The Company processes personal data for the following purposes. The personal data processed shall not be used for purposes other than the following, and in case of a change of the purpose of use, necessary measures such as obtaining a separate consent shall be implemented.

1. ①1. Customer Inquiries: personal identification and authentication, prevention of fraudulent use by problematic customers, record-keeping for dispute resolution, handling complaints including grievances, delivery of notifications, verification of intent to delete written posts
2. ②2. Newsletter: subscription and cancellation of newsletter, sending newsletters to subscribers.

The Company processes and retains personal data within the personal data retention and use period agreed upon when collecting personal data from the data subject or within the personal data retention and use period stipulated by laws and regulations.

1. 2.The Company processes and retains personal data for a certain period in accordance with the relevant laws and regulations in the following cases:

1. ㆍ If an investigation or inquiry is ongoing due to a violation of related laws, personal data will be retained until the investigation or inquiry is concluded.
2. ㆍ If there are outstanding debts or credits arising from the use of the website, personal data will be retained until the settlement of such debts or credits.
3. ㆍ Records related to displays and advertisements: 6 months (under the Act on the Consumer Protection in Electronic Commerce, etc.)
4. ㆍ Records related to contracts or withdrawal of subscriptions: 5 years (under the Act on the Consumer Protection in Electronic Commerce, etc.)
5. ㆍ Records related to payment and supply of goods: 5 years (under the Act on the Consumer Protection in Electronic Commerce, etc.)
6. ㆍ Records related to consumer complaints or dispute resolution: 3 years (under the Act on the Consumer Protection in Electronic Commerce, etc.)
7. ㆍ Data contained in commercial books and important documents on business: 10 years (under the Commercial Act)
8. ㆍ Data related to transaction history and supporting documents: 5 years (under the Framework Act on National Taxes, Corporate Tax Act)
9. ㆍ The date of telecommunications by subscribers, the time that the telecommunications commence and end, the subscriber number of the other party, frequency of use: 1 year (under the Protection of Communications Secrets Act)
10. ㆍ Data on computer communications, internet log records, and tracking data: 3 months (under the Protection of Communications Secrets Act)

The Company, in principle, processes the personal data of data subjects within the scope specified in Article 1 (Purpose of Processing Personal Data). The Company only provides personal data to third parties in cases that fall under Articles 17 and 18 of the Personal Information Protection Act, such as with the consent of the data subject or under special legal provisions. Outside of these cases, the Company shall not provide the personal data of data subjects to third parties.

1. 2.When the Company enters into an outsourcing contract, it specifies in the contract or other written documents the prohibition of personal information processing for purposes other than the outsourced tasks, technical, managerial, and physical protection measures, restrictions on sub-outsourcing, management and supervision of the subcontractor, and liability for damages. The Company also supervises the subcontractor to ensure they handle personal information securely.
2. 3.If the content of the outsourced tasks or the subcontractor changes, the Company shall promptly inform the data subjects and disclose the changes through the privacy policy.

1. 1.Data subjects have the right to request access, correction, deletion, or suspension of processing of their personal data at any time.
2. 2.The rights described in paragraph 1 may be exercised in writing, via email, or fax in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the Company shall respond without delay.
3. 3.The rights specified in paragraph 1 may also be exercised through a legal representative or a delegated person of the data subject. In this case, a power of attorney using Appendix Form No. 11 of the “Notice on Personal Data Processing Methods (No. 2023-12)” must be submitted.
4. 4.Requests for access to and suspension of processing of personal data may be restricted under Article 35, Paragraph 4 and Article 37, Paragraph 2
5. 5.A request for correction or deletion of personal data cannot be made if the personal data is designated for collection under another law.
6. 6.The Company shall verify whether the person making the request for access, correction, deletion, or suspension of processing in accordance with the rights of the data subject is the person or his/her authorized representative.

1. ① Customer inquiries
2. ㆍ Required information: name, contact information, email, inquiry details and attachments
3. ② Newsletters
4. ㆍ Required information: name, email, category

The Company collects personal data in the following ways.

1. ㆍ Online (website, mobile) consultation boards, emails, Contact(Phone)

1. 1.The Company shall destroy the personal information without delay when the personal data become unnecessary, such as the expiration of the personal data retention period or the achievement of the purpose of processing.
2. 2.When the retention period for personal data, as consented to by the data subject, has expired, or the processing purpose has been achieved, but the personal data must continue to be retained in accordance with other laws, the Company shall transfer the personal data to a separate database (DB) or store it in a different location.
3. 3.The procedure and method for the destruction of personal data are as follows:

1. ① Destruction Procedure
2. ㆍ The Company identifies the personal data that needs to be destroyed and proceeds with its destruction upon approval from the Company’s Chief Privacy Officer.
3. ② Destruction Method
4. ㆍ For personal data recorded and stored in electronic file format, the Company shall use methods such as Low Level Format to ensure the records are unrecoverable. For personal data recorded and stored in paper documents, the Company shall destroy it by shredding with a shredder or incineration.

1. 1. Development and Implementation of an Internal Management Plan
2. ㆍ The Company’s internal management plan is established and implemented in accordance with the internal guidelines of the Ministry of the Interior and Safety.
3. 2. Minimization and Training of Personal Data Handlers
4. ㆍ The Company designates a minimal number of staff to handle personal data and implements personal data protection education and management measures.
5. 3. Restriction of Access to Personal Data
6. ㆍ The Company takes necessary measures to control access to personal data by granting, modifying, and deleting access rights to the database system processing personal data, and uses intrusion prevention systems to control unauthorized access from outside.
7. 4. Retention and Prevention of Tampering with Access Records
8. ㆍ The Company retains and manages records of access to the personal data processing system (web logs, summary data, etc.) for at least one year, and uses security features to prevent tampering, theft, or loss of access records.
9. 5. Encryption of Personal Data
10. ㆍ Personal data of data subjects, such as passwords, is stored and managed in encrypted form, ensuring that only the data subject knows it. Important data is protected by encrypting files and transmission data or using file locking features.
11. 6. Technical Measures Against Hacking, etc.
12. ㆍ To prevent the leakage and damage of personal data caused by hacking or computer viruses, the Company installs security programs, performs regular updates and inspections, and installs systems in areas with restricted external access, and also monitors and blocks such attempts both technically and physically. Additionally, network traffic monitoring is in place to detect attempts at illegally altering data.
13. 7. Access Control for Unauthorized Personnel
14. ㆍ The Company has a separate physical storage location for personal data systems that store personal data and establishes and operates access control procedures for this location. Furthermore, papers and backup storage media that include personal information are kept in a safe place with locks.

1. 1.The Company does not install or operate any device that automatically collects personal information, including “cookies”.

1. 1. Purpose of Installing Image Data Processing Devices

1. ㆍ Ensuring facility safety and fire prevention
2. ㆍ Ensuring customer safety, protecting the workplace, and preventing crimes such as theft
3. ㆍ Preventing unauthorized intrusion by non-authorized personnel within the workplace

1. 2. Number of Installations, Installation Locations, and Imaging Scope
2. In accordance with relevant laws and regulations, the Company installs and operates image data processing devices after reviewing their suitability in the following locations.
3. ㆍ Main entrances where personnel and vehicles enter and exit the premises, lobbies, ground/underground parking lots, and other areas and zones where public safety and the protection of trade secrets require security measures

1. 3. Responsible Departments and Managers

2. Category	Location	Purpose	Manager		Remarks
   			Responsible Entity	Contact Info.
   Headquarters	Gyedong HQ	Crime prevention, security	Security Management Center	02-746-3116
   R&D Center	Mabuk R&D Center	Crime prevention, security	R&D Support Team	02-746-0248
   Site	Nationwide on-site offices	Crime prevention, security	※ Site Manager (see onsite bulletin board for contact details)

1. 4. Recording Time, Retention Period, Storage Location, and Processing Method of Image Data
2. ㆍ Recording Time: continuous recording 24 hours a day
3. ㆍ Retention Period: at least 30 days from the date of recording
4. ㆍ Storage Location and Processing Method: stored and processed in the control room for image data processing devices

1. 5. Methods and Locations for Viewing Image Data
2. 1) After contacting the image data manager in advance, viewing the image data is possible at a designated location.

1. 6. Actions on Requests by Data Subjects to View Image Data, etc.
2. 1) A request to access personal image data or confirm its existence must be submitted using a request form. Access is granted only if the data subject is the person filmed or if it is clearly necessary to protect the data subject’s life, body, or property.
3. 2) Hyundai E&C will take immediate action in accordance with the legitimate rights of the data subject when they request to view, store, or delete personal image data. However, requests for processing may be denied in the following cases:

1. ㆍ If the storage period of the personal image data has expired and the data has been deleted
2. ㆍ If there is a concern about infringing on the privacy of others due to viewing and disclosure of the image data
3. ㆍ If it would seriously hinder a criminal investigation, the continuation of a public prosecution, or the proceedings of a trial
4. ㆍ If there is any other justifiable reason for the Company to refuse the data subject’s request to access or verify the data

1. 7. Technical, Administrative, and Physical Measures to Protect Image Data
2. The Company protects image data through the following measures: establishing an internal management plan, implementing access control and restricting access rights, applying secure storage and transmission technologies for image data, maintaining processing records and preventing tampering or forgery, and installing locking devices and preparing secure storage facilities.

1. 1. The Company has appointed the following Chief Privacy Officer and Privacy Manager to oversee and take responsibility for personal data processing tasks, handle customer complaints, and provide remedies related to personal data processing.
2. ㆍ Chief Privacy Officer

1. Name: Kim Ki-hong
2. Title: Vice President
3. Contact: 1577-7755, privacy@hdec.co.kr

1. ㆍ Privacy Manager

1. Organization: Public Relations Group
2. Name: Park Hyun-hee
3. Contact: 1577-7755, hhpark@hdec.co.kr

1. 2. Customers and data subjects can request any matters related to personal data protection, such as inquiries, complaint handling, damage relief, and requests for access to personal data, arising from the use of the Company’s services (or business). The Company shall respond and handle inquiries from customers and data subjects without delay.
2. ※ However, emails sent for purposes other than inquiries, complaints, or issues related to personal data protection may not receive a response or be processed. Additionally, unsolicited commercial emails sent without the consent of the responsible officer may be reported to relevant authorities and handled in accordance with Articles 50 to 50-8 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.

1. ㆍ Department for Receiving and Processing Requests for Access to Personal Data

1. Department: Public Relations Group
2. Manager: Park Hyun-hee
3. Contact: 1577-7755, hhpark@hdec.co.kr
4. Working Hours: Weekdays 09:00-17:00
5. Closed: Saturdays, Sundays, and public holidays

1. 1. Personal Information Infringement Report Center (operated by Korea Internet & Security Agency)

1. ㆍ Scope of Work: Reporting personal data infringement, requesting consultation
2. ㆍ Website: privacy.kisa.or.kr
3. ㆍ Phone: 118 (no area code required)

1. 2. Personal Information Dispute Mediation Committee

1. ㆍ Scope of Work: Applying for personal data dispute mediation, applying for collective dispute mediation (civil resolution)
2. ㆍ Website: www.kopico.go.kr
3. ㆍ Phone: 1833-6972 (no area code required)

1. 3. Supreme Prosecutors’ Office: 1301 (no area code required) www.spo.go.kr
2. 4. National Police Agency: 182 (no area code required) ecrm.cyber.go.kr

1. ㆍ Announcement Date of the Privacy Policy: August 5, 2024
2. ㆍ Effective Date of the Privacy Policy: August 12, 2024