S&SYS

The Company establishes and makes available the personal information processing policy as follows in order to protect personal information of information subjects and handle related complaints promptly and amicably.
This policy is implemented from August 1, 2018 (Version 1.0), and if it is amended, the Company will give a notice thereof through its website’s notices (or individual notice).

1. Article 1 (Items of Personal Information to be Processed)
   1. ①The Company processes the following personal information items.

      Type	Personal Information Items
      Required Items	Name, E-mail, Contact Information
      Selective Items	N/A

2. Article 2 (Purpose of Processing Personal Information)
   1. ①The Company processes personal information for the following purposes.

      Type		Personal Information Items	Purpose of Use
      Asking	Required Items	Name, E-mail, Contact Information	Answering questions
      	Selective Items	N/A

   2. ②Personal information being processing shall not be used for purposes other than the purposes above, and where the purpose of use is changed, the Company is to take necessary measures by obtaining separate consent, etc. under relevant laws.
3. Article 3 (Processing and Retention Period for Personal Information)
   1. ①The Company processes and retains personal information only for relevant purposes within a personal information retention and use period under relevant laws or within a personal information retention and use period consented to by information subjects when it collects personal information from the information subjects.
   2. ②The processing and retention period of personal information consented to by information subjects when it collects personal information from the information subjects shall be as follows.

      Purpose	Retention and Use Period
      Managing answering histories	12 months

   3. ③The processing and retention period of personal information under the laws shall be as follows.

      Items to be Retained	Retention Period	Legal Basis
      Records on contract or offer withdrawal	5 years	The Act Relating to Protection of Consumers in Electronic Commercial Transactions, etc.
      Records on payments or provisions of goods	5 years
      Records on treatment of complaints or disputes of consumers	3 years
      Records on collection, treatment, and use of credit information	3 years	The Act Relating to Use and Protection of Credit Information.
      Records on labeling and advertising	6 months	The Act Relating to Protection of Consumers in Electronic Commercial Transactions, etc.
      User’s log-in records on Internet, etc., and users’ access area tracking materials	3 months	The Communications Secret Protection Act
      Materials for verifying communications	12 months

4. Article 4 (Provision of Personal Information to Third Parties)
   1. ①The Company does not provide users’ personal information to a third party without the users’ consent.
      However, an exception shall be made to each of the following cases:
      1. 1. Where there is a specific provision under the law or it is unavoidable in order to comply with the obligations under the laws;
      2. 2. Where an information subject or his or her legal representative is not in a position to express his or her intention, or prior consent may not be obtained due to an unclear address, etc., and it is found clearly necessary for urgent life, bodily, or proprietary interests of an information subject or a third party; or
      3. 3. Where an investigative agency requests the Company to provide personal information pursuant to relevant provisions of laws or according to procedures and methods prescribed under the laws for investigative purposes.
   2. ②Where there is a change in a third party supplier, or it is necessary to provide users’ personal information other than the content consented, the Company shall provide users’ personal information by passing separate procedures for obtaining users’ consent thereto.
5. Article 5 (Entrustment for Processing of Personal Information)
   1. ①The Company entrusts a third party professional company to do personal information processing works as follows in order to provide services and do works amicably.

      Name of Entrusted Company	Content of Services to be Entrusted
      Newriver	Operating, improving, maintaining, and managing systems

   2. ②When the Company entrusts a third party to do personal information processing works, it clearly specifies relevant matters on prohibition of processing of personal information, technical, managerial, and physical safety protection measures, responsibilities for confidentiality and compensation for damages, etc., and monitors whether entrusted companies process personal information safely.
   3. ③Where there is a change in the content of entrusted works or entrusted companies, the Company will without delay disclose such a change via the website notices (or individual notices) or this personal information processing policy.
6. Article 6 (Rights, Obligations, and the Right Exercise Method of Information Subjects)
   1. ①Information subjects may at any time exercise each of the following personal information protection related rights in relation to the Company:
      1. 1. To request the Company to allow them to get access to personal information;
      2. 2. To request the Company to make corrections for errors, etc.;
      3. 3. To request the Company to delete relevant personal information; and
      4. 4. To request the Company to discontinue processing of personal information.
   2. ②The rights in Section 1 may be exercised in writing, by telephone, e-mail, etc. in relation to the Company, and the Company shall take measures for the requests without delay.
   3. ③In the event that an information subject has requested the Company to make corrections for errors, etc. of personal information or delete relevant personal information, the Company shall not use or provide the personal information until it completes making corrections or deleting relevant personal information.
   4. ④The rights in Section 1 may be exercised by an agent, such as an information subject’s legal representative or a delegated person, etc. In this case, a Power of Attorney shall be submitted in the form of the Appendix no. 11 of the Enforcement Rules of the Personal Information Protection Act.
   5. ⑤Information subjects shall not infringe upon their own or a third party’s personal information or privacy being handled by the Company by violating relevant laws, including the Personal Information Protection Act.
7. Article 7 (Destruction of Personal Information)
   1. ①The Company shall destroy relevant personal information when it became unnecessary because the personal information retention period had lapsed, the purpose of processing had been accomplished, or an information subject had made a request for destruction, etc. The Company’s destruction procedures and methods are as follows:
      1. 1. Destruction procedures : In the event the personal information retention period consented to by an information subject has elapsed or the purpose of processing has been accomplished, the personal information shall be deleted or destroyed after it is retained for a certain period of time according to internal policies and other relevant laws.
      2. 2. Destruction methods : The Company deletes any personal information recorded or saved in an electronic file format by using technical methods in which the records cannot be regenerated, and shred by paper or destroy by incineration any personal information recorded or printed out in paper documents.
8. Article 8 (Measures to Obtain Personal Information Security)
   1. ①When the Company handles personal information, it takes the following managerial, technical, and physical measures for obtaining safety, in order to prevent the personal information from being lost, stolen, leaked, altered, or damaged:
      1. 1. Managerial measures : the Company establishes, complies with, and supervises its internal rules to be observed for protecting personal information, and provides regular education, etc.
      2. 2. Technical measures : the Company manages the right to access to personal information processing systems, etc., establishes access control systems, encrypts unique identifiable information, etc., and installs security programs, etc.
      3. 3. Physical measures : the Company controls access to data processing rooms, materials retention rooms, etc., and installs entrance authorization monitoring systems, etc.
9. Article 9 (Personal Information Protection Administrator)
   1. ①The Company has designated a Personal Information Protection Administrator to generally manage duties on handling of personal information and handling complaints and recover damages for information subjects with respect to processing of personal information as follows:

      Personal Information Protection Administrator	Personal Information Protection Manager
      Affiliation : S&SYS Support Part Name : Bang Seung Wook Telephone : 031-229-1021 Mail : s.bhang@samsung.com	Affiliation : S&SYS Support Part Name : Kim Sora Telephone : 031-229-1075 Mail : sora0719.kim@samsung.com

   2. ②Information subjects may ask inquiries to the personal information protection administrator and management department with respect to all personal information related questions, handling of complaints, recovery of damages, etc. arising while information subjects use the Company’s services (or businesses). The Company will give answers and handle complaints, etc. without delay as to information subjects’ inquiries.
10. Article 10 (Request for Access to Personal Information)
    1. ①Information subjects may request the following department to get access to their personal information. The Company will make efforts to promptly handle information subjects’ request for access to personal information.

       Department for Receiving and Handling Requests for Access to Personal Information
       Affiliation : S&SYS Support Part Name : Bang Seung Wook Telephone : 031-229-1021 Mail : s.bhang@samsung.com	Affiliation : S&SYS Support Part Name : Kim Sora Telephone : 031-229-1075 Mail : sora0719.kim@samsung.com

11. Article 11 (Remedial Measures for Infringement of Rights and Interests)
    1. ①Information subjects may ask the following institution of remedial methods for damages, consultations, etc. with respect to infringement of their personal information:
       1. 1. Personal Information Infringement Reporting Center (operated by the Korea Internet & Security Agency)
          • - Authorized works : reporting personal information infringements, applying for consulting
          • - Homepage : privacy.kisa.or.kr
          • - Telephone : 118 (without a telephone exchange number)
          • - Address : Personal Information Infringement Reporting Center , Korea Internet & Security Agency, Joongdae-ro, Seoul (05717)
       2. 2. Personal Information Dispute Mediation Committee (operated by the Korea Internet & Security Agency)
          • - Authorized works : applying for personal information dispute mediation, mediating group disputes (by civil resolutions)
          • - Homepage : privacy.kisa.or.kr
          • - Telephone : 118 (without a telephone exchange number)
          • - Address: Address : Korea Internet & Security Agency, Joongdae-ro, Seoul (05717)
       3. 3. Cyber Crime Investigation Center of Supreme Prosecutors’ Office: 02-3480-2000, cybercid@spo.go.kr(www.spo.go.kr)
       4. 4. National Police Agency Cyber Bureau : 182 (without a telephone exchange number) (cyberbureau.police.go.kr)
    2. ②The above-mentioned institutions are separated from the Company. If an information subject is not satisfied with the Company’s handling personal information complaints or the results of remedies for damages, or need more detailed help, he or she must ask inquiries.
12. Article 12 (Changes in Personal Information Processing Policies)
    1. ①① This personal information processing policy (Version 1.0) applies from August 1, 2018.