YG Entertainment Personal Information Handling Policy
YG Entertainment Inc. (the "Company") has adopted this Privacy Policy to ensure the protection of data subjects' Personal Information and related rights, and to provide for the prompt and appropriate handling of inquiries and complaints concerning Personal Information, in compliance with applicable personal information protection laws and regulations.
In the event of any amendment to this Privacy Policy, the Company shall provide individual notice to the affected data subjects.
Table of Contents
- Purpose of Processing of Personal Information
- Categories of Personal Information Processed
- Retention and Use Period of Personal Information
- Cross-Border Transfer of Personal Information
- Provision of Personal Information to Third Parties
- Outsourcing of the Processing of Personal Information
- Processing of Pseudonymized Information
- Rights of Data Subjects and Legal Representatives
- Destruction of Personal Information
- Measures to Ensure the Security of Personal Information
- Automatic Collection of Personal Information and the Use of Cookies
- Privacy Officer and Contact Information
- Remedies for Infringement of Data Subject Rights
- Amendments of this Privacy Policy
Article 1. Purpose of Processing of Personal Information
The Company processes employees' Personal Information only for the purposes described below and does not use such information for any other purposes. If there is any change to the purpose of processing, the Company will take appropriate measures, including obtaining separate consent where required, in accordance with Article 18 of the Personal Information Protection Act ("PIPA").
1. Processing of General Personal Information
1) Mandatory collection and use
| Categories |
Name, email address, phone number |
|---|---|
| Purpose of collection and use |
Operation of <Contact> inquiries through YG FAMILY site (Casting Inquiry / Artist-related Inquiry / Concert Sponsorship Inquiry / Copyright Infringement Inquiry) |
| Period of retention and use |
Until the purpose of collecting and using such personal information has been achieved, or until consent is withdrawn |
| Categories |
Name, company, phone number, purpose of visit, time of entry and exit |
|---|---|
| Purpose of collection and use |
Visitor identity verification and access management |
| Period of retention and use |
Until one(1) year from the date of the visit, or until consent is withdrawn |
| Categories |
Weverse membership number, name |
|---|---|
| Purpose of collection and use |
Giveaway events for Weverse membership |
| Period of retention and use |
Within seven(7) days from the date of provision from Weverse Company Inc., or until consent is withdrawn |
| Categories |
Weverse membership number, name, date of birth, phone number, email address, country code, internal identification key(W ID) |
|---|---|
| Purpose of collection and use |
Fan events for Weverse membership |
| Period of retention and use |
If not selected as participant: Until the announcement of participants, or until consent is withdrawn |
| Categories |
Weverse membership nickname, name, phone number, email address, address |
|---|---|
| Purpose of collection and use |
Album promotion events for Weverse membership (participant selection and delivery of prizes) |
| Period of retention and use |
Within seven(7) days from prize delivery, or until consent is withdrawn |
| Categories |
Weverse account ID, Weverse membership nickname, name, phone number, post link, country code |
|---|---|
| Purpose of collection and use |
Album promotion events for Weverse community members (participant selection and delivery of prizes) |
| Period of retention and use |
Within seven(7) days from prize delivery, or until consent is withdrawn |
| Categories |
Weverse membership number, name |
|---|---|
| Purpose of collection and use |
Weverse membership card production |
| Period of retention and use |
Within ninety(90) days from the date of provision from Weverse Company Inc., or until consent is withdrawn |
| Categories |
Name, phone number, birth date |
|---|---|
| Purpose of collection and use |
Identity verification when distributing tickets through brand events |
| Period of retention and use |
Until end of such event, or until consent is withdrawn |
2) Optional collection and use
| Categories |
Email address, License plate number |
|---|---|
| Purpose of collection and use |
Visitor identity verification and access management |
| Period of retention and use |
Until one(1) year from the date of the visit or until consent is withdrawn |
Article 2. Categories of Personal Information Processed
The Company processes the categories of Personal Information described in Article 1 above. Resident registration numbers are processed only to the extent specifically required or permitted under applicable laws, Presidential Decrees, and the rules of the National Assembly, the Supreme Court, the Constitutional Court, the National Election Commission, and the Board of Audit and Inspection, including for purposes such as the withholding of taxes.
Article 3. Retention and Use Period of Personal Information
- The Company will process and retain Personal Information for the period prescribed under applicable laws and regulations, or for the period consented to by the data subject at the time of collection.
- The specific retention periods applicable to each category of Personal Information are as set forth in Article 1.
Article 4. Provision of Personal Information to Third Parties
- With the data subject's consent, the Company may provide Personal Information to third parties, to the minimum extent necessary, in accordance with Article 17(1)1 of the PIPA.
Article 5. Outsourcing of the Processing of Personal Information
- The Company engages service providers to outsource the processing of Personal Information to ensure the efficient handling of personal information-related matters, as described below:
| Service Provider | Scope of Services |
|---|---|
| S-One | Building access control system services |
- When entering into an outsourcing agreement, the Company specifies in written documents, matters required under Article 26 of the Personal Information Protection Act, including the restrictions on the use of personal information beyond the scope of the outsourced tasks, technical and administrative safeguards, limitations on sub-outsourcing, supervision of the service provider, and liability for damages, and supervises whether the service provider processes personal information in a secure manner.
- If there is any change to the scope of the outsourced processing activities or the service providers engaged, the Company will disclose such changes without delay in this Privacy Policy.
Article 6. Rights of Data Subjects and Legal Representatives
- A data subject may, at any time, request access to, transmission of, correction of, deletion of, or suspension of processing of his or her Personal Information, or withdraw consent (collectively, "exercise of rights"). If the data subject is under the age of 14, the legal representative must exercise such rights on behalf of the data subject, and if the data subject is a minor aged 14 or older, the data subject may exercise such rights directly or through his or her legal representative. Where a legal representative exercises such rights, a power of attorney in the prescribed form (as set out in the Personal Information Processing Method Public Notice, Annex 11) must be submitted.
-
A data subject may exercise his or her rights against the Company, and the Company will take prompt measures without undue delay. However, the data subject's rights to demand access to, or suspension of processing of, Personal Information may be restricted in the following cases:
- Where such access or suspension is prohibited or restricted by law.
- Where there is a risk of harming another person's life or body, or unfairly infringing upon another person's property or other interests.
- Where performance of a contract entered into with the data subject would be unduly difficult, and the data subject has not clearly expressed his or her intention to terminate such contract.
- Where the collection of certain Personal Information is expressly required under other laws or regulations, the data subject may not request deletion of such Personal Information.
- The Company will verify whether the person exercising the rights is the data subject or a duly authorized representative.
- Data subjects may exercise their rights by contacting the department indicated below. The Company will respond to such requests within 10 days from the date of receipt.
Department : IT Infrastructure Team
Contact Person : Person in charge of personal information protection
Contact Information : privacy@ygmail.net
Article 7. Destruction of Personal Information
The Company will promptly destroy Personal Information once the purpose of processing has been achieved. If, notwithstanding the expiry of the retention period consented to by the data subject or achievement of the processing purpose, the Company is required to continue to retain Personal Information under other applicable laws, such Personal Information will be stored in a separate database (DB) or preserved in a physically separate storage location. The procedures, timing and methods of destruction are as follows:
- Destruction Procedure: The Company identifies Personal Information subject to destruction upon the occurrence of a ground for destruction and destroys such Personal Information after obtaining approval from the Company’s Privacy Officer.
-
Method of Destruction
- Personal Information maintained in electronic form shall be destroyed using technical measures that render the records incapable of reproduction or restoration.
- Personal Information maintained in paper form shall be destroyed by shredding or incineration.
Article 8. Measures to Ensure the Security of Personal Information
In accordance with Article 29 of PIPA and other applicable provisions, the Company implements the following technical, organizational and physical measures to ensure the security of Personal Information:
- Regular internal audits
The Company conducts regular internal audits to ensure security and integrity in the handling of Personal Information. - Limitation and training of personnel handling Personal Information
The Company designates specific employees to handle Personal Information and limits access to such personnel only, and provides appropriate training. - Establishment and implementation of internal management plans
The Company has established and implements internal management plans to ensure the safe processing of Personal Information. - Technical measures against hacking, etc.
The Company installs security programs and regularly updates and inspects them to prevent leakage or damage of Personal Information due to hacking or computer viruses, and installs systems in access-controlled areas with technical and physical monitoring and blocking. - Encryption of Personal Information
Personal Information is managed through encryption so that only the relevant individual can know it, and important data are protected through encryption of files and transmission data, file-locking functions, and other separate security features. - Retention and prevention of alteration of access logs
The Company retains and manages logs of access to Personal Information processing systems for at least two (2) years, and uses security functions to prevent alteration, theft or loss of such logs. - Restriction of access to Personal Information
The Company takes necessary measures to control access to Personal Information by granting, changing and revoking access rights to databases that process Personal Information, and uses intrusion prevention systems to block unauthorized external access. - Locking devices for document security
Documents and auxiliary storage media containing Personal Information are kept in secure locations equipped with locking device. - Access control for non-authorized persons
The Company has designated separate physical storage locations for Personal Information and operates access control procedures for such locations.
Article 9. Privacy Officer and Contact Information
-
The Company has designated a Privacy Officer who is responsible for overseeing the processing of Personal Information and for handling data subjects' complaints and requests for remedies in connection with Personal Information processing, as follows:
Privacy Officer
Name : Taekyun Kim
Title : Leader
Tel : +82-2-3142-1104
Fax : +82-2-3142-0288 -
Data subjects may contact the department set out below regarding requests for access to Personal Information pursuant to Article 35 of the PIPA, as well as any inquiries or complaints relating to Personal Information protection. The Company will respond to such inquiries and requests without undue delay.
Department in Charge of Personal Information Protection
Department : IT Infrastructure Team
Person in charge : Person in charge of protection of Personal Information
Tel : +82-2-3142-1104
E-mail : privacy@ygmail.net
Article 10. Remedies for Infringement of Data Subject Rights
Data subjects may contact the following organizations to seek remedies or consultation in connection with Personal Information infringements. As these organizations are independent from the Company, please contact them if you are not satisfied with the Company's handling of complaints or remedies for damage, or if you require more detailed assistance.
Function : Reporting and consultation regarding infringements of Personal Information
Website : privacy.kisa.or.kr
Tel : 118 (toll-free)
Function : Mediation of Personal Information disputes; collective dispute mediation (civil resolution)
Website : www.kopico.go.kr
Tel : 1833-6972 (toll-free)
Supreme Prosecutors' Office : 1301 (www.spo.go.kr)
National Police Agency : 182 (ecrm.cyber.go.kr)
Article 11. Amendments of this Privacy Policy
This Privacy Policy will apply from the effective date set out below. In the event of any additions, deletions or revisions resulting from changes in applicable laws, services or internal policies, the Company will notify data subjects of such changes through a notice at least seven (7) days prior to the effective date.
[Addendum]
This Privacy Policy will take effect as of December 2nd, 2025.
[Previous Personal Information Processing Policy]
Enforcement Date: April 27th, 2023Enforcement Date: August 1st, 2021