The Company processes the personal information collected from the Subject of Information according to the purpose of each of the following items and does not change the purpose of use or use it in a different way other than that without prior consent of the Subject of Information.

The company processes the personal information acquired from the subject for each of the following purposes and does not modify the purpose of the use or use of the information for other reasons without the subject's prior agreement.

• ① The Company processes and holds personal information within the period of possession and use of personal information under laws or within the period of possession and use of personal information agreed upon by the Subject of Information.
• ② Each personal information processing and retention period is as follows:
  • A. Processing of customer inquiries and unethical activities reporting: one month from the date of inquiry/reporting.
  • B. Factory/facility tour/space rental application: 6 months from the date of application.
  • C. Request for commercial use of imaginary style: 1 month from the date of request.
• ③ Notwithstanding the holding period of the above paragraph, where the Subject of Information directly requests the deletion according to due procedures and methods, it will be destroyed without delay.

• ① The company processes and retains personal information within the period of retention and use of personal information required by applicable laws and regulations, or within the period of retention and use of personal information agreed upon at the time personal information was collected from the information subject.
• ② Each processing and retention period for personal information is outlined below.

  Article 2 (Processing and Retention Period of Personal Information)

  Division	Retention Period
  Customer Inquiries	- 1 month from the date of inquiry
  Reporting of Unethical Acts	- 3 years after completion of handling reporting-related measures, etc.

• ③ Regardless of the retention period specified in the preceding paragraph, if the information subject explicitly requests deletion by a proper procedure and method, the information will be deleted without delay.

• ① In principle, the Company processes the user's personal information within the scope specified in Article 1 (Purpose of processing personal information) and does not process it beyond the original scope or provide it to a third party without the user's consent.
• ② However, except where there is a risk of unfairly infringing on the interests of the Subject of Information or a third party, the personal information may be provided to a third party in the following cases.
  • A. Where a separate consent is obtained from the Subject of Information,
  • B. Where there are special provisions in other laws,
  • C. Where it is necessary for the purpose of statistics preparation and academic research and the information of a specific individual is provided in an unrecognizable form.
  • D. Where it is necessary to investigate a crime, file a prosecution, and perform the court's judicial affairs.
• ③ Provision of personal information

  Provision of personal information

  Person to be provided	Purpose of provision	Items of provision	Retention and use period
  KT&G affiliates (including KGC, Yungjin Pharmaceuticals Co., Ltd. and COSMOCOS)	an investigation of report details and the result of the report may be conducted and confirmed	Name, Contact information(home/cell phone), E-mail, Inquiries type, Inquiries, Check my text/password, Over 14 years old	3 years after the end of report related measures

• ① The company processes the personal information of the information subject solely within the scope defined in the purpose for processing personal information. Only in cases covered by Articles 17 and 18 of the "Personal Information Protection Act," such as consent of the information subject and special provisions of the law, shall personal information be provided to third parties; otherwise, personal information of the information subject shall not be provided to third parties.
• ② To offer a seamless service, the company will only disclose the minimum necessary with the agreement of the information subject in the following instances:

  Article 3 (Items Pertaining to the Provision of Personal Information to Third Parties)

  Recipients	Purpose of Use by the Recipient	Provided Items	Period of Retention and Use
  KT&G Affiliates (View list)	Investigation of reports of unethical actions and confirmation of results	- Name, contact information, email, Reports (Type / Title / Content) - Country / Attachment * Collection of optional items Provided only when received consent to use	Deleted promptly upon the completion of report-related measures, and so on.
  KT&G Consigned Operator / Partners

• ① The Company entrusts its affairs as follows for smooth business processing.

  Trustee company	Trusted affairs and purpose	Items of personal information	Retention and use period
  Easy media, Co. Ltd.	Webpage development/maintenance/analysis	Name, contact (home/cell phone), e-mail, IP address, name of company, business type, handling goods, person in charge	No separate retention
  LG CNS, Co. Ltd.	Infra (DB) operation	Name, contact (home/cell phone), e-mail, IP address, name of company, business type, handling goods, person in charge	No separate retention

• ② In accordance with Article 26 of the Personal Information Protection Act, the Company specifies the matters related to responsibility, such as the prohibition of personal information processing, the technical and administrative protection measures, the re-consignment restrictions, the management and supervision of the trustee and compensation for damages in the documents such as a contract, and supervises whether the trustee handles personal information safely.
• ③ Where the contents of the consignment work or the trustee changes, we will disclose it through this personal information processing policy without delay

• ① The company delegates the following responsibilities for efficient business operations.

  Consignees	Duty and Purpose of Consignees	Items of Personal Information	Period of Retention and Use
  EZ Media	Web page development/maintenance/analysis	All personal information gathered via the website, including name, contact information, and e-mail address (refer to Article 6)	Until the end of the consignment contract term (does not own separately)
  SK C&C	Infrastructure (DB) operation	All personal information gathered via the website, including name, contact information, and e-mail address (refer to Article 6)	Until the end of the consignment contract term (does not own separately)

• ② By Article 26 of the Personal Information Protection Act, when a company enters into a consignment contract, the contract must include provisions regarding the company's responsibilities, such as the prohibition of processing personal information for purposes other than the performance of entrusted tasks, technical and administrative protection measures, restrictions on re-entrustment, management and supervision of the trustee, and compensation for damages. Moreover, the company supervises the trustee's safe handling of personal information.
• ③ The company shall immediately notify any changes to the consignment's contents or consignee through this Privacy Statement.

• ① The Subject of Information may exercise the following personal information protection rights against the Company at any time.
  • A. Request to access personal information.
  • B. Where there is an error, etc., request of correction.
  • C. Request of deletion.
  • D. Request for suspension of processing.
• ② If you contact the reception and processing department or request in writing for the exercise of rights such as requesting access, the Company will take action without delay.
  • A. Phone or e-mail inquiry.
  • B. A written request through e-mail or FAX.

  Reception and procession department
  Person in charge/department	Oh Ju-yeon / promotion dept.
  Contact	02-3404-4202
  e-mail	smile-amanda@ktng.com

• ③ You can exercise your rights, such as requesting access, through an agent delegated by the Subject of Information. In this case, you must submit the following power of attorney
• ④ Where the Subject of Information requests the correction or deletion of personal information errors, etc., the Company will not use or provide the personal information until the correction or deletion is completed.
• ⑤ The Company processes the personal information terminated or deleted at the request of the Subject of Information as specified in Article 2 (Period of processing and retention of personal information) and ensures that it cannot be accessed or used by other purposes.
• ⑥ The Subject of Information shall not infringe on the personal information and privacy of the Subject of Information itself or others in violation of the relevant laws such as the Personal Information Protection Act.

• ① The information subject may at any time exercise the following rights relevant to the protection of personal information against the company.
  • A. Request to read personal information
  • B. Request for correction in case of errors, etc.
  • C. Request for deletion
  • D. Request to suspend the processing
• ② If you contact the reception/processing department or submit a written request to exercise rights such as a request for reading, the company will respond promptly.Request Form Download
  • A. Inquiry by phone or email
  • B. Request in writing via email

  Reception and Processing Department

  Reception and Processing Department
  Person in Charge / Department	Oh Ju-yeon / PR Department
  Contact Information	02-3404-4202
  Email	smile-amanda@ktng.com

• ③ An authorized agent of the information subject may exercise a subject's rights, such as a request for a reading. The following power of attorney must be provided in this instance. Download Power-of-Attorney Form
• ④ If the information subject requests rectification or deletion of personal information, the company will refrain from using or disclosing the information until the request is fulfilled.
• ⑤ The company handles personal information that has been canceled or destroyed at the information subject's request in accordance with Article 2 (Processing and Retention Period of Personal Information) in a way that prevents it from being accessed or used for any other reason.
• ⑥ The information subject may not violate the personal information and privacy of the information subject or other individuals in violation of applicable laws such as the Personal Information Protection Act.

• ① The Company handles the following personal information items.
  • A. Answer to customer inquiries.

    - Required : Name, E-mail, Inquiry type, Inquiries, Over 14 years old

    - Optional : Attach file

  • B. Answer to report unethical activities.

    - Required : Name, Contact information(home/cell phone), E-mail, Inquiries type, Inquiries, Check my text/password, Over 14 years old

    - Optional : Country, Attach file

• ② In addition to paragraphs 1 and 2, the following personal information items may be automatically generated and collected during the service use process.
  - User Agent (browser information), IP address: Statistical analysis of service use and prevention of illegal/unfair use.
• ③ We do not process sensitive information such as thoughts and beliefs, joining and withdrawal of labor unions and political parties, political views, and sexual life.

• ① The following personal information is handled by the company:

  Article 6 (Processed Items of Personal Information)

  Division	Items of Personal Information
  Customer Inquiries	[Required] Name, email, inquiry (type/title/content), whether older than 14 years or not [Optional] Attachments
  Reporting of Unethical Acts	[Required] Name, contact information, e-mail, report information (type/title/content), Password to confirm the post, whether older than 14 years or not [Optional] Country, Attachments

• ② In addition to the personal information described in Paragraph 1, the following information may be automatically produced and collected over the course of using the service:
  - Browser information and IP address: Statistical service usage analysis and prevention of illegal/unauthorized use
• ③ Other sensitive information will not be handled, including ideology/belief, union/party membership/withdrawal, political opinion, and sex life.

• ① Where the personal information becomes unnecessary, such as the lapse of the period of personal information retention or the achievement of the purpose of processing, the Company will destroy the personal information without delay.
• ② Where the personal information must be preserved according to other laws and regulations even after the period of personal information retention agreed upon by the Subject of Information has elapsed or the purpose of processing has been achieved, the personal information will be moved to a separate database or preserved differently.
• ③ The procedure and method of destroying personal information are as follows:
  • A. Destruction procedure

    The Company selects personal information that has caused the reason for destruction and destroys the personal information with the approval of the Company's personal information protection officer.

  • B. Method of destruction

    The Company permanently deletes personal information recorded and stored in the form of electronic files in a way that cannot be restored, and shreds or incinerates records, prints, documents and other recording media other than electronic files.

• ① The company destroys personal information without delay when it is no longer necessary, such as when the personal information retention term has expired or the processing purpose has been fulfilled.
• ② If the personal information retention period agreed upon by the information subject has expired or if the personal information must be kept in accordance with other laws despite the attainment of the processing purpose, the personal information will be transferred to a separate database or stored in a different storage location.
• ③ The technique and method for destroying personal information are as follows.
  • A. Destruction procedure

    With the agreement of the company's personal information security officer, the company destroys the personal information for which the reason for deletion has occurred.

  • B. Destruction method

    In the event of recordings, prints, handwriting, and another non-electronic recording medium, the company uses a shredder or an incinerator to destroy them.

The Company operates Cookie, which automatically stores and finds member information to provide the specialized services to users.

• - What is Cookie: A very small text file sent to the user's browser by the server used to run the website. It is stored on the user's computer.
• - Denial of Cookie installation and collection: Users have the option to install cookies and can allow all cookies by setting options in a web browser, or go through confirmation whenever cookies are saved, or refuse to save all cookies. However, where users refuse to install cookies, it may be difficult to use some services that require login.
  
  • · Method of setting in the case of Internet Explorer: Tools menu in the top of web browser > Internet Options > Personal Information > Settings
  • · Method of setting in the case of Chrome: Settings menu on the right side of the web browser > Indication of high rank settings at the bottom of the screen > Personal information contents setting button > Cookies
• - Purpose of automatic collection and items to collect.

  Collection purpose	Collection items	Retention period
  Statistical analysis and illegal/unlawful prevention use	Users' agents (browser information), IP address	Factory/facility tour/space rental application: 6 months - Customer inquiry, reporting of unethical activities, download of imagination style: 1 month
  Provision of customized service	Cookie	15 minutes

The company uses "cookies" that automatically store and retrieve user data to present customers with personalized services.

• A. Cookie: A very little text file supplied to the user's browser and saved on the user's computer by the server that operates the website.
• B. Refusal to install and collect cookies: Users have the choice to install cookies and can choose whether to accept all cookies, verify each cookie saved, or refuse to save all cookies by configuring the parameters in their web browser. However, utilizing some services could be challenging if you choose not to install cookies.
  
  • - For Internet Explorer

    · In Internet Explorer, select the Tools button > Select Internet Options

    · Select Privacy tab > Select Advanced in Settings > Select Block or allow cookies

  • - For Microsoft Edge

    · After clicking the ‘….’ mark in the upper right corner of Edge, click the Settings

    · On the settings screen, click "Personal information, search, and service". Choose the level and "Do not track" from the "Anti-Tracking" option.

    · Select the always browse InPrivate with "strict" tracking protection.

    · Select the “Send the Request of Do Not Track” in the Personal Information section below

  • - For Chrome

    · In Chrome, click the '⋮' mark (Customize and Control Chrome) at the upper right > Click Show Settings

    · Click “Show advanced settings” at the bottom of the settings page > Click Content Settings in the Privacy section

    · Check the box for “Block third-party cookies and site data” in the Cookies section

• C. Purpose of automated collection and the items collected

  자동 수집 목적 및 수집하는 항목 보유 기간

  Purpose of Collection	Collected Items	Retention Period
  Statistical analysis and use against illegal/anti-corruption	Browser information, IP address	1 month
  Provision of customized service (Retention of user's preferences)	Cookie	15 minutes

• A. Management measures: Establishing and implementing an internal management plan, training of regular employee, and minimizing the designation of persons in charge of handling personal information.
• B. Technical measures: managing the access rights of data systems that process personal information, installing the access control systems, encrypting the unique identification information, and installing the security programs.
• C. Physical measures: Control of access to places where the personal information is stored such as computer centers.

• A. Administration measures: Establishment and implementation of internal management plans, frequent staff training, and a reduction in the number of individuals entrusted with the handling of personal data.
• B. Technical measures: Management of access rights to personal information processing systems, etc., installation of an access control system, encryption of passwords, and installation of a security program
• C. Physical measures: Restriction of access to personal data storage areas such as computer centers

• ① The Company is responsible for the handling of personal information as a whole, and designates the person in charge of personal information protection as follows to handle complaints and damages relief of the Subject of Information related to personal information processing.

  Officer in charge of personal information protection		Staff in charge of personal information protection
  Name	Park Young-Jo	Name	Jo Kyoung-Chun
  Position	The head of Information Security Office	Department	Information Security Office
  Contact1 (phone & fax)	042-939-5347
  Contact2 (e-mail)	kcjo@ktng.com

• ② The Subject of Information may contact the personal information protection manager and the department in charge for all personal information protection inquiries, complaints, and damage relief incurred while using the Company's service (or business). The Company will respond and process the Subject of Information's inquiries without delay.
• ③ In order to receive the relief from the personal information infringement, the Subject of Information may apply for the dispute resolution or consultation to the Personal Information Infringement Reporting Center, the Personal Information Dispute Mediation Committee, and the Korea Internet & Security Agency. Please contact the institutions below for the reports and counseling of personal information infringement.
  - Personal Information Infringement Report Center: (without a regional number) 118 (http://privacy.kisa.or.kr)
  - Personal Information Dispute Mediation Committee: 1833-6972 (http://kopico.go.kr)
  - Cyber investigation department of the Supreme Prosecutors' Office: 1301(without a regional number), cid@spo.go.kr (http://spo.go.kr)
  - National Police Agency Cyber Safety Bureau: 182(without a regional number) (http://cyberbureau.police.go.kr)

• ① The company is responsible for the overall management of personal information and has appointed the following individual as the person in charge of personal information protection to handle complaints and damage settlement relating to the processing of personal information.

  Article 10 (Officer for the Protection of Personal Information)

  Privacy Protection Officer		Privacy Protection Manager
  Name	Park Young-jo	Name	Cho Gyeong-cheon
  Position	Head of Information Security	Department	Information Security Department
  Contact Info.1(Tel)	042-939-5347
  Contact Info.2(Email)	kcjo@ktng.com

• ② The information subject may address all personal information protection-related inquiries, complaint management, damage alleviation, etc. that happened while using the company's services (or business) to the person in charge of personal information protection and the responsible department. The company shall promptly reply to and manage the information subject's inquiries.
• ③ The information subject may submit a request for dispute resolution or consultation to the Personal Information Infringement Report Center, the Personal Information Dispute Mediation Committee, or the Korea Internet & Security Agency in the event of a personal information breach. For complaints and consultations about breaches of personal information, please contact the following institutions.
  - Personal Information Infringement Report Center: (without area code) 118 (http://privacy.kisa.or.kr)
  - Personal Information Dispute Mediation Committee: (without area code) 1833-6972 (http://kopico.go.kr)
  - Cyber Investigation Division, Supreme Prosecutors' Office: (without area code) 1301 (http://spo.go.kr)
  - Cyber Investigation Bureau, National Police Agency (without area code) 182 (http://ecrm.cyber.go.kr)