Data Privacy Policy - Korea


Last updated June 2020

Where Milliman is Acting as a Data Controller

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This Privacy Policy sets out the principles governing the Korean affiliate’s (Milliman Korea) use and protection of personal data that individuals and clients residing within South Korea share with us (“Personal Data”), hereafter “you”. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the Korean Personal Information Protection Act (KPIPA), and other data protection and privacy laws, as applicable.

Milliman, Inc. and Milliman Korea are joint-controllers with respect to the processing of Personal Data described in this Privacy Policy. This means that Milliman, Inc. and Milliman Korea are both responsible for the compliance with applicable data protection laws.

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies, Third-Party Embedded Content and Do Not Track

For more detailed information describing how Milliman uses cookies and your choices surrounding the use and opt out of such cookies, including information about third party embedded content on Milliman’s website and how Milliman responds to Do Not Track signals in browsers please review our Cookie Policy which can be found here.

Processing of Personal Data

The Personal Data we collect varies depending upon the nature of the services provided and our interactions with individuals. In the context of the collection of data through this website, Milliman’s marketing activities and contract administration, we may collect, store and otherwise process Personal Data of:

- visitors to our websites (first name, last name, title, company, phone number, location, email address, subject of the request and message given) who request information about products or services from Milliman, for the purpose of the management of the relationship with clients and the administration of the website. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 15(1)(vi) of KPIPA).

- clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract (name, professional address, title, email and other professional contact details) for contract administration purposes. The professional contact details of clients’ representatives, their employees and business partners are also used to activate and maintain client accounts, to fulfill requests or respond to inquiries about Milliman products or services and to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest. The legal basis for the processing of Personal Data is Milliman’s legitimate interest (Art. 15(1)(vi) of KPIPA). Milliman may rely on your consent (Art. 15(1)(i) of KPIPA) for the sending of marketing communications when so required by data protection and privacy laws, in which case we will ask your consent prior to the sending of the communication. Milliman Korea may also use professional contact details of its clients’ employees for the purpose of sending surveys, questionnaires or for the purpose of organizing contests. For those activities, the legal basis for the processing of Personal Data is Milliman Korea’s legitimate interest (Art. 15(1)(vi) of KPIPA), unless data protection and privacy laws require your prior consent. We may also collect and process limited Personal Data about you from public resources (such as LinkedIn) including your name/surname, email address, telephone number, organization, title/position, profession, professional interests, to allow us to assess a potential interest in our services and to contact you for marketing purposes.

When we communicate with you regarding the products and services we offer or develop, you will be given the opportunity in each communication to unsubscribe and prevent future communications of that sort. If you do not want us to collect this information from our marketing emails, or if you wish to unsubscribe from direct marketing communications from us, you may write to us at data.protection@milliman.com requesting the same. We will cease using your Personal Data for direct marketing purposes once you have requested us to do so.

If you provide us with Personal Data of another individual, it is your duty to make sure that these individuals have consented to or are appropriately informed about the processing of their Personal Data by Milliman.

No automated decision-making, including profiling, is undertaken based on the Personal Data collected from you.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared between Milliman Korea and Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc., for purposes of centralization of Milliman’s administrative, contract management, Client Relationship Management (CRM), IT maintenance, marketing and IT security practices, for the purpose of the website’s management and security, and to provide information about Milliman products, services, or events. We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to comply with this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that it and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the KPIPA. Those can be made available at Milliman’s premises, by contacting us at data.protection@milliman.com.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organisational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of our legitimate interest). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at data.protection@milliman.com, and Milliman will take steps to delete any such Personal Data.

Third-party Links

Milliman’s website may contain links to websites hosted and operated by companies other than us (“Third-Party Websites”) to which you can export (part of) your Personal Data.

We do not disclose your Personal Data to these Third-Party Websites without your explicit consent. Note that any information you disclose to Third-Party Websites is no longer under our control and no longer subject to this Data Privacy Policy.

You should review the privacy policy practices of any such Third-Party Website to understand how that Third-Party Website collects and uses your Personal Data should you have decided to disclose your Personal Information to them. We are not responsible for the content or performance of these Third-Party Websites. We are in no way responsible or liable for the manner in which a Third-Party Website treats any Personal Data that you choose to provide to such a Third-Party Website and use of Third-Party Websites is strictly at your own risk.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Rights

You have a number of rights under the KPIPA and the Korean Credit Information Use and Protection Act (KCIUPA) in relation to your Personal Data and credit information, namely:

  1. the right of access pursuant to Art. 35 of KPIPA: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to (including by obtaining a copy of) such Personal Data and the manner in which, and the purposes for which we process your Personal Data, so that you can verify its accuracy and the lawfulness of the processing.
  2. the right to rectification and erasure pursuant to Art. 36 of KPIPA: you have the right to request rectification or erasure of Personal Data concerning you.
  3. the right to suspension of processing pursuant to Art. 37 of KPIPA: you have the right to request suspension of processing your Personal Data. Nonetheless, such request may be denied if (a) a special provision exists in law or processing of your Personal Data is required to comply with other legal obligations; (b) there is a concern that such request might cause bodily harm or damage the life of a third party or if it could violate a third party’s property rights or other benefits; (c) a public institution cannot perform its task as prescribed in other law without processing your Personal Data; or (d) it is impossible to perform the agreed upon task without processing your Personal Data, assuming that you have not explicitly expressed your intent to terminate the contract.
  4. the right to withdrawal of consent pursuant to Art. 39-7 of KPIPA: you have the right to withdraw your consent to collect, use, and provide Personal Data at any time. Said provision becomes effective as of August 5, 2020.
  5. the right to transfer credit information pursuant to Art. 33-2 of KCIUPA (effective August 5, 2020): if Personal Data includes credit information, the owner of credit information has the right to request transfer of its personal credit information to (a) the owner of credit information; (b) personal credit information management company; (c) credit information provider/user prescribed by a Presidential Decree; (d) personal credit rating company; (e) other entity prescribed by a Presidential Decree.

    If Personal Data includes credit information, the scope of transferable personal credit information is determined by a Presidential Decree considering: (a) information directly collected from the owner of credit information by the credit information provider/user; (b) information directly provided to the credit information provider/user by the owner of credit information; and (c) information created in transactions between the credit information provider/user and the owner of credit information.

    If Personal Data includes credit information, transferable personal credit information shall not be information newly generated or processed by credit information provider/user.

    Upon receipt of transfer request of personal credit information, the credit information provider/user shall, without delay, transfer personal credit information through a secured and credible data processing unit, despite other applicable laws such as Act on Real Name Financial Transactions and Confidentiality, Framework Act on National Taxes, Framework Act on Local Taxes, KPIPA, etc.

    The credit information provider/user that transferred personal credit information may not need to notify the owner of credit information.

    The credit information provider/user may deny or suspend credit information owner’s transfer request for reasons prescribed by a Presidential Decree, such as when the identity of the credit information owner cannot be verified.
  6. the right to appeal to a competent data protection supervisory authority (Art. 62 of KPIPA): anyone who suffers infringement on the rights or interests involving his/her Personal Data in the course of processing Personal Data by a controller may report such infringement to the Minister of the Interior and Safety.

    The Minister of the Interior and Safety may designate a specialized institution to efficiently receive and handle the claim reports, as prescribed by Presidential Decree. In such cases, such specialized institution shall establish and operate a personal information infringement call center, namely, Privacy Call Center.

Please note that any processing of your Personal Data prior to the deletion of your account with us, or your request that we no longer contact you for direct marketing purposes will remain valid under the legal grounds then prevailing.

You can exercise any of your rights as stated above, by sending us a request to data.protection@milliman.com. We will endeavor to respond to any such request as soon as possible, and in any event within the legal deadline.

How to Contact Us

If you have any questions or feedback relating to your Personal Data or about this Privacy Policy, please contact Milliman’s Data Protection Officer at data.protection@milliman.com.