, Chinese, English), Date of Birth, Gender, Photo, Password, Home Phone Number, Home Address, Mobile Number, Email, Academic Background, Military Service Record (Performance of Military Service(Yes/No), Service Period, Military Branch, Rank), Foreign Language Proficiency, Qualifications, Eligibility for Patriot & Veteran Treatment, Work Experience, Social Experience, Research Experience.
  • Sensitive Information: Person with Disability (Yes/No), Disability Rating
03. Collection of Personal Information & Purpose of Collected Information
The Company collects the personal information of data subjects for the following purposes:
1. Customer Related Information
  • Analysis of Services & Enhancement of Service Quality: By analyzing the service usage, the users are provided with better services and an improved company website (Analysis of services and enhancement of service quality), etc.
  • Handling of Complaints: Confirmation of registered complaints, contact & notification for fact findings, notifications on outcome, etc.
2. Recruiting Related Information
  • Recruiting & Hiring Related Information: Personal identity & real name verification, recruitment screening and contact with applicants, traits of ideal candidate defined based on relevant legal requirements, i.e., Act on the Honorable Treatment of and Support for Persons of Distinguished Services to the State, Act on the Employment Promotion and Vocational Rehabilitation of Persons with Disabilities (Information regarding those eligible for honorable treatment of veterans & patriots, information relating to disabilities, etc.)
04. Personal Information Retention & Usage Period
1. Handling of Complaints
  • Data Held: Name, Email Account, Location (City, Province), Phone Number (Contact Info), Country, Company
  • Retention Period: 1 year
2. Analysis of Service & Enhancement of Service Quality
  • Data Held: Service usage log, access log, cookies, IP connection information
  • Retention Period: 3 years
3. Recruiting & Hiring
  • Data Held: Name (in Korean, Chinese, English), Photo, Password, Home Phone Number, Home Address, Mobile Number, Email, Academic Background, Military Service Record (Performance of Military Service: Yes/No), Service Period, Military Branch, Rank), Foreign Language Proficiency, Qualifications, Eligibility for Patriot & Veteran Treatment, Work Experience, Social Experience, Research Experience, Sensitive Information Related to Having a Disability (Yes/No), Disability Rating.
  • Retention Period
    • For those who were not hired, such people’s information shall be held for five years following after the end of the recruiting process, provided that their consent was obtained on the data retention period (To be registered on the recruiting site’s human resources database and held for the purpose of managing data on candidates available for future hiring)
    • For those who were hired, their data shall be held until the purpose of the data has been served, provided that their consent was obtained on the data retention period.
05. Personal Information Disposal Process & Method
1. Disposal Process
The Company shall dispose of the personal information within five days from the end of the personal information retention and usage period. If the personal information is no longer needed owing to reasons, such as fulfillment of the purpose of the personal information handling, shutdown of the relevant service or closing of the business, the personal information shall be disposed of within five days from the day it was recognized that the information is no longer needed.
2. Disposal Method
  • Personal Information on Paper & Printouts : To be shredded or incinerated
  • Personal Information Saved in Electronic File Format: To be permanently deleted using technology that prevents recovery of the deleted records
06. Disclosure of Personal Information to Third Parties
The Company shall not disclose any of the personal information to third parties without just cause, unless it is required by law or prior consent was obtained from the data subject. However, the following cases shall be exceptions:
  • Consent was obtained from the data subject
  • Disclosure of the information is requested in specific provisions of relevant laws or is deemed unavoidable if one wishes to fulfill legal obligations
  • The data subject or his/her legal representative is in a state in which an opinion or intent cannot be expressed or prior consent cannot be gained owing to an invalid address, but disclosure to a third party is urgently needed for the sake of the data subject or third party’s life, physical well-being or the person’s interests, such as those related to his/her property.
The Company currently provides the following types of personal information :
Table by personal information
Data Recipient Data Provided Purpose of Data Retention Period
Multicampus Co., Ltd. Name, Date of Birth, Test Date, Registration Number, Score Personal identification required when checking OPIc score Immediately disposed of once score is confirmed
Korea TOEIC Committee Name, Date of Birth, Test Date, Registration Number, Score Personal identification required when checking TOEIC Speaking Test score Immediately disposed of once score is confirmed
07. Commissioning of Personal Information Handling Service
The Company commissions an outside agency to handle some of the work required for provision of services and has a set of regulations set up to manage and monitor matters for the purpose of ensuring that the personal information can be safely handled as stipulated in the relevant laws. The commissioned service for handling of personal information is as follows :
Table by Commissioning of Personal Information Handling Service
Information Recipient Description of Commissioned Service
Doosan Corporation Digital Innovation Operation & Management of company’s IT systems, including website (Maintenance)
08. Rights & Obligations of Data Subjects and Method for Exercising Rights
1. The data subjects may request for the viewing, modification or withdrawal of consent at any time in regard to their personal information. Should the data subject contact the department in charge of personal information in order to file a written request or make a request by phone or email, proper action shall be immediately taken without delay to address the matter.
2. In the event of a request by the data subject for the correction of an error in his/her personal information, the Company shall not use or disclose the personal information until correction of the error has been completed.
3. In the case of minors who are of the age 14 or younger, the child’s legal representative has the right to view or amend the child’s personal information, as well as the right to withdraw the consent given on the collection and usage of personal information.
4. In the event of a request for the cancellation or deletion of personal information by the data subject or his/her legal representative, this shall be handled in accordance with the Privacy Policy on Handling of Personal Information, and the personal information shall not be viewed or used for any other purposes.
09. Installation, Operation or Declining of Automatic Personal Data Collecting Tool
1. The Company operates “cookies” which are used to store and track information about the data subjects. Cookies are small blocks of text files that are sent by a website server to be stored on the user’s computer hard drive.
2. The data subject has the option of choosing to accept the cookies or not. Options can be set to either accept all cookies, confirm each time a cookie is about to be stored or decline all cookies. However, if the data subject decides to decline installation of the cookies, some difficulties may be encountered in using the services.
10. Personal Information Safeguarding Measures
In accordance with Article 29 of the Personal Information Protection Act and Article 28 of the Information Communications Network Act, the Company is taking technical, administrative and physical measures aimed at ensuring the security of personal information.
1. Personal information handling personnel kept to a minimum
  • To ensure the protection of personal information, minimal authority is granted to those assigned with handling personal information
2. Training conducted on regular basis for relevant personnel
  • Training is conducted on a regular basis to promote awareness of the importance of personal information protection.
3. Internal inspections conducted on regular basis
  • The Company conducts inspections on a regular basis to ensure the security of personal information
4. Creating and implementing personal information management plans
  • The Company shall create and manage a corporate plan for the safe handling and management of personal information.
5. Encryption of Personal Information
  • The data subject’s personal information and password are stored and managed in encrypted format and a security mechanism is applied in the data transmission process to ensure that the data is safely managed.
6. Anti-Hacking Measures
  • The Company has security programs installed to prevent personal information leaks and damages from occurring due to computer hacking or virus infections, and has periodic updates and inspections performed, which may lead to the installation of security systems in designated off-limits areas, enabling the Company to perform technical and physical surveillance and protect the system against infiltrations.
7. Restriction of Access to Personal Information
  • Measures such as granting, changing and cancelling of authority for accessing the personal information management system are being taken to effectively control the access to personal data, and an infiltration prevention system is being used to control unauthorized access by outsiders.
8. Storing of Access Logs and Prevention of Forgeries
  • A system access log containing records of the access made to the personal information management system is stored and managed for a minimum period of six months, and a security mechanism is used to prevent any data forgery, theft or loss from occurring to the log.
9. Lock Devices Used for Document Security
  • Documents and data storage devices containing personal information are kept in a safe place with a lock device.
10. Access Control for Unauthorized People
  • A separate physical location for storing personal information is kept, with an access control process being set up and applied.

However, the Company shall not be liable for incidents that arise due to the data subject’s own fault or owing to basic risks inherent in the Internet.

11. Personal Information Protection Administrator and Managing Department
1. The Company has appointed the following department and person to be in charge of the protection of personal information and the handling of associated complaints.
A. Personal Information Protection Administrator
B. Department in Charge of Personal Information Protection
2. Should you need to file a report or receive consultation on a personal information infringement case, please contact the following agencies:
  • Korea Internet & Security Agency (KISA)’s Personal Information Infringement Reporting Center (www.privacy.kisa.or.kr Tel: 118)
  • Supreme Prosecutor’s Office Cybercrime Investigation Division (www.spo.go.kr Tel: 1301)
  • Korean National Police Agency’s Cyber Security Division (www.cyberbureau.police.go.kr Tel: 182)
12. Notification of Privacy Policy Amendments
In the event of any additions, deletions and modifications to the Privacy Policy on Handling of Personal Information, the Company shall post the reason for the amendment and description on the company website prior to putting the amended policy into effect.

Date of Enforcement : July 26, 2021

Article 1 (Items of personal information collected and collection method)
1. Items of personal information to be collected
The company collects the following personal information from the users who use its website:
Table by collect data
Classification Essential items
Items of personal information collected – name in full, phone number, e-mail address, organization

※ The company does not collect any sensitive information that may seriously infringe the privacy of its users (information concerning their ideology, credo, current and past memberships in labor unions or political parties, political opinions, health, sex life, etc.) or their unique identification unless permitted under statutes or consented to by the relevant users.

2. Method of collecting personal information
The company collects personal information using the following means:
  • Webpage-based tour application, Contact Us, Suggestions, Voice of a power company customer, Technical Support Center for Power Group Companies, Cyber Reporting Center, Win-Win Call Center, Subscription to Newsletter
  • Collection of information that is automatically generated by the system when the service is used

※ When requesting for the consent of users to its collection or use of their personal information, the company provides on its website a procedure wherein users may to opt to “Agree,” “Disagree,” “Agree to the provision of essential information,” or “Agree to the provision of optional information” as to the details of all information.

Article 2 (Purposes of collection or use of personal information)
1. The company shall use the personal information it collects for the following purposes:
Table by Purposes of collection or use of personal information
Classification Items of personal information Purposes of use
tour application Essential item Name of visiting organization, Address, Phone number, Name of applicant, Mobile phone number of the applicant, e-mail address of the applicant For identifying the organization, reviewing or replying to tour applications, or providing useful information
Contact Us Essential Items Name, e-mail address, phone number, company name For replying to questions about or requests for products or services or providing useful information
suggestion uploading Essential items Name, e-mail address, organization For replying to suggestions or providing useful information
Voice from Power Group Customers Essential items Name in full, name of power generating company, office phone number, e-mail address For identifying the organization, replying to questions about or requests for products or services, or maintaining records
Technical Support Center for Power Group Companies Essential items Name in full, name of power generating company, office phone number, e-mail address For identifying the organization or replying to requests for technical support
Cyber Report Center Essential items Name in full, mobile phone number, e-mail address For replying to reports
Win-Win Call Center Essential items Company name, position, name in full, e-mail address, phone number For identifying the organization or replying to questions or requests
Subscription to Newsletter Essential items Name, e-mail address, phone number For providing Newsletter
2. The personal information under processing shall not be used for purposes other than its intended use. The company shall take the necessary actions if the intended use is modified, including securing separate consent as required under the relevant statutes.
Article 3 (Period of retention and use of personal information)
1. The company shall process or retain personal information for the intended purposes only within the period of retention or use of personal information set forth under the statutes or within the period consented to by the information subjects at the time their personal information is collected.
2. The company shall process or retain personal information whose collection was consented to by the information subjects for 5 years
3. The following periods of processing or retaining personal information are set forth under the statutes as follows:
Table by Period of retention and use of personal information
Items retained periods retained statutory grounds
User’s Internet log data / Data for tracking users’ access place 3 months Act on the Protection of Communication Confidentiality
Data for verifying communication 12 months
Article 4 (Procedure and method for destroying personal information)
1. The company shall destroy the relevant personal information without delay when the period of retaining personal information lapses or when it is no longer necessary since the processing purpose has been achieved. The following procedures or methods shall be used by the company for destroying the personal information:
1. Destruction procedures
The relevant personal information shall be destroyed by the company when the period of retaining personal information lapses, when it is no longer necessary since the processing purpose has been achieved, or when the retention period lapses pursuant to the relevant statutes.

2. Destruction methods
The company shall delete the personal information stored in digital files using irrecoverable technical means or incinerate or shred personal information that is recorded or outputted on paper.
Article 5 (Entrustment of the collected personal information)
1. The company shall entrust an outside specialized vendor with the following services of processing personal information in order to perform services or duties smoothly:
Table by Entrustment of the collected personal information
Name of the vendor entrusted Details of duties or services entrusted
Doosan Corporation Information & Communications Operation, improvement, repair or maintenance of the relevant system
2. In order to ensure that the relevant personal information is protected securely, the company shall clearly define matters related to responsibilities for confidentiality and damage compensation when personal information processing is entrusted, including prohibition of personal information processing for purposes other than the performance of the entrusted duties or services and technical, administrative, or physical measures for protecting security, while monitoring the vendor to supervise whether it processes the personal information securely.
3. The company shall disclose the information through this policy for handling personal information without delay when any change is made in the entrusted duties or vendors.
Article 6 (Provision of personal information to third parties)
1. The company shall not provide the users’ personal information to any third party without the users’ consent. Note, however, that the following shall be treated as exceptions:
1. When it is unavoidable to comply with the specific provisions or duties set forth under the statutes;
2. When clearly deemed urgently necessary for the life, body, or property of the information subject or third parties in a situation wherein the information subject or legal agent is unable to express his/her intent or it is difficult to secure prior agreement since their address is not available;
3. When it is required under the provisions of laws or requested by law enforcement authorities for investigation according to the procedure and methods set forth under the statutes
2. The company shall provide personal information to any third party completing a procedure for securing the users’ consent anew when the third party is replaced or when personal information whose collection was consented to by the users needs to be provided anew.
Article 7 (Rights of users or their legal agents and exercise methods)
1. The users or their legal agents may review their personal information registered with the company, withdraw their consent, or request for the termination of their subscription at any time. Note, however, that all of part of the company’s services may be restricted in such cases.
2. To that end, the company shall take actions without delay when such request is made by users on its website, for the attention of the personal information manager or the department responsible for personal information, in writing, or by phone or e-mail.
3. The company may refuse the review, correction, or deletion of all or part of the personal information in any of the following cases:
1. When review is prohibited or restricted under the statutes; or 2. When it is feared that the user request may harm other persons’ life or body or may unfairly infringe other persons’ properties or other benefits
4. When the user requests for the correction of errors in his/her personal information, the company shall neither use nor provide the personal information to a third party before the correction is finished. The company shall notify the third party of the correction details if any incorrect personal information has already been provided to any third party.
5. The company shall handle the personal information of a user who has been deleted or whose processing has been discontinued based on the request of the user or his/her legal agent as set forth under “3. Period of Retention or Use of Personal Information” so that the deleted information may not be viewed or used for any other purpose.
6. The users shall enter their latest personal information correctly. The user shall be responsible for any mishap that may arise because of incorrect information he/she enters. His/Her user eligibility may be revoked if someone else’s or false information is entered.
7. The users shall protect themselves and refrain from infringing information belonging to others in addition to their right to the protection of their personal information. The users shall work to prevent their personal information from being leaked or refrain from tampering with the personal information belonging to others. The users may be punished according to the pertinent statute if they fail to fulfill their obligations or damage the personal information or dignity of others.
Article 8 (Provisions on the installation, operation, or refusal of devices automatically collecting personal information)
The operator of www.doosanenerbility.com shall not use software cookies that store and occasionally search information concerning the customers who visit the website.
Article 9 (Other policies for handling personal information)
1. Measures for ensuring security for protecting personal information
The company shall take the following administrative, technical, and physical actions to secure safety in handling the users’ personal information to prevent loss, theft, leak, forgery, or tampering:
1. Administrative actions for the development, observance, supervision, or regular education of internal policies that need to be followed to protect personal information
2. Technical actions for the management of access authority to personal information processing systems, installation of access control systems, encryption of unique identification information, or installation of security programs
3. Physical actions for the control of access to computer or data storage rooms or installation of systems for access clearance or monitoring
2. Policy concerning refusal of unauthorized collection of e-mail addresses

The company shall refuse the unauthorized collection of displayed e-mail addresses using e-mail collection programs or other technical devices. Any violation shall be punished pursuant to the Act on the Promotion of ICT Network or Protection of Information.

Article 10 (Information concerning the personal information manager or responsible department)
1. The company shall designate as follows its manager and department responsible for handling personal information, with both inclusively responsible for functions related to the handling of personal information as well as handling complaints or relief of the information subjects involved in personal information handling:
Personal information administrator or manager
Department responsible for personal information
  • Organization: Changwon CR Team
  • Phone : 055-278-3047
  • Fax : 055-278-8409
  • Office hours: 08:00~17:00 (Mon to Fri), closed on holidays (Sat to Sun)
2. The information subjects may contact the company’s manager or department responsible for personal information concerning all matters related to the protection of their personal information, handling of complaints, or relief of damages that arise during their use of the company’s services (programs). The company shall reply to or handle the questions by the information subjects without delay.
3. The information subjects may contact the following agencies to request for or inquire about counseling on the relief of damages caused by the infringement of their personal information (they are agencies independent from the company; you may contact them for help or detailed information if you are dissatisfied with the company’s handling of your complaint or outcome of relief actions):
1. Center for Reporting Infringements of Personal Information (operated by KISA)
  • Functions: Accepts reports or requests for counseling on the infringement of personal information
  • Website : privacy.kisa.or.kr
  • Phone number: 118
  • Address: KISA Center for Reporting Infringements of Personal Information, 135 Jungdae-ro, Songpa-gu, Seoul 138-950
2. Commission for Mediating Disputes Related to Personal Information (operated by KISA)
  • Functions: Accepts requests for mediation of disputes related to personal information or collective disputes (civil settlement)
  • Website : privacy.kisa.or.kr
  • Phone number: 118
  • Address: KISA Center for Reporting Infringements of Personal Information, 135 Jungdae-ro, Songpa-gu, Seoul 138-950
3. Cyber Crime Investigation Group, Supreme Prosecutors’ Office : 02-3480-3571, cybercid@spo.go.kr(www.spo.go.kr)
4. Cyber Terror Response Center, Korean National Police Agency : 1566-0112 (www.netan.go.kr)
Article 11 (Amendment to policies for handling personal information)
1. This policy for handling personal information (Version 4.0) shall enter into force on 2 October 2015.

Doosan Enerbility Co., Ltd. (hereinafter “Company”) hereby uses this Visual data processing device Operation & Management Policy to clarify the purpose and method being applied for the usage and management of visual data that is processed by the Company.

Current effective date 2022.11.04
01. Grounds and Purpose of Visual data processing device Installation
The Company installs and operates visual data processing device (IIPE) for the following purposes in accordance with Article 25-1 of the “Personal Information Protection Act.”
  • Safety of facilities and prevention of fire outbreaks
  • Crime prevention to ensure the safety of employees and visitors
  • Prevention of vehicle theft and damage
  • Any other purpose within the scope permitted under the relevant laws
02. Visual data processing device Installation & Operation Status
Classification Installation Count1) Location Shooting Scope
Changwon Headquarters 274 units Inside /Outside the buildings, entranceways, around the facilities, parking lots, etc. Inside/Outside the buildings, common areas inside the buildings, entranceways, parking lots, etc.
Bundang Doosan Tower 430 units
Dongtan Nuclear I&C 39 units
1) Provided it is in line with the installation purpose, the installation count may be adjusted due to circumstances, such as relocation/new establishment/ environmental improvement of the company’s business site.
03. Shooting Time, Data Retention Period, Location and Processing Method
(1) Shooting Time, Data Retention Period and Data Storing Location
Shooting Time Retention Period2) Data Storing Location
24 hours For 30 days from shooting date Changwon : Administrative Office (Main Bldg 2nd floor, Main Gate, inside Employee Dormitory) CCTV installation Location,
Bundang : Central Control Center
Dongtan : Nuclear I&C System Control Room
2) However, if the data retention period is stipulated in some other relevant law, the retention period specified in that law shall be applied.
(2) Information Processing Method
A log shall be kept and managed on any requests for using the personal visual data for purposes other than the intended purpose or requests to transfer the information to a third party or destroy/ view the information, and once the data retention period has expired, the information shall be permanently deleted, using a data wiping method that ensures that the deleted data cannot be retrieved (in case of hard copies, shall be shredded or incinerated). In case of visual data that are exceptions and stipulated by law to be kept and not destroyed, such information shall be stored and managed separately from that of other visual data.
04. Information Management Administrators & Data Access Authorizers
Personal visual data management administrators and data access authorizers are designated as follows to safeguard the visual data of the data subjects and to effectively handle the complaints concerning personal visual data.
Installation Location Classification Name Position Organization Contact Number
Changwon Headquarters Administrator Kiseung Kim General Manager General Administration Team +82-55-278-7240
Administrator Kyungchul Shin General Manager Facility Operating Team +82-55-278-7315
Access Authorizer Hyeonjong Hong General Manager General Administration Team +82-55-278-7170
Access Authorizer Sangrok Lee General Manager General Administration Team +82-55-278-7172
Access Authorizer Hyunjoong Kim General Administration Team +82-55-278-7173
Access Authorizer Taehyeon Kwon Senior Manager General Administration Team +82-55-278-7239
Bundang Doosan Tower Administrator Dongsu Yoon General Managerss Doosan Cuvex IBS FM +82-31-5179-3961
Access Authorizer Jonghyuck Yoon Manager Doosan Cuvex IBS FM +82-31-5179-3971
Dongtan Nuclear I&C Administrator Sangpil Yoon General Manager Nuclear I&C Manufacturing/ Test Team +82-31-270-7088
Access Authorizer Byeonggyu Seo Manager Nuclear I&C Manufacturing/ Test Team +82-31-270-7653
05. Outsourced Installation & Management of Visual data processing device
The Company outsources the installation and management of the IIPE as follows and complies with the relevant laws by specifying the requirements needed to ensure the safe management of personal information when engaging in such outsourcing contracts.
Contractor Person-in-Charge Contact Number
CAPSTEC Kunoh Hong, Security Manager (Changwon HQ) +82-55-278-8911
Doosan Cuvex Dongkon Lee (Changwon HQ) +82-55-279-2117
Dongsu Yoon (Bundang Doosan Tower) +82-31-5179-3961
Jonghyuck Yoon (Bundang Doosan Tower) +82-31-5179-3971
Jaedu Cho (Dongtan Nuclear I&C) +82-31-270-7190
06. Method & Place for Viewing Personal Visual data
  • Method of Information Confirmation: Can view the information after contacting the data access authorizer at the relevant site prior to one’s arrival at the site
  • Place of Information Confirmation: Restricted Security Area at each business site
  • Required Documentation for Viewing Personal Visual data
Classification Required Documentation
Individual Oneself Certificate of Personal Identification (Resident Registration Card, Driver’s License, Passport)
Request Form for Viewing Personal Visual data3)
Legitimate Representative 1 copy each of the personal identification of the person concerned and the legitimate representative, authorization letter, certificate of personal seal
Request Form for Viewing Personal Visual data, etc.3)
Public Institute
(Court of Law, Investigative Agency)		 1 copy of public official’s ID (front & back side of ID card), warrant or court order,
1 copy of official cooperation request from investigative agency (signature/seal of agency head required)
3) Request Form Template for Viewing Personal Visual data, etc.
07. Handling of Data Subject’s Requests for Viewing Personal Visual data
If one wishes to view, confirm the existence of or delete one’s personal visual data, the request can be made at any time to the IIPE operator. However, the personal visual data allowed for viewing shall be limited to the personal images taken of the data subject or personal visual data deemed as being clearly and urgently needed for the sake of the data subject’s livelihood or physical or pecuniary interests.
Despite a request being filed by the data subject for viewing his/her personal visual data, the request may be denied in the case of the following exceptions. In the case of such events, the administrator shall notify the data subject of the reason for the rejection, such as by written notice, within 10 days from the date of rejection.
  • Owing to expiration of the data retention period, the personal visual data was destroyed.
  • The act of viewing the personal visual data poses a high risk of invading upon someone’s privacy or legitimate interests.
  • Some other just cause exists for denying the information viewing request.
08. Visual data Safeguard Measures
The Company shall take the necessary safeguard measures to ensure the safety of the personal visual data, such as performing data encryptions. Furthermore, as part of the measures taken to effectively manage the personal visual data, the Company shall grant differing levels of authority for accessing the personal information, and keep a log of relevant details, such as the date and time of data generation, purpose of data viewing, the data viewer and data viewing time, for the sake of preventing any forgeries or modifications of the information. In addition, the personal visual data shall be separately stored in a restricted area with a lock installed to ensure the safe physical storage of the information.
09. Amendments to Visual data processing device Operation & Management Policy
The Visual data processing device Operation & Management Policy was enacted on 1 November 2022, and in the event of any additions, deletions or modifications to the policy due to changes in the relevant laws, policies or security technologies, the reason for the amendment and a description shall be posted on the company website before the amendment is adopted.

Date of Public Notification : November 4, 2022
Date of Enforcement : November 4, 2022

01. Grounds and Purpose of Image Information Processing Equipment Installation
The Image Information Processing Equipment Operation & Management Policy (“the Policy”) sets forth the rules for Doosan Enerbility to comply with concerning the installation and operation of the image information processing equipment (IIPE), and personal image information protection requirement under Article 25 of the Personal Information Protection Act. The Policy aims to promote the adequate performance of work and to contribute to the protection of the rights and interests of the persons providing personal information.
02. Protection Principles of Personal Image Information
Doosan Enerbility will collect personal image information within the narrow scope in line with the purpose of installing the IIPE and will insure that persons providing personal information will be able to clearly recognize the installation purpose, and will not use the information for any purpose other than the aforementioned purpose. Doosan Enerbility will safely mange the personal image information, disclose the matters related to the processing of such information, and guarantee the rights of those persons on their personal image information.
03. Appointment of an Administrator
Doosan Enerbility manages the installation and operation of the personal IIPE through each business division, and the following information are disclosed on websites separately operated by each business division:
  • Person in charge: Jung Hwan-yeob.(Phone: +82-55-278-7300, e-mail address : web.master@doosan.com)
  • Department responsible: Emergency Planning Team
  • Person in charge: Kim Jae-sam (phone: +82-55-278-7170, e-mail address : web.master@doosan.com)
  • Number, locations, or capturing scope of image information processing appliances
  • Capturing hours, data retention period, and place of image information processing appliances
  • Matters concerning the outsourcing of installation and maintenance functions of image information processing appliances
04. Information Sign Posting
Doosan Enerbility will take a necessary action such as posting an information sign containing the following so that the persons providing their own person information can easily notice the installation and operation of the IIPE:
  • The purpose, location, shooting scope and time, controller’s name, position, and contact number.
  • In the case the installation and control is outsourced, the outsourced person/company’s name and contact number.
The information sign shall be posted in a place where those who provide their own personal information can easily see it within the shooting scope. The size of the information sign shall be 40x30cm. However, the size is subject to change, according to the circumstances of the installation location.
05. Request of the Persons Providing Their Own Personal Information, Such As Requesting to View/Inspect Their Personal Information
A person providing their own personal information (“a person”) can request Doosan Enerbility to view/inspect and confirm the identification (”Viewing/Inspection”) regarding their own personal image information.
Request Form
Doosan Enerbility will take a necessary action upon receiving a request for veiwing/inspection. In doing so, Doosan Enerbility may check through a submitted ID including resident registration card or driver’s license to confirm whether the requesting person is the person concerned or a legitimate representative.
Doosan Enerbility may reject such a request in the following cases and in such cases, Doosan Enerbility will give notice, in writing, to the requesting person or the representative of the reason for rejection or the method for appealing within 10 days of receiving the request:
  • When the personal image information was destroyed because of the expiration of the retention period.
  • When other legitimate reasons exist to reject such a viewing/inspection request.
06. Image Information Control
When the personal image information is used for the purpose other the intended purpose of the collection or when it is transferred to a third party pursuant to your consent or according to the provisions of laws and regulations, the following will be recorded in the Personal Image Information Log:
  • Name of the personal image information file
  • Name of the user or person to whom the transfer was made
  • Purpose of use or transfer
  • In the event it exists, the legal grounds of use or transfer
  • If it exists, period when the use or transfer occurred
  • Type of use or transfer
When destroying personal image information, the following shall be recorded in the Personal Image Information Log:
  • Destroyed personal image information (items)
  • Date of destruction (destruction frequency, etc., when automatic deletion takes place preset destruction period)
  • Person in charge of personal image information destruction
07. Retention and Destruction
Doosan Enerbility will immediately destroy the collected personal image information upon the expiration of the retention period specified in the Policy. However, it will not do so if required by specific provisions in relevant laws and regulations. The methods of destroying personal image information are as follows:
  • The hardcopy recordings (photo, etc.) of personal image information will be shredded or incinerated.
  • Electronic file format information will be permanently deleted in the technical manner through which the deleted personal image information cannot be retrieved.
08. Administrative, Technical, and Physical Actions
The right to access personal image information collected and processed by the IIPE is limited to a minimum number of people, including the controller and the person in charge of the work.
The place where the personal image information transmitted by the IIPE is viewed/inspected and retrieved is designated as being a restricted area, and only the authorized people are allowed to access and view/inspect the information.
Doosan Enerbility immediately changes or withdraws the access rights of a person, whose access right changes, due to HR changes such as job transfer or retirement.

We take necessary safeguards to ensure the safety of personal image information, including setting a password in the event that we process personal image information or send and receive such a file so that it cannot be lost, stolen, leaked, modified, or damaged.
We regularly inspect the status of the operation of the IIPE to prevent the forgery or modification of personal image information.

Date of Public Notification: September 30, 2011
Date of Enforcement: September 30, 2011