Asan Medical Center

Privacy Policy


Asan Medical Center (the “Hospital” hereinafter) values your privacy and complies with the Personal Data Protection Act.

Through this Policy, the Company regards personal information of the users as important and informs them of the purpose and method of the Company's use of the personal information provided by the users and the measures taken by the Company to protect that personal information.

This Privacy Policy is structured in the following order:

Your personal data is collected and used in the following manner:

1. Purpose of personal data collection

The Hospital collects and uses personal data for the following purposes:

The Hospital agrees that it will obtain consent from the users if the Hospital desires to use the information for purposes other than those expressly stated in this Policy.

  • To provide medical treatment and care services
  • To provide medical check-related services including delivery of medical check supplies/medical check report
  • To identify and inform users in connection with medical treatment, hospitalization, medical check reservation, reservation inquiry, and other treatment services
  • To support payment administration services including invoicing, receipt, and refund of medical treatment charges
  • To send relevant documents including medical charge calculation sheet, statement, and evidence document
  • To provide AMC website membership services including reservation of medical treatment/inspection/check, medical inspection/check report inquiry, online medical examination, and drug prescription inquiry
  • To obtain minimum dataset required for medical treatment, hospital administration, education, research, statistics, and patient services
  • To provide medical treatment data in response to medical treatment request or other requests for medical treatment purpose made by a medical practitioner in a hospital where applicable patient is forwarded to
  • To provide other medical treatment-related services
  • To obtain basic data for inspection service by a 3rd party contractor or clinical trial evaluation
  • To record phone conversation for booking to improve service quality
  • To facilitate communication with users by providing notices, addressing customer complaints, providing responses to customer inquiries and complaints
  • To register vehicle numbers
  • To store health records entered by users themselves, support medical history inquiry and provide personalized services including ‘My Chart in My Hand’
  • To provide ‘My Chart in My Hand’ and mobile services for ‘Asan Smart Cancer Institute’
  • To provide event notices, medical treatment information and clinical trial information issued by the Hospital
  • To develop new services and deliver personalized services
  • To collect information on dangers and injuries to consumers pursuant to Article 52 of the Framework Act on Consumers
  • To collect data for the Hospital website administration and statistical analysis
  • To compile statistics on service usage
  • To identify applicants for job openings, job candidate credential evaluation, job application correction, confirm recruitment status, verify applicants’ qualification for job openings, etc.
  • To comply with applicable laws or legal obligation

2. Term of personal data processing & retention

The Hospital will delete your personal data immediately upon fulfillment of applicable purpose for collecting or obtaining personal data.

Membership data: when a member opts out or is expelled (personal data for a member account remaining dormant for one year or longer to be stored separately and deleted upon withdrawal of membership)

  • If not employed: six months after the end of applicable recruitment process
  • If collected for survey, event, etc.: when applicable survey or event is finished
  • If collected for medical treatment: according to the standards set forth in the Medical Services Act
  • In the cases of information concerning the collection/processing and use of credit information: for three years pursuant to the Credit Information Use and Protection Act

Your personal data, however, may be further retained even after the purpose for collecting or obtaining personal data is fulfilled if it is still required to be retained under applicable statutory provisions in the Commercial Code, etc.

3. Disclosure of personal data to 3rd parties

The Hospital will process your personal data only within the scope notified in the Purpose of Personal Data Collection section herein or other applicable terms and conditions of service use, and disclose such personal data to 3rd parties only when consented by applicable information subject separately, required by applicable provisions in a relevant law, or requested by law enforcement or supervisory authorities in accordance with procedures and manners specified in statutory documents for investigation and/or examination purposes.

4. Commission for collected personal information

The Hospital contracts out personal data processing operations as follows, specifying in relevant contract documents provisions banning personal data processing for non-contractual purpose, specifying technical/managerial safeguards, restricting sub-contracting practices, stipulating responsibilities and liabilities for contractor control/supervision, damage, etc. and ensuring that applicable contractor processes personal data securely according to Article 26 of the Personal Information Protection Act.

The Hospital will notify users of changes made to the scope of contracted operations or a contractor immediately by amending this Privacy Policy.

Entities to which the Hospital has contracted personal data processing operations and the scope of such operations are as follows:

Commission for collected personal information
Organization Contracted Service
GNIT Server maintenance
DMI Systems Server maintenance
BeatRice NT Server maintenance
StoreTech DISK maintenance
RS IT Server maintenance
AI Soft Backup system maintenance
UGENS DB maintenance
Erasone Server maintenance
E-Active Integrated server system maintenance
JB Line Backup system maintenance
Zungwon Engineering & Systems Server maintenance
GT Plus Weblogic maintenance
Teuin Systems DISK maintenance
Hyosung Information DISK maintenance
SK C&C ARIS development & administration
Lotte Data Communication Clinical trial center CTMS
Logen Medical check preparation kit courier service
Panda Biz Translation of final test results into Chinese language
S Caleb ABC Cost program
Hankook Research Regular patient experience assessment & hospital medical treatment service satisfaction level survey
Good Medi Korea Concierge service
GC Healthcare Concierge service
Live Again Concierge service
Korea Healthcare Service Concierge service
M2-IT AMIS administration support
Jieum Solution AMIS administration support
SCI Information Service Debt collection and credit check
SM Credit Debt collection and credit check
Lab Genomics Anticancer drug susceptibility test
Seoul Clinical Laboratories Immunopathology PD-L1 test
BMS Breast cancer test (Oncotype DX)
Hyupjin Corporation Breast cancer test (MammaPrint)
Hyundai C&R Vehicle parking administration
Kosses Security and guest reception
Darae Parktech Parking facility maintenance
Shinsung Pharm Enteral nutrition formula courier service
Boxter Dialysate courier service
FMC Korea Dialysate courier service
Hyundai Green Food Patient catering service
Convene Korea Symposium
Hangang Process Health lecture
11th Street Financial data storage service for medical charge payment (including Hi-Pass service)
NS Smart Kiosk
Care Max Medical charge reception, refund, patient transfer, outpatient/hospitalization registration and reservation, reception of medical charge following medical treatment or discharge from hospital, AMB vehicle dispatch, etc.
KT IS Phone reservation, phone exchange
Hunet Online training for staff members participating in clinical trials of drugs
Korea Information & Communications Payment of training charges for staff members participating in clinical trials of drugs
EZ Medicom Medical supplies purchase and delivery service
Korean Institute of Tuberculosis Nuclear medicine tests
GC Labs Laboratory medicine/Nuclear medicine tests
Lab Genomics Laboratory medicine test
Seoul Clinical Laboratories Laboratory medicine test
Seegene Medical Foundation Laboratory medicine test
EONE Laboratories Laboratory medicine test
Seoul Research Institute of Public Health and Environment Laboratory medicine test
KCDC Laboratory medicine (immunity)
Health Insurance Review & Assessment Service Laboratory medicine test (NGS molecular screening lab)
BMS Laboratory medicine test
GC Genome Laboratory medicine test
HDC I Service Sports center membership administration
SMLab Nuclear medicine tests
Korea Information & Communications Medical charge credit card payment/refund information transfer
QLine Hospital newsletter delivery (to alumni)
Dream Security Website user authentication
SCI Information Service Mobile phone/real name/i-PIN authentication

5. Rights/obligations of information subjects and their legal representatives

1. The Hospital will respond to customer’s requests for access, correction or deletion of their personal data and comply with their requests without delay. To protect personal data, the Hospital does not support any procedure for accessing, correcting or deleting customer’s personal data by phone, mail or FAX other than in-person visit by customers.

[Access to personal data]
Customers may visit the Hospital to request access to their personal data and the Hospital will comply with such requests promptly.

[Correction/deletion of personal data]
When a customer requires his/her personal data to be corrected/deleted or it is deemed necessary to correct/delete personal data for an error, etc., the Hospital will correct/delete such personal data without delay. The Hospital may request evidence required for factual confirmation of personal data to be corrected/deleted.

2. When a customer requires his/her personal data to be accessed, corrected or deleted, customer’s identity will be verified by an identity document such as resident registration card, passport, driver’s license, etc.

3. When a representative of a customer requires the principal customer’s personal data to be accessed, corrected or deleted, the status of the representative will be verified with customer’s power of attorney, consent form and the representative’s identity document, etc.

4. If there is a legitimate ground for refusing to allow access to, correct or delete personal data in whole or in part, the Hospital will inform applicable customer of such a ground and explain the reason for refusal.

6. Children’s personal data protection

Membership application form for children aged under 14 (the “Children” hereinafter) will be developed separately in a language easy for children to understand and the consent of their legal representative will be sought in all cases in connection with the collection and use of their personal data.

The Hospital will collect minimum information such as name and contact information of children’s legal representatives and seek their consent in a manner prescribed herein.

A child’s legal representative may request access to, correction or deletion of applicable child’s personal data. If the child’s personal data is to be accessed, corrected or deleted, his/her legal representative may click Edit Member Data, verify the status of legal representative and directly access, correct or delete applicable child’s personal data.

7. Type of personal data to be processed

The Hospital will collect only minimum personal data required for service use. You are requested to consent to the collection of required information data and optional data to use the Hospital’s services and you may still use the services without restriction even when not consenting to disclose optional data items.

[Data to be collected for general membership]

  • Members aged at or above 14
    Required information: member type, personal name, ID, password, gender, date of birth, mobile phone no., and e-mail
    Optional: consent to receive mail (Y/N), license no. (applicable only to medical practitioners), employee no. (applicable only to the Hospital employees), and the Hospital registration number (applicable only to patients assigned with such numbers)
  • Members aged under 14
    Required information: member type, personal name, ID, password, gender, date of birth, mobile phone no., and e-mail
    Optional: consent to receive mail (Y/N)
  • In the course of using services, the information as described below may be created and collected:
    Service use record, connection log, cookie, connecting IP address, Other created information

[Data to be collected for booking]

  • First-time visitor booking
    Required information: mobile phone no., personal name, Resident Registration Number (or Alien Registration Number)
  • Non-member booking
    Required information: mobile phone no., personal name, Resident Registration Number (or Alien Registration Number), Hospital registration no.
  • Booking by representative
    Required information: personal name, Resident Registration Number (or Alien Registration Number), Hospital registration no.

[Data to be collected for booking]

  • Required information: personal name, phone no., Relation to applicable patient (in detail), patient name, Hospital registration no., patient’s date of birth

[Data to be collected for medical treatment]

  • Required information: Relation to applicable patient (in detail), patient name, Hospital registration no., address
    Optional: e-mail
    Health data: personal health data such as medical history and family history deemed necessary for medical treatment service by a medical practitioner

[Data to be collected during medical charge payment]

  • Required information: (Payment with a credit card) data required for credit card payment such as card issuer name and card no., etc.

[Data to be collected for ‘My Chart in My Hand’ service]

  • Optional: Blood sugar level, blood pressure, pulse rate, height, body weight, BMI, cardiovascular risks, metabolic syndrome, allergy, medication being taken, insulin administration, medication consulting, survey form, Hi-Pass payment, hospital arrival data, memo, diet and exercise, Lifestyle check and foot care, diabetes consulting, maximal expiratory level for asthma patient, asthmatic symptoms and medication, atopic symptoms and medication, photo of atopic region, alarm setting, service use inquiry
    * Additional personal data to be collected for other specific purpose over a short-term will be notified separately before collection.

[Data to be collected for services available from Asan Smart Cancer Institute]

  • Optional: Blood sugar level, blood pressure, pulse rate, height, body weight, BMI, cardiovascular risks, metabolic syndrome, allergy, medication being taken, survey form, Hi-Pass payment, memo, hospital arrival data, alarm setting, service use inquiry
    * Additional personal data to be collected for other specific purpose over a short-term will be notified separately before collection.

[Data to be collected for application for job opening]

  • Required information: Name, birth date, gender, password, phone no., mobile phone no., nationality, e-mail, personal photo, postal address, religious faith, hobby, special talent, disability (Y/N), awards and commendations, educational background, family information, professional credentials, career information, military status

[Vehicle parking registration]

  • Patient’s name, Hospital registration no., address, birth date, date of treatment, license plate number

[How to collect personal data]

  • Personal data will be collected by way of:
    Medical treatment reservation, AMC website, mobile app, written form, FAX, phone, counseling BBS, e-mail, and event subscription data collection tool (data gathering tool such as visitor analysis tool)

8. Terms and conditions of personal data destruction

The Hospital will destroy personal data in accordance with the following procedure and manner immediately upon the fulfillment of applicable personal data processing purpose:

Destruction procedure

  • Personal data provided for service subscription, etc. will be destroyed in accordance with the Hospital’s internal policy and information security rules when its intended purpose is fulfilled upon service opt-out, etc.

Destruction method

  • Personal data stored in electronic files will be deleted by technical means that prevent reproduction of applicable records.
  • Hard copy documents stating personal data will be shredded or incinerated.

9. Consent withdrawal/membership opt-out

You may withdraw your consent to the collection, use and disclosure of your personal data made at the time of membership subscription. When you opt out of membership by clicking on ‘Membership Opt-out’ in the My Chart menu on the AMC website and verifying your ID, or contact the Hospital’s privacy complaint handling department by mail, phone or FAX, the Hospital will take necessary actions without delay, including the destruction of your personal data.

When you opt out of AMC website membership, you will opt out of ‘My Chart in My Hand’ and ‘Asan Smart Cancer Institute’ services at the same time.

10. Appointment of Data Protection Officer

The Hospital appoints the following Data Protection officer (DPO) and privacy protection organization to protect your personal data and handle customer complaints related to personal data.

  • DPO of the Hospital: Han Sanggoo
  • Department in charge: Office for Information security
  • Tel.: (02)3010-5350
  • E-mail: amcsecurity@amc.seoul.kr

11. Remedies available to information subjects for violation of their interests

Information subjects may consult the following authorities for violation of their privacy:

The following authorities are separate entities from the Hospital and may be consulted if you are not satisfied with the Hospital’s customer complaint handling or remedy for damage in connection with personal data, or are in need of further assistance.

Privacy violation reporting center (run by Korea Internet & Security Agency (KISA))

  • Remit: privacy violation reporting, counseling service
  • Website: privacy.kisa.or.kr
  • Phone: 118 (without dialing code)
  • Address: (58324) Personal Information Violation Reporting Center, Jinheung-gil 9 (Bitkaram-dong), Naju City, Jeonnam Province

Personal Information Dispute Mediation Committee

  • Remit: mediation of personal information disputes, mediation of collective disputes (civil remedy)
  • Website: www.kopico.go.kr
  • Phone: 1833-6972 (without dialing code)
  • Address: (03171) Seoul Government Complex Fl., Sejongdae-ro 209, Jongro-gu, Seoul

Cyber Crime Investigation Division, Supreme Prosecutors’ Office: 1301 (without dialing code), (www.spo.go.kr)

Cyber Security Bureau, National Police Agency: 182 (without dialing code), (https://cyberbureau.police.go.kr/)

12. Content about securing safety for personal data

[Minimum designation and education of staff handling personal information]

  • The Hospital minimizes the number of employees authorized to handle personal data and provides regular training programs to them.

[Periodic in-house audit]

  • In-house audit is conducted regularly at least once a year to ensure the security of personal data.

[Development and enforcement of internal management plan]

  • Internal management plans are developed and enforced to ensure secure processing of personal data.

[Encryption of personal data]

  • Passwords among users’ personal data are stored and managed in encrypted form and are known only to the applicable user. All critical data is protected by separate security features including encryption of files and in-transfer data.

[Technical safeguards against hacking attempts]

  • Security programs are installed and regularly updated/checked to prevent personal data from being breached or compromised by hacking attempts or computer viruses. Information systems are installed in restricted areas and monitored/blocked by technical/physical means.

[Restriction of access to personal data]

  • Access to personal data is controlled by granting, changing, and revoking authorization of access to database system where personal data is processed, and unauthorized physical access is controlled by an intrusion control system.

[Storing of connection log and prevention of log forgery/alteration]

  • Connection log to personal data processing system is stored for at least one year and security features are put in place to prevent the connection log from being forged, altered, stolen, or lost.

[Unauthorized physical access control]

  • Personal information system containing personal data is located in a separate physical area for which access control procedure is established and enforced.

13. Installation/operation of automatic personal data collection program and opt-out of such programs

The Hospital will operate cookies that will store and retrieve your information from time to time. A cookie is a very small text file sent by the Hospital’s website hosting server to your web browser and stored on your local computer disk. The Hospital uses such cookies for the following purposes:

To analyze hit frequencies and time, etc. of members and non-members and understand users’ preference and interest to provide inputs for service renewal project, etc.

To track web page hits and user’s interest in such pages to provide personalized services when users visit the website next time.

To provide users with privileges to subscribe to events held by the Hospital differentiated based on user’s enthusiasm for participation and website hit frequency and personalize information service in line with individual user’s interest.

You can opt in/out for cookie installation. By setting your web browser options to your preference, you can allow all cookies to be installed, require confirmation whenever a cookie is stored, or refuse to allow any cookies to be stored.

Example
1) In Microsoft Edge: Go to Tools > Setting > Update and Security
2) In Chrome: Go to Setting Menu > Setting > Personal Information and Security > Cookie and other Site Data in the right of your web browser
If you refuse to consent to cookie installation, some services may not be available to you.

14. Terms and conditions of image data processing system operation/control

AMC operates/controls image data processing systems as follows:

[Justification and purpose of system installation]

  • Patient and facility safety, fire and crime prevention, vehicle parking control

[Quantity of system units to be installed, installation location and shooting coverage]

  • Number of units to be installed: 2,165 ea.
  • Installation location and shooting coverage: lobby, hallway, parking lot, road, elevator, etc. total space.

[Responsible manager, department and employees with access authorization]

  • Title: Facility team manager
  • Affiliation: Facility team
  • Phone: 82-2-3010-7324, 7328

[Image data shooting time, retention period, storage location and processing method]

  • Shooting time: 24 hours a day
  • Retention period: 30 days
  • Storage locations: building administration center, parking control office, etc.
  • Processing method: records concerning the use of personal image data for an unintended purpose, its disclosure to 3rd parties, destruction and access request are maintained and personal image data is permanently deleted upon expiration of retention period in a manner that prevents it from being restored (hard copy materials to be shredded or incinerated).

[How and where to request access to personal image data]

  • How to request: request in person after giving a prior notice
  • Where to request: Security Control Team
  • Phone: 82-23010-7324

[Response to information subject’s request for access to image data]

  • You may request our image data processing system administrator to grant access to or confirm the existence of your personal image data anytime. However, such personal image data is restricted to personal image data containing your image or clearly required for urgently protecting the information subject’s life, health and/or property.
  • Notwithstanding an information subject’s request for access, requests for access to personal image data may be refused in any of the following cases:
    1) If personal image data has been destroyed after the expiration of its retention period
    2) If there is other legitimate ground for refusing the information subject’s request for access

[Technical/managerial/physical safeguards for image data]

  • Image data processed in the Hospital is securely maintained through encryption, etc. Furthermore, the Hospital authorizes access to personal data on a differentiated basis as a managerial safeguard to protect personal image data, maintaining records of personal image data in terms of creation time, access purpose, by whom and when it was accessed to prevent personal image data from being forged/altered. In addition, locking devices are installed for secure physical storage of personal image data.

15. Amendment to Privacy Policy

This Privacy Policy went into effect on May 1, 2011, and any addition, deletion, and/or revision thereto pursuant to amendments to laws, revision of government policies, or development of security technologies will be publicly notified on the Hospital’s website with the applicable reason no later than 7 days before such addition, deletion and/or revision takes effect.

Date of public notice: September 18, 2020

Date of effectuation: September 25, 2020