Privacy Policy
Sketch Plastic Surgery (hereinafter "the Hospital") complies with the Personal Information Protection Act and has established the following Privacy Policy to protect the personal information and rights of data subjects. When the Hospital revises this Privacy Policy, it will give notice through the announcements section of its website (or by individual notice).
Article 1. Items of Personal Information Collected and Methods of Collection
The Hospital collects only the minimum personal information necessary to provide its services.
1) Items Collected for Medical Treatment
- Required items: name, resident registration number, date of birth, address, contact information (telephone number and mobile phone number), medical records
- Health information: personal health information that medical staff determine to be necessary in order to provide medical services
※ Unique identifying information, including the resident registration number, and treatment information are items that must be recorded and retained under Articles 22 and 23 of the Medical Service Act and the National Health Insurance Act (no separate consent is required).
2) Items Collected for Consultation Inquiries
- Name, contact information, content of the inquiry
- Collection channels: telephone, fax, email, and the messaging channels listed by the Hospital (KakaoTalk, WhatsApp, LINE, WeChat, Zalo, etc.)
※ The website does not operate its own consultation request form; only information provided directly by the data subject through the channels above is collected.
3) Automatically Generated and Collected Information
The following information may be automatically generated and collected in the course of using the services.
- Service usage records, access logs, cookies, access IP information
4) Methods of Collection
- Website, written forms, fax, telephone, email, and messaging consultations
- Treatment-related forms completed at the time of a visit
Article 2. Purposes of Collection and Use of Personal Information
The Hospital uses the personal information it collects only for the following purposes. If the purpose of use changes, the Hospital will obtain consent in advance.
1) Treatment Information
- Lookup of treatment, examination, and appointment records, and identity verification procedures
- Provision of medical services for diagnosis and treatment
- Administrative services such as billing, receipt, and refund of medical fees
- Issuance and delivery of medical fee statements, itemized statements, and certificates
- Referral for external testing and receipt of the results
- Securing a channel of communication for handling civil complaints and grievances
- Legal and administrative responses for quality-of-care management and hospital operations
2) Consultation Information
- Provision of consultation services and response to inquiries
- Guidance regarding treatments and procedures
Article 3. Processing of Personal Information of Children Under the Age of 14
The Hospital does not collect the personal information of children under the age of 14.
Article 4. Retention and Use Period of Personal Information
In principle, personal information is destroyed without delay once the purpose of its collection and use has been achieved. However, the following information is retained in accordance with the grounds and periods set out below.
| Retained Item | Retention Period | Legal Basis |
|---|---|---|
| Medical records | 10 years | Article 15 of the Enforcement Rule of the Medical Service Act |
| Surgical records | 10 years | Article 15 of the Enforcement Rule of the Medical Service Act |
| Examination details and examination findings records | 5 years | Article 15 of the Enforcement Rule of the Medical Service Act |
| Patient registers, prescriptions, radiographic images, etc. | Statutory period | Article 15 of the Enforcement Rule of the Medical Service Act |
| Records on consumer complaints or dispute resolution | 3 years | Act on the Consumer Protection in Electronic Commerce |
| Records on the collection, processing, and use of credit information | 3 years | Credit Information Use and Protection Act |
| Records on identity verification | 6 months | Act on Promotion of Information and Communications Network Utilization and Information Protection |
| Records on access (visits) | 3 months | Protection of Communications Secrets Act |
Article 5. Procedures and Methods for Destroying Personal Information
1) Destruction Procedure
Personal information for which the purpose of collection and use has been achieved is transferred to a separate database (or, in the case of paper documents, to a separate filing cabinet), stored for the retention period required by internal policy and relevant laws, and then destroyed. Personal information stored separately is not used for any purpose other than retention, except as required by law.
2) Destruction Methods
- Electronic files: deleted using a technical method that makes the records irretrievable
- Paper documents: shredded or incinerated
Article 6. Provision of Personal Information to Third Parties
The Hospital does not provide personal information to third parties, except with the consent of the data subject or where Article 17 or 18 of the Personal Information Protection Act applies. The cases in which information is currently provided are as follows.
- Submission of medical records to the Health Insurance Review and Assessment Service for the purpose of claiming costs of health care benefits under the National Health Insurance Act
- Provision in a form that does not allow identification of a specific individual, where necessary for statistical compilation or academic research
- Submission upon the request of an investigative agency in accordance with the procedures and methods prescribed by law
Other than the cases listed above, the Hospital does not provide personal information to third parties. If any such provision arises in the future, the Hospital will inform the data subject of the recipient, the purpose of provision, the items provided, and the retention and use period, obtain consent, and then disclose the matter through this Privacy Policy.
Article 7. Entrustment of Personal Information Processing
When entering into an entrustment agreement, the Hospital stipulates in writing matters such as compliance with personal information protection laws, confidentiality of personal information, prohibition of provision to third parties, liability in the event of an incident, the entrustment period, and the obligation to return or destroy personal information upon completion of processing, and it manages and supervises these matters.
| Entrusted Party | Scope of Entrusted Work | Entrusted Personal Information | Retention and Use Period |
|---|---|---|---|
| S-1 Corporation | Crime-prevention and security monitoring, and maintenance of the video information processing device (CCTV) system | CCTV video information for facility safety purposes | Until termination of the entrustment agreement |
- The processing of personal information related to medical treatment and consultation is not entrusted to any third party.
- The operating room CCTV under Article 38-2 of the Medical Service Act (Article 13, item 2) is operated on standalone equipment isolated from external networks and is therefore not subject to entrustment.
- If the scope of the entrusted work or the entrusted party changes, the Hospital will disclose the change without delay through this Privacy Policy.
Article 8. Overseas Transfer of Personal Information
The Hospital does not sell or provide the personal information of data subjects to third parties overseas. However, in order to operate its website, the Hospital uses the infrastructure and services of the overseas providers listed below, and access information may be transmitted and processed overseas in this process.
| Recipient | Country of Transfer | Items Transferred | Purpose of Transfer | Retention and Use Period |
|---|---|---|---|---|
| Cloudflare, Inc. | United States | Access IP, browser and device information, access date and time, request path | Website hosting and content delivery (CDN), blocking of security threats | In accordance with the provider's log retention policy |
| Google LLC | United States | Access IP, browser and device information, cookies | Display of map (Google Maps) and video (YouTube) content | In accordance with the provider's policy |
- Method of transfer: automatic transmission over the information and communications network when a user accesses the website or the relevant feature (map or video)
- The map and video features load only when the user interacts with the relevant area; if the user does not interact with it, no related information is transmitted.
- Users who do not wish their information to be transferred overseas may refrain from using the relevant features or configure their browser to block cookies and scripts. However, transmission relating to website hosting is essential to the provision of the service, and refusal makes use of the website impossible.
Weather information is provided by the Public Data Portal of the Korea Meteorological Administration (domestic) and is not transferred overseas.
Article 9. Rights and Obligations of Data Subjects and Legal Representatives, and How to Exercise Them
- A data subject may at any time request the Hospital to allow access to, correct, delete, or suspend the processing of personal information.
- These rights may be exercised in writing, by email, by fax, or by other means pursuant to Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, and the Hospital will take action without delay.
- These rights may also be exercised through a legal representative or a duly authorized agent. In such a case, a power of attorney in the form annexed to the Notice on Personal Information Processing Methods (「개인정보 처리 방법에 관한 고시」) must be submitted.
- In the following cases, requests for access and for suspension of processing may be restricted pursuant to Article 35(4) and Article 37(2) of the Personal Information Protection Act.
- Where special provisions exist in law, or where restriction is unavoidable in order to comply with a statutory obligation
- Where there is a risk of harm to the life or body of another person, or of unjustly infringing the property or other interests of another person
- Where failure to process the personal information would make it difficult to perform the contract, such as by making it impossible to provide the service agreed with the data subject, and the data subject has not clearly expressed an intention to terminate the contract
- Where personal information is expressly specified as subject to collection under other statutes, its deletion may not be requested. Information subject to statutory retention, such as medical records, falls under this category.
- When a request for access, correction, deletion, or suspension of processing is made, the Hospital verifies whether the person making the request is the data subject or a duly authorized agent.
Article 10. Measures to Ensure the Security of Personal Information
1) Administrative Measures
- Establishment and implementation of an internal management plan
- Minimization of the number of staff handling personal information and regular training
- Regular internal audits of personal information handling
2) Technical Measures
- Encrypted storage and transmission of personal information
- Installation and periodic inspection of security programs against hacking and malicious code
- Access control through the granting, modification, and revocation of access rights to the personal information processing system
- Retention of access records and prevention of forgery or alteration
3) Physical Measures
- Storage of documents and auxiliary storage media containing personal information in locked facilities
- Establishment and operation of access control procedures for areas where personal information is stored
Article 11. Installation and Operation of Automatic Personal Information Collection Devices and Refusal Thereof
The Hospital operates "cookies," which store and retrieve user information from time to time. A cookie is a very small text file that the server operating the Hospital's website sends to the user's browser, where it is stored on the user's device. The Hospital uses cookies for the following purposes.
- To analyze the frequency and duration of visits and to identify users' areas of interest, and to use this as a metric for restructuring our services.
- To maintain the user's environment, such as the language selected by the user, so that the same settings can be used on the next visit.
Users have the right to choose whether cookies are installed. Accordingly, by configuring the options in their web browser, users may allow all cookies, be prompted for confirmation each time a cookie is stored, or refuse the storage of all cookies. However, refusing the storage of cookies may make it difficult to use some services.
In addition, the website includes third-party services such as maps (Google Maps) and videos (YouTube), and access information may be transmitted to the relevant provider when these features are used.
As of July 2026, no external analytics or advertising scripts are installed on the website.
Article 12. Personal Information Protection Officer
The Hospital has designated a Personal Information Protection Officer as set out below, who has overall responsibility for personal information processing and for handling complaints and providing remedies for data subjects in connection with personal information processing.
| Category | Name / Position | Contact |
|---|---|---|
| Personal Information Protection Officer | HyunWook Jung / Director | 02-562-5415 · [email protected] |
Data subjects may direct to the Personal Information Protection Officer any inquiries, complaints, or requests for remedy relating to personal information protection that arise while using the Hospital's services. The Hospital will respond and take action without delay.
Article 13. Policy on the Installation and Operation of Video Information Processing Devices (CCTV)
The Hospital operates two types of video information processing devices with different purposes and legal bases. Because the grounds for installation, retention periods, and access requirements differ, they are described separately below.
None of the video information processing devices operated by the Hospital have audio recording capability.
1) CCTV for Facility Safety Purposes (Article 25 of the Personal Information Protection Act)
| Category | Details |
|---|---|
| Grounds and purpose of installation | Facility safety and fire prevention, crime prevention for the safety of patients and visitors, and prevention of unlawful intrusion by outsiders |
| Number of units installed | 17 units |
| Installation locations and filming range | Interior of the clinic |
| Filming hours | 24 hours |
| Audio recording | None |
| Retention period | Within 30 days from the date of filming |
| Storage location | Server within the Hospital |
| Entrustment | S-1 Corporation — monitoring and maintenance (Article 7) |
- A data subject may request access to, confirmation of the existence of, or deletion of personal video information in which the data subject appears. However, this is limited to footage in which the data subject personally appears, or footage clearly necessary for the urgent protection of the life, body, or property of the data subject.
- To request access or similar measures, please contact the Video Information Management Officer in advance and then visit the Hospital, where the footage can be reviewed. If a request is refused, the Hospital will notify the reasons for refusal and the means of appeal in writing or by other means within 10 days.
2) Operating Room CCTV (Article 38-2 of the Medical Service Act)
| Category | Details |
|---|---|
| Grounds and purpose of installation | Installation of closed-circuit television inside operating rooms pursuant to Article 38-2(1) of the Medical Service Act. Prevention of unlawful acts in operating rooms and verification of the facts in the event of a medical dispute |
| Number of units installed | 3 units (one in each of the 3 operating rooms) |
| Installation locations and filming range | Interior of the operating rooms |
| Network connection | None (standalone operation). Isolated from external networks, so remote access is not possible |
| Audio recording | None |
| Retention period | At least 30 days from the date of filming (Article 38-2 of the Medical Service Act and the Enforcement Rule of the same Act) |
| Storage location | Standalone recording device within the Hospital |
| Entrustment | None |
Filming and Consent
- Where a patient or the patient's guardian so requests (including where the Hospital or a medical professional makes the request and the patient or guardian consents), the Hospital films surgery performed while the patient is unconscious, such as under general anesthesia.
- A patient or guardian who wishes to request filming must submit a filming request form to the Hospital before the surgery.
- The Hospital may refuse filming where any of the grounds set out in the subparagraphs of Article 38-2(2) of the Medical Service Act applies, in which case it will explain the reason and record and retain it.
- Because the video information processing devices installed by the Hospital have no audio recording capability, no audio is recorded during surgery.
Restrictions on Access and Provision
- The Hospital allows access to or provides the recorded video information only in the following cases.
- Where a relevant agency requests it for the purposes of criminal investigation or judicial proceedings
- Where the Korea Medical Dispute Mediation and Arbitration Agency requests it in mediation or arbitration proceedings under the Act on Remedies for Injuries from Medical Accidents and Mediation of Medical Disputes
- Where all data subjects concerned — including the patient and the medical professionals who participated in the surgery — consent to the request
- A person who wishes to request access or provision must apply to the Hospital in accordance with the forms and procedures prescribed by the Enforcement Rule of the Medical Service Act.
- The Hospital does not access or provide video information for any purpose other than those set out in the subparagraphs above, and does not arbitrarily search or review video information.
3) Video Information Management Officers and Persons Authorized to Access
| Category | Name | Department |
|---|---|---|
| Video Information Management Officer | HyunWook Jung | Medical Team |
| Video Information Management Officer | WooSung Lee | Medical Team |
4) Measures to Ensure the Security of Video Information
- Differentiated granting of access rights and minimization of the number of persons authorized to access
- Preparation and management of access records (date and time of creation, purpose of access, person accessing, date and time of access)
- Installation of locking devices at storage locations and control of entry
- Periodic change of passwords for the surveillance control system, the recording devices, and the monitoring accounts
- Operation of operating room video information in isolation from external networks
Video information whose retention period has expired is destroyed without delay by a method that makes it irretrievable.
Article 14. Remedies for Infringement of Data Subjects' Rights
If you need to report or seek consultation regarding an infringement of personal information, please contact the organizations below.
| Organization | Telephone | Website |
|---|---|---|
| Personal Information Infringement Reporting Center | 118 (no area code) | https://privacy.kisa.or.kr |
| Personal Information Dispute Mediation Committee | 1833-6972 (no area code) | https://www.kopico.go.kr |
| Supreme Prosecutors' Office, Cyber and Technology Crime Investigation Division | 1301 (no area code) | https://www.spo.go.kr |
| National Police Agency, Cybercrime Reporting System (ECRM) | 182 (no area code) | https://ecrm.police.go.kr |
Article 15. Changes to the Privacy Policy
This Privacy Policy may be amended in accordance with changes in relevant laws and guidelines or changes in internal operating policies. Where this Privacy Policy is amended, the Hospital will give notice of the reasons for and content of the amendment through its website, and in the case of significant changes, will give notice at least 7 days before the effective date.
Revision History
| Effective Date | Category | Key Content |
|---|---|---|
| April 20, 2021 | Establishment | Initial establishment |
| July 20, 2026 | Full amendment and first publication on this website | Reorganization of the article structure (15 articles), addition of the overseas transfer article, separate description of the 2 types of video information processing devices, identification of the entrusted party (S-1 Corporation), and updating of the remedy organizations for rights infringement |
- ① This Privacy Policy applies from July 20, 2026.
- ② The full text of the previous Privacy Policy may be obtained upon request to the Personal Information Protection Officer (Article 12).
Established: April 20, 2021 / Effective: July 20, 2026