Ethics Privacy Notice (V.1.0)
Coupang takes all reported ethics concerns seriously and will investigate to determine if any law, our Code of Business Conduct and Ethics or our policies have been violated. In processing such reports, we may need to process personal information. Coupang has established this Privacy Policy to protect the rights of individuals from whom we receive personal information and to handle any reports about ethics concerns appropriately. This Privacy Policy complies with the requirements of Korean privacy law (including Article 30 of the Personal Information Protection Act (the PIPA) and Article 27-2 of the Act on Promotion of Information and Telecommunications Network Utilization and Information Protection (the Network Act)).
Purpose of Coupang processing personal information
Coupang will collect and use personal information to the minimum extent necessary for handling reports about ethics concerns. The collected personal information will be kept confidential and will not be used for purposes other than for handling such reports.
Types of personal information processed
Coupang receives reports about ethics concerns through various speak up channels and collects all personal information provided in those reports. This may include the personal information of the individual subject to the report. Coupang may use this personal information for purposes of investigating the report and informing the person who made the report of how it was handled. Coupang has not installed and does not operate any device that automatically collects personal information (such as cookies) for the purpose of handling reports.
How long does Coupang use and retain personal information
Coupang will use the personal information it receives for the time necessary to handle the report. Once that purpose is fulfilled, Coupang will retain the personal information for a reasonable duration according to legal requirements and our internal record retention policies. After that, Coupang will destroy the personal information in a timely manner.
Transfer of personal information to third parties
Coupang will transfer personal information to third parties only where: (i) it obtains consent from the data subject, and/or (ii) there is a legal basis under the PIPA or Network Act.
Delegation of personal information processing to third parties
Coupang delegates personal information processing services to the entities listed below to facilitate the effective processing of personal information:
| Delegatee | Delegated services | Retention period of personal information |
|---|---|---|
| KPMG South Africa – KPMG Services (Pty) Limited KPMG Mexico – KPMG Cárdenas Dosal, S.C KPMG Singapore – KPMG Services Pte. Ltd. |
Professional ethics speak up channel services and system operation. | Unsubstantiated reports: Up to 90 days after the date of the report. Substantiated reports: Up to 90 days after the verification work of the investigation is completed, unless disciplinary action is taken or court proceedings are filed against the individual(s) subject to the report or the reporter if the report was filed in bad faith in which case the personal information will be removed up to 90 days after the disciplinary action or the court proceedings (in highest instance) have been completed. |
When Coupang enters into a delegation agreement with a third party, Coupang ensures that the agreement includes: (i) a prohibition of personal information processing for purposes other than fulfilling the delegated services, (ii) requirements for technical, administrative and protective measures, (iii) limitations on sub-delegation, (iv) provisions regarding the management and supervision of the delegate, and (v) compensation for damages and other matters. Coupang also supervises whether the delegatee processes personal information in a safe manner. Coupang undertakes these efforts in accordance with PIPA Article 26 and Network Act Article 25-2. If there are changes to the delegated services or the delegatee, Coupang will disclose the change via this Privacy Policy in a timely manner.
What rights does a data subject have (and how to exercise those rights)
A data subject (or the legal representative in the case of a data subject under the age of 14) may at any time exercise any of the following rights with respect to Coupang’s processing of his or her personal information: (i) right to review personal information, right to request correction of personal information, (iii) right to request deletion of personal information in documents whose retention period has expired, and (iv) right to request suspension of personal information processing. The rights under this section may be exercised by filing a complaint or via telephone, written request or fax. Coupang will review and take action in a timely manner. The rights under this section may be exercised by a representative of the data subject, such as a lawyer or other individual authorized by the data subject. Any such representative must submit a power of attorney in the form prescribed in Annex 11 of the Enforcement Regulation of the PIPA.
Destruction of personal information
Coupang will immediately destroy personal information when the personal information is no longer necessary, such as when the retention period has lapsed or the purpose of processing such personal information is fulfilled. Coupang will follow the following procedures and methods for destroying personal information: (i) Destruction Procedures – Coupang will establish a destruction plan for personal information or personal information file(s) to be destroyed, and destroy personal information or personal information file(s) according to the plan. Coupang will designate personal information or personal information file(s) that must be destroyed and destroy the designated personal information or personal information file(s) upon approval by the Chief Privacy Officer, and (ii) Destruction Methods – for personal information contained in electronic files, Coupang will use a destruction method that renders the data irrecoverable. For personal information contained in paper documents, Coupang will undertake destruction by means of incineration or shredding.
How Coupang ensures the security of personal information
Coupang takes the following managerial, technical, and physical measures to ensure the security of personal information in its possession: (i) Managerial measures – establishment and implementation of an internal management plan and regular training of employees handling personal information, (ii) Technical measures – management of access rights to the personal information processing system, retention and prevention of falsification/alteration of access logs, installation of an access control system, installation of security programs and other measures, (iii) Physical measures – control of access to the computer room, data storage room, and other measures.
Responsibility for personal information
Coupang designates its Chief Privacy Officer who oversees all matters relating to personal information processing and handles customer complaints and remedial procedures arising from personal information processing.
| Chief Privacy Officer | Department responsible for personal information-related complaints |
|---|---|
| Name: Kwan Hee Hong Telephone: 1577-7011 Email: help@coupang.com |
Department name: Customer Support Center Telephone: 1577-7011 Email: help@coupang.com |
In relation to complaints and reports of improper activity, the data subject may direct all privacy-related questions to the Chief Privacy Officer and the responsible Department, including those concerning the protection of personal information, handling of complaints, and remedial procedures. Coupang will endeavor to immediately answer and deal with each inquiry in a timely manner.
Available remedies
A data subject may report or seek remedies/consulting relating to infringement of his or her personal information, through the following entities:
- KISA Personal Information Infringement Reporting Center: (no local code) 118 (privacy.kisa.or.kr)
- Personal Information Dispute Mediation Committee: 1833-6972 (kopico.go.kr)
- Prosecution Service Cyber Investigation: (no local code) 1301 (www.spo.go.kr)
- Korean National Police Agency Cyber Bureau: (no local code) 182 (cyberbureau.police.go.kr)
When this Privacy Policy (or its amendments) takes effect
This Privacy Policy takes effect on August 1, 2019.