KOMIPO logo

Purpose of Processing Personal Information

① The company processes personal information for the following purposes. The personal information being processed is not used for any purpose other than those listed below. If the purpose of use is changed, the company will take necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

• Tour Service

  Personal information is processed to verify the identity of the data subject when applying for a tour (Power Plant, Energy World), contact and notify for fact-checking, and inform the results, etc.

• Handling complaints

  Personal information is processed to verify the identity of the data subject related to various complains, confirm the details of the complaint, contact and notify or fact-checking, and inform the results, etc.

• Visitor management

  Personal information is processed to verify the identity of the data subject who requested access to the headquarters and business sites, contact and notify for fact-checking, etc.

② The purposes of processing personal information files that are registered and disclosed by the company are as follows.

※ Other disclosures regarding the company’s registered personal information files can be found on the Personal Information Protection Commission’s Privacy Portal(www.privacy.go.kr)Go to Personal Services → Request for Access to Personal Information → Personal Information File Search, and search for “Korea Midland Power” to view details.

Processing and Retention Period of Personal Information

① The company processes and retains personal information within the period specified by relevant laws or within the period agreed upon by the data subject at the time of collecting personal information.

② The items of personal information processed by the company and their retention periods are as follows.

Provision of Personal Information to Third Parties

The company processes personal information within the scope specified for the purpose of collection and use, and does not process it beyond this scope or provide it to third parties without the data subject’s consent, except in the following cases:

• Where consent is obtained from a data subject;

• Where special provisions exist in other laws;

• Where it is deemed manifestly necessary for the protection of life, bodily or property interests of the data subject or third party from imminent danger where the data subject or his or her legal representative is not in a position to express intention, or prior consent cannot be obtained owing to unknown addresses, etc.;

• Where it is impossible to perform the duties under its jurisdiction as provided for in any Act, unless the personal information controller uses personal information for other purpose than the intended one, or provides it to a third party, and it is subject to the deliberation and resolution by the Commission;

• Where it is necessary to provide personal information to a foreign government or international organization to perform a treaty or other international convention;

• Where it is necessary for the investigation of a crime, indictment and prosecution;

• Where it is necessary for a court to proceed with trial-related duties;

• Where it is necessary for the enforcement of punishment, probation and custody;

• Where it is urgently necessary for the public safety and security, public health, etc.

Outsourcing of Personal Information Processing

① The company outsources personal information processing tasks as follows to ensure efficient business operations.

Rights, Obligations, and Methods of Exercise by Data Subjects and Legal Representatives

① Data subjects may exercise their rights regarding personal information, such as requesting access, correction, deletion, and suspension of processing, at any time against the company.

The company does not collect personal information from children under the age of 14 to protect their privacy.

② Rights can be exercised by submitting a Personal Information Request Form (Access, Correction/Deletion, or Suspension of Processing) via written document, email, or fax, etc. under Article 41(1) of the Enforcement Decree of the Personal Information Protection Act. The company will respond without delay.

③ Rights may also be exercised through a legal representative or an person delegated by the data subject, etc. In such cases, a power of attorney must be submitted in accordance with [Form No. 11] of the “Notification on the Processing of Personal Information.”

④ Rights of data subjects regarding requests for access to or suspension of processing personal information may be restricted pursuant to Articles 35(4) and 37(2) of the Personal Information Protection Act.

⑤ Requests for correction or deletion of personal information may not be accepted if the personal information in question is designated for collection under other laws.

⑥ When data subjects request access, correction, deletion, or suspension of processing according to their rights, the company shall verify whether the requester is the data subject or a legitimate representative.

⑦ These requests may also be submitted through the Personal Information Protection Commission’s Privacy Portal, (www.privacy.go.kr) under the “Personal Services → Request for Access to Personal Information → Personal Information File Search” menu.

⑧ The company provides guidance on the necessary procedures for data subjects to file an objection if they disagree with measures such as the refusal of their access request.

• Grounds for objection

  A. Company’s refusal to grant access in response to information disclosure request
  B. Company’s partial grant of access in response to information disclosure request
  C. When the company fails to notify its disclosure decision within 10 days from the date of information disclosure request

• Objection processing procedure

  A. Objection filing: Within “30 days” from the date the company notifies the data subject of its decision regarding access, or the date the decision of denial is considered to have been made
  B. Administrative appeal: Within “90 days” from the date the data subject becomes aware of the disposition (cannot be filed if 180 days have passed since the date of disposition)
  C. Administrative litigation: Within “90 days” from the date the data subject becomes aware of the disposition, etc. (cannot be filed if 1 year has passed since the date of disposition, etc.)

Destruction of Personal Information

① The company shall promptly destroy personal information once it is no longer necessary, such as upon expiration of the retention period or fulfillment of the processing purpose. However, this does not apply if retention is required under other laws and such information will be stored and managed separately from other personal information.

② The procedures and methods for destruction of personal information are as follows:

• Destruction procedure

  A. The company establishes a plan for destroying personal information (or personal information files) that must be discarded.
  B. When grounds for destruction arise, the company shall isolate the relevant personal information (or files) from other data, obtain approval from the Personal Information Protection Officer, and proceed with its destruction following an annual records appraisal review.

• Destruction method

  Personal information stored in electronic file format shall be destroyed by means that render recovery impossible, and personal information recorded and stored on paper shall be shredded or incinerated.

Measures to Ensure Safety of Personal Information

The company implements the following measures to ensure the security of personal information.

• Administrative measures: Establishment and implementation of internal management plans, regular employee training, etc.

• Technical Measures: Management of access rights to personal information processing systems, etc, installation of access control systems, encryption of unique identification information, etc., installation of security programs, etc.

• Physical Measures: Access control to server rooms, data storage rooms, etc.

• In addition to matters regulated under laws, the company conducts the following activities to enhance security of personal information.

  1. Domestic and international information security certifications: ISMS-P, ISO/IEC 27001

  2. Personal information protection activities: Personal information protection consulting, personal information protection campaigns

Matters Regarding Installation, Operation, and Refusal of Personal Information Automatic Collection Devices

① The company uses cookies, which store and retrieve user information, to provide personalized services for each data subject.

② Cookies are small pieces of data sent by a website's server to the user's browser, which are stored on the user’s hard drive.

• Purpose of cookies: Cookies are used to analyze users’ visits and usage patterns across various services and websites, popular search terms, secure access status, etc., thereby providing optimized information.

• Installation, operation, and refusal of cookies: Users can configure settings such as allowing and blocking cookies through web browser settings.

  - Edge: Settings at the top right of the web browser > Cookies and site permissions > Manage and remove cookies and other site data
  - Chrome: Settings at the top right of the web browser > Privacy and security > Cookies and other site data
  - Whale: Settings at the top right of the web browser > Privacy Protection > Cookies and other site data
  

• Refusing to store cookies may result in difficulties in using personalized services.

Personal Information Protection Officer and Manager

① The company designates a Personal Information Protection Officer who is responsible for overseeing all matters related to personal information processing and handling inquiries, complaints, remedy requests, etc. from data subjects.

② Data subjects may contact the Personal Information Protection Officer or the relevant department for any inquiries, complaints, damage relief, etc. related to personal information protection while using the company’s services (or business sites). The company will respond without delay.

Request to Access Personal Information

① Data subjects may request access to their personal information through the department below in accordance with Article 35 of the Personal Information Protection Act, and the company will promptly handle the request.

② Data subjects may request access to personal information via the Personal Information Protection Commission's “Privacy Portal (www.privacy.go.kr) in accordance with Article 35 of the Personal Information Protection Act.

  - Privacy Portal (www.privacy.go.kr) : Personal Services → Request for Access to Personal Information → Personal Information File Search

Remedies for Infringement of Rights

① Data subjects may seek dispute resolution or consultation, etc. in cases of personal information violations by contacting the Personal Information Dispute Mediation Committee, the KISA Privacy Breach Report Center, etc.

  - Personal Information Dispute Mediation Committee : 1833-6972 (www.kopico.go.kr)
  - Personal Information Dispute Mediation Request (https://www.privacy.go.kr/front/reqDis/reqDisStep1.do)
  - Privacy Breach Report Center : 118 (privacy.kisa.or.kr)
  - Supreme Prosecutors' Office : 1301 (www.spo.go.kr)
  - Korean National Police Agency : 112 (https://ecrm.police.go.kr)

② Data subjects who suffer an infringement of rights or interests due to a disposition or omission by the company in response to a request for access to, correction, deletion, or suspension of processing of personal data may file an administrative appeal in accordance with the Administrative Appeals Act. For more details regarding administrative appeals, please refer to the Central Administrative Appeals Commission(https://www.simpan.go.kr)

Evaluation of Personal Information Protection Level

① In accordance with Article 11(2) of the Personal Information Protection Act, the company undergoes the “Evaluation of Personal Information Protection Level” conducted by the Personal Information Protection Commission to safely manage personal information of data subjects.

② The company has received the " S "grade for six consecutive years (2018？2023) in Evaluation of Personal Information Protection Level (including the former Personal Information Management Level Diagnosis).

Installation and Operation of Fixed Image Data Processing Devices

The company installs and operates fixed image data processing devices in accordance with Article 25(1) of the Personal Information Protection Act as follows.

• Purpose of installation

  A. Crime prevention
  B. Facility safety and fire prevention

• Number of devices, installation locations, and recording scope

  Move from side to side

  Number of devices, installation locations, and recording scope

  This table consists of division, number of installations, installation location, and shooting range.

  Classification	Number of Devices	Installation Locations	Recording Scope
  Headquarters and business sites	232 devices	Facility entrances, elevators, parking lots, etc.	Interior and exterior of buildings and surrounding areas of entrance

• Management officer, responsible department, and authorized personnel for access to image information

  Move from side to side

  Management officer, responsible department, and authorized personnel for access to image information

  It is a table composed of classification, personal image information management manager, and personal image information access authority.

  Classification	Personal Image Data Management Officer	Personal Image Data Access Authorized Personnel
  Name	Yoon Mi-ra	Park Hong-jae
  Responsible Department	Digital Innovation Center	Digital Innovation Center Information Security Office
  Contact Information	070-7511-1600	070-7511-1640
  Email	privacy@komipo.co.kr

• Recording time, retention period, storage location, and processing method of Image Data

  Move from side to side

  Recording time, retention period, storage location, and processing method of Image Data

  This table consists of shooting time, storage period, storage location and processing method, and processing method.

  Recording Time	Retention Period	Storage Location	Processing Method
  24 hours	90 days	Restricted area, communication room	Use of personal image data for purposes other than originally intended, third-party provision, destruction, record of access requests, and destruction upon expiration of the retention period

• Method and location of image data verification

  A. Verification method : Contact the Personal Image Data Management Officer or the Personal Image Data Access Authorized Personnel in advance and visit
  B. Verification location : Headquarters - Digital Innovation Center Information Security Office, Digital Platform Department / Business site - Information Security Office (Team), Information Communication Department

• Measures for requests to access to personal image data, etc.

  Data subjects may request to access to personal image data or verify the existence of personal image data. Such requests are limited to personal image data in which the data subject appears or when the information is clearly necessary to protect the life, body, or property of the data subject. Upon receiving a request to access to personal image data, the company will take necessary measures without delay.

• Measures to ensure security of personal image data

  The company applies and manages measures to ensure security of personal image data, such as establishment of internal management plans, access control and restriction of access rights, secure storage and transmission, storage of processing records, prevention of forgery or tampering, designation of storage facilities, and installation of locking devices.

• Other matters necessary regarding installation, operation, and management of fixed image data processing devices

  When installing fixed image data processing devices, the company complies with matters related to collecting opinions in advance before installation, complying with restrictions on the collection of personal image data, protecting the image data of individuals other than the data subject, conducting inspections on installation and operation, and addressing changes to the operation and management policy.

Changes to Privacy Policy

This Privacy Policy shall be effective from June 23, 2025.

The revised Privacy Policy can be viewed in full and in comparison with the previous version at the following links: