Privacy Policy of EOFLOW Co., Ltd.
EOFLOW Co., Ltd. (hereinafter referred to as the “Company”), as data controller pursuant to EU General Data Protection Regulation no. 679/2016 (the “GDPR”), will collect and process your personal data and particular categories of data (namely “sensitive data”) for managing your EOFLOW service membership registration and for providing the EOFLOW services, in compliance with the personal data protection regulations in accordance with the applicable laws and regulations including, but not limited to, Legislative Decree no. 196/2003 (the “Privacy Code”), and is committed to protecting the rights and interests of the information provided by and/or collected from you in the use of the EOFLOW service according to the modalities of this Privacy Policy.
The Company also has a firm commitment to respect your privacy and the right to Personal Data under the GDPR when the processing of Personal Data is related to the activities of the Company’s subsidiaries, affiliates, branches, representative offices and other establishments in the EEA or outside the EEA.
1. Purpose of personal data processing and legal basis
- The Company processes your personal and sensitive data for the following purposes. The data collected and processed is not used for purposes other than the purpose indicated in this Privacy Policy, and if the purpose of use is changed, you will be informed and an additional consent will be secured when necessary in accordance with Articles 6, 7 and 9 of the GDPR and other necessary measures will be implemented.
- A) EOFLOW service membership registration and management via the Narsha App and the ADM device
The Company processes personal information for the purpose of checking the intention of a person to sign up as a member, verifying the identity of a member before providing membership services, managing membership status, verifying the identity of a member according to enforcement of the limited identification system, preventing illegal use of services, checking that a consent of the legal representative is properly granted when processing personal information of children under the age of 16, making various notices and notifications, handling complaints, etc. The legal basis of the processing carried out by the Company for these purposes is the execution of the service membership registration and management requested by you; therefore, the collection of the personal data (indicated in par. 2, lett. A) is necessary, as any refusal to provide such data does not allow the Company to manage and provide the services requested.
- B) Providing EOFLOW services via the Narsha App and the ADM device
The Company processes personal data, including sensitive data (see par. 2, lett. B), for the purpose of providing the EOFLOW services (including customized services) and contents, verifying the identity of a user as a member, and providing other accompanying services when requested by you. In relation to the “common” personal data (Email address, country of residence, name, ID/password, gender, date of birth), the legal basis of the processing carried out by the Company is the execution of the EOFLOW services requested by you; thus the collection of said data is necessary, and any refusal to provide them does not allow the Company to manage and provide the EOFLOW services. In relation to the sensitive data collected by the EOFLOW services, in compliance with the GDPR the legal basis of the processing carried out by the Company is your explicit consent, which will be requested from you in the “Personal Information Consent Form”. The refusal to provide said consent, or its withdrawal, will affect the full provision of the EOFLOW services requested by you.
- C) Communication of the personal and sensitive data to the Guardian/ Primary care Physician
If you expressly request so, and with your prior and optional consent, any personal data collected through the EOFLOW services could be communicated to your appointed Guardian/Primary care Physician for the purpose of monitoring the physical condition of the data subject. The legal basis of the processing carried out by the Company is your express and entirely voluntary consent, which will be requested from you in the “Personal Information Consent Form”. The refusal to provide said consent, or its withdrawal, will not affect the provision of the EOFLOW services requested by you, preventing only the communication of your data to your appointed Guardian/Primary care Physician. You can also modify this option during the service.
- D) Fulfillment of Legal obligations
The data will be processed by the Company to fulfill legal obligations provided by regulations, national and European laws as well as to be compliant with the provisions provided by authorized Authorities.
- E) Legitimate interests’ purposes
The data will also be processed by the Company in order to exercise its and/or third parties’ rights and legitimate interests, such as legal defense, the management of claims and disputes which may arise, the prevention of fraud and/or illegal activities, possible credit recovery, etc.
2. Personal and sensitive data to be processed
- The Company collects and processes only the minimum personal information necessary for the use of the service when signing up for membership.
- A) EOFLOW service membership registration and management
- * Required: Email address, name, ID/password, gender, date of birth
- * Additionally required for children under the age of 16: Written authorization, name and contact information of the legal representative
- B) Use of EOFLOW service
- * Required: Email address, country of residence, name, ID/password, gender, date of birth
- * Optional: medical emergency card information (hospital name, primary doctor, contact information)
- * Sensitive information: Diabetes type, height, weight, blood glucose, bolus, Basal/Temp basal injection, carbohydrate, exercise information
- In addition, the following information may be generated and collected during the process of signing up or logging in.
- * Device unique number (terminal ID or UUID), OS information, device model name, language and country setting, IP, etc.
3. Period of retention and use of personal and sensitive data
- The Company processes and retains the personal and sensitive data collected by means of the EOFLOW services within the period of retention and use of personal information in accordance with the GDPR, the Privacy Code and the applicable laws and regulations or within the period of personal information retention and use agreed upon when collecting the data from you.
- Each period of personal information processing and retention is as follows.
- A) EOFLOW service membership registration and management: Until membership withdrawal from EOFLOW service. However, also following the membership withdrawal, the data could be retained for the additional necessary period for any of the following reasons:
- ① If an investigation into a violation of related laws is in progress, until the end of the investigation
- ② If there is an ongoing creditor/debtor relationship related to the use of EOFLOW service, until the settlement of the creditor/debtor relationship
- B) Please note that EOFLOW separately manages and stores the personal information of data subjects who have not used the EOFlow service for at least six months
4. Entrustment of Processing of Personal Information (Including transmission of personal information overseas)
- For providing services and enhancing user convenience, the Company may transmit your personal data overseas or manage it abroad. The details of the personal information that the Company may transmit overseas are as follows.

| The information of the receiving company | Destination country | Items of personal information transmitted | Purpose of the receiving party, the period of retention and use, and the date and method of transmission | Measures implemented to transfer personal data |
| --- | --- | --- | --- | --- |
| Amazon Web Service Inc. [aws-korea-privacy@amazon.com] | Republic of Korea | Personal information and log information collected while using the service | Purpose: Data storage, service operation or the like for providing the EOFLOW service; Period: During the user's service subscription period; Transmission date and method: Transmitted as needed through the information and communication network in the process of providing the service | Adequacy Decision |
| EOFlow, Inc. [eo-usa-privacy@eoflow.com] | United States of America | [Personal information and log information collected while using the service] | Purpose: For operation and maintenance of the system; Period: During the user's service subscription period; Transmission date and method: Transmitted as needed through the information and communication network in the process of providing the service | EU Standard Contractual Clauses (Data Sharing Agreement) |

5. Matters concerning personal information to be provided to a third party
- The Company processes your personal and sensitive data strictly in accordance with the specified scope of the purpose of processing stated in this Privacy Policy, and may not provide such personal data to third parties unless explicitly permitted under the applicable legislation as explained below.
- A) If the data subject provides prior consent to the third party transfer

| Receiving company and contact | Destination country | Items to be provided | Purpose, retention and use period and transmission date and method |
| --- | --- | --- | --- |
| Zucchetti Centro Sistemi (ZCS) [privacy@glucologweb.com] | Belgium | Bolus, Basal/Temp basal injection | Purpose: Management of the patient's blood glucose levels, activity aimed at mitigating blood glucose results, control, and medical assistance; Period: Upon membership withdrawal, provided that certain information will be retained for the retention period specified in relevant laws; Transmission date and method: Transmitted as needed through the information and communication network in the process of providing the service |

- B) If there are special regulations in other laws, etc.

| The information of the receiving company | Destination country | Items to be provided | Purpose of the receiving party, retention and use period and transmission date and method |
| --- | --- | --- | --- |
| The Ministry of Food and Drug Safety | Republic of Korea | Name, Gender, Date of Birth, Age (at the time of the reporting), side effects that occurred, etc. | Purpose: Carrying out reporting obligations in regards to safety management, such as reporting of side effects; Period: In accordance with the provisions of the relevant laws and regulations; Transmission date and method: Transmitted as needed through the information and communication network in the process of providing the service etc. |

- Other than the above, if EOFlow is required to comply with foreign legislation regarding the third party transfer of information, EOFlow will duly comply with such obligations.
6. Destruction of personal information
- In principle, after the purpose of processing personal data is achieved (see par. 3 above), the Company destroys it without delay and in the following ways so that the personal data cannot be recovered and reproduced.
- A) Destruction procedure
- For the collected personal data, after the purpose of collecting and using personal data has been achieved or the retention period has elapsed, the personal data will be destroyed without delay.
- However, information that must be kept in accordance with this policy and related laws will be stored for the period stipulated by the laws and then destroyed.
- B) Method of destruction
- Records, prints, and documents: Shredded with a shredder or incinerated
- Electronic file format: Deleted using a technical method that makes it impossible to restore the record
7. Rights of the data subject and the legal representative and how to exercise the rights
- The data subject and the legal representative can at any time exercise, where applicable, the rights provided by the GDPR in order to obtain:
- (i) the confirmation as to the existence of data concerning them, even if not recorded yet, and the communication of the same data in an intelligible form;
- (ii) the indication of the origin of the data, purposes and modalities of the processing, subjects and categories of subjects to which the data may be communicated or which may get to know the data in their capacity as representatives in the State’s territory, as data processors, or persons in charge of the processing;
- (iii) the updating, rectification or, where interested therein, integration of the data;
- (iv) the erasure, transformation into anonymous form, or blocking of data that have been processed unlawfully.
- The data subjects, moreover, shall have the right to object, in whole or in part, on legitimate grounds, to the processing of their personal data.
- Finally, if applicable, the data subject and the legal representative have the right to rectification, right to erasure, right to restriction of processing, right to data portability as well as the right to lodge a complaint with the Italian Data Protection Authority in relation to the processing described in this Privacy Policy.
- The rights listed above may be exercised directly by contacting the Company’s personal information protection manager and personnel at the contacts indicated in par. 9 below.
- For requests that are made by phone or e-mail to the personal information protection manager of the Company, the Company will take action without delay after going through the identity verification process.
- If the data subject requests correction of errors in personal data, the personal data will not be processed until the correction is completed. In addition, if it has already been provided to a third party, the result of the correction will be notified to the third party without delay with the necessary measures for the third party to comply with the result of the correction.
- The legal representative of the data subject under the age of 16 may request viewing, correction, or consent withdrawal with regard to the personal data of the data subject under the age of 16.
8. Measures to ensure safety of personal information
- The Company takes the following technical, administrative, and physical measures necessary to ensure safety.
- A) Establishment and implementation of personal information protection guidelines
- The Company takes measures to protect the personal information of the data subject with internal guidelines for the protection of the company's personal information in place.
- B) Minimum number of personal data handlers and training
- The Company conducts business with access rights to personal data granted to as few people as possible and conducts regular training on personal data protection.
- C) Restriction of access to personal data
- The Company takes necessary measures to control access to personal data by granting, changing, or canceling access rights to the personal data processing system.
- D) Storage of access records and prevention of forgery
- The Company keeps/manages records of access to the personal data processing system for at least two (2) years, and takes measures to prevent forgery, theft, and loss of access records.
- E) Installation of security program
- The Company uses an antivirus program to prevent damage caused by viruses, and the program is updated regularly.
9. Contact information of personal information protection manager and personnel
To protect the personal data of the data subject and handle complaints and requests related to personal data, the Company appoints the relevant department and the personal information protection manager as follows.
- ▶ Personal Information Protection Manager
- Name : Ahn In-Soo
- Department : IT Security Team
- Email : privacy@eoflow.com
- as well as the contact details of EOFLOW legal representative in Italy

| Category | DPO (Data Protection Officer) | Representative |
| --- | --- | --- |
| Email | dpo@eoflow.com | DVecchi@gop.it |

- ※ The personal information protection manager department is in charge of processing requests of access to personal information.
10. Duty of notice
If there is any change such as addition, deletion, or modification of the contents in this Privacy Policy, it will be notified in advance on the website or by a notice.
Effective Date: 14.09.2023