1. Purpose of Processing Personal Information

The Company processes personal information for the following purposes. The processed personal information will not be used for any other purposes unless the purpose of use changes, in which case prior consent will be obtained.

A. IR Meeting Requests and Service Provision

The Company collects personal information within the minimum scope for IR meeting requests. The specific purposes of processing are as follows:

Securing communication channels for responding to or handling IR meeting requests

2. Categories and Methods of Collecting Personal Information

A. Personal Information Items Collected

Firstly, for service provision, the Company collects the following minimum personal information at the time of tour requests:

Required items: Name, email, mobile phone number, address

Optional item: Occupasion

Additional items: Nationality, gender, age, position, organization name, number of visitors

Secondly, the following information may be automatically generated and collected during service use and processing:

Access IP information, cookies, service usage records, access logs

B. Method of Collecting Personal Information

Website > IR Meeting Request > Input by Customer

3. Processing and Retention Period of Personal Information

The Company will destroy the information immediately after the purpose of collecting and using personal information has been achieved. However, the following information will be retained for the period specified below for the reasons listed:

Retained items: name, email, mobile phone number, address

Basis for retention: internal management regulations of the Company

Retention period: 2 years

4. Matters Concerning Provision of Personal Information to Third Parties

The Company uses the personal information of data subjects within the scope announced for the collection and use purposes and does not provide it to third parties outside of these purposes without prior consent, except in the following cases:

A. When separate consent is obtained from the data subject

B. When it is unavoidable to comply with the law or legal obligations

C. When the data subject or their legal representative is incapacitated or unable to give prior consent due to an unknown address or other reasons, and it is deemed necessary for the urgent interests of life, body, or property of the data subject or a third party Provisions, retention, and use period of the information received by the third party will be notified to the data subject.

D. The personal information of data subjects may be used or provided to third parties for purposes other than those stated, except when it may unduly infringe upon the interests of the data subject or third parties in the following cases:

01. When necessary for statistical creation and academic research, etc., and the personal information is provided in a form that does not allow identification of specific individuals

02. When the provision of personal information for purposes other than those specified, or to third parties, is necessary for performing tasks prescribed by different laws and has been reviewed and decided upon by the supervisory committee

03. When it is necessary to provide information to foreign entities or international organizations for the implementation of treaties or other international agreements

04. When necessary for the investigation and prosecution of crimes and maintenance of prosecutions

05. When necessary for the performance of judicial affairs by courts

06. When necessary for the execution of penal and protective custody measures

E. When personal information is provided to a third party, information regarding the third party recipient, their purpose of use, and the personal information provided will be disclosed.

5. Matters Concerning the Destruction of Personal Information

The Company will destroy personal information without delay after the purposes for collecting and using the information have been achieved. The procedures and methods for destruction are as follows:

A. Destruction Procedure

The information entered is transferred to a separate database (or filing cabinet in the case of paper) after the purpose is achieved and is stored for a certain period according to internal policies and other relevant legal reasons (refer to the retention and usage period). Personal information moved to a separate database will not be used for purposes other than retention unless required by law.

B. Methods of Destruction

Personal information stored in electronic file format is deleted using technical methods that make the records non-reproducible.

For records in non-electronic file formats, such as printed documents, written documents, and other recording media, destruction is carried out through shredding or incineration.

6. Matters Concerning the Entrustment of Personal Information Processing

When entering into an entrustment contract with a third party, the Company will specify in the contract documents matters related to the prohibition of processing personal information beyond the purpose of entrustment, technical and managerial protection measures, restrictions on re-entrustment, management and supervision of the trustee, and liability for damages, by Article 25 of the Personal Information Protection Act. The Company will supervise the trustee to ensure the safe processing of personal information. The entrusted party, the details of the entrustment, and the retention period are as follows:

Should the content of the entrusted work or the trustee change, we will promptly disclose it through this Personal Information Processing Policy.

7. Measures to Ensure the Security of Personal Information

The Company takes the following measures to ensure that the personal information of data subjects is not lost, stolen, leaked, altered, or damaged:

A. Establishment and Implementation of Internal Management Plan

The Company establishes and implements an internal management plan according to the 'Standards for the Security Measures for Personal Information.'

B. Minimization and Training of Personal Information Handlers

The Company limits personal information handlers to designated personnel, assigns them unique passwords that are regularly updated, and emphasizes compliance with the Company’s Personal Information Processing Policy through regular training.

C. Restricting Access to Personal Information

The Company takes necessary measures to control access to the personal information processing database system by granting, altering, and revoking access rights and uses a Virtual Private Network (VPN) when personal information handlers access the system remotely via the information network.

D. Storage and Prevention of Tampering with Access Records

The Company stores and manages access records (e.g., web logs) to the personal information processing system for at least one year and uses security functions to prevent tampering, theft, or loss of access records.

E. Encryption of Personal Information

The personal information of data subjects is stored and managed in encrypted form. Additionally, critical data is encrypted during storage and transmission to enhance security.

F. Countermeasures against Hacking

01. The Company strives to prevent hacking or computer viruses from leaking or damaging personal information.

02. The Company regularly backs up data to prevent damage to personal information and uses the latest antivirus programs to prevent the leakage and damage of personal information and data. The Company also ensures that personal information is securely transmitted over the network through encrypted communication.

03. The Company controls unauthorized access from the outside using intrusion prevention systems and strives to secure all possible technical devices to ensure system security.

G. Control of Access by Unauthorized Persons

The physical storage locations of the personal information systems are kept separate, and access control procedures are established and operated.

H. Encryption of Passwords

Passwords are encrypted for storage and management and are known only to the data subject. The confirmation and change of personal information can only be performed by the data

I. Operation of Personal Information Protection Organization

The in-house personal information protection organization monitors the implementation of the Company’s Personal Information Processing Policy and the compliance of the handlers. If any issues are found, they are immediately corrected. However, the Company is not responsible for any issues arising from the data subject's negligence or internet problems, such as leakage of ID, password, or Social Security number.

8. Installation, Operation, and Refusal of Automatic Personal Information Collection Devices

The Company does not operate devices that automatically collect personal information, such as cookies, during service use. However, automatic collection devices may be installed and operated if necessary for future service provision. In such cases, data subjects can consent to the installation of cookies or refuse the storage of all cookies.

A. What are cookies?

The Company uses 'cookies' to store and retrieve user information periodically to provide personalized and customized services. A cookie is a small text file sent to the user's browser by the website's server and stored on the user's computer hard disk. When a data subject revisits the website, the website server reads the contents of the cookies stored on the hard disk to maintain and customize the data subject's settings. Cookies do not automatically or actively collect personally identifiable information; data subjects can refuse or delete these cookies at any time.

B. Purpose of the Company’s Use of Cookies

Currently, the Company does not use cookies. However, cookies may be used to maintain data subjects' settings and provide personalized services.

C. Installation, Operation, and Refusal of Cookies

Data subjects have the choice to install cookies. Therefore, data subjects can set their web browsers to allow all cookies, to check each time before saving cookies, or to refuse all cookies. However, if the storage of cookies is refused, some services requiring login may be challenging to use. The method to set cookie installation permissions is as follows:

- Allow/block cookies in a web browser

01. Chrome: Web Browser Settings > Privacy and Security > Delete Internet Usage History

02. Edge: Web Browser Settings > Cookies and Sites Permissions > Manage and Delete Cookies and Sites Data

- Allow/block cookies in your mobile browser

01. Chrome: Mobile Browser Settings > Privacy and Security > Delete Internet Usage History

02. Safari: Mobile Device Settings > Safari > Advanced > Block All Cookies

03. Samsung Internet: Mobile Browser Settings > Internet Usage History > Delete Internet Usage History

9. Rights and Obligations of Data Subjects Regarding Access to, Correction, Deletion of Personal Information, and Requests for Suspension of Processing

Data subjects may request access to, correction, or deletion of their personal information held by the Company at any time, and the Company is obliged to take necessary actions. If a data subject requests correction of errors, the Company will not use the personal information until the error is corrected. Furthermore, customer information deleted upon request will no longer be retained. Deletion requests can be made via email, or telephone. Data subjects have the following rights:

A. Request for Access to Personal Information

Data subjects can request access to personal information held by the Company at any time under Article 35 (Access to Personal Information) of the Personal Information Protection Act. However, access may be restricted in the following cases:

01. When access is prohibited or restricted by law.

02. When there is a risk of harming another person's life, body, or property or unfairly infringing on another person's property or other interests.

B. Requests for Correction, Deletion of Personal Information

Data subjects can request correction or deletion of their personal information held by the Company under Article 36 (Correction, Deletion of Personal Information) of the Personal Information Protection Act. However, deletion may not be requested if other laws specify the personal information as a subject of collection.

C. Request for Suspension of Processing

Data subjects can request suspension of processing of their personal information held by the Company under Article 37 (Correction, Deletion of Personal Information) of the Personal Information Protection Act. However, such requests may be refused in the following cases:

01. When there is a special provision under the law, or it is unavoidable to comply with legal obligations.

02. When there is a risk of harming another person's life, body, or property or unfairly infringing on another person's property or other interests.

03. When it is difficult to fulfill the contract with the data subject, such as not providing contracted services unless the personal information is processed and the data subject has not clearly expressed the intention to terminate the contract.

D. Other

01. If data subjects request correction or deletion of erroneous personal information, the Company will not use or provide the personal information until the correction or deletion is complete. If incorrect personal information has already been provided to a third party, the Company will notify the third party immediately to rectify or delete the information.

02. The Company processes personal information terminated or deleted at the request of the data subject or legal representative according to the specified retention and usage period in the personal information policy and ensures it is not accessed or used for other purposes.

10. Matters Concerning the Personal Information Protection Officer

The Company has designated the following departments and personal information protection officers to protect customer's personal information and handle related complaints:

All privacy-related inquiries from using the Company's services can be reported to the designated personal information manager or department. The Company is committed to providing prompt and sufficient responses to users' reports.

11. Department for Receiving and Processing Requests for Access to Personal Information

Data subjects can request access to their personal information under Article 35 of the Personal Information Protection Act at the following department. The Company will strive to process such requests promptly:

Department for Receiving and Processing Requests for Access to Personal Information

- Department: PR Team

- Contact Person: Kim Seong-Kyu Manager

- Phone: 02-746-7527

- Email: k_kyu@hd.com

12. Remedies for Infringement of Data Subject's Rights

If you need to report or consult about personal information infringement, please contact the following institutions:

Personal Information Dispute Mediation Committee (www.1336.or.kr, Phone: 1336)

Information Protection Mark Certification Committee (www.eprivacy.or.kr, Phone: 02-580-0533~4)

Supreme Prosecutors' Office Cybercrime Investigation Division (http://www.spo.go.kr, Phone: 02-3480-3573)

National Police Agency Cyber Terror Response Center (http://www.ctrc.go.kr, Phone: 02-392-0330)

13. Changes to the Personal Information Processing Policy

The Company maintains a personal information processing policy to protect data subjects' personal information and rights and smoothly handle grievances related to personal information, per relevant laws. Personal information processing policy changes will be announced through website notices (or individual notices).