1. Personal Information Collection

A. Type of Personal Information to Collect

1) The company may collect the following personal information in order to process your requests and consult on ethical issues in accordance with Privacy Policy and relative business ethics Policy HD Hyundai and its affiliates may share this personal information with each other

• ① Required Items
  • Employee Identification Number, Name, Telephone or Mobile Phone Number, E-Mail Address, Company Telephone Number
• ② Optional Items
  • Address and Postal Code

2) HD Hyundai may gather some information automatically through visiting our websites or processing other business purpose. The details are as follows

• ① IP address, date and time of visit, service use records, or any relative records, etc.

B. How to collect personal information

HD Hyundai may collect personal information through following methods.

• 1) Website and E-mail
• 2) Telephone or Mobile Phone Number and Fax
• 3) Post and Visit

When you visit our websites or connect to our services, contact us, we may collect a variety of information including your name and other personal information.

2. Purpose of Processing Personal Information

We process personal information for the following purposes. Personal information will not be used for any other purposes. If the purpose of use is changed, we will take all necessary actions required by law including seeking new consent from you.

A. How we handle your requests

We process personal information for the purpose of Identification of requests confirming the details, contacting for factual inquiries, and notifying the result of processing or compliance with a legal obligation to which HD Hyundai is subject.

3. Personal information to a third party

We will not use the personal information other than the purposes mentioned in the above. However, the following exceptions may be applied.

• A. If we receive your renewed consent for the data subject
• B. If we have a good-faith belief that disclosure information is reasonably necessary to meet any applicable law, regulation, legal process, or enforceable governmental requests
• C. If there is no other way to obtain consent due to unforeseeable reasons or we have a good-faith belief that there is a reasonable reason to protect third party rights in property or any other interests
• D. In any of the following cases, except for when there is a possibility of unfairly infringing the interests of the data subject or a third party, the personal information of the data subject may be shared to third parties
  • 1) For a certain course of academic research, it is necessary to provide personal information in a non-personally identifiable form
  • 2) If the Company is unable to comply with any applicable law or regulation however the governmental agency such as Protection committee reviewed and approved to provide such information to a third party
  • 3) If company is necessary to meet any international treaty requirements
  • 4) When necessary for investigating and prosecuting criminal offenses
  • 5) If necessary for court proceedings
  • 6) If necessary for the execution of penalty and custody, enforcement of protective measures
• E. If we share those information to a third party, we will notify the purpose of sharing to a third party or a third party which is shared personal information, and the retention period by a third party

4. Commitment of handling personal information

When it is necessary to have a contractual relationship with a third party, we will cause to make our best efforts to indicate relevant clauses about the purpose of contract, the party information who will proceed such information, technical and administrative protection methods, and compensations for damages in accordance with Article 25 of Personal Information Protection Act. Additionally we will monitor from time to time the opposite party whether they are complying with subject agreement and any other applicable regulations.

• A. Name of external service provider: HNINC, Website operation and maintenance

5. Period of Retention and Use of Personal Information

In some cases, we retain data for limited periods when it needs to be kept for legitimate business or legal purposes. In principle, we will delete personal information immediately after the purpose of its use has been achieved. However, the following information may be retained for the limited period for the following reasons.

A. If there is reasonable reason to meet any applicable internal policy

The company will keep personal information with the consent.

• - The period of misuse records for preventing illegal use: For 1 year
• - The period of Information for requests management: Until the purpose of personal information is achieved.

B. If the company is compelled to comply with any applicable law or regulations, reason for holding information by relevant laws.

If it is necessary to comply with the provisions of applicable laws such as commercial law, Act on The Consumer Protection in Electronic Commerce, Etc., the company will keep personal information for a certain period of time in accordance with applicable laws and regulations.

6. Procedures and methods of personal information deletion

The Company will delete personal information without delay right after the purpose of its use has been achieved or we determine retaining such information is no longer necessary. The deletion procedure and methods are as follows.

A. Destruction procedure

The Company will select the personal information which is reasonably necessary to delete in accordance with applicable internal policies and laws and such information will be deleted with the prior approval by Chief Privacy Officer.

B. Deletion methods

1) Personal information stored in electronic file is deleted by technical method disabling regeneration of records.

2) Personal information stored in other devices other than electronic file or is printed, will be destroyed by a shredder or incinerated.

7. The rights, duties and methods of the data subject

① You may exercise its rights to request to review, correct, delete, or suspend processing personal information at any time.

② The exercise of rights indicated in above may be made in writing, e-mail, fax, etc., pursuant to Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act.

A. Personal information request for review

You may ask the company to view the personal information retained by the company in accordance with Article 35 of the Personal Information Protection Act (Inspection of Personal Information).

However, the company may not be allowed to such requests If:

• 1) If we are obligated not to do so by law or requirements of any relevant regulatory agency.
• 2) If there is a reasonable reason to protect against harm to the rights, property, or safety of users or a third party.
• 3) If it is possible to disrupt against governmental agency for processing for following tasks:
  • - Taxation, Collection or Refund
  • - Regarding grading or student selection at higher education institutions established in accordance with the Elementary and Secondary Education Act and the Higher Education Act, schools established under the Lifelong Education Act and other laws
  • - Assessment of qualifications, skills and employment, qualification examination
  • - Assessment or judgment in progress on compensation or allowance estimation
  • - Audit and investigation matters in progress under other applicable laws

B. Personal information correction and deletion request

You may request correction or deletion of personal information retained by the company in accordance with Article 36 (Correction or Deletion of Personal Information) of Personal Information Protection Act. However, if personal information is indicated in other applicable laws and regulations which the company is required to comply, you will not be able to request such deletion.

C. Request to stop personal information processing

You may request for correction of personal information retained by the company according to Article 37 (Suspension, etc. from Managing Personal Information) [Personal Information Protection Act.] However, in the following cases, the company is allowed not to respond your request the request to stop processing can be rejected.

• - If the company is compelled to comply with statutory obligations by applicable laws
• - If there is a reasonable reason to protect against harm to the rights, property, or safety of users or a third party
• - If it is possibly to disrupt against governmental agency for processing for its own duties under the laws or regulations
• - If there is difficulty to comply with any other agreements that we are obligated to and you are not clearly expressing objections to do

8. Measures to ensure the safety of personal information

In order to secure the security for the personal information not to be lost, stolen or damaged, we are making its best efforts to taking all of feasible methods in accordance with Article 29 of the Personal Information Protection Act. The details are as follows,

A. Establishment and enforcement of internal management plan

The Company has developed and enforced an internal policy based on the criteria for ensuring the safety of personal information.

B. Minimization and training of personal information handlers

The company's personal information handling staff is limited to the person in charge, and a separate password is assigned to it so that it is regularly updated. We constantly emphasize compliance with the company's personal information processing policy through on-the-job training.

C. Restrict access to personal information

We take all necessary measures for making limited access environments for personal information through the granting, modification and deletion of access rights to the personal information database systems. When one of our employees charging the personal information accesses the personal information processing system from the outside, the virtual private network will be used.

D. Secure connection history and prevent forgery/tampering

We are securing all of connection records (web logs, etc.) about the personal information processing system for at least 1 year and making all of best efforts for using the security function to prevent forgery, alteration and loss of connection records.

E. Encryption of personal information

Encryption is important, valuable to protect the personal information stored on. Such personal information is stored in encrypted manners and additional security devices for processing are to be used.

F. Measures to prevent hacking

1) The company is making its best efforts to protect your personal information against hacker and other privacy invasion

2) In order to protect personal information, we regularly back up the data. We use the latest vaccine program to prevent personal invasions or data from being leaked or damaged. We allow to transmit personal information in a strictly manners on the network through encrypted communication

3) And we are utilizing invasion prevention system to restrict unauthorized access from outside and try to have all necessary technical devices to make the best security system

G. Protection measures against unauthorized access

The physical storage of the personal information system is separately being operated, and access control procedures are effective and activated accordingly.

H. Password encryption

The password is encrypted and stored. Only you or data principal knowing password is able to access system for changing or confirmation of such data. Change of personal information is possible only by the data subject who knows the password.

I. Operation of personal information protection organization

Through the in-house personal information protection organization, we review whether it is complied with the company's Privacy Policy and any other applicable regulations, and make all of its efforts to correct any problems in the event that it is found. However the Company shall have no circumstance be liable for any loss, damage, expense arising from negligence act on you or any internet accessing issue.

9. Privacy Officer and Personal Information Manager

In order to protect personal information and to deal with complaints related to personal information, the Company has designated the Privacy Officer and Personal Information Manager as follows.

Contact Methods

	Chief Privacy Director	Privacy Officer	Personal Information Manager
Department	Security Managemet	Security Planning Team	Security Planning Team
Name	Lee, Oh-Young Managing Managing Director	Kim, Seong-bae Senior Officer	Park, Yoon-Sik Senior Officer
Telephone	+82-2-479-5601	+82-2-479-5683	+82-2-479-8954
E-mail	118@hd.com	kimsb@hd.com	parkyoonsik@hd.com

You can contact us if you have any questions or concerns or if you would like to make a compliant about privacy issues

10. Contact department of Personal Information collection and view

You may ask the company to view the personal information in accordance with Article 35 of the Personal Information Protection Act. Therefore, you can contact us if you have any questions or concerns

Department : Business Ethics Planning Team

Name : Lee, Yoon Hyuk (officer)

Telephone : 02-479-5279

E-mail : yoonhyuk.lee@hd.com

11. Change of personal information processing policy

This Privacy Policy may be updated from time to time. In the event there is a material change to comply with applicable laws and regulations, we will post on our websites along with the updated policy no later than 7 days of any addition, deletion or correction of any changes in accordance with the laws and regulations, we will endeavor to notify you through the notice 7 days before the possible change.

개인정보 취급정책 변경일자

v1.0 : 2018-09-20

v1.1 : 2019-06-03

v1.2 : 2021-01-07

v1.3 : 2021-12-22

v1.4 : 2022-12-07

12. Matters concerning the installation / operation of the automatic collection device of personal information and its rejection

Our website(ethics.hd.com) does not use cookies which are able to store and retrieve information.

13. Relief for privacy right infringement

If you have any questions or concerns about data processing, or if you would like to have a consultation for resolving any disputes about a possible breach of applicable regulations, you can always contact to relevant regulators or governmental agency such as the Personal Information Dispute Resolution Committee or the Personal Information Infringement Notification Center of the Korea Internet & Security Agency.

The following organizations are separate entity from the company, and if you are unsatisfied with the reply received or need more specification information, you may contact us and we will endeavor to provide you with information about your concerns.

▶ Personal Information Infringement Notification Center (operated by Korea Internet & Security Agency

Service : Personal information infringement report and consultation application

Website : privacy.kisa.or.kr

Telephone : +82 118

Address : 3rd Fl., Korea Internet & Security Agency (KISA) 9 Jinheung-gil, Naju, Jeollanam-do, Republic of Korea (58324)

▶ Personal Information Dispute Mediation Committee

Service : Personal information dispute settlement application, collective dispute settlement (civil settlement)

Website : www.kopico.go.kr

Telephone : +82 1833-6972

Address: 4th Fl., 209, Sejong-daero, Jongno-gu, Seoul, Republic of Korea (03171)

▶ Supreme Prosecutors' Office Cyber Crime Division

Telephone : +82-2-3480-3573

Website : www.spo.go.kr

▶ Korean National Police Agency Cyber Safety Bureau

Telephone : +82 182

Website : cyberbureau.police.go.kr