Lotte R&D Center (hereinafter, “Company”) views the protection of users’ personal information highly critical and thus makes its utmost efforts for the information provided to the Company via online to be protected.

The Company is in compliance with personal information protection provisions appearing on Personal Information Protection Act, Action on Promotion of Information and Communications Network Utilization and Information Protection, etc., and other stipulations which any information technology service provider should observe and other personal information protection guidelines written by Korea Communications Commission and Ministry of the Interior and Safety.

The Company drafted the Personal Information Processing Policy hereof (hereinafter, “Policy”) in accordance with Article 30 of the Personal Information Protection Act and Article 27.2 of the Action on Promotion of Information and Communications Network Utilization and Information Protection, etc., to let customers know the purpose and method of the use of provided personal information and the measures designed to protect the information.

The Company posts personal information protection policy on the landing page of its website so that users may understand it with convenience.

When there is a change in personal information protection laws and related guidelines or internal policies of the Company, the Policy shall be revised irregularly in accordance with the change thereof. Such revision shall be made through this Policy before being publicly announced. Customers are advised to visit the homepage more than often.

2. Personal information to be collected and its purpose)

The Company garners personal information in order to provide customers with diverse, convenient Internet services.

1. 1) HiGenie membership registration

   Name, country, department, branch, email, membership ID, position, password.

2. 2) Training

   company ID.

3.Duration of personal information retention and use

Retained personal information shall be properly discarded once the purposes of collection and provision of the information are fulfilled, or its retention period expires provided that, when there is a need of keeping it according to relevant laws, the Company shall hold it for an extended period only for retention.

1. 1) HiGenie membership registration

   • * ㆍ Food safety check and operation of distribution/dining contractor
   • * ㆍ Retention: One year

2. 2) Training

   • * ㆍ Education on food safety and others
   • * ㆍ Retention: One year

4 Right to refuse consent and CONSEQUENCES OF REFUSING CONSENT

The Lotte R&D Center shall not be able to provide or retain membership if the consent to collection and use of required personal information is refused.

Lotte R&D Center (hereinafter, “Company”) views the protection of users’ personal information highly critical and thus makes its utmost efforts for the information provided to the Company via online to be protected.

The Company is in compliance with personal information protection provisions appearing on Personal Information Protection Act, Action on Promotion of Information and Communications Network Utilization and Information Protection, etc., and other stipulations which any information technology service provider should observe and other personal information protection guidelines written by Korea Communications Commission and Ministry of the Interior and Safety.

The Company drafted the Personal Information Processing Policy hereof (hereinafter, “Policy”) in accordance with Article 30 of the Personal Information Protection Act and Article 27.2 of the Action on Promotion of Information and Communications Network Utilization and Information Protection, etc., to let customers know the purpose and method of the use of provided personal information and the measures designed to protect the information.

The Company posts personal information protection policy on the landing page of its website so that users may understand it with convenience.

When there is a change in personal information protection laws and related guidelines or internal policies of the Company, the Policy shall be revised irregularly in accordance with the change thereof. Such revision shall be made through this Policy before being publicly announced. Customers are advised to visit the homepage more than often.

Article 2 (Personal information to be collected and its purpose)

The Company garners personal information in order to provide customers with diverse, convenient Internet services.

1. 1) HiGenie membership registration

   Name, country, department, branch, email, membership ID, position, password.

2. 2) Training

   company ID.

Article 3 (Duration of personal information retention and use)

Retained personal information shall be properly discarded once the purposes of collection and provision of the information are fulfilled, or its retention period expires; provided that, when there is a need of keeping it according to relevant laws, the Company shall hold it for an extended period only for retention.

1. 1) HiGenie membership registration

   • ㆍ Food safety check and operation of distribution/dining contractor
   • ㆍ Retention: One year

2. 2) Training

   • ㆍ Education on food safety and others
   • ㆍ Retention: One year

Article 4 (Provision of personal information to and sharing of it with third party)

The Company shall utilize customers’ personal information within the notified scope in Collection and Utilization of Personal Information and not use it for a purpose that goes beyond the range or offer it to a third party without customer’s prior consent; provided that, the followings are exceptions:

1. 1) Where customers in advance publicly release it or give their consent for the provision to a third party
2. 2) Where there is a request from investigatory organizations or supervisory authorities in accordance with the procedures and methods as stipulated in relevant laws for the purpose of investigation and survey.
3. 3) Where the information is offered to contractors and others in such a way that the individual from whom it originates shall not be identifiable, for the purposes of statistics reports, academic research or market survey.

Article 5 (Consignment of personal information processing)

The Company consigns personal information processing to an outside party, in hopes of offering more seamless services. Regarding the consignment, the Company has been conducting the processing (handling) of personal information as follows and taking actions so that the dealing safely goes as stated in relevant laws at a time of consignment contract. In addition, the information up for consignment shall be run at its minimum amounts while ensuring expedient services. The party and purpose of the consignment is as follows:

Article 6 (Right/Obligation and the execution of it by information holder)

1. 1) Users, legal representatives (for children aged less than 14) and those who have power of attorney of other person may execute the following rights with regard to personal information of users themselves. Legal representatives and those who have power of attorney shall submit a letter of attorney which is written on the No. 11 Form in the Appendix of the Enforcement Rule of the Personal Information Protection Act.
   • - Request of personal information sight
   • - Request of correction to errors and others
   • - Request of deletion
   • - Request of halting the processing
2. 2) Execution of rights, stated in Clause 1, may be realized with notification via document, telephone, email, facsimile, and others. Upon receipt, the Company shall immediately respond to the notice.
3. 3) In case that those whom personal information is originate from call for the correction or deletion of errors in their information, the Company shall not use or provide the information until such request is fulfilled.
4. 4) Users and legal representatives shall not provide false information to the Company, or commit actions that infringe third party personal information, including, illegitimate collection, release or theft of it. In violation of this, the violator shall bear the civil and criminal responsibility, according to relevant laws.

Article 7 (Installation and operation of automatic personal information collection tools and rejection to them)

1. 1) Purpose of the use of cookies

   The Company employs cookies that frequently store and retrieve customers’ information. The cookies, a minuscule amount of information that a website transmits to customers’ web browser, are stored in their hard disc drives.

   • - The Company may use cookies to identify whether or not an Internet user is a membership holder and sustain his/her state of being logged-in.

2. 2) Installation/Operation and rejection of the cookies

   • - A customer has a right to decide where or not to install cookies. By setting options on a web browser, he/she can allow/reject all cookies, or can make his/her confirmation required for each step of storing cookies.
   • - Ways of choosing cookies settings on Internet Explore
     1. ① Click on “Tools” and then “Internet Options.”
     2. ② Click on “Privacy” tab.
     3. ③ Choose your cookie settings.
   • - Ways of choosing cookies settings on Safari
     1. ① Click on “Safari” in the top left of your screen and then choose “Preferences.”
     2. ② Click on “Privacy” and choose your preferred cookies setting.

Article 8 (Measures of personal information protection)

For customers’ personal information not to be lost, stolen, leaked, changed, or damaged along the course of its processing, the Company is seeking the following managerial, physical, and technological protection measures to ensure security.

1. 1) Managerial protection measure

   The Company established and implemented internal management plan of personal information, limiting the number of people who may handle it to a minimum level. In addition, it enhances the importance of personal information protection through managerial actions, including education to those who deal with it.

2. 2) Physical protection measure

   The Company installed computer center, data storage, and others in a place where outside access is tightly controlled, including under surveillance and blockade.

3. 3) Personal information encryption

   1. - Personal information encryption

      Customers’ passwords stored in one-way encryption are under management, and the confirmation and change of personal information is only available for those whom personal information is originated from and know password. Regarding the manner of setting up, password is not allowed to be formed in such ways that strangers can easily conjecture, for example, birthday, phone number, and so on.

   2. - Steps that can prevent hacking and others

      The Company is running an access-blocking system 24/7 to prevent any hacking and other invasive actions into the Company’s information telecommunication network from taking personal information out. On top of that, it securely transmits personal information to and from its network via encrypted telecommunication and other safe methods when dealing with sensitive personal information.

Article 9 (Scrap of personal information)

1. 1) When the Company finds personal information not needed any more, including for termination of personal information retention, completion of its purpose, etc., it scraps related personal information without delay.
2. 2) In case that it is required to keep personal information according to related laws even after personal information retention period terminates or its purpose completes, the information shall be moved to a separate database or another storage center.

3. 3) Scrapping shall be done through the following procedure and method:

   1. - Procedure: The Company selects personal information which is up for scrapping, and, with the approval of those responsible for internal personal information protection, scraps the information.
   2. - Method: The Company employs Low Level Format and others so that electronically written and recorded personal information is not workable. For the information on paper, it will shred or incinerate.

Article 10 (Personnel responsible for personal information)

In order to bear general responsibility in relation to personal information processing, lodge complaints and provide remedy to damage, the Company designates the following staff as the person in-charge of personal information protection.

Article 11 (Request of personal information sight)

Those for whom personal information is originated may raise the request of personal information sight, in accordance with Article 35 of the Personal Information Protection Act, to the department below. The Company will put in efforts so that the request can be processed in a speedy manner.

• - Personal information infringement center (http://privacy.kisa.or.kr / 118)
• - - Information protection certification committee (http://www.eprivacy.or.kr / 02-550-9531~2)
• - Forensic Science Investigation Department, Supreme Prosecutors’ Office (http://www.spo.go.kr / 02-3480-2000)
• - Cyber Bureau of the National Police Agency (http://cyberbureau.police.go.kr / Call 182 to police call center)

Article 12 (Duty of notice)

When there is addition, deletion, and revision to the Policy, the fact of it shall be notified on the website at least seven days in advance.

The Policy shall be enacted on May 8, 2020.