We value the personal information of individuals and have established and implemented "Personal Information Handling Guidelines" to comply with relevant regulations such as the "Personal Information Protection Act." 1. General Provisions 1) "Personal information" refers to information about an individual that can identify them, including but not limited to their name, resident registration number, and video footage (including information that can easily identify an individual when combined with other information). 2) We comply with the regulations on personal information protection under the Personal Information Protection Act and the "Personal Information Protection Policy" established by the Ministry of Public Administration and Security, and we disclose the processing status of personal information so that data subjects can verify the status of their personal information at any time. 2. Items and Methods of Personal Information Collection 1) Job Application ① Collected personal information : nationality, name, address, date of birth, gender, phone number (landline/mobile), email, hobbies, education, career, military service (exemption reasons for those not required to serve), foreign languages, family relationships, benefits for veterans, etc. ② Collection method : When submitting a job application via email. 2) New Retail Store Transactions ① Collected personal information - Personal information : name, email address, fax number, contact information, photo (for facility installation verification) - Account information : bank name, account number, account holder, relationship (related to facility maintenance fee payment) - Business information : business registration number, company name, business type, representative, business address ② Collection method : When applying for new retail store transactions, we collect the information through the "Retail Store Registration Application" and upon signing the facility maintenance fee payment contract. 3. Purposes and Retention Period of Personal Information Collection We process personal information for the following purposes and do not use it for any purposes other than the ones stated below. 1) Collection purposes ① Reception and management of job applications, notifications ② New retail store transaction activities (orders, delivery, issuance of tax invoices, etc., between retail stores and our company) 2) Retention period ① Job applications : Within one month from the date of confirmation of successful applicants (except for cases of withdrawal after retirement or consent revocation by the successful applicant) ② Retail store transaction information : Retained for 5 years after the transaction is discontinued according to Article 85(3) of the Basic Tax Law, and then disposed of along with transaction records. 4. Provision of Personal Information to Third Parties We provide the following personal information to third parties. 1) Recipients of personal information : Philip Morris Korea 2) Purposes of the recipient's personal information use : ① For analysis purposes related to the status of retail stores, such as current status, sales volume, and goal setting, as a tobacco supplier. 3) Personal information items provided - Retail store transactions : ① Personal information : name, email address, fax number, phone number, mobile number, photo (for facility installation verification) ② Account information : bank name, account number, account holder, relationship (related to facility maintenance fee payment) ③ Business information : business registration number, company name, business type, representative, business address 4) Retention and use period of the recipient - Retail store transactions : 5 years after the transaction is discontinued 5. Outsourcing of Personal Information Processing We outsource personal information processing tasks as follows : 1) Issuance of electronic tax invoices - Contractor : GSITM (GS ITM) - Outsourced tasks : Issuance of tax invoices 2) Electronic document storage - Contractor : Amazon - Outsourced tasks : Storage of electronic documents as agreed upon with the data subject 3) Construction and maintenance of electronic contract systems - Contractor : JC1 - Outsourced tasks : Website and system development, system enhancement, maintenance 6. Rights, Obligations, and Exercise Methods of Personal Information Providers 1) Personal information providers can request access to their personal information, as well as request correction, deletion, or withdrawal of consent. Upon request, the requested information will be provided immediately after undergoing a personal verification process. [Request for Personal Information Modification : General Affairs 02-549-5210 (554)] 2) If a correction is requested for any provided personal information, we will not use or provide the information until the correction is completed. If the information has already been provided to a third party, we will promptly notify the third party of the correction to ensure its implementation. 3) If there are any changes in the provided information, please contact us to prevent potential incidents. The responsibility for any incidents resulting from failure to update the information lies with the information provider. 4) The information provider is responsible for any incidents arising from providing false personal information. 7. Personal Information Disposal 1) When personal information becomes unnecessary due to the expiration of the retention period or the achievement of the processing purpose, it will be promptly disposed of. 2) If personal information needs to be retained despite the expiration of the agreed-upon retention period or the achievement of the processing purpose due to other legal requirements, it will be moved to a separate database or stored in a different location for retention. 3) The procedure and method of personal information disposal are as follows : ① Disposal procedure : - Select personal information that has expired or has reasons for disposal, obtain approval from the Personal Information Protection Manager, and dispose of the personal information. Personal information data stored on servers is automatically deleted, and its deletion is verified once a month. ② Disposal method : - Personal information recorded and stored in electronic file format will be irreversibly destroyed using methods such as perforation, low-level formatting, etc. Personal information recorded and stored on paper documents will be shredded for disposal. 8. Measures to Ensure the Security of Personal Information We have implemented the following technical, administrative, and physical measures to ensure the safety of customer's personal information: 1) We store and manage sensitive personal information in an encrypted form. 2) Measures against hacking : ① We make our best efforts to prevent the leakage or alteration of customer's personal information due to hacking, computer viruses, etc. ② We regularly back up data to prepare for personal information damage, use up-to-date antivirus programs to prevent leakage or damage of customer's personal information or data, and ensure secure transmission of personal information over networks through encrypted communication. ③ We utilize intrusion prevention systems, control unauthorized access from external sources, and make efforts to implement all technically feasible measures to ensure security. 3) Minimization and education of handling staff: ① Only designated personnel have access to personal information, and they are assigned separate passwords that are regularly updated. Regular training is provided to handling staff to ensure the secure management of personal information. ② When handling personal information, strict procedures are followed for transfer and inheritance, and responsibilities for personal information incidents are clearly defined after employment and retirement. ③ Computer rooms and data storage rooms are designated as restricted areas with controlled access. 4) We do not use "cookies" that store and retrieve usage information of data subjects. 9. Personal Information Protection Manager 1) We have appointed a personal information protection manager who is responsible for overseeing the processing of personal information, handling complaints and remedies related to personal information processing. The designated personal information protection manager is as follows: ▶ Name: Jeong, Whoi-in (Assistant Manager) Position: Department Head Contact: 02-549-5210 (extension 558) ▶ Department in Charge of Personal Information Protection Department: Information Systems Department Contact: 02-549-5210 (extension 440) 2) If you have any inquiries, complaints, or requests regarding personal information protection related to our services or business, you can contact the personal information protection manager or the department in charge, and we will respond and handle your inquiries promptly. 10. Installation and Operation of Video Information Processing Devices We have installed and operate video information processing devices as follows: 1) Basis and Purpose of Video Information Processing Device Installation: Facility safety and fire prevention. 2) Number of Installations, Installation Locations, and Recording Range: One device installed at the entrance of the head office and each warehouse and entrance of branch offices, recording the entire space of major facilities. 3) Person in Charge of Management, Department in Charge, and Authorized Access to Video Information: Jung Hoein (Assistant Manager) of the General Affairs Department. 4) Recording Time, Retention Period, Storage Location, and Processing Method of Video Information: - Recording Time: Continuous recording for 24 hours. - Retention Period: 30 days from the time of recording. - Storage Location and Processing Method: Stored and processed in the video information processing room at the head office/branch offices. 5) Method and Location for Viewing Video Information: Request to the person in charge of management (General Affairs Department). 6) Actions for Requests to Access Video Information from Data Subjects: Requests for viewing personal video information or confirming its existence must be submitted using an application form. Access to video information is granted only when the data subject themselves is captured in the footage or when it is necessary for clear benefits related to the data subject's life, body, or property. 7) Technical, Administrative, and Physical Measures for the Protection of Video Information: Implementation of internal management plans, access control and restriction of access rights, application of secure storage and transmission technologies for video information, storage and prevention measures against tampering of processing records, establishment of storage facilities, and installation of locking devices. 11. Changes to the Personal Information Processing Policy The "Personal Information Processing Policy" is effective from the date of enforcement. In the event of additions, deletions, or corrections to the content in accordance with legal requirements or policies, we will notify the changes through the notice board at least 7 days prior to the implementation of the changes. We will comply with the regulations specified in the "Personal Information Protection Act" and make every effort to ensure that the personal information provided to us is not misused for purposes other than the intended use. Effective Date: November 2, 2020