GC i-MED

Article 1. Personal Information Collected and Collection Methods

When collecting personal information, the hospital gives prior notice of the scope and purpose of collection through its terms of use and other notices in accordance with applicable laws. The categories of personal information collected are as follows.

Information collected for medical treatment and health checkups

Personal information: name, date of birth, contact information, address, and email address.
Corporate checkup information: company name, employee number, and date of employment.
Sensitive information: medical results, health checkup results, and health information, including medical history, family history, and other personal health information that medical professionals determine is necessary for providing medical services.
Unique identifying information: resident registration number, alien registration number, passport number, and driver's license number.

Information collected when paying medical or checkup fees

Credit card payment approval information.

Information automatically collected while using online services

Service usage records, access logs, cookies, IP address, and MAC address.

Article 2. Purpose of Collection and Use

The hospital uses collected personal information for the following purposes.

Identity verification for medical treatment, testing, reservation lookup, and care.
Provision of diagnosis and treatment services.
Medical administration services, including billing, payment, and refunds.
Sending medical bills, statements, certificates, medicines, supplies, and results.
Basic data processing for external online and offline testing and result delivery.
Sending reservation notices and health checkup results.
Securing communication channels for complaints and grievance handling.
Providing information in accordance with the Medical Service Act, Criminal Act, and other applicable laws.
Guidance on medical information, academic information, and hospital information.
Analysis of checkup operation data and preparation of statistics to improve service quality.
Explaining a patient's symptoms and condition to family members or other relevant persons where appropriate.

Article 3. Retention and Use Period

The hospital destroys personal information without delay when the retention period has expired, the purpose of processing has been achieved, the information is no longer necessary, or the data subject requests destruction.

Where applicable laws prescribe a retention period, the hospital retains the information for the period specified by those laws, including the following.

Corporate checkup reservation information: until billing for the relevant checkup year has been completed.
Patient list: 5 years.
Medical records: 10 years.
Prescriptions: 2 years.
Surgery records: 10 years.
Examination details and findings: 5 years.
Radiological images and related findings: 5 years.
Nursing records: 5 years.
Copies of medical certificates and similar documents: 3 years.

Article 4. Destruction Procedures and Methods

In principle, the hospital destroys personal information without delay once the purpose of collection and use has been achieved. The procedures and methods are as follows.

Destruction procedure

Information entered by customers is transferred to a separate database after the purpose has been achieved, or to a separate document storage area for paper records. It is stored for a certain period under internal policy and other applicable laws, then destroyed. Personal information transferred to a separate database is not used for any purpose other than retention unless required by law.

Destruction method

Personal information stored in electronic files is deleted using technical methods that prevent recovery.
Personal information printed on paper is shredded or dissolved.

Article 5. Provision of Personal Information to Third Parties

The hospital does not use personal information beyond the stated purposes of collection and use, or provide it to third parties, unless requested or consented to by the data subject or permitted under applicable laws.

Personal information may be provided based on consent or legal grounds in the following cases.

Submitting medical records to claim medical care benefit costs under the National Health Insurance Act.
Complying with legal obligations or requests by investigative agencies made under procedures and methods prescribed by law.
Providing information for statistics or academic research in a form that cannot identify specific individuals, such as anonymized or pseudonymized data.
Providing information limited to the scope consented to by the data subject.

Recipient	Purpose	Items Provided	Legal Basis and Retention
GC Care	Providing checkup result viewing services, health management services based on checkup result analysis, and product information from the recipient or its partners.	General information: name, contact information, date of birth, and gender. Sensitive information: health checkup results.	Until the purpose of use is achieved. Transmission of personal medical information under Article 21 of the Medical Service Act.
Infiniticare	Providing checkup result viewing services, health management services based on checkup result analysis, and product information from the recipient or its partners.	General information: name, contact information, date of birth, and gender. Sensitive information: health checkup results.	Until the purpose of use is achieved. Transmission of personal medical information under Article 21 of the Medical Service Act.
Sun Healthcare International	Providing checkup result viewing services, health management services based on checkup result analysis, and product information from the recipient or its partners.	General information: name, contact information, date of birth, and gender. Sensitive information: health checkup results.	Until the purpose of use is achieved. Transmission of personal medical information under Article 21 of the Medical Service Act.
Hancom Carelink	Providing checkup result viewing services, health management services based on checkup result analysis, and product information from the recipient or its partners.	General information: name, contact information, date of birth, and gender. Sensitive information: health checkup results.	Until the purpose of use is achieved. Transmission of personal medical information under Article 21 of the Medical Service Act.
AIMMED	Providing checkup result viewing services, health management services based on checkup result analysis, and product information from the recipient or its partners.	General information: name, contact information, date of birth, and gender. Sensitive information: health checkup results.	Until the purpose of use is achieved. Transmission of personal medical information under Article 21 of the Medical Service Act.
BigCare	Providing checkup result viewing services, health management services based on checkup result analysis, and product information from the recipient or its partners.	General information: name, contact information, date of birth, and gender. Sensitive information: health checkup results.	Until the purpose of use is achieved. Transmission of personal medical information under Article 21 of the Medical Service Act.
Medicollection	Providing checkup result viewing services, health management services based on checkup result analysis, and product information from the recipient or its partners.	General information: name, contact information, date of birth, and gender. Sensitive information: health checkup results.	Until the purpose of use is achieved. Transmission of personal medical information under Article 21 of the Medical Service Act.
For Health	Providing checkup result viewing services, health management services based on checkup result analysis, and product information from the recipient or its partners.	General information: name, contact information, date of birth, and gender. Sensitive information: health checkup results.	Until the purpose of use is achieved. Transmission of personal medical information under Article 21 of the Medical Service Act.
Vivainnovation	Providing checkup result viewing services, health management services based on checkup result analysis, and product information from the recipient or its partners.	General information: name, contact information, date of birth, and gender. Sensitive information: health checkup results.	Until the purpose of use is achieved. Transmission of personal medical information under Article 21 of the Medical Service Act.
B Plus Healthcare	Providing checkup result viewing services, health management services based on checkup result analysis, and product information from the recipient or its partners.	General information: name, contact information, date of birth, and gender. Sensitive information: health checkup results.	Until the purpose of use is achieved. Transmission of personal medical information under Article 21 of the Medical Service Act.
Omni Care Co., Ltd.	Providing checkup result viewing services, health management services based on checkup result analysis, and product information from the recipient or its partners.	General information: name, contact information, date of birth, and gender. Sensitive information: health checkup results.	Until the purpose of use is achieved. Transmission of personal medical information under Article 21 of the Medical Service Act.
SCL Healthcare	Providing checkup result viewing services, health management services based on checkup result analysis, and product information from the recipient or its partners.	General information: name, contact information, date of birth, and gender. Sensitive information: health checkup results.	Until the purpose of use is achieved. Transmission of personal medical information under Article 21 of the Medical Service Act.
Corporate health managers (for corporate checkups)	Employee health management and fulfillment of employer legal obligations.	General information: name, contact information, date of birth, and gender. Sensitive information: health checkup results.	Until the purpose of use is achieved. Transmission of personal medical information under Article 21 of the Medical Service Act.

Article 6. Outsourcing of Personal Information Processing

The hospital outsources certain personal information processing tasks to external specialized companies to provide better services, improve customer convenience, and support smooth business operations.

The hospital enters into outsourcing agreements that require compliance with personal information protection laws, confidentiality, prohibition of third-party provision, liability for incidents, outsourcing period, and return or destruction of personal information after processing is completed. The hospital manages contractors so that personal information is handled safely.

Contractor	Outsourced Work
Dayoung Planning	Sending notices and result reports.
GC Care	Information system development and operation, hospital management support, pseudonymization processing, SMS/LMS/MMS sending (sub-entrusted to LG CNS), and call center system maintenance covering call recording and chat consultation (sub-entrusted to ECS Telecom).
GC Cell Co., Ltd.	Manufacturing and management of anticancer immune cell therapy products.
Korea TEI	Hair mineral testing.
EzBiome	Stool genetic testing (Eg gut, Gut Biome).
GSD	Blood genetic testing (Methyl DNA).
SCL	Masto Check testing.
Genomictree	EarlyTect testing.
Shinwon Medical Foundation	Gluten testing.
SCI Information Service	Mobile phone identity verification service.
Infinitt Healthcare	PACS imaging data maintenance.
SDAX Co., Ltd.	Physical destruction of personal information, including paper documents and storage devices.
Mediwhale	Fundus and intraocular pressure data analysis and cardiovascular risk analysis (Dr.noon).
Daehwa Healthcare	Health type measurement.
GC	Service improvement through checkup operation data analysis and statistical reporting (BI system).
iMediSync Co., Ltd.	QEEG test result analysis and test equipment maintenance.
Medical AI	AI left ventricular function prediction testing (Ethia) equipment deployment and maintenance.
Lunit Co., Ltd.	AI chest and mammography image reading support equipment deployment and maintenance.
Gangnam Mirae Radiology Clinic	Image reading for chest X-rays, general radiography, and mammography.
Coreline Soft Co., Ltd.	Chest CT reading support equipment and software deployment and maintenance.
A-POOL Co., Ltd.	Tracking customer-specific endoscope use and disinfection history.

Article 7. Rights of Users and Legal Representatives

When customers request access to, correction of, or deletion of personal information, the hospital responds faithfully and processes the request without delay. Data subjects may request access, correction, deletion, or other processing through the grievance handling department by visiting, telephone, mail, fax, or other available methods.

Customers may visit the hospital to request access to their personal information, and the hospital will respond promptly.
If a customer requests correction or deletion of personal information and the hospital recognizes that correction or deletion is necessary, such as when an error is found, the hospital will correct or delete the information without delay. The hospital may request supporting documents needed to verify the facts.
When a customer requests access to, correction of, or deletion of the customer's own personal information, the hospital verifies identity by requesting identification such as a resident registration card, passport, or driver's license.
If there is a legitimate reason to refuse access to, correction of, or deletion of all or part of the personal information, the hospital will notify the customer and explain the reason.
A legal representative of a child under 14 may request access to, correction or deletion of, or suspension of processing of the child's personal information and must submit documents proving the relationship and identity.
GC i-MED provides a simple method to refuse processing for personal information use related to service quality improvement among mandatory collection purposes. Customers who wish to refuse processing may apply at https://www.gcchart.com/agree/cancel.do.

Article 8. Measures to Secure Personal Information

Technical safeguards

The hospital controls unauthorized external access through intrusion prevention systems and manages access rights to personal information processing systems. Records of granting, changing, and deleting access rights are kept for at least 5 years.
Personal information is transmitted through secure network measures such as SSL and stored using secure encryption algorithms.
Access records to personal information processing systems are kept and managed for at least 2 years, and measures are taken to prevent alteration, theft, loss, or damage.

Administrative safeguards

The hospital minimizes the number of employees handling personal information, assigns different access rights by employee, and conducts regular security training.
All employees sign confidentiality pledges upon joining, and internal procedures are maintained to monitor compliance with this policy.
Handovers involving personal information handlers are conducted securely, and responsibility for personal information incidents after joining or leaving the hospital is clearly defined.
If loss, leakage, falsification, alteration, or damage of personal information occurs due to internal administrative error or technical management incidents, the hospital will notify the data subject and take appropriate measures and compensation where necessary.

Physical safeguards

Major facilities such as server rooms that operate personal information processing systems are subject to access control procedures with minimum necessary access rights.

Article 9. Cookies

The hospital may install and operate cookies that contain personal PC information through its website. A cookie is a file sent by a web server to a web browser, stored by the browser, and sent back to the server upon additional requests.

Information contained in cookies may be used to maintain customer settings and reduce repeated input steps. Customers may choose whether to allow cookies through their browser settings. Depending on the browser, this may be under settings related to tools, internet options, privacy, or advanced cookie settings.

If cookies are refused, there may be inconvenience in using services or difficulty in providing certain services.

Article 10. Personal Information Protection Officer

The hospital maintains technical safeguards to protect users' personal information. Information provided by users is protected and managed through security equipment such as firewalls. The hospital also maintains administrative procedures needed to access and manage personal information, limits the number of personnel who process personal information, conducts continuous security training, assigns users for systems that process personal information, issues passwords, and renews them regularly.

Center	Personal Information Protection Officer	Personal Information Protection Manager
Gangnam Center	Director Sang-man Kim, kosso@gccorp.com	Ki-yeon Kim, Deputy General Manager, Checkup Operations Department, since2010@gccorp.com, 02-6230-4117
Gangbuk Center	Director Gyu-cheol Jeong, chyjung@gccorp.com	Deok-geun Oh, Deputy General Manager, Checkup Operations Department, odkgreen@gccorp.com, 02-6711-8703
Seoul Sup Center	Director Beom-hee Choi, cbh0216@gccorp.com	Yi-gyu Kang, Deputy General Manager, Checkup Operations Department, no2121@gccorp.com, 02-2038-8936

Article 11. Installation and Operation of Fixed Image Information Processing Devices

Purpose and legal basis

The hospital installs and operates fixed image information processing devices for facility safety, fire prevention, and crime prevention.

Number, location, and filming scope

Gangnam Center: 64 cameras.
Gangbuk Center: 54 cameras.
Seoul Sup Center: 60 cameras.
Main waiting areas: medical administration, outpatient reception, questionnaire, checkup waiting areas, and information desks.
Entrances and corridors: clinic entrances, elevator areas, examination room corridors, and administrative office corridors.
Specific facilities: server rooms and cafeterias, where applicable to Gangnam and Gangbuk Centers.

Management and access authority

Managing department: MSO Management Team.
Manager in charge: Team Leader Yun-su Jeong.
Gangnam Center contact: Jae-ung Heo, gchwheo2@gccorp.com, 02-2034-0513.
Gangbuk Center contact: Pyeong-gang Lee, gcpglee@gccorp.com, 02-6711-8711.
Seoul Sup Center contact: Beom-su Park, gcbspark@gccorp.com, 070-8686-7854.

Filming time, retention, storage, and processing

Filming time: 24 hours.
Retention period: 120 days, after which footage is automatically deleted.
Storage and processing: stored and processed in image information processing device management equipment.

How and where to access image information

Contact the manager for each center. After confirming the basis for viewing, footage may be reviewed in the MSO Management Team office.

Requests by data subjects

Customers may request access to, confirmation of existence of, or deletion of personal image information at any time from the operator of the fixed image information processing device. This applies only to personal image information in which the customer appears.
The hospital will take necessary measures without delay when such a request is made.

Safeguards for image information

The hospital secures image information through internal management plans, access control, access right restrictions, secure storage and transmission technologies, processing record retention, anti-tampering measures, and locking devices for storage facilities.

Outsourcing of image information device installation and management

GC Care: operation of image information processing devices, including image management and viewing support.
S-1 Corporation: installation and maintenance of image information processing device facilities.

Article 12. Notice of Policy Changes

This Privacy Policy may change due to amendments to applicable laws or guidelines, or changes in internal operating policies. If the hospital's Privacy Policy changes, notice will be posted through the website at https://www.gcimed.com.

For reports or consultation regarding personal information infringement, please contact the agencies listed below.

Effective date: February 11, 2026. Announcement date: February 10, 2026.
The reservation and result lookup menus on this website use the health checkup customer center website. Please refer to the relevant privacy policy on that website for those services.

Personal information infringement report and consultation agencies

Personal Information Dispute Mediation Committee - https://www.kopico.go.kr, 1833-6972 (toll-free).
Supreme Prosecutors' Office Cyber Investigation Division - https://spo.go.kr, 1301 (toll-free), cid@spo.go.kr.
Korean National Police Agency Cyber Bureau - https://cyberbureau.police.go.kr, 02-3150-2659.