Privacy Protection Measures

Privacy Protection Governance

Kakao carries out its duty and responsibility to protect users' privacy with the privacy protection governance.

  • DPO (Data Protection Officer)
  • Privacy
    • CISO (Chief Information Security Officer)
      Information Security Technology and Policy Division
      Operate data protection management system and establish data protection policy
      Control technical risks
    • CPO (Chief Privacy Officer)
      Privacy Policy Division
      Establish privacy policy
      Review personal information usage and manage risks
    • Privacy Policy Advisory Committee

Privacy Impact Assessment

Kakao conducts a privacy impact assessment on user services to secure personal information.
It aims to eliminate risk factors in advance by closely examining observance of the law throughout the process of service planning, modifying and closing, as well as effects on users' personal information.

Privacy Impact Assessment Stage and Items

  • Introduction of Service Review the adequacy of the personal information life cycle from service planning to launch, as well as personal information processing system
    Collection of Personal Information:
    - Explicit user consent
    - Collect minimum data required
    Transmission/Storage of Personal Information
    - Secure transmission of personal Information
    - Encrypted storage of passwords, financial information,
    and location-based information
  • Operation of Service Review the introduction stage when additionally collecting, using, or providing personal information
    Use of Personal Information: Prevention of misuse of personal information
    - Prevention of misuse of personal information
    Provision of Personal Information
    - Minimum provision of personal information
    - Secure transmission of personal information
  • Termination of Service: Review the destruction of personal information
    - Secure adequacy at the time of destruction
    - Confirm a safe destruction
    Personal Information Management System
    - Identify the history of personal information handling
    - Review the authority to handle personal information
    - Control the unnecessary disclosure of personal information
    - Log the history of personal information handling

Precautionary Inspection

Kakao conducts various precautionary inspections such as security vulnerability checks, security coding, and code review in order to maintain the level of security above that required by law. All Kakao services are periodically checked for vulnerabilities from the pre-planning stage, before the service release, to the closing stage.
Precautionary Inspection: Kakao conducts various precautionary inspections such as security vulnerability checks, security coding, and code review in order to maintain the level of security above that required by law. Kakao will exert the utmost efforts to provide secure service by enhancing security and proactively responding based on new trends and technologies.

Strict Access Control

Kakao's personal data processing system and a membership database are maintained under strict access control. Only the minimum number of authorized users can access after going through a strict process. Each responsible person judges the necessity based on the scope of work, grants access, and monitors authorized personnel and intrusion detection system that blocks all unauthorized access attempts. Kakao has installed, managed, and operated a server firewall to protect sensitive information.

Employee Control

Kakao analyzes and monitors the access and handling of personal information while recording and storing the history of permission requests, changes, and deletions. Kakao immediately withdraws unnecessary permissions through periodic reviews. As a leading data company, Kakao is equipped with data privacy pledges required from its employees. In order to enhance privacy awareness among employees, Kakao has offered privacy protection training more than twice a year. Moreover, malicious code-finder programs are installed on employees' PCs to detect and confront malware.

24/7 Security Control

Kakao's 24/7 Security Control Center operates a dual monitoring system run in parallel by Kakao and independent experts. We immediately identify causes and effects upon detecting abnormal symptoms such as massive login attempts from a particular IP in the course of providing various services.

Response and Notification Procedures on Personal Data Leak

In case of detecting privacy data spill, Kakao has established a procedure to notify the damaged party of such fact and report it to the authorities concerned under the relevant laws and regulations. Kakao has always made it a rule to provide countermeasures and counseling contacts along with notification of privacy data spill. We also inform users of necessary instructions, such as remedy procedures, to minimize user damages. Besides, we will seek for the best countermeasure that minimizes damages incurred to our users, by closely discussing the scale and details of an issue with the relevant authorities.

A personal information controller shall notify the aggrieved data subjects of the information leakage without delay when he/she is aware that their personal information has been divulged, and report it to the Personal Information Protection Committee or the Korea Internet and Security Agency. (Article 34; Execution Date 2020.08.05) A business operator shall, in writing, notify the aggrieved data subjects of the information leakage without delay and keep such fact posted on an easily accessible site such as the Internet homepage. Provided, however, that there is an urgent need for immediate actions to prevent additional damage by such information leakage, the business operator may notify the users of the related facts after taking such actions. The following facts shall be included in a user notification and a report filed to the relevant authorities.

1. Particulars of the personal information divulged;
2. When and how personal information has been divulged;
3. Any information about what the data subjects can do to minimize the risk of damage from divulgence;
4. Countermeasures by the personal information controller and remedial procedure;
5. Help desk and contact points for the data subjects to report the damage.