Guide for the Operation and Management of Fixed Image Data Processing Devices

Samsung C&T Ltd. E&C group (hereinafter called “the Company”) informs you of the purpose and the way that the Company uses and manages the collected image data in the Company with Guide for the Operation and Management of Fixed Image Data Processing Devices.

The Guide for the Operation and Management of Fixed Image Data Processing Devices is applicable to the Company’s Seoul Office (B building, Global Engineering Center, 26, Sangil-ro 6-gil, Gangdong-gu, Seoul), and for employees in outside workplaces including sites, refer to the each places’ Guide for the Operation and Management of Fixed Image Data Processing Devices.

1. Installation Grounds and Purpose

Pursuant to the Item 1 of Article 25 of the Personal Information Protection Act, the Company installs and operates fixed image data processing devices with the purpose of matters mentioned below.
- Facility Safety and Prevention of fires
- Prevention of Crimes for customer’s safety

2. The Number and Locations of Cameras, and Scope of Image Data Recording

The person in charge responsible for protecting individual’s image data and handling concerns related to it are as follow.

The Number and Locations of Cameras, and Scope of Image Data Recording
Number of Cameras	locations of cameras, and scope of image data recording
41	Main entrance and lobby, emergency staircase, elevator hall and southern gate in the first floor

3. Management and Authorized Personnel

The person in charge responsible for protecting individual’s image data and handling concerns related to it are as follow.

Management and Authorized Personnel
Category	Name	Position	Department	Telephone
Processing Device Manager	SeungKyun Choi	Manager Associate	HR Team	02-2145-6115
Authorized Personnel to the data	Soonchang Nam Myoungsik Ihn	Team Leader Associate	S1 Corporation	02-2145-6115

4. Recording Time, Retention Period, Archive and Management Details

Recording Time, Retention Period, Archive and Management Details
Recording Time	Retention Period	Archive
24hrs	5 days from the recording date ※ However, the CCTV footage from main entrance and lobby, southern gate in the first floor will be stored for 30 days from the recording date.	Security Situation Room in the Company

- Management details: Activities including using private image data to non-promised purposes, providing to the third party, erasing and accessing the data will be recorded in a written form. When retention period expires, the record will be permanently erased in a non-reversible way. (In case of hard copy, it will be shredded)

5. Entrusting the Installation and Management

The Company entrusts the installation and management of Fixed Image Data Processing Devices and when a contract is made, according to the relevant Act, the Company makes the regulations so that the personal information can be managed in a safe manner.

Entrusting the Installation and Management
Entrusted Company	Person in Charge	Telephone
S1 Corporation	Soonchang Nam Myoungsik Ihn	02-2145-6115

6. The Way to Access Personal Image Data

- How to: Individuals can access their personal data by visiting the Company after making a contact with Image Data Processing Device Manager.
- Location: Security Situation Room in the Company

7. Requests by a Subject of the Data

Individuals reserve the right to request access to or confirmation or deleting the existence of image data processed by the Company. Types of image data for which individuals may submit the requests are limited to image data in which they are a subject of the data and image data that is unquestionably needed in the interest of the individual’s life, wellbeing, or estate.
Upon receiving the requests of access, or confirmation or deleting the existence of the image data, the Company must immediately offer its full cooperation.

8. Security Steps

The personal image data being used inside of the Company has been managed in a safe way including an encrypted form. Also, as a means of protecting personal image data, the Company grants different levels of access authorities to the personnel in charge. In order to prevent forgery and alteration of personal image data, the Company records and manages the recording date of image data and access purpose, accessing personnel and accessing date. In addition to this, the Company safely stores physical form of data at apparatuses established in a restricted areas within the Company.

9. Amendment

This Guide for the Operation and Management of Fixed Image Data Processing Devices was written on July 20, 2016 and when adding or deleting details, or making changes, due to the changes of Acts, Policies and development of security technologies, the Company shall notice the reasons for the changes and details through the Company’s website not less than 7 days.
- Announcement Date : June 21, 2024
- Enforcement Date : June 28, 2024
- Amendment Reason: Changing the name and terminology of the policy.

Samsung C&T Ltd. E&C group (hereinafter called “the Company”) informs you of the purpose and the way that the Company uses and manages the collected image data in the Company with Guide for the Operation and Management of Image Data Processing Devices.

The Guide for the Operation and Management of Image Data Processing Devices is applicable to the Company’s Seoul Office (B building, Global Engineering Center, 26, Sangil-ro 6-gil, Gangdong-gu, Seoul), and for employees in outside workplaces including sites, refer to the each places’ guide for the operation and management of image Data Processing Devices.

1. Installation Grounds and Purpose

Pursuant to the Item 1 of Article 25 of the Personal Information Protection Act, the Company installs and operates image data processing devices with the purpose of matters mentioned below.
- Facility Safety and Prevention of fires
- Prevention of Crimes for customer’s safety

2. The Number and Locations of Cameras, and Scope of Image Data Recording

The person in charge responsible for protecting individual’s image data and handling concerns related to it are as follow.

The Number and Locations of Cameras, and Scope of Image Data Recording
Number of Cameras	locations of cameras, and scope of image data recording
41	Main entrance and lobby, emergency staircase, elevator hall and southern gate in the first floor

3. Management and Authorized Personnel

The person in charge responsible for protecting individual’s image data and handling concerns related to it are as follow.

Management and Authorized Personnel
Category	Name	Position	Department	Telephone
Processing Device Manager	SeungKyun Choi	Manager Associate	HR Team	02-2145-6115
Authorized Personnel to the data	Soonchang Nam Myoungsik Ihn	Team Leader Associate	S1 Corporation	02-2145-6115

4. Recording Time, Retention Period, Archive and Management Details

Recording Time, Retention Period, Archive and Management Details
Recording Time	Retention Period	Archive
24hrs	5 days from the recording date ※ However, the CCTV footage from main entrance and lobby, southern gate in the first floor will be stored for 30 days from the recording date.	Security Situation Room in the Company

- Management details: Activities including using private image data to non-promised purposes, providing to the third party, erasing and accessing the data will be recorded in a written form. When retention period expires, the record will be permanently erased in a non-reversible way. (In case of hard copy, it will be shredded)

5. Entrusting the Installation and Management

The Company entrusts the installation and management of image data processing devices and when a contract is made, according to the relevant Act, the Company makes the regulations so that the personal information can be managed in a safe manner.

Entrusting the Installation and Management
Entrusted Company	Person in Charge	Telephone
S1 Corporation	Soonchang Nam Myoungsik Ihn	02-2145-6115

6. The Way to Access Image Data

- How to: Individuals can access their personal data by visiting the Company after making a contact with Image Data Processing Device Manager.
- Location: Security Situation Room in the Company

7. Requests by a Subject of the Data

Individuals reserve the right to request access to or confirmation or deleting the existence of image data processed by the Company. Types of image data for which individuals may submit the requests are limited to image data in which they are a subject of the data and image data that is unquestionably needed in the interest of the individual’s life, wellbeing, or estate.
Upon receiving the requests of access, or confirmation or deleting the existence of the image data, the Company must immediately offer its full cooperation.

8. Security Steps

The image data being used inside of the Company has been managed in a safe way including an encrypted form. Also, as a means of protecting personal image data, the Company grants different levels of access authorities to the personnel in charge. In order to prevent forgery and alteration of personal image data, the Company records and manages the recording date of image data and access purpose, accessing personnel and accessing date. In addition to this, the Company safely stores physical form of data at apparatuses established in a restricted areas within the Company.

9. Amendment

This Guide for the Operation and Management of Image Data Processing Devices was written on July 20, 2016 and when adding or deleting details, or making changes, due to the changes of Acts, Policies and development of security technologies, the Company shall notice the reasons for the changes and details through the Company’s website not less than 7 days.
- Announcement Date : April 15, 2022
- Enforcement Date : April 22, 2022
- Amendment Reason: CCTV operation status (Locations and Number of Cameras) and change of Image Data Processing Device Manager

Samsung C&T Ltd. E&C group (hereinafter called “the Company”) informs you of the purpose and the way that the Company uses and manages the collected image data in the Company with Guide for the Operation and Management of Image Data Processing Devices.

The Guide for the Operation and Management of Image Data Processing Devices is applicable to the Company’s Seoul Office (B building, Global Engineering Center, 26, Sangil-ro 6-gil, Gangdong-gu, Seoul), and for employees in outside workplaces including sites, refer to the each places’ guide for the operation and management of image Data Processing Devices.

1. Installation Grounds and Purpose

Pursuant to the Item 1 of Article 25 of the Personal Information Protection Act, the Company installs and operates image data processing devices with the purpose of matters mentioned below.
- Facility Safety and Prevention of fires
- Prevention of Crimes for customer’s safety

2. The Number and Locations of Cameras, and Scope of Image Data Recording

The person in charge responsible for protecting individual’s image data and handling concerns related to it are as follow.

The Number and Locations of Cameras, and Scope of Image Data Recording
Number of Cameras	locations of cameras, and scope of image data recording
39	Main entrance and lobby, emergency staircase, elevator hall and southern gate in the first floor

3. Management and Authorized Personnel

The person in charge responsible for protecting individual’s image data and handling concerns related to it are as follow.

Management and Authorized Personnel
Category	Name	Position	Department	Telephone
Processing Device Manager	Yongkyun Jeong Taehoon Lee	Manager Associate	HR Team	02-2145-6115
Authorized Personnel to the data	Soonchang Nam Myoungsik Ihn	Team Leader Associate	S1 Corporation	02-2145-6115

4. Recording Time, Retention Period, Archive and Management Details

Recording Time, Retention Period, Archive and Management Details
Recording Time	Retention Period	Archive
24hrs	5 days from the recording date ※ However, the CCTV footage from main entrance and lobby, southern gate in the first floor will be stored for 30 days from the recording date.	Security Situation Room in the Company

- Management details: Activities including using private image data to non-promised purposes, providing to the third party, erasing and accessing the data will be recorded in a written form. When retention period expires, the record will be permanently erased in a non-reversible way. (In case of hard copy, it will be shredded)

5. Entrusting the Installation and Management

The Company entrusts the installation and management of image data processing devices and when a contract is made, according to the relevant Act, the Company makes the regulations so that the personal information can be managed in a safe manner.

Entrusting the Installation and Management
Entrusted Company	Person in Charge	Telephone
S1 Corporation	Soonchang Nam Myoungsik Ihn	02-2145-6115

6. The Way to Access Image Data

- How to: Individuals can access their personal data by visiting the Company after making a contact with Image Data Processing Device Manager.
- Location: Security Situation Room in the Company

7. Requests by a Subject of the Data

Individuals reserve the right to request access to or confirmation or deleting the existence of image data processed by the Company. Types of image data for which individuals may submit the requests are limited to image data in which they are a subject of the data and image data that is unquestionably needed in the interest of the individual’s life, wellbeing, or estate.
Upon receiving the requests of access, or confirmation or deleting the existence of the image data, the Company must immediately offer its full cooperation.

8. Security Steps

The image data being used inside of the Company has been managed in a safe way including an encrypted form. Also, as a means of protecting personal image data, the Company grants different levels of access authorities to the personnel in charge. In order to prevent forgery and alteration of personal image data, the Company records and manages the recording date of image data and access purpose, accessing personnel and accessing date. In addition to this, the Company safely stores physical form of data at apparatuses established in a restricted areas within the Company.

9. Amendment

This Guide for the Operation and Management of Image Data Processing Devices was written on July 20, 2016 and when adding or deleting details, or making changes, due to the changes of Acts, Policies and development of security technologies, the Company shall notice the reasons for the changes and details through the Company’s website not less than 7 days.
- Announcement Date : November 28, 2018
- Enforcement Date : December 5, 2018
- Amendment Reason: CCTV operation status (Locations and Number of Cameras) and change of Image Data Processing Device Manager

Article 1 - Purpose

This Guide for the Operation and Management of Image Data Processing Devices (the “Guide” hereafter) serves to define the operation and management of image data processing devices installed at the owned and leased premises (the “Offices” hereafter) of Samsung C&T’s Engineering & Construction Group (the “Company” hereafter), pursuant to Article 25 of the Personal Information Protection Act (the “Act” hereafter) and Article 25 of said act’s enforcement decree.

Article 2 – Terminology

Image data processing devices are security cameras, CCTV components, recording units (such as DVRs and NVRs), and other devices installed at the Offices of the Company for the purposes of recording images of individuals and objects and transmitting those recorded images to a remote location via either a closed-wireless or a closed-cable transmission circuit.
Image data refers to images that were recorded and/or processed by image data processing devices and depict the likeness, behavior, or any other identifying personal quality or trait of an individual.
Processing refers to the collection of image data using image data processing devices and to the logging in, storage, referencing, rendering, editing, deletion, destruction, recovery, playback, printing, publication, or any other similar use of the collected image data.
Image data processing device manager refers to an appointed or commissioned individual overseeing the installation, operation, and management of image data processing devices.
Subject of the data refers to a natural person who is identifiable in the concerned image data and is therefore its main subject.

Article 3 – Scope

The guidelines herein, unless specified otherwise under the law, dictate the protection of image data recorded and processed by image data processing devices installed inside and outside the Offices and apply to the Company, parties authorized by the Company, and all individuals involved in the operation and management of image data processing devices and the handling of image data thereof.

Article 4 – Installation Objective and Operational Status

Image data processing devices are installed inside and outside the Offices for the safety of the facility and customers and the preventions of fires, accidents, and crimes in accordance with Items 1 and 2 of Article 1 of the Act. The operational status of image data processing devices in use by the Company is as follows:

Image Data Processing Devices in Use
Leased Office

Installation Objective and Operational Status
Category	CCTV Cameras
Category	Interior	Exterior
Seocho Office	260	14
Leased Office	148	13
Camera Locations	Main entrance, lobby, emergency staircase, inside and outside of elevators, and the parking lot (Seocho office)

Scope of Image Data Recording
Scope of image data recording includes areas inside and outside the Offices requiring the installation of image data processing devices for the safety of the facility and the customer and/or the prevention of fires and crimes.

Image Resolution
Images recorded by image data processing devices are stored at a resolution high enough to satisfy the concerned installation objective.

Article 5 – Management Responsibilities

Individuals responsible for the installation of image data processing devices and the handling of image data thereof are as follows:

Management Responsibilities
Category	Name	Affiliation	Department	Telephone
Image Data Processing Device Manager	Lee Gyeong-cheol	Samsung C&T Corporation	Human Resources Team	02-2145-3112
Image Data Processing Device Manager	Kim Jun-wu	Samsung C&T Corporation	Human Resources Team	02-2145-3112
Service Provider Personnel	Cho Sang-ho	S1 Corporation	Seoul TS Group (C&T Seocho)	02-2145-6115
Service Provider Personnel	Lee Yeong-seon	S1 Corporation	Seoul TS Group (Alpharium Tower)	02-2145-6115

Image data processing device managers perform the following tasks as per the privacy-protection requirements stipulated in Article 31-2 of the Act:

ㆍEstablishment and implementation of a plan for the protection of private image data;
ㆍPeriodic review and improvement of private image data handling and related practices;
ㆍProcessing of complaints concerning the handling of private image data and arrangement of compensation for damages;
ㆍDeployment of an internal regulatory system for the prevention of unauthorized disclosure, misuse, and abuse of private image data;
ㆍEstablishment and implementation of a plan for education and training concerning the protection of private image data;
ㆍManagement and supervision of private image data protection and destruction;
ㆍSupervision of the service provide to ensure the secure and proper handling of image data and training of the service provider on the prevention of image data loss, theft, leakage, alteration, and damage; and
ㆍOther tasks related to the protection of private image data.

Image data processing device managers may delegate tasks related to the installation and operation of image data processing devices to individuals or a third party and are responsible for ensuring the secure handling of image data by the designated individual and/or third party. The approved third party to which said tasks may be delegated is S1 and, specifically, its TS team leads whose territories include the Offices. In delegating tasks to this third-party service provider, the image data processing device manager must do so in writing by including each of the following information:

ㆍPurpose and scope of the delegation;
ㆍExplicit prohibition of further delegation of the tasks to other parties;
ㆍAccess restriction to the image data and other security-related steps;
ㆍA description of data-management inspections; and
ㆍA description of indemnification and other liabilities in the event of the service provider’s failure to fulfill its responsibilities.

Article 6 – Management & Operation Standards

As a rule, image data processing devices installed at the Offices are to record continuously for 24 hours a day at the highest possible settings.
Image data processing devices may not be operated at one’s discretion, be used in areas beyond the scope of image data recording, or be used with the “record audio” function turned on. Image data collected using image data processing devices may not be stored for longer than one month and must be destroyed without delay upon expiration. The devices are to be set up and run so that the image data is destroyed (deleted) automatically.
Storage of the recorded data is restricted to the situation room where the recording device is located. Should it be necessary to relocate the data for storage at a different location, however, the image data processing device operator must first be informed before proceeding with the relocation. The new storage site is to then be noted in the inspection journal and managed accordingly.
Data collected and transmitted by image data processing devices may only be monitored from designated locations and must be protected so that only the image data processing device manager and the designated personnel of the service provider may monitor it when needed. This designated location where monitoring of the image data is permitted is to be noted in the security-facility-inspection journal and managed accordingly.
Image data processing devices are to be inspected for normal functionality at least once a day. Results of these inspections are to be noted in the security-facility-inspection journal and managed accordingly.

Article 7 – Image Data Handling

The image data processing device operator is prohibited from using the image data for any other purpose than collection and from providing the image data to an unauthorized third party, except in any one of the following circumstances:

ㆍWith the consent of the subject of the data;
ㆍDoing so is permitted under the Act or another law;
ㆍIf doing so is unquestionably necessary in the interest of the subject of the data or a third party’s life, wellbeing, or estate and consent could not be gained in advance due to the subject of the data or their legal representative not being able to express their intent or being unreachable; or
ㆍThe data is provided for a statistics-compilation or academic purpose and in a format where individuals cannot be identified.

Individuals wishing to view image data in which they are a subject may do so by contacting the image data processing device manager of the Office in question in advance, filling out the image data confirmation request form that’s available at the information desk, and presenting the form to the image data processing device manager.
Should the image data be used for a purpose other than collection or provided to a third party, the image data processing device operator must make note of each of the following and manage the event accordingly:

ㆍName of the image data file;
ㆍName of the organization or individual who used or received the data;
ㆍThe purpose of the data’s use or provision;
ㆍLegal basis for the data’s use or provision (if one exists);
ㆍPermitted duration of the data’s use or provision (if defined); and
ㆍThe manner of the data’s use or provision.

When destroying image data, the image data processing device operator must make note of each of the following and manage the event accordingly:

ㆍName of the image data file to be destroyed;
ㆍTime and date of the image data’s destruction (destruction cycle if being deleted automatically and auto-delete verification schedule); and
ㆍName of the person responsible for the data’s destruction.

Article 8 – Requests by a Subject of the Data

Individuals reserve the right to request access to or confirmation of the existence of image data processed by the Company (the “Requests” hereafter). Types of image data for which individuals may submit the Requests are limited to image data in which they are a subject of the data and image data that is unquestionably needed in the interest of the individual’s life, wellbeing, or estate.
When making the Requests, the principal needs to present their identification (resident registration card, driver’s license, or passport) and the legal representative of the principal needs to present their identification and a letter of attorney. Both the principal and the legal representative of the principal must also fill out and submit the data confirmation request form, which is available at the security desk of the Offices.
Upon receiving the Requests, the Company must immediately inform the relevant image data processing device manager and offer its full cooperation.
However, the Company may refuse the Requests by informing the principal of its reason in writing within ten days in any one of the following circumstances:

ㆍCompliance with the Requests may severely impede a criminal investigation, an arraignment, or a trial;
ㆍThe concerned image data has exceeded its duration of storage and has already been destroyed; or
ㆍThere exists a sufficient cause to deny the Requests.

When processing the Requests, the image data processing device operator is to make note of each of the following and manage the concerned Requests accordingly. The image data processing device operator is to report to the image data processing device manager prior to taking any action in response to the Requests or, if unable to do so, report to the image data processing device manager immediately after taking action in response to the Requests.

ㆍName and contact information of the principal behind the Requests;
ㆍName and content of the concerned image data file;
ㆍThe purpose of the Requests; and
ㆍThe reason for denying the Requests (if applicable).

The image data processing device operator is required to perform, under the supervision and management of the image data processing device manager, each of the following to secure and protect the image data against loss, theft, leakage, alteration, and damage:

ㆍRestriction of access to the image data and limitation of access privileges;
ㆍImplementation of technologies for the safe storage and transmission of the image data;
ㆍImplementation of measures for the storage of processing records and the prevention of forgery and alteration of processing records; and
ㆍFacilitation of facilities and apparatuses for the secure storage of the image data in physical form.

Article 9 – Signs

The Offices at which image data processing devices have been installed are required to inform the individuals at the Offices of the presence and use of the devices by posting signs that contain the following information:

ㆍInstallation purpose and locations;
ㆍScope of image data recording and hours; and
ㆍName and contact information of the image data processing device operator.

If multiple image data processing devices have been installed at the Office, a sign explaining the entire facility or scene is under surveillance may be used. For image data processing devices installed outdoors, a separate sign needs to be used for each device.

Article 10 – Revisions

The Guide was established on 1 September 2011 and is subject to additions, subtractions, and revisions along with new changes in the law, in policy, and/or security technologies. Changes to the Guide are announced, along with the reasons behind them, via the Company’s website at least seven days prior to taking effect.

- Announcement Date: 20 June 2016
- Enforcement Date: 20 June 2016
- Revision Date: 2 September 2017
- Revision: Image Data Processing Devices in Use

Article 1 - Purpose

This Guide for the Operation and Management of Image Data Processing Devices (the “Guide” hereafter) serves to define the operation and management of image data processing devices installed at the owned and leased premises (the “Offices” hereafter) of Samsung C&T’s Engineering & Construction Group (the “Company” hereafter), pursuant to Article 25 of the Personal Information Protection Act (the “Act” hereafter) and Article 25 of said act’s enforcement decree.

Article 2 – Terminology

Image data processing devices are security cameras, CCTV components, recording units (such as DVRs and NVRs), and other devices installed at the Offices of the Company for the purposes of recording images of individuals and objects and transmitting those recorded images to a remote location via either a closed-wireless or a closed-cable transmission circuit.
Image data refers to images that were recorded and/or processed by image data processing devices and depict the likeness, behavior, or any other identifying personal quality or trait of an individual.
Processing refers to the collection of image data using image data processing devices and to the logging in, storage, referencing, rendering, editing, deletion, destruction, recovery, playback, printing, publication, or any other similar use of the collected image data.
Image data processing device manager refers to an appointed or commissioned individual overseeing the installation, operation, and management of image data processing devices.
Subject of the data refers to a natural person who is identifiable in the concerned image data and is therefore its main subject.

Article 3 – Scope

The guidelines herein, unless specified otherwise under the law, dictate the protection of image data recorded and processed by image data processing devices installed inside and outside the Offices and apply to the Company, parties authorized by the Company, and all individuals involved in the operation and management of image data processing devices and the handling of image data thereof.

Article 4 – Installation Objective and Operational Status

Image data processing devices are installed inside and outside the Offices for the safety of the facility and customers and the preventions of fires, accidents, and crimes in accordance with Items 1 and 2 of Article 1 of the Act. The operational status of image data processing devices in use by the Company is as follows:

Image Data Processing Devices in Use
Leased Office

Image Data Processing Devices in Use
Category	CCTV Cameras
Category	Interior	Exterior
Seocho Office	260	14
Leased Office	148	13
Camera Locations	Main entrance, lobby, emergency staircase, inside and outside of elevators, and the parking lot (Seocho office)

Scope of Image Data Recording
Scope of image data recording includes areas inside and outside the Offices requiring the installation of image data processing devices for the safety of the facility and the customer and/or the prevention of fires and crimes.

Image Resolution
Images recorded by image data processing devices are stored at a resolution high enough to satisfy the concerned installation objective.

Article 5 – Management Responsibilities

Individuals responsible for the installation of image data processing devices and the handling of image data thereof are as follows:

Management Responsibilities
Category	Name	Affiliation	Department	Telephone
Image Data Processing Device Manager	Lee Gyeong-cheol	Samsung C&T Corporation	Human Resources Team	02-2145-3112
Image Data Processing Device Manager	Kim Jun-wu	Samsung C&T Corporation	Human Resources Team	02-2145-3112
Service Provider Personnel	Cho Sang-ho	S1 Corporation	Seoul TS Group (C&T Seocho)	02-2145-6115
Service Provider Personnel	Lee Yeong-seon	S1 Corporation	Seoul TS Group (Alpharium Tower)	02-2145-6115

Image data processing device managers perform the following tasks as per the privacy-protection requirements stipulated in Article 31-2 of the Act:

ㆍEstablishment and implementation of a plan for the protection of private image data;
ㆍPeriodic review and improvement of private image data handling and related practices;
ㆍProcessing of complaints concerning the handling of private image data and arrangement of compensation for damages;
ㆍDeployment of an internal regulatory system for the prevention of unauthorized disclosure, misuse, and abuse of private image data;
ㆍEstablishment and implementation of a plan for education and training concerning the protection of private image data;
ㆍManagement and supervision of private image data protection and destruction;
ㆍSupervision of the service provide to ensure the secure and proper handling of image data and training of the service provider on the prevention of image data loss, theft, leakage, alteration, and damage; and
ㆍOther tasks related to the protection of private image data.

Image data processing device managers may delegate tasks related to the installation and operation of image data processing devices to individuals or a third party and are responsible for ensuring the secure handling of image data by the designated individual and/or third party. The approved third party to which said tasks may be delegated is S1 and, specifically, its TS team leads whose territories include the Offices. In delegating tasks to this third-party service provider, the image data processing device manager must do so in writing by including each of the following information:

ㆍPurpose and scope of the delegation;
ㆍExplicit prohibition of further delegation of the tasks to other parties;
ㆍAccess restriction to the image data and other security-related steps;
ㆍA description of data-management inspections; and
ㆍA description of indemnification and other liabilities in the event of the service provider’s failure to fulfill its responsibilities.

Article 6 – Management & Operation Standards

As a rule, image data processing devices installed at the Offices are to record continuously for 24 hours a day at the highest possible settings.
Image data processing devices may not be operated at one’s discretion, be used in areas beyond the scope of image data recording, or be used with the “record audio” function turned on. Image data collected using image data processing devices may not be stored for longer than one month and must be destroyed without delay upon expiration. The devices are to be set up and run so that the image data is destroyed (deleted) automatically.
Storage of the recorded data is restricted to the situation room where the recording device is located. Should it be necessary to relocate the data for storage at a different location, however, the image data processing device operator must first be informed before proceeding with the relocation. The new storage site is to then be noted in the inspection journal and managed accordingly.
Data collected and transmitted by image data processing devices may only be monitored from designated locations and must be protected so that only the image data processing device manager and the designated personnel of the service provider may monitor it when needed. This designated location where monitoring of the image data is permitted is to be noted in the security-facility-inspection journal and managed accordingly.
Image data processing devices are to be inspected for normal functionality at least once a day. Results of these inspections are to be noted in the security-facility-inspection journal and managed accordingly.

Article 7 – Image Data Handling

The image data processing device operator is prohibited from using the image data for any other purpose than collection and from providing the image data to an unauthorized third party, except in any one of the following circumstances:

ㆍWith the consent of the subject of the data;
ㆍDoing so is permitted under the Act or another law;
ㆍIf doing so is unquestionably necessary in the interest of the subject of the data or a third party’s life, wellbeing, or estate and consent could not be gained in advance due to the subject of the data or their legal representative not being able to express their intent or being unreachable; or
ㆍThe data is provided for a statistics-compilation or academic purpose and in a format where individuals cannot be identified.

Individuals wishing to view image data in which they are a subject may do so by contacting the image data processing device manager of the Office in question in advance, filling out the image data confirmation request form that’s available at the information desk, and presenting the form to the image data processing device manager.
Should the image data be used for a purpose other than collection or provided to a third party, the image data processing device operator must make note of each of the following and manage the event accordingly:

ㆍName of the image data file;
ㆍName of the organization or individual who used or received the data;
ㆍThe purpose of the data’s use or provision;
ㆍLegal basis for the data’s use or provision (if one exists);
ㆍPermitted duration of the data’s use or provision (if defined); and
ㆍThe manner of the data’s use or provision.

When destroying image data, the image data processing device operator must make note of each of the following and manage the event accordingly:

ㆍName of the image data file to be destroyed;
ㆍTime and date of the image data’s destruction (destruction cycle if being deleted automatically and auto-delete verification schedule); and
ㆍName of the person responsible for the data’s destruction.

Article 8 – Requests by a Subject of the Data

Individuals reserve the right to request access to or confirmation of the existence of image data processed by the Company (the “Requests” hereafter). Types of image data for which individuals may submit the Requests are limited to image data in which they are a subject of the data and image data that is unquestionably needed in the interest of the individual’s life, wellbeing, or estate.
When making the Requests, the principal needs to present their identification (resident registration card, driver’s license, or passport) and the legal representative of the principal needs to present their identification and a letter of attorney. Both the principal and the legal representative of the principal must also fill out and submit the data confirmation request form, which is available at the security desk of the Offices.
Upon receiving the Requests, the Company must immediately inform the relevant image data processing device manager and offer its full cooperation.
However, the Company may refuse the Requests by informing the principal of its reason in writing within ten days in any one of the following circumstances:

ㆍCompliance with the Requests may severely impede a criminal investigation, an arraignment, or a trial;
ㆍThe concerned image data has exceeded its duration of storage and has already been destroyed; or
ㆍThere exists a sufficient cause to deny the Requests.

When processing the Requests, the image data processing device operator is to make note of each of the following and manage the concerned Requests accordingly. The image data processing device operator is to report to the image data processing device manager prior to taking any action in response to the Requests or, if unable to do so, report to the image data processing device manager immediately after taking action in response to the Requests.

ㆍName and contact information of the principal behind the Requests;
ㆍName and content of the concerned image data file;
ㆍThe purpose of the Requests; and
ㆍThe reason for denying the Requests (if applicable).

The image data processing device operator is required to perform, under the supervision and management of the image data processing device manager, each of the following to secure and protect the image data against loss, theft, leakage, alteration, and damage:

ㆍRestriction of access to the image data and limitation of access privileges;
ㆍImplementation of technologies for the safe storage and transmission of the image data;
ㆍImplementation of measures for the storage of processing records and the prevention of forgery and alteration of processing records; and
ㆍFacilitation of facilities and apparatuses for the secure storage of the image data in physical form.

Article 9 – Signs

The Offices at which image data processing devices have been installed are required to inform the individuals at the Offices of the presence and use of the devices by posting signs that contain the following information:

ㆍInstallation purpose and locations;
ㆍScope of image data recording and hours; and
ㆍName and contact information of the image data processing device operator.

If multiple image data processing devices have been installed at the Office, a sign explaining the entire facility or scene is under surveillance may be used. For image data processing devices installed outdoors, a separate sign needs to be used for each device.

Article 10 – Revisions

The Guide was established on 1 September 2011 and is subject to additions, subtractions, and revisions along with new changes in the law, in policy, and/or security technologies. Changes to the Guide are announced, along with the reasons behind them, via the Company’s website at least seven days prior to taking effect.

- Announcement Date: 20 June 2016
- Enforcement Date: 20 June 2016
- Revision Date: 2 September 2017
- Revision: Image Data Processing Devices in Use