The Company shall process personal information for the following purposes. The personal information under process shall not be used for purposes other than those set forth below, and in case of any change in the purpose, measures required according to Article 18 of the Personal Information Act such as obtaining separate consent, shall be carried out.

• 1. Employment
• 2. Consultation and advice
• 3. Examination after clinic/release
• 4. Product supply
• 5. Processing of complaints

The Company shall process and retain personal information during the period for retention and use as set forth in the law or within the period for retention and use for which consent was obtained from the data subject upon the collection of personal information.

The Company shall process personal information of data subjects within the scope set forth under Article 1 (Purpose of the Personal Information Process), and shall provide personal information to a third party only if consent is obtained from the data subject or based on special provisions in the law as set forth under Article 17 of the Personal Information Protection Act.

• ① In order to facilitate work process related to personal information, the Company has outsourced the processing of personal information as set forth below.
• 1. Employment
  - Outsourced to (Outsourcee): LG Uplus Corp.
  Details of the outsourced work: Maintenance and management of homepage related to employment, etc.
• ② According to Article 26 of the Personal Information Protection Act, the Company specifies prevention of personal information processing for purposes other than the purpose of outsourcing, technical and managerial safeguards of personal information, restriction of re-outsourcing, management and supervision of the outsourcee, compensation, etc. in the contract or relevant documents upon outsourcing, and supervises the outsourcee to ensure safe processing of the personal information by the outsourcee.
• ③ In case of any change in the details of the outsourced work or the outsourcee, the Company shall promptly disclose the changes through this Privacy Policy.

• ① The data subject may, at any time, exercise the rights related to protection of personal information as set for the below to the Company.
• 1. Request access to personal information
• 2. Request for correction in case of any error
• 3. Request for deletion
• 4. Request for suspension of processing
• ② The rights set forth under paragraph 1 can be exercised to the Company via document, telephone, email or fax, and the Company shall promptly take corresponding measures.

The Company is processing personal information items as set forth below.

• 1. Employment
  - name, nationality, address, contact, school, military service, work experience, other qualifications
• 2. Product supply
  - name, telephone number, email
• 3. Inquiry related to products, IR, report and employment
  - name, gender, age group, customer classification, email, cellphone number, address
• 4. Alliance, cooperation, service
  - name, organization, email address, residing country/city, telephone number
• 5. Consultation, advice
  - name, organization, date of birth, address, account number/copy of bank book, contact, email, fax number
• 6. Examination after clinic/release (institution entrusted with and performing clinical test / responsible person for the research / information, consultation with respect to the examination subject)
  - name, date of birth, contact, email, company name/clinic category/address, major/position, details of school and work experience, license number, business registration number, account number, health information
• 7. Personal information items set forth below may be created and collected automatically in the course of using internet service.
  - IP address, MAC address, visit record, bad usage record

• ① The Company shall promptly destruct personal information in the event the personal information is no longer required due to expiration of the personal information retention period, satisfaction of the purpose for processing, etc.
• ② In case personal information is required to be preserved according to other laws although the retention period consented by the data subject has expired or the purpose of processing is satisfied, the applicable personal information shall be moved to a separate database or preserved in a different storage location.
• ③ Personal information shall be destroyed by Low Level Format or shredding, upon approval of the privacy officer of the Company

• The Company takes following measures to ensure security of personal information.
• 1. Managerial measures: establishment and performance of internal managing plans, periodic employee trainings, etc.
• 2. Technical measures: manage access to personal information processing system, establish system to restrict access, encryption of personally identifiable information, installation of security program
• 3. Physical measures: restrict access to computer room, data storage, etc.

• The Company does not use ‘cookies’ to store and reload usage information of the data subjects.

The Company has designated a privacy officer to manage all operations related to processing of personal information.

• ▶ Privacy officer
  Name: Yeon Chul Lee
  Position: Head of legal team
  Contact :＜02-405-3013＞, ＜lyc@whanin.com＞, ＜FAX 02-405-3188＞
• ▶ Department in charge of personal information protection
  Department: Legal
  Name: Min Jung Park
  Contact : ＜02-405-3014＞, ＜lawpmj@whanin.com＞, ＜FAX 02-405-3188＞

• ▶ Department for submission and processing of request for personal information access
  Department: HR and General Affairs
  Name: Manager Dong Gun Lee
  Contact : ＜02-405-3032＞, ＜dglee@whanin.com＞, ＜FAX 02-405-3181＞

• ▶ Personal Information Infringement Report Center : 118 (privacy.kisa.or.kr)
• ▶ Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
• ▶ Cyber Crime Investigation Department in the Supreme Prosecutor’s Office: 02-3480-3573 (www.spo.go.kr)
• ▶ Korean National Police Agency Cyber Bureau: 182 (http://cyberbureau.police.go.kr)

• 1. Grounds and purpose for installation of visual data processing device: management of safety of the Company facility, fire prevention and security
• 2. Record time, retention period and location, processing methods
  - Recording time: 24 hours
  - Retention period: 30 days from recording

• ① This privacy policy shall be effective as of September 29, 2020.
• ② Prior versions of the privacy policy are available via the link set forth below.
• - Applied from October 31, 2007 ~ September 28, 2020