Privacy Policy
Privacy Policy of EOFLOW Co., Ltd.

EOFLOW Co., Ltd. (hereinafter referred to as the "Company"), as data controller pursuant to EU General Data Protection Regulation no. 679/2016 (the “GDPR”), will collect and process your personal data and particular categories of data (namely “sensitive data”) for managing your EOFLOW service membership registration and for providing the EOFLOW services, in compliance with the personal data protection regulations in accordance with the applicable laws and regulations including, but not limited to, Legislative Decree no. 196/2003 (the “Privacy Code”), and is committed to protecting the rights and interests of the information provided by and/or collected from you in the use of the EOFLOW service according to the modalities of this Privacy Policy.

The Company also has a firm commitment to respect your privacy and the right to Personal Data under the GDPR when the processing of Personal Data is related to the activities of the Company’s subsidiaries, affiliates, branches, representative offices and other establishments in the EEA or outside the EEA.

1. Purpose of personal data processing and legal basis

The Company processes your personal and sensitive data for the following purposes. The data collected and processed is not used for purposes other than the purpose indicated in this Privacy Policy, and if the purpose of use is changed, you will be informed and an additional consent will be secured when necessary in accordance with Articles 6, 7 and 9 of the GDPR and other necessary measures will be implemented.
A) EOFLOW service membership registration and management via the Narsha App and the ADM device 
The Company processes personal information for the purpose of checking the intention of a person to sign up as a member, verifying the identity of a member before providing membership services, managing membership status, verifying the identity of a member according to enforcement of the limited identification system, preventing illegal use of services, checking that a consent of the legal representative is properly granted when processing personal information of children under the age of 16, making various notices and notifications, handling complaints, etc. The legal basis of the processing carried out by the Company for these purposes is the execution of the service membership registration and management requested by you; therefore, the collection of the personal data (indicated in par. 2, lett. A) is necessary, as any refusal to provide such data does not allow the Company to manage and provide the services requested.
B) Providing EOFLOW services via the Narsha App and the ADM device 
The Company processes personal data, including sensitive data (see par. 2, lett. B), for the purpose of providing the EOFLOW services (including customized services) and contents, verifying the identity of a user as a member, and providing other accompanying services when requested by you. In relation to the “common” personal data (Email address, country of residence, name, ID/password, gender, date of birth), the legal basis of the processing carried out by the Company is the execution of the EOFLOW services requested by you, thus the collection of said data is necessary and any refusal to provide them does not allow the Company to manage and provide the EOFLOW services. In relation to the sensitive data collected by the EOFLOW services, in compliance with the GDPR the legal basis of the processing carried out by the Company is your explicit consent, which will be requested from you in the “Personal Information Consent Form”. The refusal to provide said consent, or its withdrawal, will affect the full provision of the EOFLOW services requested by you.
C) Communication of the personal and sensitive data to the Guardian/Primary care Physician
If you expressly request so, and with your prior and optional consent, any personal data collected through the EOFLOW services could be communicated to your appointed Guardian/Primary care Physician for the purpose of monitoring the physical condition of the data subject. The legal basis of the processing carried out by the Company is your express and entirely voluntary consent, which will be requested from you in the “Personal Information Consent Form”. The refusal to provide said consent, or its withdrawal, won’t affect the provision of the EOFLOW services requested by you, preventing only the communication of your data to your appointed Guardian/Primary care Physician. You can also modify this option during the service.
D) Fulfillment of Legal obligations
The data will be processed by the Company to fulfill legal obligations provided by regulations, national and European laws as well as to be compliant with the provisions provided by authorized Authorities.
E) Legitimate interests’ purposes
The data will also be processed by the Company in order to exercise its and/or third parties’ rights and legitimate interests, such as legal defense, the management of claims and disputes which may arise, the prevention of fraud and/or illegal activities, possible credit recovery, etc.
 
2. Personal and sensitive data to be processed

The Company collects and processes only the minimum personal information necessary for the use of the service when signing up for membership. 
A) EOFLOW service membership registration and management
    * Required: Email address, name, ID/password, gender, date of birth
    * Additionally required for children under the age of 16: Written authorization, name and contact information of the legal representative
B) Use of EOFLOW service
    * Required: Email address, country of residence, name, ID/password, gender, date of birth
    * Optional: medical emergency card information (hospital name, primary doctor, contact information)
    * Sensitive information: Diabetes type, height, weight, blood glucose, bolus, Basal/Temp basal injection, carbohydrate, exercise information
In addition, the following information may be generated and collected during the process of signing up or logging in. 
    * Device unique number (terminal ID or UUID), OS information, device model name, language and country setting, IP, etc.

3. Period of retention and use of personal and sensitive data

The Company processes and retains the personal and sensitive data collected by means of the EOFLOW services within the period of retention and use of personal information in accordance with the GDPR, the Privacy Code and the applicable laws and regulations or within the period of personal information retention and use agreed upon when collecting the data from you.
Each period of personal information processing and retention is as follows.
A) EOFLOW service membership registration and management: Until membership withdrawal from EOFLOW service. However, also following the membership withdrawal, the data could be retained for the additional necessary period for any of the following reasons:
① If an investigation into a violation of related laws is in progress, until the end of the investigation
② If there is an ongoing creditor/debtor relationship related to the use of EOFLOW service, until the settlement of the creditor/debtor relationship
B) Please note that EOFLOW separately manages and stores the personal information of data subjects who have not used the EOFLOW service for at least six months.

4. Entrustment of Processing of Personal Information (Including transmission of personal information overseas)

For providing services and enhancing user convenience, the Company may transmit your personal data overseas or manage the information abroad. The details of the personal information that the Company may transmit overseas are as follows.

Receiving company: Amazon Web Service Inc. [aws-korea-privacy@amazon.com]
    * Destination country: Republic of Korea
    * Items of personal information transmitted: Personal information and log information collected while using the service
    * Purpose: Data storage, service operation or the like for providing the EOFlow service
    * Period: During the user's service subscription period
    * Transmission date and method: Transmitted as needed through the information and communication network in the process of providing the service
    * Measures implemented to transfer personal data: Adequacy Decision

Receiving company: EOFlow, Inc. [eo-usa-privacy@eoflow.com]
    * Destination country: United States of America
    * Items of personal information transmitted: Personal information and log information collected while using the service
    * Purpose: For operation and maintenance of the system
    * Period: During the user's service subscription period
    * Transmission date and method: Transmitted as needed through the information and communication network in the process of providing the service
    * Measures implemented to transfer personal data: EU Standard Contractual Clauses (Data Sharing Agreement)

5. Matters concerning personal information to be provided to a third party

The Company processes your personal and sensitive data strictly in accordance with the specified scope of the purpose of processing stated in this Privacy Policy, and may not provide such personal data to third parties unless explicitly permitted under the applicable legislation as explained below.
A) If the data subject provides prior consent to the third party transfer

Receiving company and contact: Zucchetti Centro Sistemi (ZCS) [privacy@glucologweb.com]
    * Destination country: Belgium
    * Items to be provided: Bolus, Basal/Temp basal injection
    * Purpose: Management of the patient's blood glucose levels, activity aimed at mitigating blood glucose results, control, and medical assistance.
    * Period: Upon membership withdrawal, provided that certain information will be retained for the retention period specified in relevant laws
    * Transmission date and method: Transmitted as needed through the information and communication network in the process of providing the service

B) If there are special regulations in other laws, etc.

Receiving company: The Ministry of Food and Drug Safety
    * Destination country: Republic of Korea
    * Items to be provided: Name, Gender, Date of Birth, Age (at the time of the reporting), side effects that occurred, etc.
    * Purpose: Carrying out reporting obligations in regards to safety management, such as reporting of side effects
    * Period: In accordance with the provisions of the relevant laws and regulations
    * Transmission date and method: Transmitted as needed through the information and communication network in the process of providing the service etc.

Other than above, if EOFlow is required to comply with foreign legislation regarding the third party transfer of information, EOFlow will duly comply with such obligations.
 

6. Destruction of personal information

In principle, after the purpose of processing personal data is achieved (see par. 3 above), the Company destroys it without delay and in the following ways so that the personal data cannot be recovered and reproduced.
A) Destruction procedure
For the collected personal data, after the purpose of collecting and using personal data has been achieved or the retention period has elapsed, the personal data will be destroyed without delay.
However, information that must be kept in accordance with this policy and related laws will be stored for the period stipulated by the laws and then destroyed.
B) Method of destruction
Records, prints, and documents: Shredded with a shredder or incinerated
Electronic file format: Deleted using a technical method that makes it impossible to restore the record

7. Rights of the data subject and the legal representative and how to exercise the rights

The data subject and the legal representative can at any time exercise, where applicable, the rights provided by the GDPR in order to obtain:
(i) the confirmation as to the existence of data concerning them, even if not recorded yet, and the communication of the same data in an intelligible form;
(ii) the indication of the origin of the data, purposes and modalities of the processing, subjects and categories of subjects to which the data may be communicated or which may get to know the data in their capacity as representatives in the State’s territory, as data processors, or persons in charge of the processing;
(iii) the updating, rectification or, where interested therein, integration of the data;
(iv) the erasure, transformation into anonymous form, or blocking of data that have been processed unlawfully.
The data subjects, moreover, shall have the right to object, in whole or in part, on legitimate grounds, to the processing of their personal data.
Finally, if applicable, the data subject and the legal representative have the right to rectification, right to erasure, right to restriction of processing, right to data portability as well as the right to lodge a complaint with the Italian Data Protection Authority in relation to the processing described in this Privacy Policy.
The rights listed above may be exercised directly by contacting the Company’s personal information protection manager and personnel at the contacts indicated in par. 9 below.
For requests that are made by phone or e-mail to the personal information protection manager of the Company, the Company will take action without delay after going through the identity verification process.
If the data subject requests correction of errors in personal data, the personal data will not be processed until the correction is completed. In addition, if it has already been provided to a third party, the result of the correction will be notified to the third party without delay with the necessary measures for the third party to comply with the result of the correction.
The legal representative of the data subject under the age of 16 may request viewing, correction, or consent withdrawal with regard to the personal data of the data subject under the age of 16.

8. Measures to ensure safety of personal information

The Company takes the following technical, administrative, and physical measures necessary to ensure safety.
A) Establishment and implementation of personal information protection guidelines
The Company takes measures to protect the personal information of the data subject with internal guidelines for the protection of the company's personal information in place.
B) Minimum number of personal data handlers and training
The Company grants access rights to personal data to as few people as possible and conducts regular training on personal data protection.
C) Restriction of access to personal data
The Company takes necessary measures to control access to personal data by granting, changing, or canceling access rights to the personal data processing system.
D) Storage of access records and prevention of forgery
The Company keeps/manages records of access to the personal data processing system for at least two (2) years, and takes measures to prevent forgery, theft, and loss of access records.
E) Installation of security program
The Company uses an antivirus program to take measures to prevent damage, and such program is updated regularly to prevent damage caused by viruses.

9. Contact information of personal information protection manager and personnel

To protect the personal data of the data subject and handle complaints and requests related to personal data, the Company appoints the relevant department and the personal information protection manager as follows.

Personal Information Protection Manager
    * Name: Kim Kyung-soo
    * Department: Quality Division
Personal Information Protection Personnel
    * Name: Ahn In-soo
    * Department: IT Security Team
Email: privacy@eoflow.com

Contact details of the EOFLOW legal representative in Italy:
    * DPO (Data Protection Officer): dpo@eoflow.com
    * Representative: DVecchi@gop.it
※ The personal information protection manager department is in charge of processing requests of access to personal information.

10. Duty of notice

If there is any change such as addition, deletion, or modification of the contents in this Privacy Policy, it will be announced in advance on the website or by a notice.
Effective Date: September 01. 2022
