Supplemental Website Data Privacy Notice for Korean Data Subjects

Effective January 2, 2024

Cook Medical Korea (hereinafter referred to as “Company”) establishes and discloses the following personal information privacy notice in order to protect the personal information of information subjects and to promptly and smoothly handle complaints related thereto in accordance with Article 30 of the Personal Information Protection Act.

Cook Medical, the company’s headquarters, has established and operates a separate personal information statement as an internal policy, and if there is a conflict between this notice and the personal information statement, the company will use and retain personal information in accordance with stricter procedures.

Article 1 (Personal information items collected)

The company processes the following personal information items. Resident registration numbers are processed only when processing of resident registration numbers is specifically requested or permitted by the Withholding Tax Withholding Act, Presidential Decree, National Assembly Notifications, Supreme Court Notifications, Constitutional Court Notifications, National Election Commission Notifications, and Board of Audit and Inspection Notifications.

  1. Health care professional’s name, address, affiliated medical institution and address, major and position, phone number, bank account number.
  2. The name, address, phone number, business name, mobile phone number, e-mail address, business registration number, account number, etc. of the contract counterparty (if a corporation, the representative of the corporation), such as a supplier in a business relationship with the company, and financial institutions. Account information (if the contracting party is a corporation, including the names, phone numbers, e-mail addresses, and workplace addresses of affiliated executives and employees)
  3. The applicant’s name, photo, gender, date of birth, home phone number, mobile phone number, e-mail address, education, work experience, qualifications and licenses, and other information listed in documents such as resumes, self-introductions, and transcripts submitted to the company.
  4. Inquiries about the company’s products, customer’s gender, age, contact information, health information, etc.

Article 2 (Purpose of collection and use of personal information)

The company processes personal information for the following purposes. Personal information being processed will not be used for purposes other than the following, and if the purpose of use changes, necessary measures will be taken, such as obtaining separate consent.

  1. The company’s medical research and promotional activities: Education, training, and medical information acquisition and delivery activities for healthcare professionals, provision of information on company-hosted events such as product-related information and product presentations, and requests for services such as lectures and consultations. Prior review including identity verification, conclusion and implementation of related contracts, income tax withholding, other product-related marketing activities, etc.
  2. Provision of services and information: Performance of contracts and contracts according to service provision, sending of invoices, payment settlement, delivery of goods, and provision of product-related services and information, etc.
  3. Job applicant management: Administrative processing of job applications, job recruitment, and responses to recruitment-related inquiries, recruitment of job applicants, operation of various employment-related tasks, provision of employee welfare benefits, etc.
  4. Fulfillment of the company’s legal and administrative obligations: reporting side effects and adverse reactions, issuing tax invoices, reporting various taxes, handling complaints and managing safety information, responding to product-related inquiries, verifying the identity of the complainant, confirming complaints, and investigating facts. Contact, notification, notification of processing results, reporting, evaluation and management of product safety information and quality complaints, etc.

Article 3 (Processing and retention period of personal information)

The company destroys the personal information without delay when the purpose of collecting and using personal information is achieved or the retention and use period with the consent of the information subject has ended. However, if there is a need to preserve the information in accordance with the provisions of relevant laws and regulations, the company retains the personal information for the period specified in the relevant laws and regulations as follows.

  • All transaction books and evidentiary documents: 5 years (Article 85-3 of the Framework Act on National Taxes and Article 112 of the Corporate Tax Act)
  • Important documents related to the company’s business: 10 years (Article 33 of the Commercial Act)

Article 4 (Provision of personal information to third parties)

  1. The company processes the personal information of the information subject only within the scope specified in Article 1 (Purpose of processing personal information), and personal information is provided to third parties only in cases that fall under Article 17 of the Personal Information Protection Act, such as the consent of the information subject or special provisions of the law.
  2. The company provides personal information to third parties as follows.
(Contact Information)
Country of origin Recipient’s purpose of using personal information Items of personal information provided Retention and use period of personal information of the recipient Contact of Data
Protection Officer
The company’s headquarters and affiliates [Affiliates can be checked at] US and some other affiliates in Australia, Ireland and Hong Kong Special Administrative Region, etc.) Decision on whether to make a contract, performance of the contract including payment of service fees such as consultation fees, confirmation of legal conclusion and performance of the contract, analysis of information related to the contract such as lectures and consultations, audit to confirm compliance with company regulations and laws of each country. (Including internal investigation or response to various disputes, monitoring), etc. All collected personal information (excluding resident registration number) Until the purpose of use of the recipient is achieved
Ministry of Health and Welfare (129) Republic of Korea Submission of transparency reports on details of provision of economic benefits, etc. in accordance with medical device act and its enforcement Name, affiliation Until the retention period according to the regulations of the Ministry of Health and Welfare 김혜진044-202-2194
Korea Medical Devices Industry Association (02-596-7404) Republic of Korea Inspection of compliance with reporting obligations in accordance with the Korea Medical Device Industry Association Fair Competition Code and compliance with the lecture/consulting fee upper limit standard in the KMDIA Code Name, affiliation, payment amount, date and place, purpose and subject Until 5 years from January 1 of the year following the year in which the lecture or consultation date 김명정 070-7725-8706
Health and medical authorities in the countries where the company’s headquarters and affiliates are located, including the Ministry of Food and Drug Safety and the U.S. FDA US, etc. Reporting of adverse reactions according to relevant laws and regulations Name, gender, date of birth, age (at the time of occurrence), patient’s past medical history and complications, information on adverse events, etc. Until the retention period according to the regulations of the Ministry of Food and Drug Safety

Article 5 (Entrustment of personal information processing)

  1. In order to smoothly process personal information, the company entrusts personal information processing tasks as follows.
  2. If the contents of the outsourced work or the outsourcer changes, we will disclose it through this personal information processing notice without delay.
Outsourced/Data Recipient
(if overseas, enter the name of the country)
Contents of outsourced work
The company’s headquarters and affiliates (including the headquarters in the US and some other affiliates in Australia, Ireland and Hong Kong Special Administrative Region, etc.) [Affiliates can be checked at] System operation management and maintenance for company internal planning and cost execution (US) Operation and management of customer database and training and education related systems
Qualtrics (US) Collection and storage of the survey results
Trackwise (US) Handling of adverse cases and customer complaints
Concur (US) Management of financial transactions including expense processing
Navision (US) Ordering/sales processing
Trico Report withholding tax amount
CSTech Management and delivery of goods such as medical devices for booth exhibition

Article 6 (Rights, obligations and exercise methods of information subjects)

  1. The information subject may exercise the following rights related to personal information protection against the company at any time.
    • Request to view personal information
    • Request for correction if there is an error, etc.
    • Request for deletion
    • Request to suspend processing
  2. You may request the Company to exercise your rights pursuant to Paragraph 1, and the Company will take action without delay.
  3. If the information subject requests correction or deletion of errors in personal information, the company will not use or provide the personal information until correction or deletion is completed.
  4. The exercise of rights under paragraph 1 may be done through an agent, such as the information subject’s legal representative or a person authorized to do so. In this case, you must submit a power of attorney in the form No. 11 of the Personal Information Protection Act Enforcement Rule.
  5. The information subject must not violate the personal information and privacy of the information subject or others processed by the company in violation of relevant laws such as the Personal Information Protection Act.

Article 7 (Destruction of personal information)

In principle, the company destroys the information without delay after the purpose of collecting and using personal information has been achieved.

  1. Destruction procedure
    • After the purpose is achieved, the customer’s personal information is transferred to a separate database (in the case of paper, a separate filing cabinet) and stored for a certain period of time and then destroyed in accordance with the company’s internal policy and other relevant laws and regulations for information protection.
    • Personal information transferred to a separate DB will not be used for any other purpose unless required by law, etc.
  2. Destruction method
    The company takes measures to prevent recovery or reproduction as follows.

    • Personal information stored in electronic file format is deleted using technical methods that render the records unrecoverable.
    • Personal information printed on paper is destroyed by shredding or incineration.

Article 8 (Measures to ensure the safety of personal information)

The company is taking the following measures to ensure the safety of personal information.

  1. Management measures: regular employee training, etc.
  2. Technical measures: Management of access rights to personal information processing systems, installation of access control systems, encryption of unique identification information, installation of security programs, etc.
  3. Physical measures: Access control to server rooms, data storage rooms, etc.

Article 9 (Matters related to installation, operation and rejection of automatic personal information collection devices)

  1. The company uses ‘cookies’ to retain use information and retrieve it from time to time in order to provide individualized services to users.
  2. Cookies are a small amount of information that the server (http) used to run the website sends to the user’s computer browser and are sometimes stored on the hard disk of the user’s PC computer.
    • Purpose of use of cookies: They are used to provide optimized information to users by identifying visitation and use patterns, popular search terms, secure access, etc. for each service and website visited by the user.
    • Installation, operation, and refusal of cookies: You can refuse to store cookies through option settings in the Tools>Internet Options>Personal Information menu at the top of your web browser.
    • If you refuse to store cookies, you may have difficulty using customized services.

Article 10 (Personal Information Protection Department)

In order to protect the personal information of information subjects and handle complaints related to personal information, the company designates a person in charge of personal information protection as shown below and has a department to handle related complaints. Information subjects can report all personal information protection-related complaints related to the company to the personal information department. The company will provide a prompt and sufficient response to the information subject’s report.

  • Personal information protection manager and grievance department
    Violet, Shan
    Data Privacy Manager and Data Protection Officer, APAC
    Phone: +86-21-5451-9599

Article 11 (Methods for relief from rights infringement)

In order to receive relief from personal information infringement, the information subject may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency’s Personal Information Infringement Reporting Center, etc. If you need to report or consult about other personal information infringements, please contact the following organizations:

  • Personal Information Infringement Reporting Center ( 118)
  • Personal Dispute Mediation Committee ( 1833-6972)
  • Information Protection Mark Certification Committee ( 02-580-0533~4)
  • Supreme Prosecutors’ Office Cyber Crime Investigation Team ( 1301)
  • National Police Agency Cyber Safety Bureau ( 182)

Article 12 (Change in personal information processing policy)

The company’s personal information processing policy may be changed in accordance with relevant laws, guidelines, and the company’s internal operating policy. If the company changes its personal information processing policy, the company will notify you of the change in accordance with relevant laws and regulations, such as the Personal Information Protection Act.