@extends('layouts.default') @section('content')

PrivacyPolicy: edm Education

Introduction

edm Education is committed to keeping your data safe and respecting your privacy. In this policy you will find information that show what we process about you, why we process that data and what the legal bases are for processing that data.

edm Education (the company) complies with the following principles of processing personal information, the principles of:

  • a) lawfulness, fairness and transparency, (having a lawful reason to process your data and being clear with you what that is)
  • b) purpose limitation (processing your data for a specific reason)
  • c) data minimisation (only processing data that is relevant for the purpose explained and agreed with you)
  • d) accuracy (making sure the data we process is accurate)
  • e) storage limitation (only keeping data for as long as necessary for the purpose explained and agreed with you)
  • f) confidentiality (keeping your data safe and not sharing it with anyone you do not give us permission to share with)

These principles are prescribed in privacy protection laws in the Republic of Korea and in the GDPR (General Data Protection Regulation) laws in the EU. The company has established privacy policies, explained in this document

Your rights

Under certain circumstances you have certain rights regarding how your personal data is used and kept safe, including the rights to:

  • a) Right of Access (you have the right to a copy of the information we hold about you)
  • b) Right to Object (you may object to the use of personal data if it would cause or is causing damage or distress. You have the right to object to any decisions taken using automated processes, you also have the right to object to certain types of processing such as direct marketing
  • c) Right of Rectification (if the data we hold about you is inaccurate or incomplete you have the right to correct or complete that data)
  • d) Right to be Forgotten (under certain circumstances you can ask for the data we hold about you to be deleted form our systems)
  • e) Right to Restriction of Processing (where certain conditions apply you have the right to restrict the processing of data)
  • f) Right of portability (you have the right to have the data we hold about you transferred to another organisation)

Where we have collected your data and are processing it with your consent you have the right to withdraw your consent at any time.

Some of these rights may not apply where we are legally obliged to keep or share your personal data. If you wish to exercise any of these rights please contact our Data Protection Officer.

Complaints

We take any complaints about our collection and use of personal information very seriously. If you think our collection or use of personal information is unfair, misleading or inappropriate please raise this with us in the first instance. To make a complaint please email our data Protection Officer

Alternatively, in the EU you can make a complaint to the Information Commissioner’s Office in the UK through the options listed in Article 11:

Article 1: Personal Data to be collected and processed

Article 2: The Purpose of the Collection of Personal Data

The Company collects and processes the following Personal Data for the purposes of entering and fulfilling a legal contract with you.

The data or type of data we process The purpose of processing that data The lawful basis for processing that data
Name, address, mobile phone no To accept your application for consultation, collected through our Web Form, To be able to offer a contract to you
ID, password, type of membership, name, address, mobile phone no To accept your application for membership, collected through our Web Form To be able to offer a contract to you
Desired country of study, area of interest, estimated departure date, level of preparation for overseas study To accept your application for membership, collected through our Web Form To be able to offer a contract to you
Name, address, mobile phone no, estimated departure date, intended period of overseas study To be able to invite you to a seminar To be able to offer a contract to you
Name, address, mobile phone no To be able to send you a guide book To be able to offer a contract to you
Name, sex, date of birth, passport number, address, level of English, type of visa, school information (school name, course, start date of classes, registration period, estimated end date of classes, vacations) accommodation information if requested (period, type of accommodation required) To make a booking with an overseas school For the fulfilment of a contract with you
Name, sex, date of birth, passport number, address, level of English, type of visa, school information (school name, course, start date of classes, registration period, estimated end date of classes, vacations) accommodation information if requested (period, type of accommodation required), Year of entry, UCAS number To confirm enrolment at an overseas school For the fulfilment of a contract with you
Name, sex, date of birth, passport number, address, level of English, type of visa, school information (school name, course, start date of classes, registration period, estimated end date of classes, vacations) accommodation information if requested (period, type of accommodation required), parents Information (name of father and mother, English name, contact details, occupation) To process an application for a young student (under 14 years old. To be able to check the legal representative of a child under 14 years of age consents to information being used For the fulfilment of a contract with you To protect your vital interests
Name, images for marketing our services for confirming your identity to maintain our security Where you have given consent Compliance with a legal obligation

Article 3: Concerning the Period of Retention

The Company retains and uses the Personal Information during the period of retention and during this period may use the Personal Information in line with the principles of processing data explained in the introduction of this policy.

The Company will normally use any personal Data obtained for the following periods:

  • 1. Where Personal Data is retained under the Internal Policy of the Company, where the Personal Data is kept as a record of wrongful use, the Personal Data will be kept for a period of one year.
  • 2. Where the Personal Data is retained as required by applicable laws and regulations including the Commercial Act and the Act on Consumer Protection in E-commerce the Company will retain the Personal Data as required by the appropriate Acts for the following periods:
Description of Data Period of retention Basis for retention
Record of withdrawal of contract or subscription 5 years Act on Consumer Protection in E-commerce
Record of payment and supply of goods 5 years Act on Consumer Protection in E-commerce
Record of consumer complaint or dispute treatment 3 years Act on Consumer Protection in E-commerce
Record of identification 6 months Act on Promotion of Information and Communication Network Use and Protection of Information
Record of visit 3 months Protection of Communications Secrets Act

Article 4: Dormant Accounts

In principle, any Personal Data that has not been used for a period of one calendar year will be transferred into a dormant account and the Personal Data will be retained in a separate database. Personal Data held in a dormant account will be deleted after a period of (….. years).

Any person whose Personal Data is held in this way is restricted in how they can use the Company’s services. If that person wishes to use the Company’s Services again, the data will be moved from the Dormant account to the Company’s live system.

Article 5: Procedure for Disposal of Personal Data

1. If it is no longer necessary to keep any Personal Data (either because of the ending of a Retention Period or the original purpose for collecting data being achieved) the Company will delete such Personal Data without delay.

2. If there is a request for deletion of data by the Data Subject (the Right to be Forgotten) and this is a lawful request the Company will delete Personal Data without delay and within any time limits defined under the GDPR.

3. Personal Data that has become inaccurate or out of date will also be disposed of securely, where it cannot or does not need to be rectified or updated.

4. If it is necessary, in order to comply with a legal obligation, to keep Personal Data for a period which is longer than the initial purpose of retention, the Personal Data will be moved to a separate database or other place of storage not in the live system.

5. Personal Data that is no longer required will be disposed of securely. Electronic files will be deleted or overwritten and paper-based records will be shredded or incinerated.

The Company will identify the Personal Data to be deleted and will delete the data only with the approval of the Data Protection Officer.

Article 6: Sharing Data with a 3rd party.

Personal Data will not be shared with any 3rd party without the prior consent of the user. Any intention to share Personal Data will be made clear when obtaining any consent to collect Personal Data.

If this situation changes and the Company wishes to share Personal Data with a 3rd party at a later time the Company will obtain consent from the user.

Any consent obtained can be withdrawn by the Data Subject at any time by contacting the Company. Details of who to contact can be found in Article 11.

The only exceptions to this are where there is a legal requirement to share the Personal Data with a 3rd party.

Article 7: Transfer of Personal Information

Where the Company has an agreement with another Company to provide specific services it may share the Personal Data obtained. In such cases there will be a Transfer Agreement clearly specifying how the other Company can use the Personal Data. This agreement will make clear the Company is the Data Controller (who specifies how the Data may be used) and the other company will be The Processor (who follows the instructions of the Data Controller. If there is any change to the Controller/Processor agreement the Company will make any such changes without delay.

Processors of Data in Contract with the Company Description of Responsibilities Period of retention
Panbusiness Travel Agency Booking and ticketing of Plane ticket Until membership is withdrawn of the termination of the agreement.
Seven Holidays-In Space Co Ltd Booking and ticketing of Plane ticket Until membership is withdrawn of the termination of the agreement.
Inschingu Co Ltd Arranging Insurance for students studying abroad Until membership is withdrawn of the termination of the agreement.
Planetti (Yousimstore) Co Ltd Subscription and service for mobile phone for students studying abroad Until membership is withdrawn of the termination of the agreement.
Universities and Schools in countries where the Customer is going to study Provision of Education Until membership is withdrawn of the termination of the agreement. In cases where there is a legal requirement on the provider of education to retain Personal Data for a certain period this will be disclosed to the Company at the beginning of the agreement.

Article 8: Your rights

Under certain circumstances you have certain rights regarding how your personal data is used and kept safe, including the rights to:

  • a) Right of Access (you have the right to a copy of the information we hold about you)
  • b) Right to Object (you may object to the use of personal data if it would cause or is causing damage or distress. You have the right to object to any decisions taken using automated processes, you also have the right to object to certain types of processing such as direct marketing
  • c) Right of Rectification (if the data we hold about you is inaccurate or incomplete you have the right to correct or complete that data)
  • d) Right to be Forgotten (under certain circumstances you can ask for the data we hold about you to be deleted form our systems)
  • e) Right to Restriction of Processing (where certain conditions apply you have the right to restrict the processing of data)
  • f) Right of portability (you have the right to have the data we hold about you transferred to another organisation)

Where we have collected your data and are processing it with your consent you have the right to withdraw your consent at any time.

Some of these rights may not apply where we are legally obliged to keep or share your personal data. If you wish to exercise any of these rights please contact our Data Protection Officer.

Article 9: Installation, Operation and rejection of Automatic Collection of Personal Data

The Company installs and operates ‘Cookies’ which store information about the customer’s use of the Company website. Cookies are small text files which are sent by the Company server to the Customer’s browser and which are stored in the hard disk of the Customer’s Computer.

The Company uses cookies to target marketing and for the provision of customised services through an analysis of the Customer’s use of the Website (including frequency and visit time of members and non members to the Home Page, identification and trace tracking of taste and the interests of customers, the degree of participation in various events and the numbers of visits).

Customers have options regarding the installation of Cookies through the settings in their web browser. Customers may allow all cookies, force a check of cookies when using a web browser or not accept any cookies.

Article 10: Measures to secure the stability of Personal Information

1. Operational measures:

  • Designing internal processes (Privacy by Design) to minimise the likelihood of Data breaches
  • Training for all staff involved in handling Personal Data
  • Carrying out internal audits on a regular basis (once each year)
  • Penetration testing (pen testing / mock hacking) carried out once each year
  • The establishment and execution of an internal management plan to ensure the security of Data
  • Having the following policies in place: Privacy Policy, Privacy by Design, Data Protection Impact Assessments, The Right to Erasure, Procedure for Dealing with Requests for the Erasure of Personal Data, Working Remotely, Using Personal devices, User Managament of Company systems, Responding to Objections, reporting a Data Breach, Data Retention Policy and Schedule,
  • Regular evaluation of the effects of Company policies and procedures for ensuring the security of Personal Data
  • Having agreements in place with any 3rd party who will be involved in handling Personal Data collected by the Company

2. Technical measures

  • Web firewall (365 x 24 security operation service)
  • Firewall security operation service
  • IPS (invasion detection)
  • SSL installation
  • User access through management of IP /authority
  • Encryption of sensitive information (SHA2)
  • Office firewall
  • Office PC vaccine (tablet)
  • Separate wired and wireless networks

Physical measures

  • Consignment of physical security of server (IDC) access control

Article 11: Contact details of the person responsible for Data Protection

How to contact the ICO in the UK

Report a concern online at https://ico.org.uk/concerns

Call +443031231113

Write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Contact us:

If you have any questions, concerns or would like more information about anything in this privacy policy, please contact our Data Protection Officer:

1. Staff responsible for privacy protection – Main office in Republic of Korea

  • Staff responsible for privacy protection: Dongwan Noh
  • Position : director
  • Tel. : +82-2-562-5091, E-mail : admin@edmedu.com

2. Staff responsible for privacy protection – London branch

  • Staff responsible for privacy protection: David Wilkins
  • Position : Data Protection Officer
  • Tel. : +44-20-7580-1521, E-mail : dataprotection@edmedu.com

3. Department in charge of Personal Information

  • Department in charge of Personal Information
  • Dept. : development team
  • Tel. : +82-2--562-2790, E-mail : admin@edmedu.com
@endsection