Information security policy
1. Purpose of Processing Personal Data
The Company processes personal data for the following purposes. The personal data processed shall not be used for purposes other than the following, and in case of a change of the purpose of use, necessary measures such as obtaining a separate consent shall be implemented.
2. Processing and Retention Period of Personal Data
The Company processes and retains personal data within the personal data retention and use period agreed upon when collecting personal data the data subject or within the personal data retention and use period stipulated by laws and regulations.
3. Provision of Personal Data to Third Parties
The Company, in principle, processes the personal data of data subjects within the scope specified in Article 1 (Purpose of Processing Personal Data). The Company only provides personal data to third parties in cases that fall under Articles 17 and 18 of the Personal Information Protection Act, such as with the consent of the data subject or under special legal provisions. Outside of these cases, the Company shall not provide the personal data of data subjects to third parties.
4. Outsourcing of Personal Data Processing
The Company outsources personal data processing tasks as follows to ensure smooth handling of personal data operations. When the Company enters into an outsourcing contract, it specifies in the contract or other written documents the prohibition of personal information processing for purposes other than the outsourced tasks, technical, managerial, and physical protection measures, restrictions on sub-outsourcing, management and supervision of the subcontractor, and liability for damages. The Company also supervises the subcontractor to ensure they handle personal information securely.
5. Rights and Obligations of Data Subjects and Legal Representatives and Methods of Exercise
Data subjects have the right to request access, correction, deletion, or suspension of processing of their personal data at any time. The rights described in paragraph 1 may be exercised in writing, via email, or fax in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the Company shall respond without delay.
The rights specified in paragraph 1 may also be exercised through a legal representative or a delegated person of the data subject. In this case, a power of attorney using Appendix Form No. 11 of the “Notice on Personal Data Processing Methods (No. 2023-12)” must be submitted.

Requests for access to and suspension of processing of personal data may be restricted under Article 35, Paragraph 4 and Article 37, Paragraph 2. A request for correction or deletion of personal data cannot be made if the personal data is designated for collection under another law. The Company shall verify whether the person making the request for access, correction, deletion, or suspension of processing in accordance with the rights of the data subject is the person or his/her authorized representative.