Amendment proposed to Personal Information Processing Policy

Doosan Corporation (hereinafter “the company”) complies with the statutory provisions concerning personal information protection, including those under the Personal Information Protection Act and the Act on Promotion of ICT Network Service and Protection of Information.The company also does its best to protect the information subjects, including its customers, officers, employees, and website users, by determining its personal information processing and handling policies based on the related statutes. Through its personal information processing and handling policies, the company informs the information subjects as to how it uses or processes the personal information provided by them and for what purposes and what actions it takes to protect their personal information. The company will publish any amendments to its personal information processing and handling policies on the NewDoobuy website (or by individual notification). However, a separate personal information handling policy is operated for Doosan websites other than this website.

Doosan Corporation (hereinafter “the company”) highly respects the personal information of its customers and users of its website (newdoobuy.doosan.com) (hereinafter “data or information subjects”) and always does its best to protect their personal information. It thus follows the related statutes, including the Personal Information Protection Act and the Act on Promotion of ICT Network Service and Protection of Information (hereinafter “the ICT Network Act”).

01. Scope of personal information collected

1. 1. The company collects personal information of the data subjects by lawful and fair means.
2. 2. The personal information collected by the company is limited to the minimum required to provide its service. It does not collect the unique identification information of the data subjects and sensitive personal information that may infringe upon their basic human rights (race, religion, ideology, place of birth, permanent home address, political orientation, criminal records, health conditions, sex life, etc.).

02. Items of personal information collected and collection means

The items of personal information of the data subjects collected by the company are as follows, and three of the items below may automatically be generated and collected in the process of using its website:

1. 1. Conclusion and Performance of Contracts
   • - ID, Password, Company name (English), Company representative's name (English), Business office address, company phone number, company e-mail address, Name of a person in charge of purchase and his contact point, Duns Number, Name of the bank you do business with, Business license number (For Korean members only), Type of business as stated on business license (For Korean members only), Business items as stated on business license (For Korean members only)
2. 2. Handling of user grievances and complaints
   • - Essential items: Name, e-mail address, Location (city, province), phone number (contact info), country name, company name
3. 3. Service analysis and service level enhancement: Automatically generated and collected in the process of use of Internet-based services
   • - Record of service use, access log data, cookies, IP access data

03. Purposes of collection and use of personal information

The company collects personal information of the data subjects for the following purposes.

1. - Conclusion and Performance of Contracts
2. - Service analysis and service level enhancement: To provide better service to the users through service analysis and to enhance the service level of this site (Service analysis and service level enhancement)
3. - Handling of user grievances and complaints: To check customer complaints, contact or notify for checking facts, notify processing results, etc.

04. Period of retention and use of personal information

1. 1. Conclusion and Performance of Contracts
   • - Items to be retained: ID, Password, Company name (English), Company representative's name (English), Business office address, company phone number, company e-mail address, Name of a person in charge of purchase and his contact point, Duns Number, Name of the bank you do business with, Business license number (For Korean members only), Type of business as stated on business license (For Korean members only), Business items as stated on business license (For Korean members only)
   • - Period retained: 5 year
2. 2. Handling of user grievances and complaints
   • - Items to be retained: Name, e-mail address, location (city, province), phone number (contact info), country name, company name
   • - Period retained: 1 year
3. 3. Service analysis and service level enhancement
   • - Items to be retained: Record of service use, access log data, cookies, access IP data
   • - Period to be retained: 3 years

05. Procedure or methods for destroying personal information

1. 1. Conclusion and Performance of Contracts
   • The user’s personal information is destroyed within 5 days from the final day of the retention period when the period of use has elapsed or 5 days from the day when it is believed no longer be necessary to handle the personal information when the personal information is no longer required due to the purposes of processing of personal information having been been achieved, abolition of the relevant service, or discontinuance of the service.
2. 2. Destruction method
   • a. Printed materials, documents, etc. recording personal information Shredding or incineration
   • b. Digital or electronic files: Permanently delete using unrecoverable methods

06. Provision of Personal Information to Third Parties

The company does not provide any personal information to third parties without a justifiable cause, including the requirements under the relevant statutes and advance consent from the data subject. However, this shall not apply to the exceptional cases listed below.

1. - When separate consent has been obtained from the data subject
2. - When a specific provision is provided by the law or it is unavoidable to perform the obligations of a statute
3. - Where it is explicitly deemed necessary for the protection from impending danger to life, body, or financial profits of a data subject or a third party in cases where the data subject or their legal representative is not in a position to express intention, or where prior consent cannot be obtained due to unknown addresses, etc.

The company shall not disclose any personal information to a third party

07. Outsourced processing of personal information

The company outsources some of the functions required to provide its service to the data subjects to outside service providers while controlling and supervising the outsourced service providers by defining necessary items to ensure that they process the personal information securely based on the relevant statutes. The personal information processing outsourced by the company includes the following.

1. Data storage and service operation

Data storage and service operation

Service provider entrusted with processing	Contents of entrusted duties
Doosan Digital Innovation	Data storage and service operation for handling of customer grievances and complaints - Name, e-mail address, location (city, province), phone number (contact info), country name, company name, cloud system, server operation and management

08. Rights and duties of information subjects and their methods of exercising

1. 1. The data subjects may request the review or correction of their personal information registered on the company’s systems and withdraw their consent at any time. The company will take actions without delay upon the data subject’s request in writing or by phone or e-mail to the company’s department managing the personal information.
2. 2. The company does not use or provide the relevant personal information [to any third parties] until the correction is completed when the data subjects request correction of errors in their personal information.
3. 3. The legal agents of minors of less than 14 years of age have the right to review or correct their personal information or withdraw their consent to the collection or use of their personal information.
4. 4. The company treats personal information terminated or deleted based on the request by data subjects or their legal agent as provided under its “personal information handling policy”, and does not review or use the personal information for any other purposes.

09. Installation and operation of devices to automatically collect personal information, and their refusal

1. 1. The company uses cookies that save or locate the information of the data subjects. Cookies are small data used to operate a website that the server transmits to the browsers of data subjects to be stored on the hard disc of their computer.
2. 2. The data subjects may choose whether to allow the use of cookies. The data subjects may allow all cookies by setting the option on their web browser or to require their confirmation whenever cookies are saved on their computer, or they may reject the saving of all cookies. However, if data subjects refuse cookie installation, they may experience difficulties in using the service.

10. Measures to secure safety of personal information

The Company takes technical, administrative, and physical actions required to secure safety pursuant to Article 29 of the Personal Information Protection Act as follows.

1. ① Minimize the number of personal information handlers
   • The company minimizes the authorization of its personal information handlers in order to protect personal information.
2. ② Periodic training is provided to personal information handlers
   • The company periodically conducts training to enhance awareness of the protection of personal information.
3. ③ Periodic internal inspection performed
   • The company periodically conducts internal inspection to secure the safety of personal information handling.
4. ④ Development and implementation of internal management plans
   • The company develops and maintains its internal management plans for secure handling or management of personal information.
5. ⑤ Encryption of personal information
   • The personal information and password of the data subjects are encrypted before storage or management. The personal information is securely managed during transmission using separate security functions.
6. ⑥ Technical countermeasures against hacking
   • To block leakage of or damages to personal information from hacking or computer viruses, the company installs security programs and periodically updates or inspects them, installing the systems in areas where outside access is controlled and monitoring and blocking the systems both technically and physically.
7. ⑦ Restriction of access to personal information
   • The company takes necessary measures to control access to personal information by assigning, modifying, or deleting authorization to access the database system that processes personal information, and controls any unauthorized outside access using an intrusion blocking system.
8. ⑧ Storage and prevention of forging of or tampering with access records
   • The company stores and maintains records of access to its personal information processing systems and uses security functions to prevent forging, tampering, theft, or loss of the access records.
9. ⑨ Use of locking devices for document security
   • The company keeps documents and secondary storage media containing personal information in secure locations with locking devices.
10. ⑩ Control of access by unauthorized personnel
    • The company has a physically separated space for storing personal information, and operates an access control procedure developed for this purpose.

However, the company will not be held responsible for consequences attributable to any mistakes by individual users or the inherent risk of the Internet service.

11. Guidance for personal information protection managers and representatives

1. 1. The company has designated a department and personnel responsible for protection of personal information as follows in order to protect the personal information and handle complaints related to personal information.
   • a. Personal information protection manager
     • - Full name : Jeongbae Hong, Vice President
   • b. Department responsible for protection of personal information
     • - Name : Doosan Corporation Security Audit Team
     • - Phone: 02-3398-2722
     • - Fax: 02-3398-1284
     • - E-mail: dicdhee@doosan.com
2. 2. Please contact the agencies listed below for reporting or counseling on other infringements of personal information.
   • • Korea Communications Commission, Korea Internet & Security Agency (KISA) Personal Information Infringement Report Center (http://privacy.kisa.or.kr Phone number: 118)
   • • Supreme Prosecutors Office Cyber Investigation Team (www.spo.go.kr Phone number: 1301)
   • • National Police Service Cyber Security Bureau (www.cyberbureau.police.go.kr Phone number: 182)

12. Scope of application of this personal information processing policy

This personal information processing policy is applied when the company’s website (newdoobuy.doosan.com) is used. Separate personal information processing policies may be applied to services under the company’s other brands.

13. Notice of amendment to personal information processing policy

When provisions of this personal information processing policy are added, deleted, or revised, the company will publish the reasons, contents, etc. on its website before such changes are enforced.

[Addendum] 1. (Enforcement date) This personal information processing policy enters into force on July 15, 2022.