Policy on the Operation of Video Surveillance Devices

2. Categories and Methods of Collecting Personal Information

1. Personal Information Items Collected

   Firstly, the Company collects the following minimum personal information at the time of tour application to provide services:

   • Required items: Name, email, mobile phone number, address
   • Optional item: Occupation
   • Additional items: Nationality, gender, age, position/title, organization name, affiliation, number of visitors

   Secondly, the following information may be automatically generated and collected during service use and processing:

   • Access IP information, cookies, service usage records, access logs
2. Method of Collecting Personal Information
   • Website > Tour Application > Input by Customer

3. Processing and Retention Period of Personal Information

The Company, in principle, destroys personal information without delay once the purpose of collection and use has been fulfilled.
However, the following information is retained for the specified period for the reasons stated below:

• Retained items: Name, email, mobile phone number, address
• Basis for retention: Internal management regulations of the Company
• Retention period: 2 years

4. Provision of Personal Information to Third Parties

The Company uses personal information of data subjects within the scope notified for collection and use purposes and does not use it beyond this scope or provide it externally without prior consent. However, exceptions apply in the following cases

1. When separate consent is obtained from the data subject
2. When it is necessary to comply with laws or legal obligations
3. When the data subject or their representative is unable to express consent due to incapacity or unknown address, and the use is necessary for urgent protection of the life, body, or property of the data subject or a third party
4. Except where it may unjustly infringe upon the interests of the data subject or third parties, personal information may be used or provided to third parties for the following purposes:
   1. When providing personal information in a form that does not identify specific individuals for statistical or academic research purposes
   2. When use or provision is necessary for performing tasks under other laws, approved by the supervisory committee
   3. When necessary for providing information to foreign entities or international organizations for treaty implementation
   4. When necessary for criminal investigations and prosecution
   5. When necessary for court judicial affairs
   6. When necessary for the execution of penal and protective measures
5. When personal information is provided to a third party, the data subject will be informed of the recipient, purpose of use, items provided, and retention period.

5. Matters Concerning the Destruction of Personal Information

The Company, in principle, destroys personal information without delay once the purpose of collection and use has been fulfilled.

The procedures and methods for destruction are as follows.

1. Destruction Procedure

   Information provided for factory tour applications is transferred to a separate database (or a separate filing cabinet in case of paper records) after the purpose has been fulfilled, and is stored for a certain period in accordance with internal policies and other relevant laws (see retention and use periods) before being destroyed. Personal information transferred to the separate database is not used for any purposes other than retention, except as required by law.

2. Destruction Method
   • Personal information stored in electronic file format is deleted using technical methods that make record recovery impossible.
   • Records in non-electronic formats, such as printed documents, written materials, or other recording media, are destroyed by shredding or incineration.

6. Matters Concerning the Entrustment of Personal Information Processing

The Company, when entering into entrustment contracts with third parties, specifies in the contract or related documents matters concerning the prohibition of processing personal information beyond the entrusted purpose, technical and managerial protection measures, restrictions on re-entrustment, management and supervision of the trustee, and liability for damages, in accordance with Article 25 of the Personal Information Protection Act. The Company supervises the trustee to ensure the safe processing of personal information.

The Company’s entrusted parties and entrusted tasks for personal information processing are as follows.

Personal Information Entrusted Processing Agencies, Entrusted Tasks, Category, and Retention Reasons

• Agencies: HNIX, Won Holdings
• Retention Reason: System Development and Maintenance

7. Matters Concerning Measures to Ensure the Security of Personal Information

The Company takes the following measures to ensure the security of personal information when handling data subject’s personal information, preventing loss, theft, leakage, alteration, or damage.

1. Establishment and Implementation of Internal Management Plan

   The Company establishes and implements an internal management plan in accordance with the "Standards for the Security Measures for Personal Information."

2. Minimization and Training of Personal Information Handlers

   The Company limits personal information handlers to designated personnel, assigns them unique passwords that are regularly updated, and continually emphasizes compliance with the Company’s Personal Information Processing Policy through ongoing training.

3. Restriction of Access to Personal Information

   Access rights to the database system processing personal information are granted, modified, or revoked to control access to personal information. When personal information handlers access the system remotely via the information network, a Virtual Private Network (VPN) is used.

4. Storage and Prevention of Tampering with Access Records

   Access records (such as web logs) of the personal information processing system are stored and managed for at least one year, with security measures in place to prevent tampering, theft, or loss of these records.

5. Encryption of Personal Information

   Personal information of data subjects is stored and managed in encrypted form. Additionally, critical data is encrypted during storage and transmission using separate security measures.

6. Measures Against Hacking and Other Threats
   1. The Company makes every effort to prevent the leakage or damage of member’s personal information caused by hacking or computer viruses.
   2. To protect against data damage, the Company regularly backs up data and uses the latest antivirus programs to prevent leakage or damage of personal information or data. It also ensures that personal information is securely transmitted over networks through encrypted communication.
   3. The Company controls unauthorized external access using intrusion prevention systems and strives to implement all possible technical measures to secure system integrity.
7. Access Control for Unauthorized Persons

   The Company maintains a separate physical storage location for the personal information system and establishes and operates access control procedures for this area.

8. Encryption of Passwords

   Passwords are encrypted for storage and management, known only to the data subject, and verification or modification of personal information can only be performed by the data subject who knows the password.

9. Operation of Personal Information Protection Organization

   The Company monitors the implementation of its Personal Information Processing Policy and the compliance of personnel through its internal personal information protection organization and strives to promptly correct and resolve any issues identified. However, the Company assumes no responsibility for any issues arising from the data subject’s negligence or internet-related problems resulting in the leakage of personal information such as ID, password, or resident registration number.

8. Matters Concerning the Installation, Operation, and Refusal of Automatic Personal Information Collection Devices

The Company does not currently operate devices that automatically collect personal information, such as cookies, during service use. However, the Company may install and operate such automatic collection devices in the future if necessary for service provision. In such cases, data subjects have the option to consent to cookie installation or refuse the storage of all cookies.

1. What Are Cookies?

   The Company uses cookies to store and periodically retrieve user information to provide personalized and customized services. A cookie is a small text file sent by the website’s server to the user’s browser and stored on the user’s computer hard disk. When a data subject visits the website again, the website server reads the contents of the cookie stored on the hard disk to maintain the data subject’s settings and provide customized services. Cookies do not automatically or actively collect personally identifiable information, and data subjects can refuse or delete these cookies at any time.

2. Purpose of the Company’s Use of Cookies

   The Company does not currently use cookies. However, cookies may be used in the future to maintain data subject’s settings and provide personalized services.

3. Installation, Operation, and Refusal of Cookies

   Data subjects have the option to consent to cookie installation. Therefore, they can configure their web browser settings to accept all cookies, be prompted to confirm each time a cookie is stored, or refuse the storage of all cookies.
   However, if cookies are refused, services requiring login may be difficult to use. The method to specify cookie acceptance settings (for Internet Explorer) is as follows

   1. Select [Internet Options] from the [Tools] menu.
   2. Click the [Privacy] tab.
   3. Adjust the [Privacy Level] settings as desired.

9. Rights and Obligations of Data Subjects Regarding Access, Correction, Deletion, and Suspension of Processing of Personal Information, and Methods to Exercise Such Rights

Data subjects may request access to, correction of errors in, or deletion of their personal information held by the Company at any time, and the Company is obligated to take necessary actions in response. When a data subject requests correction of errors, the Company will not use the relevant personal information until the correction is made. Additionally, once deletion is processed upon request, the deleted customer information will no longer be retained. Requests for deletion can be made via email, fax, or telephone.

Data subjects have the following rights

1. Request for Access to Personal Information

   Data subjects may request access to their personal information held by the Company at any time in accordance with Article 35 (Access to Personal Information) of the Personal Information Protection Act.
   However, the Company may restrict access in the following cases:

   1. When access is prohibited or restricted by law
   2. When there is a risk of harming another person's life or body, or unfairly infringing upon another person's property or other rights and interests
2. Request for Correction or Deletion of Personal Information

   Data subjects may request correction or deletion of their personal information held by the Company in accordance with Article 36 (Correction and Deletion of Personal Information) of the Personal Information Protection Act. However, deletion cannot be requested if other laws specify that the personal information must be collected.

3. Request for Suspension of Personal Information Processing

   Data subjects may request suspension of processing of their personal information held by the Company in accordance with Article 37 (Correction and Deletion of Personal Information) of the Personal Information Protection Act. However, such requests may be refused in the following cases

   • When there are special provisions in law or it is unavoidable to comply with legal obligations
   • When there is a risk of harming another person’s life, body, or unfairly infringing upon another person’s property or other rights and interests
   • When processing personal information is necessary to provide services contracted with the data subject, and the contract cannot be fulfilled without processing, provided the data subject has not clearly expressed their intention to terminate the contract
4. Other
   1. When a data subject requests correction or deletion of erroneous personal information, the Company will not use or provide the relevant personal information until the correction or deletion is completed. Additionally, if incorrect personal information has already been provided to a third party, the Company will promptly notify the third party to ensure that the correction is made.
   2. Personal information that has been canceled or deleted at the request of the data subject or their legal representative is processed in accordance with the retention and usage periods specified for personal information and is prevented from being accessed or used for any other purposes.

10. Matters Concerning Changes to the Privacy Policy

The Company has established the following Privacy Policy to protect the personal information and rights of data subjects and to facilitate the smooth handling of complaints related to personal information in accordance with relevant laws. Any revisions to the Privacy Policy will be notified through website announcements (or individual notices).

11. Matters Concerning the Personal Information Protection Officer

The Company has designated the following departments and Personal Information Protection Officers to protect customer’s personal information and handle related complaints.

You may report any complaints related to personal information protection arising from the use of the Company’s services to the Personal Information Protection Officer or the responsible department. The Company is committed to providing prompt and thorough responses to user’s reports.

12. Department for Receiving and Processing Requests for Access to Personal Information

1. Data subjects may submit requests for access to personal information in accordance with Article 35 of the Personal Information Protection Act to the department listed below. The Company will strive to process such requests promptly.

Department for Receiving and Processing Requests for Access to Personal Information (Only applicable for requests related to personal information collected during factory tour applications)

• Department: Corporate Social Responsibility Team
• Contact Person: Cho Hong-soo, General Manager
• Phone: 052-202-2295
• Email: hscho@hhi.co.kr

13. Remedies for Infringement of Data Subject’s Rights

For reporting or consultation regarding other personal information infringements, please contact the following organizations:

• Personal Dispute Mediation Committee ( https://www.kopico.go.kr , Phone: 1833-6972)
• Information Protection Mark Certification Committee ( www.eprivacy.or.kr , Phone: 02-580-0533~4)
• Supreme Prosecutor’s Office Cybercrime Investigation Division ( http://www.spo.go.kr , Phone: 02-3480-3573)
• National Police Agency Cyber Terror Response Center ( https://cyberbureau.police.go.kr/ , Phone: 02-392-0330)