Chapter 1. General Provisions
- Article 1 (Purpose)
- This internal management plan for personal information aims to set forth the specifics of the technological, managerial, and physical measures implemented by Samsung Fire & Marine Insurance Co., Ltd. (hereinafter referred to as the "Company") to protect the personal information of customers and employees against loss, theft, leakage, falsification, or corruption in accordance with the Personal Information Protection Act and the Act on Promotion of Information and Communication Network Utilization and Information Protection, etc.
- Article 2 (Scope of Application)
- ① This Plan applies to anyone who performs duty in a contractual relationship with the Company including but not limited to employees (both contract-based and outsourced positions), customers, and prospective customers.
- ② This Plan applies to the personal information of customers and employees that is collected, used, provided, or managed for the purpose of providing services, whether through information and communications networks or by other means.
- ③ Other matters not explicitly stated herein shall be determined by relevant laws, regulations, and bylaws of the Company.
- Article 3 (Definition of Terms)
- The terms used in this Plan shall be defined as follows.
- "Personal information" refers to information that pertains to a living person, such as the name and resident registration number by which the individual in question can be identified when the information is used alone or with other relevant data.
- "Subject of information" refers to a person who can be identified by the managed information and therefore is the subject of the given piece of information.
- "Personal information file" refers to an aggregate of personal information systematically arranged or organized according to specific rules in order for the personal information to be readily retrievable.
- "Management" refers to the act of collecting, creating, interworking, recording, saving, holding, processing, editing, searching, correcting, recovering, using, providing, disclosing, or destroying personal information and other acts similar thereto.
- "Personal information protection officer" refers to a general manager in charge of personal information protection affairs.
- "Personal information manager" refers to an employee, dispatched worker, or part-time worker who handles personal information under the direction and supervision of personal information protection officer.
- "Personal information management system" refers to a systemically organized system such as database to enable management of personal information.
- "Password" refers to a string of secret characters entered into a system to verify the identity of an individual who has a proper authority to access an office computer or corporate communications network.
- "Biological (bio) information" refers to bodily or behavioral data of an individual by which a person can be identified, such as fingerprints, face, iris, vein, voice, handwriting, and information generated from the data.
- "Access history" refers to electronic records of the work performed by personal information manager when accessing personal information management system, including the account of personal information manager, access time, access spot, subject of information, work performed, etc. “Access” herein means a state where the personal information manager is connected to a personal information management system which enables data transmission or reception.
- "Information and Communications Network" refers to information and communications system to collect, process, save, search, transmit, or receive information by using telecommunication facilities, telecommunication technologies, or computer technologies pursuant to Article 2 Paragraph 2 of the Telecommunications Basic Act.
- "Authentication information" refers to information used to verify the identity of an individual requested by personal information management system or information and communications network management system.
- "P2P(Peer to Peer)" refers to a computer network system to share files directly between network participants through information and communications network without the need for central coordination by servers. "Sharing settings" refers to an arrangement to allow other persons to browse, modify, or copy files of computer owners.
- "Mobile device" refers to portable computing devices for wireless communications such as mobile phone, tablet PC, etc.
- "Auxiliary storage memory" refers to a memory to store files, either connected with or separated from the personal information management system and personal computer, such as portable hard disk(HDD), USB memory, CD(Compact Disk), DVD(Digital Versatile Disk), etc.
- "CCTV" refers to a closed circuit television camera, which is placed in a specific space to record and transmit videos on people or objects for monitoring and surveillance.
- "Intranet" refers to a private network used by an organization, which blocks or controls external access by physical network separation or access control system.
- "Control terminal" refers to a terminal that directly accesses the personal information management system for management, operation, development, or security purposes.
Implementation of Internal Management Plan
- Article 4 (Development and approval of internal management plan)
- ① Information Security Department shall develop and implement the internal management plan for personal information with approval from CISO.
- ② Information Security Department shall acquire approval from CISO to revise the internal management plan.
- Article 5 (Proclamation of Internal Management Plan)
- The personal information protection officer proclaims the personal information internal management plan to make it available to employees by posting the plan on the company intranet.
- Article 6 (Designation of personal information protection officer)
- ① The Company shall designate a personal information protection officer in charge of personal information security work to prevent loss, theft, leakage, falsification, or corruption of the personal information of customers, employees, or other individual persons.
- ② The Company shall designate personal information protection officer in accordance with the Personal Information Protection Act and the Enforcement Ordinance of the Act.
- Article 7 (Duty and responsibility of personal information protection officer)
- Personal information protection officer shall perform his/her duty under the following items.
- Regular examination and improvement of personal (video) information processing status and practice
- Grievance resolution and damage redress associated with personal (video) information processing
- Establishment of internal control system to prevent leakage, misuse, and abuse of personal (video) information
- Development and implementation of education plan on personal (video) information protection
- Protection, management, and supervision of personal (video) information files
- Development, modification, and implementation of personal information management method
- Management of materials related to personal information protection
- Disposal of personal information, of which the management purpose has been achieved or the holding period has expired.
- Taking immediate action upon gaining knowledge of any breach of personal information and reporting to CEO if deemed necessary.
- Article 8 (duty and responsibility of personal information manager)
- ① Personal information manager refers to an individual who collects, saves, manages, uses, provides, handles, or disposes of personal information of customers within the company, and may include regular workers, temporary workers, or contract-based workers.
- ② Personal information manager shall fulfill the following roles and responsibilities to protect customers’ personal information.
- Participation in personal information protection activities
- Observance and implementation of internal management plan
- Compliance with technological, administrative, and physical standards to safeguard personal information
- Review on any illegal or illicit violation of personal information by an employee or a third party
- Implementation of other tasks required to protect personal information of customers
- Article 9 (management of access authority)
- ① The Company shall establish and operate a framework to control access to personal information management system.
- ② The Company shall review the need for system access by personal information managers and grant them a required minimum authority to access personal information management system to a varying extent in accordance with their responsibility.
- ③ The Company shall modify or remove personal information managers’ authority to access personal information management system without delay upon their retirement or transfer at work.
- ④ The Company shall keep the records of access authority to personal information management system including modification, removal, etc. for five years.
- ⑤ The Company shall issue a separate user account to each personal information manager when issuing user accounts for access to the personal information management system, and an account shall not be shared with other personal information managers.
- ⑥ The Company shall establish and apply password setting rules for personal information managers or subjects of information to use a safe password.
- ⑦ The Company shall establish and apply password-setting rules for personal information managers as set forth below.
- Set a password of at least 8 characters drawn from letters, numbers, or special characters.
- It is recommended not to use a password that is easy to guess, such as one containing personal information (birthday, phone number, etc.), a series of numbers, or a password similar to the user id.
- Change the password at least once every quarter by setting an expiration date.
- ⑧ The Company shall take necessary technical measures so that only authorized personal information managers can access the personal information management system, such as limiting access to the personal information management system after multiple failed attempts with a wrong password or incorrect account information.
- Article 9-2 (Access control)
- ① The Company shall take measures including the functions in the following items to prevent illegal access through information and communications network or infringement of personal information.
- Control unauthorized access to personal information management system by limiting access to internet protocol (IP) address, etc.
- Detect and respond to attempts to leak personal information by analyzing internet protocol (IP) address, etc. that has accessed personal information management system
- ② The Company shall apply a safe access method including virtual private network (VPN), leased line, etc. and a safe authorization method including public key certificate, etc. for personal information managers to access personal information management system through information and communications network outside the Company.
- ③ The Company shall take measures to control access to personal information management system, office computer, mobile devices, control terminal, etc. in order to prevent disclosure or leakage of personal information to unauthorized parties through internet web site, P2P, sharing settings, public wireless network, etc.
- ④ The Company shall check any vulnerability in the web site at least once a year and take necessary measures to prevent unique identification information from leakage, falsification, or corruption.
- ⑤ The Company shall shut down personal information management system automatically to prevent illegal access to personal information management system or infringement of personal information in case where personal information is left unattended by a personal information manager for a certain time period.
- Article 10 (Encryption of personal information)
- ① The Company shall encrypt personal information including resident registration number, passport number, driver's license number, alien registration number, password, credit card number, account number, biological data, etc. using safe encryption algorithms when receiving or transmitting such information through information and communications networks, transferring it using auxiliary memories, or saving it on office computers or mobile devices.
- ② The Company shall store passwords using one-way encryption so that they cannot be decrypted.
- ③ The Company shall encrypt unique identification information when storing it in the internet zone and in the Demilitarized Zone (DMZ) between the internet and intranet firewalls.
- ④ The Company shall encrypt users' personal information and authentication information by installing a safe security server for receiving or transmitting such information through information and communications networks, and the security server shall be equipped with any of the functions in the items set forth below.
- A function to install a Secure Sockets Layer (SSL) certificate on a web server to encrypt and transmit information
- A function to install an encryption application program on a web server to encrypt and transmit information
- A function to set up a VPN to encrypt and transmit information
- ⑤ The Company shall establish and enforce procedures on creation, use, retention, distribution, and disposal of a safe encryption key to store encoded personal information in a safe manner.
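The password rules in Article 9 ⑦, the failed-attempt lockout in Article 9 ⑧, and the one-way password storage in Article 10 ② can all be checked mechanically. The following is an added example written for this page, not code from the Company or the plan: the lockout threshold of 5, the 90-day expiry, the 4-digit run detection and the PBKDF2-HMAC-SHA256 work factor are assumptions, since the plan itself only states "multiple failed attempts", "once every quarter" and "safe encryption algorithms".

```python
"""Password rules (Article 9 (7)), lockout after repeated failures (Article 9 (8))
and one-way password storage (Article 10 (2)), as an added illustration.
Thresholds and the hash parameters are assumptions, not values from the plan."""
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 8                         # "at least 8" in the plan
MAX_PASSWORD_AGE = timedelta(days=90)  # "at least once every quarter" (assumed 90 days)
MAX_FAILED_ATTEMPTS = 5                # assumed; the plan only says "multiple failed attempts"
PBKDF2_ITERATIONS = 600_000            # assumed work factor for PBKDF2-HMAC-SHA256


def _has_digit_run(password: str, length: int = 4) -> bool:
    """True if `length` consecutive digits are all identical or form an
    ascending/descending sequence (e.g. 1111, 1234, 4321)."""
    for i in range(len(password) - length + 1):
        chunk = password[i:i + length]
        if not chunk.isdigit():
            continue
        diffs = {int(chunk[j + 1]) - int(chunk[j]) for j in range(length - 1)}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password_policy(password: str, user_id: str, personal_hints=()) -> list:
    """Return the list of rule violations; an empty list means the password is acceptable.
    `personal_hints` are strings such as a birthday or phone number that must not appear."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 2:
        problems.append("uses only one character class (letters, numbers, special characters)")
    lowered, uid = password.lower(), user_id.lower()
    if uid and (uid in lowered or lowered in uid):
        problems.append("too similar to the user id")
    digits_only = re.sub(r"\D", "", password)
    for hint in personal_hints:
        hint_digits = re.sub(r"\D", "", hint)
        if hint and (hint.lower() in lowered or (hint_digits and hint_digits in digits_only)):
            problems.append("contains personal information (e.g. birthday or phone number)")
            break
    if _has_digit_run(password):
        problems.append("contains a run of identical or sequential digits")
    return problems


def hash_password(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    """One-way, salted hash for storage; the password cannot be recovered from it (Article 10 (2))."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def password_expired(last_changed: date, today: date) -> bool:
    """Quarterly rotation: True once the password is older than MAX_PASSWORD_AGE."""
    return today - last_changed > MAX_PASSWORD_AGE


class FailedAttemptLock:
    """Locks an account after MAX_FAILED_ATTEMPTS wrong passwords in a row (Article 9 (8))."""

    def __init__(self, max_failures: int = MAX_FAILED_ATTEMPTS):
        self.max_failures = max_failures
        self._failures = {}

    def record_failure(self, account: str) -> None:
        self._failures[account] = self._failures.get(account, 0) + 1

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)  # a successful login resets the counter

    def is_locked(self, account: str) -> bool:
        return self._failures.get(account, 0) >= self.max_failures


if __name__ == "__main__":
    print(check_password_policy("jkim1990!", "jkim", ["1990-01-01"]))   # too similar to the user id
    stored = hash_password("Tr0ub4dor&3")
    print(verify_password("Tr0ub4dor&3", stored), verify_password("wrong", stored))
```

The stored string carries the algorithm name, iteration count and salt alongside the digest, so the work factor can be raised later and old entries re-hashed on the user's next successful login without a separate migration table.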
- Article 11 (Retention and review of access history)
- ① The Company shall take a regular examination and supervision on the access records of personal information management system by personal information managers on a monthly basis, and retain and manage the history for at least two years to check on any irregularities on the system.
- ② The Company shall store the access records by personal information managers through a regular back-up in a separate storage memory to prevent any falsification, theft, or loss of the access history.
- ③ The Company shall monitor cases of personal information downloaded through personal information management system and investigate the reason why it has been downloaded.
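Article 11 requires a monthly review of the access history for irregularities and a check of every download, and Article 9-2 ① requires that access be limited by IP address. The following is an added example written for this page (not the Company's own tooling) showing what such a review can look like over a constructed sample of access records: the log format, the field names, the 10.20.0.0/16 intranet range, the 08:00 to 20:00 business window and the bulk-access threshold are all assumptions.

```python
"""Monthly access-history review over a constructed sample log (Article 11).
Added example; log format, address ranges and thresholds are assumptions."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records: timestamp|account|source_ip|subject_id|action|reason
# (the reason field is expected to be filled in for DOWNLOAD actions).
SAMPLE_LOG = """\
2024-03-04T09:12:55|a.kim|10.20.1.15|S-00017|VIEW|
2024-03-04T09:13:10|a.kim|10.20.1.15|S-00018|SEARCH|
2024-03-04T09:20:31|a.kim|10.20.1.15|S-00019|DOWNLOAD|Claim audit ticket CA-2024-031
2024-03-04T22:41:02|b.lee|10.20.1.22|S-00205|VIEW|
2024-03-05T10:02:44|c.park|203.0.113.7|S-00300|VIEW|
2024-03-05T11:15:09|c.park|10.20.3.8|S-00301|DOWNLOAD|
2024-03-05T14:00:01|d.choi|10.20.2.2|S-00401|VIEW|
2024-03-05T14:00:02|d.choi|10.20.2.2|S-00402|VIEW|
2024-03-05T14:00:03|d.choi|10.20.2.2|S-00403|VIEW|
2024-03-05T14:00:04|d.choi|10.20.2.2|S-00404|VIEW|
"""

# Assumed intranet range from which the system may be reached (Article 9-2 (1)).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
BUSINESS_HOURS = (8, 20)  # assumed: 08:00 up to, but not including, 20:00


@dataclass(frozen=True)
class AccessRecord:
    timestamp: datetime
    account: str
    source_ip: str
    subject_id: str
    action: str
    reason: str


@dataclass(frozen=True)
class Finding:
    account: str
    rule: str
    detail: str


def parse_access_log(text: str) -> list:
    """Parse the pipe-delimited records; blank lines are ignored."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, subject, action, reason = line.split("|", 5)
        records.append(AccessRecord(datetime.fromisoformat(ts), account, ip, subject, action, reason))
    return records


def review_access_log(records, allowed_networks=ALLOWED_NETWORKS,
                      business_hours=BUSINESS_HOURS, bulk_threshold=50) -> list:
    """Flag records that the monthly review should investigate:
    downloads with no recorded reason, access outside business hours,
    access from outside the allowed networks, and accounts that touched
    more than `bulk_threshold` distinct subjects in one day."""
    findings = []
    subjects_per_day = defaultdict(set)
    for r in records:
        when = r.timestamp.isoformat()
        if r.action == "DOWNLOAD" and not r.reason.strip():
            findings.append(Finding(r.account, "download-without-reason", f"{when} {r.subject_id}"))
        if not business_hours[0] <= r.timestamp.hour < business_hours[1]:
            findings.append(Finding(r.account, "out-of-hours", f"{when} {r.subject_id}"))
        addr = ipaddress.ip_address(r.source_ip)
        if not any(addr in net for net in allowed_networks):
            findings.append(Finding(r.account, "unauthorized-address", f"{when} from {r.source_ip}"))
        subjects_per_day[(r.account, r.timestamp.date())].add(r.subject_id)
    for (account, day), subjects in sorted(subjects_per_day.items()):
        if len(subjects) > bulk_threshold:
            findings.append(Finding(account, "bulk-access", f"{len(subjects)} distinct subjects on {day}"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(parse_access_log(SAMPLE_LOG), bulk_threshold=3):
        print(f"{f.rule:24} {f.account:8} {f.detail}")
```

The findings are a worklist for the reviewer, not a verdict: a download with a recorded reason (a.kim's audit ticket above) produces nothing, while the one without a reason is exactly the case ③ says must be investigated. Running the review against the backed-up copy of the log rather than the live system's own records also satisfies ②, since the reviewed copy cannot have been altered by whoever is being reviewed.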
- Article 12 (Installation and management of security program)
- The Company shall install and operate a security program such as vaccine software to prevent or remove malware, etc., and observe the following:
- Use automatic update of security programs or execute daily update to keep the security programs up to date
- Execute an immediate update in case where a malware warning has been issued or security update has been notified by production companies of application programs or operating system software.
- Deletion of identified malware, etc. or other responsive measures
Article 13 <deleted>
- Article 14 (Internet site security)
- ① In the case of web sites managing personal information (collection, use, access, search, etc.) among internet sites (including cyber work sites) under direct management by the company or in commissioned operation, the Company shall acquire a prior written consent by relevant departments in each phase from web site development to modification or removal of major functions, except the representative web site of the Company (www.samsungfire.com).
- Information Security Department : laws and regulations on personal information, supervisory regulations, and internal regulations
- Home Page Management Department: laws and regulations on information and communications, compliance with supervisory regulations and internal regulations
- IT Security Department: laws and regulations on IT security, compliance with supervisory regulations, technical and physical security standards within internal regulations, etc.
- Article 15 (Disposal of personal information)
- ① The Company shall dispose of personal information without delay when the purpose of personal information management is achieved, when it has passed the retention period, or when the personal information is rendered unnecessary, except for cases where it needs to maintain the information in accordance with other laws and regulations.
- ② Other specific items on the disposal of personal information shall be determined by separate guidelines.
- Article 16 (Physical safety measure)
- ① The Company shall develop and operate access control procedures in case where it operates a physical storage containing personal information such as computing room and data archive.
- ② The Company shall maintain documents and auxiliary memories containing personal information in a place with safety locks.
- ③ The Company shall develop safety measures to control the use of auxiliary memories containing personal information.
- Article 16-2 (Emergency preparation and safety measures)
- ① The Company shall establish emergency response manuals to protect the personal information management system in case of emergency such as fire, flood, power failure, and natural disaster.
- ② Personal information managers shall develop plans to back up and restore personal information management system in case of emergency such as fire, flood, power failure, and natural disaster.
- Article 16-3 (Risk analysis and response)
- Risk analysis and responsive measures shall be determined in a separate guide.
- Article 17 (Protective measure in printing or copying)
- ① The Company shall confine the purpose of printing personal information in the personal information management system (print, screen display, file generation, etc.) and minimize printing items in accordance with the purpose.
- ② The Company shall develop protective measures for printing and copying of personal information to manage paper documents or external memories containing such information in a safe manner.
- Article 18 (Installation and management of CCTV)
- ① The Company shall inform the subject of information of its CCTV installation and operation by taking necessary measures including installation of signage containing the information in the following items.
- Purpose and site of installation
- Scope and time of recording
- Name and contact information of managing staff
- Name and contact information of the trustee in case where installation and operation of CCTV has been entrusted
- ② The Company shall not use or provide personal video data to any third party for any purpose other than the intended objectives, except for the cases in the following items:
- In case where the Company acquired approval from the subject of information
- In case where there are special regulations stipulated in other laws and regulations
- In case where it is clearly deemed necessary for urgent protection of life, body, or property of the subject of information or a third party, when the subject of information or his/her legal agent is not available to express intent, or where a prior consent cannot be obtained because of an unknown address, etc.
- In case where personal video data is provided for the purpose of statistics compiling or academic research, provided that the individuals in the video have been blurred beyond recognition
- ③ The Company shall delete personal video data without delay upon the expiration of the retention period prescribed in the CCTV operation and management guidelines, except for cases where there are other special regulations stipulated by law.
- ④ The Company shall record and manage the following items in case where it uses personal video data for any purpose other than its intended objectives or provides the data to any third party
- Title of personal video data file
- Name of user or recipient of personal video data (public institution or individual)
- Purpose of use or provision
- Legal ground for use or provision (if any)
- Period of use or provision (if any predefined time period)
- Type of use or provision
- ⑤ The Company shall record and manage the following item to dispose of personal video data.
- Title of personal video information subject to disposal
- Date of disposal of personal video data (disposal cycle and disposal result in the case of automatic deletion on predesignated disposal dates)
- Staff in charge of disposal of personal video data
- Article 19 (Development and disclosure of personal information management rules)
- ① The Company shall develop and disclose the specifics under the following items in accordance with Article 30 of the Personal information Protection Act.
- Objective of personal information management
- Period of personal information management and retention
- Provision of personal information to any third party
- Entrustment of personal information management
- Rights and duty of the subject of information and legal agent and their exercise
- Name of personal information protection officer, title and contact information of department in charge of personal information protection and grievance resolution thereof
- Installation and operation of devices collecting personal information such as internet access files, and denial thereof
- Other personal information management items stipulated by the Personal Information Protection Act
- ② The Company shall keep posting personal information management guidelines on its internet web site.
- Article 19-2 (Entrustment of personal information management)
- ① The Company shall educate and supervise a trustee by reviewing the information management status, etc. to prevent loss, theft, leakage, falsification, or corruption of personal information of the subject of information, in case where it entrusts personal information management.
- ② Other specific items on the delegation of personal information management shall be determined by separate guidelines
- Article 20 (Development and enforcement of response measures to information leakage)
- ① The Company shall notify the leakage of personal information to the subject of information in accordance with relevant laws and regulations without delay upon acquiring knowledge of such accident.
- ② The Company shall report the leakage of personal information in a certain size defined by relevant laws and regulations without delay upon acquiring knowledge of such accident.
- ③ Personal information protection officers shall govern affairs associated with protection of the subject of information such as notification or reporting pursuant to relevant laws and regulations, and personal information protection officers may direct relevant departments to protect the subject of information in accordance with the company bylaws and rules on organization and personnel management.
- ④ Other specific items on the response to any information accident shall be determined by separate guidelines.
- Article 21 (Access to personal information by the subject of information)
- ① The Company shall approve access to personal information by the subject of information within 10 days at the request of the subject of information in accordance with the method and procedures stipulated in relevant laws and regulations, in case where the subject of information requests such access by submitting the request form pursuant to Appendix 1 (Request for access to personal information).
- ② The Company may postpone or reject the request for access to personal information by informing the subject of information of the reason, in case where the request falls under reasons for postponement or rejection.
- ③ The Company shall notify the specifics from Paragraphs 1 and 2 of this Article to the subject of information in accordance with the form pursuant to Appendix 2.
- Article 22 (Correction and deletion of personal information)
- ① The Company shall correct or delete personal information within 10 days at the request of the subject of information in accordance with the method and procedures stipulated in relevant laws and regulations, in case where the subject of information requests such correction or deletion by submitting the request form pursuant to Appendix 1 (Request for correction or deletion of personal information).
- ② The Company may reject the request for correction or deletion of personal information by informing the subject of information of the reason for rejection, in case where the request falls under unacceptable reasons in accordance with relevant laws and regulations.
- ③ The Company shall notify the results from Paragraphs 1 and 2 of this Article to the subject of information in accordance with the form pursuant to Appendix 3.
- Article 23 (Suspension of personal information management)
- ① The Company shall suspend the management of personal information within 10 days at the request of the subject of information in accordance with the method and procedures stipulated in relevant laws and regulations, in case where the subject of information requests such suspension by submitting the request form pursuant to Appendix 1 (Request for correction or deletion of personal information).
- ② The Company may reject the request for suspension of personal information management by informing the subject of information of the reason for suspension, in case where the request falls under unacceptable reasons.
- ③ The Company shall notify the results from Paragraphs 1 and 2 of this Article to the subject of information in accordance with the form pursuant to Appendix 3.
- Article 24 (Notification of personal information use)
- ① The Company shall notify the records of personal information use to users on a regular basis, except for cases where it did not collect personal information such as contact numbers.
- ② The types of information to be notified to users pursuant to the foregoing Paragraph 1 are as set forth below.
- Purpose of collection and use of personal information and items of collected personal information
- A person provided with personal information, purpose of provision, and items of personal information that has been provided
- A person commissioned to manage personal information and the details of commissioned management tasks
- ③ Notification pursuant to Paragraph 1 shall be made at least once a year by e-mail, mail, facsimile, telephone, or any other similar means of communication.
- Article 25 (Personal information security training)
- ① The Company shall conduct personal information protection training as set forth below to safeguard personal information and prevent any breach of information.
- Frequency of training: at least twice per year
- Subject of training: personal information protection officers, personal information managers
- Content and method of training: education for secure management of personal information and prevention of infringement through a suitable means to a specific situation such as group education, department training, groupware application, etc.
- ② Personal information protection officers shall maintain material evidence of personal information security training for a minimum of three years.
- [2019 Employee Education & Training on Information Security]
- Education program title: Understanding of Information Security & Personal Information Protection
- Trainees: All employees including contract-based workers
- Number of trainees: 5,826
- Total training time: 34,956 hours (5,826 trainees × 6 hours)
- Article 26 (Enforcement of internal review)
- ① The Company shall conduct an internal review on an annual basis to examine the implementation of the technical, managerial, and physical measures to protect personal information, such as access authority management, access history retention and review, data encryption, etc.
- ② The results of internal review shall be reported to personal information protection officers with potential solutions to any detected problem.
- ③ The results of internal review shall be shared among employees through regular training sessions, and personal information managers shall take necessary measures to resolve issues including alteration of internal management plan.
- ④ Personal information managers shall retain the internal review results for a minimum of three years.
- Article 27 (Personal information management and protection organization)
- General affairs on internal control and protection of personal information shall be implemented by designated departments by each segment pursuant to Appendix 1, provided that the overall personal information management shall be governed by the Information Security Department.
- Article 28 (Person with Authority)
- The authority to amend or abolish this Plan lies with Chief Information Security Officer (CISO).
Addendum <April 2, 2012>
- Article 1(Date of enforcement)
- This plan shall take effect on April 2, 2012.
Addenda <April 1, 2013>
- Article 1(Date of enforcement)
- This plan shall take effect on April 1, 2013.
- Article 2(Interim measure)
- Any matters implemented before the enforcement date of this Plan shall be deemed to have been implemented under this Plan.
Addenda <July 2, 2014>
- Article 1 (Date of enforcement)
- This plan shall take effect on February 7, 2014.
- Article 2(Interim measure)
- Any matters implemented before the enforcement date of this Plan shall be deemed to have been implemented under this Plan.
Addenda <November 3, 2014>
- Article 1(Date of enforcement)
- This plan shall take effect on November 3, 2014, provided that Article 15 of this plan shall take effect on January 1, 2015. The current disposal standards shall be applied to the period prior to the enforcement of this plan.
- Article 2 (Interim measure)
- Any matters implemented before the enforcement date of this Plan shall be deemed to have been implemented under this Plan.
Addenda <January 20, 2015>
- Article 1(Date of enforcement)
- This plan shall take effect on January 20, 2015.
- Article 2(Interim measure)
- Any matters implemented before the enforcement date of this Plan shall be deemed to have been implemented under this Plan.
Addenda <December 31, 2015>
- Article 1(Date of enforcement )
- This plan shall take effect on December 31, 2015.
- Article 2(Interim measure)
- Any matters implemented before the enforcement date of this Plan shall be deemed to have been implemented under this Plan.
Addenda <October 18, 2016>
- Article 1(Date of enforcement)
- This plan shall take effect on October 18, 2016.
- Article 2(Interim measure)
- Any matters implemented before the enforcement date of this Plan shall be deemed to have been implemented under this Plan.
Addenda <May 22, 2017>
- Article 1(Date of enforcement )
- This plan shall take effect on May 22, 2017.
- Article 2(Interim measure)
- Any matters implemented before the enforcement date of this Plan shall be deemed to have been implemented under this Plan.
Addenda <July 15, 2019>
- Article 1(Date of enforcement)
- This plan shall take effect on July 15, 2019.
- Article 2(Interim measure)
- Any matters implemented before the enforcement date of this Plan shall be deemed to have been implemented