The Dining Brands Group
Personal Information Processing Policy
The Dining Brands Group (hereinafter referred to as “the Company”) legally processes and securely manages personal information in compliance with those specified under 「Personal Information Protection Act」 and relevant laws in order to protect freedom and rights of information holders. As such, the Company informs information holders of procedures and criteria about personal information processing and protection under Article 30 of 「Personal Information Protection Act」 and establishes and discloses the Company’s personal information processing policy to promptly and smoothly process any relevant complaints or concerns.
1. Purpose of processing personal information
The Company processes personal information for following purposes. Personal information being processes will not be used for any purposes other than below, and in case the purpose of use changes, the Company will implement necessary measures such as obtaining separate consent from information holders in accordance with 「Personal Information Protection Act」.
①To confirm an intention to become a member, to identify and verify upon membership service provision, to manage and maintain member eligibility, to provide integrated membership service, to prevent misuse of services and unauthorized use of services, to verify age, to send various notifications and notices, to address complaints and customers counseling, to keep records for dispute resolution
②To provide information regarding signing up and inquiries about brands under The Dining Brands Group, receipt and processing of reports received through the Ethics Management Reporting System
③To develop and specialize new services (products), to deliver promotional information such as events, etc. to provide services and advertise following demographic characteristics, to identify site visit frequency or to conduct statistical analysis of members’ use of services, to conduct and manage service satisfaction survey
2. Items of personal information to be processed
①The Company will categorize minimum personal information needed for service provision as “mandatory items” and other personal information as “optional items” and prepare a procedure to allow members to provide separate consent to each item. Also, the Company does not refuse to provide services for reasons that the user does not provide personal information other than those minimally required.
| Category |
Type |
Items to be collected |
| Upon signing up for integrated membership of the Dining Brands Group |
Mandatory |
Name, date of birth, ID, password, mobile no. email address, connecting information (CI) |
| Optional |
Address |
| Inquiry about overseas business |
Mandatory |
Name, contact no., title, email address |
| Filing a report through the Ethics Management Reporting System |
Mandatory |
Name, mobile no. email address, details of report |
②Information as below may be automatically created and collection in the process of service provision.
- IP address, access log, country, cookies, service use record, records of misuse, device information (OS, model name, unique number such as UUID, etc., advertising identifier, language, mobile carrier information)
※
Additional information may be collected in the process of service use in which case the Company will request separate consent to personal information collection and use.
※
The Company does not collect personal information of a person who is younger than 14 years old.
3. Period of processing and retaining personal information
The Company, in principle, immediately destroys information once the collection and purpose of use of personal information is done. However, the Company will keep the information for the period as specified under relevant laws or an information holder gave a consent.
①In principle, user’s personal information is immediately destroyed once the purpose of collection or the purpose for which the information is provided is achieved. However, before destroying personal information, the Company retains it for 3 months after receiving a request for member withdrawal to prevent a case where a user withdraws due to unwanted cause such as appropriation of personal information, etc. and to prevent a case of misuse where a user repeatedly withdraws and signs up again.
②In case personal information should be kept for a certain period under the provisions of relevant laws, the Company securely keeps personal information for such period and delete it. In this case, the Company uses the information for purpose of keeping and the period of retention is as below.
| Retention items |
Period of retention |
Legal grounds |
| Record about execution or withdrawal of a contract |
5 years |
Article 6 of the Act on the Consumer Protection in Electronic Commerce, etc. and Article 6 of the Enforcement Decree of the Same act |
| Record about payment and provision of goods, etc. |
5 years |
Article 6 of the Act on the Consumer Protection in Electronic Commerce, etc. and Article 6 of the Enforcement Decree of the Same act |
| Record about processing consumer complaints or disputes |
3 years |
Article 6 of the Act on the Consumer Protection in Electronic Commerce, etc. and Article 6 of the Enforcement Decree of the Same act |
| Records about display and advertisement |
6 months |
Article 6 of the Act on the Consumer Protection in Electronic Commerce, etc. and Article 6 of the Enforcement Decree of the Same act |
| Record about website visit |
3 months |
Paragraph 2 of Article 15 of Protection of Communications Secrets Act and Article 41 of the Enforcement Decree of the Same Act |
4. Procedure and method of personal information destruction
The Company immediately destroys personal information if the retention period expires or it does not need personal information anymore because processing purpose is achieved, etc.
①Destruction procedure
Information that a user input to become a member will be destroyed after being stored for a certain period under this Personal Information Processing Policy and other relevant laws and regulations.
※ Details can be found under 3. Period of processing and retaining personal information.
②Method of destruction
The Company will destroy personal information recorded and stored in electronic file format in a way not able to be played and personal information recorded and stores in a paper document by shredding or burning it.
5. Third-party provision of personal information
The Company processes user’s personal information within the scope specified under the purpose of personal information processing and will not provide personal information to a third-party person except for cases that fall under Article 17 and Article 18 of 「Personal Information Protection Act」where a user has consented to it or there is a special regulation under the laws.
①The Company provides personal information to the extent minimally required after getting a user consent under subparagraph 1, paragraph 1, Article 17 of Personal Information Protection Act.
| Recipient party |
Purpose of provision |
Items to be provided |
Retention and use period |
| The applicable Dining Brands Group company as needed to investigate a report which was filed through the Ethics Management Reporting System Management Reporting System |
Facts checking and investigation, follow-up measure such as recognition and discipline, monitoring to protect a reporter, etc. |
Name, mobile No. email Address, details of report |
Until the purpose of processing personal information is achieved |
6. Outsourcing processing of personal information
The Company outsources processing of personal information as below to ensure smooth processing.
| Outsourcing vendor |
Outsourced work |
| CND Factory Co. Ltd |
Service operation, system management and operation, system maintenance, membership user management |
| Hao Communication |
Operation of services on homepage |
※
If the content of outsourced work or an outsourcing vendor is changed, the Company will disclose it immediately through this personal information processing policy.
When signing an outsourcing contract, the Company specifies in the contract document matters such as prohibition of processing personal information for purpose other than performing outsourced work, technological and administrative protection measure, restriction in re-outsourcing, management and supervision of outsourced party, responsibilities such as compensation for damages, etc. in accordance with Article 26 of 「Personal Information Protection Act」and oversees whether the outsourced party securely processes personal information.
7. Measures to keep personal information secured
The Company takes followings measures to ensure that personal information is secure.
①Administrative measure: establishment and implementation of internal control plan, operation of a dedicated team, regular employee training
②Technological measure: management of access to personal information processing system, etc. Installation of access control system, encryption of personal information, installation and renewal of security program
③Physical measure: The Company establishes and operates procedures about access control to physical storage place such as a server room which stores personal information
8. Matters related to installation, operation and rejection of device that automatically collects personal information
The Company stores use information to provide users with customized services and convenience and uses cookies that it frequently fetches. Cookies are a small amount of information which a server (http) that is used to operate a website sends to a user’s browser and is stored in a user’s PC or a mobile.
1) A user may allow or block cookies through a web browser settings page. However, if a user rejects to store cookies, he or she may have difficulties in using customized service.
①Allowing/blocking cookies on a web browser
-
Chrome: Web browser settings > Privacy and Security > Delete browsing data
-
Edge: Web browser settings > Cookies and site permissions > Manage and delete cookies and site data
②Allowing/blocking cookies on a mobile browser
-
Chrome: Web browser settings > Privacy and Security > Delete browsing data
-
Safari: Mobile device settings > Safari > Advanced > Block all cookies
-
Samsung internet: Mobile browser settings > Browsing data > Delete browsing data
9. Rights and obligations of users and legal representatives and method of exercise
①Users can exercise rights against the Company at any time such as requesting to access, revise, delete, suspend processing and withdraw personal information (hereinafter referred to as “exercise of rights”).
②Users can exercise rights against the Company using a written form, electronic mail, FAX, etc. in accordance with paragraph 1 of Article 41 of the Enforcement Decree of 「Personal Information Protection Act」to which the Company will respond immediately.
③If the personal information is specified as a subject of collection in other laws and regulations, the user cannot request to delete such personal information.
④The Company verifies whether the person who exercised rights is the information holder or a just representative.
10. Policy on Operation and Management of Fixed Visual Data Processing Devices
The Company hereby informs the purpose and method of using personal visual data information through this policy on operation and management of fixed visual data processing devices.
①
Reason and purpose behind the installation of fixed visual data processing devices
- The Company installs and operates fixed visual data processing devices for purposes of facility safety and management, and crime and fire prevention in accordance with paragraph 1 of Article 25 of 「Personal Information Protection Act」.
②
Number of installed devices, location of installation and scope of recording
| Installation location |
Number of installed devices |
Scope of recording |
| Headquarter |
21 |
Entrance and inside the office, etc. |
| Training hall |
9 |
Entrance and inside the office, etc. |
| R&D center |
19 |
Entrance and inside the office, etc. |
| Logistics center |
34 |
Entrance and inside the office, warehouse, etc. |
| Production factory |
28 |
Entrance and inside the office, factory, etc. |
| Direct management store |
9 |
Entrance and inside the store, etc. |
③
Person in charge of management and a person in charge of granting access
- To protect users’ personal data and to address complaints related to personal visual data, the Company has following persons in charge of management and granting access.
| Category |
Person in charge |
Contact information |
| Person in charge of management |
General affairs team leader |
02-6204-3406 |
| Person in charge of granting access |
Responsible person at general affairs team |
| Head of each place of installation and security guards |
④
Period of recording, storage, place of storage and processing method of personal visual data
| Location of installation |
Recording time |
Storage period |
Place of storage |
Headquarter, training hall,
R&D center, direct management stores |
24 hours |
10 days |
Inside the office |
| Logistics center, production factory |
24 hours |
30 days (depends on the capacity of recording) |
Inside the office |
-
Processing method: The Company records and manages cases of personal visual data use for purposes other than intended, provision to a third-party person, matters related to destruction, disclosure, etc. and automatically deletes permanently in a way that is not restorable if the storage period is over (to destroy or burn in case of printed materials). However, in case personal visual data are deleted through an automatic deletion function, this may not subject to preparation of personal visual data destruction management log which is limitedly applied to the headquarter, training hall, R&D center, and direct management stores.
⑤
Matters related to outsourcing of installation and management of fixed visual data processing devices
-
The Company outsources the installation and management of fixed visual data processing devices as below and specifies matters necessary to ensure that personal data is safely managed upon signing an outsourcing contract in accordance with the relevant laws.
| Outsourcing vendor |
Responsible person |
Contact no. |
| S1 Co. Ltd. |
Kang WonGu, principal |
1588-3112 |
⑥
Matters related to the method and place to check personal visual data
-
Check method: a person who wants to check his or her personal visual data can do so by contacting the person in charge of management in advance and visit the place of checking.
-
Place to check: Business office and stores where a requestor wants to check personal visual data
⑦
Measures regarding the user request to access personal visual data, etc.
-
A person who wants to access or check the existence of his or her personal visual data or delete personal visual data can request to the operator of fixed visual data processing devices at any time. However, this will only apply to the personal visual data that recorded the person himself or herself.
-
The Company, upon request for access or verification of existence and deletion of personal visual data, will take necessary measures immediately.
⑧
Measures to ensure security of personal visual data
-
Personal visual data processed by the Company is being securely management through encryption measure, etc. Also, the Company grants tiered access to personal information as a control measure to protect personal visual data and records the date and time of creation of personal visual data and the purpose, the person who accessed and the date and time of access to the personal visual data to prevent forgery and falsification of personal visual data. In addition, the Company installs lock devices to securely store personal visual data at a physical space.
⑨
Matters related to changes in the policy on the operation and management of fixed visual data processing devices
-
If there is any addition, deletion and amendment to the policy upon changes in laws, policy or security technology, the Company will announce the reason and details of change on its homepage at least 7 days before the enforcement.
-
Date of enforcement: February 18, 2025
11. Personal Information Protection Officer and Department responsible for personal information protection
The Company designates a personal information protection officer as below who would take general responsibility about personal information processing work and address complaints of information holders related to personal information processing and remedies for damage. Users can inquire personal information protection officer and the responsible department about matters related to personal information protection, complaints processing, remedies for damage, etc. that arose from using the Company’s services. The Company will respond to a user’s inquiry and process immediately.
-
Personal information protection officer: a head of compliance office
-
Department in charge of personal information protection: Personal Information Protection Part
-
Contact no: 02-6204-3406
-
Email: privacy@diningbrands.co.kr
Also, users can request for dispute resolution or consultation to Personal Information Dispute Mediation Committee, the privacy call center at Korea Internet Security Agency, etc. to get remedies for personal information infringement. For any other reporting and counseling related to personal information infringement, please contact below institutions.
-
Personal Information Dispute Mediation Committee: (no regional code) 1833-6972 (www.kopico.go.kr)
-
The privacy call center: (no regional code) 118 (privacy.kisa.or.kr)
-
Prosecution Service: (no regional code) 1301 (www.spo.go.kr)
-
Korea National Police Agency: (no regional code) 182 (ecrm.police.go.kr)
12. Changes in personal information processing policy
This personal information processing policy will be applied from February 18, 2025.
View previous version of Privacy Policy>
