제1조 (목적)

이 약관은 『개인정보보호법』 기타 관련 법률에 의하여 감사실(이하 감사실)이 제공하는 서비스(이하 "서비스")의 이용 조건, 절차 그리고 이용자규칙에 관한 사항 등을 규정함을 목적으로 합니다.

제2조 (약관의 효력)

• 1. 이 약관은 서비스 화면에 게시하거나 기타의 방법으로 이용자에게 공지함으로써 효력을 발생합니다.
• 2. 감사실은 이 약관을 개정할 수 있으며, 개정된 내용은 제1항과 같은 방법으로 공지함으로써 효력을 발생합니다.
• 3. 본 조의 규정에 의한 변경된 약관(이하 “변경약관”)은 원칙적으로 그 효력 발생일로부터 유효합니다.
• 4. 본 조의 고지방법은, 이 약관에서 달리 규정하지 않는 한, 이 약관의 각 조항에서 규정하는 통보 또는 통지의 경우에 이를 준용합니다.

제3조 (약관 외 준칙)

이 약관에 규정되지 않은 사항이 관련법령에 규정되어 있는 경우 그 규정에 따라 적용될 수 있습니다.

제4조 (용어의 정의)

이 약관에서 사용하는 용어의 정의는 다음과 같습니다.

• 1. 이용자 : 감사실 홈페이지에 접속하여 감사실이 제공하는 서비스를 이용하는 자
• 2. 관리자 : 감사실이 제공하는 서비스의 전반적인 관리와 원활한 운영을 위하여 감사실이 선정한 자
• 3. 개인정보 : 생존하는 개인에 관한 정보로서 성명 등에 의하여 특정한 개인을 알아 볼 수 있는 정보

제5조 (서비스의 제공 및 변경)

• 1. 감사실은 이용자에게 아래와 같은 서비스를 제공합니다.
• ① 사업정보 제공서비스
• ② 사업정보 통합검색서비스
• ③ 기타 감사실이 정하는 서비스
• 2. 감사실은 변경될 서비스의 내용 및 제공일자를 제2조에서 정한 방법으로 이용자에게 통지하고, 제1항의 서비스를 변경하여 제공할 수 있습니다.

제6조 (이용자에 대한 통지)

• 1. 감사실이 특정 이용자에 대한 통지를 하는 경우 이용자가 신청 시 기재한 메일주소, 연락처를 이용할 수 있습니다.
• 2. 감사실이 불특정다수 이용자에 대한 통지를 하는 경우 감사실 홈페이지에 사전 게시함으로써 개별 통지에 갈음할 수 있습니다.
• 3. 이용자가 개별 통지를 받을 수 있는 연락처 등을 잘못 기재함으로써 발생한 문제에 대하여 감사실은 책임이 없습니다.

제7조 (이용자의 개인정보보호)

감사실은 관련 법률 및 감사실이 정하는 개인정보처리방침에 정한 바에 따라 이용자의 개인정보를 보호하기 위하여 노력합니다.

제8조 (감사실의 의무)

• 1. 감사실은 서비스 제공과 관련하여 취득한 이용자의 개인정보를 본인의 사전 승낙 없이 타인에게 공개 또는 배포할 수 없습니다. 다만, 다음 각호의 1에 해당하는 경우는 예외입니다.
• ① 전기통신기본법 등 법률의 규정에 의해 국가기관의 요구가 있는 경우
• ② 범죄에 대한 수사상의 목적이 있거나 정보통신윤리위원회의 요청이 있는 경우
• ③ 기타 관계법령에서 정한 절차에 따른 요청이 있는 경우
• 2. 제1항의 범위 내에서, 감사실은 업무와 관련하여 이용자 전체 또는 일부의 개인 정보에 관한 통계 자료를 작성하여 이를 사용할 수 있고, 서비스를 통하여 이용자의 컴퓨터 쿠키를 전송할 수 있습니다. 이 경우 이용자는 쿠키의 수신을 거부하거나 쿠키의 수신에 대하여 경고하도록 사용하는 컴퓨터의 브라우저의 설정을 변경할 수 있습니다.

제9조 (서비스 전반에 관한 이용자의 의무)

• 1. 이용자는 서비스 이용 시 다음 각 호의 행위를 하지 않아야 합니다.
• ① 다른 이용자의 개인정보를 부정하게 사용하는 행위
• ② 서비스에서 얻은 정보를 감사실의 사전승낙 없이 이용자의 이용 외의 목적으로 복제하거나 이를 변경, 출판 및 방송 등에 사용하거나 타인에게 제공하는 행위
• ③ 회사의 저작권, 타인의 저작권 등 기타 권리를 침해하는 행위
• ④ 회사의 정책, 공공질서 및 미풍양속에 위반되는 내용의 정보, 문장, 도형 등을 게시, 공개하거나 타인에게 유포하는 행위
• ⑤ 범죄와 결부된다고 객관적으로 판단되는 행위
• ⑥ 타인의 명예를 훼손하거나 불이익을 주는 행위
• ⑦ 기타 관계법률 및 이 약관을 위배하는 행위
• 2. 이용자는 관계법령, 이 약관에서 규정하는 사항, 서비스 이용안내 및 주의사항 등 감사실이 공지하는 사항을 준수하여야 합니다.
• 3. 이용자는 감사실의 사전승낙 없이는 서비스를 이용하여 영업활동을 할 수 없으며, 그 영업활동으로 인하여 발생된 결과에 대하여 감사실은 어떠한 책임도 지지 않습니다.

제 10 조 (이용자의 게시물)

감사실은 이용자가 본 서비스를 통하여 게시, 게재, 전자메일 또는 달리 전송한 내용물에 대하여 책임을 지지 않으며, 다음 각호의 1에 해당한다고 판단되는 경우에 사전 통지 없이 삭제할 수 있습니다.

• 1. 다른 이용자나 타인을 비방하거나, 프라이버시를 침해하거나, 중상모략으로 명예를 손상시키는 내용인 경우
• 2. 서비스의 안정적인 운영에 지장을 주거나 줄 우려가 있는 경우
• 3. 범죄적 행위에 관련된다고 인정되는 내용일 경우
• 4. 감사실의 지적재산권, 타인의 지적재산권 등 기타 권리를 침해하는 내용인 경우
• 5. 감사실에서 규정한 게시기간을 초과한 경우
• 6. 기타 관계법령에 위반된다고 판단되는 경우

제 11 조 (게시물에 대한 권리 및 책임)

• 1. 감사실이 작성한 저작물에 대한 저작권 기타 지적재산권은 감사실에 귀속합니다.
• 2. 이용자는 감사실의 서비스를 이용함으로써 얻는 정보 중 감사실에게 지적재산권이 귀속된 정보를 감사실의 사전 승낙 없이 복제, 송신, 출판, 배포, 방송 기타 방법에 의하여 영리목적으로 이용하거나 제3자에게 이용하게 하여서는 안됩니다.
• 3. 감사실은 약정에 따라 이용자에게 귀속된 저작권을 사용하는 경우 당해 이용자에게 통보합니다.
• 4. 이용자가 게시한 저작물이 감사실 또는 제3자의 권리를 침해하거나 공서양속에 반한다고 볼 합리적인 사유가 있는 경우, 감사실은 이를 임의로 삭제할 수 있고 이를 이용자에게 통보합니다.
• 5. 게시물에 대한 권리와 책임은 원칙적으로 게시자에게 있습니다. 다만, 서비스를 통하여 제출된 이용자의 아이디어, 원고, 사진 등에 대한 저작권, 초상권은 감사실에 귀속됩니다.

제12조 (서비스 이용시간)

• 1. 서비스는 감사실의 업무상 또는 기술상의 장애, 기타 특별한 사유가 없는 한 연중무휴, 1일 24시간 이용할 수 있습니다. 다만, 설비의 점검 등 감사실이 필요한 경우 또는 설비의 장애, 서비스 이용의 폭주 등 불가항력으로 인하여 서비스 이용에 지장이 있는 경우 예외적으로 서비스 이용의 전부 또는 일부에 대하여 제한할 수 있습니다.
• 2. 감사실은 서비스를 일정범위로 분할하여 각 범위 별로 이용가능시간을 별도로 정할 수 있습니다.

제13조 (이용제한)

감사실은 이용자가 다음 각호의 1에 해당하는 행위를 하였을 경우 사전통지 없이 서비스 이용을 중지시킬 수 있습니다.

• 1. 타인의 개인정보를 도용한 경우
• 2. 서비스 운영을 고의로 방해한 경우
• 3. 공공질서 및 미풍양속에 저해되는 내용을 고의적으로 유포시킨 경우
• 4. 공익을 저해할 목적이나 악의적 의도로 서비스를 이용하는 경우
• 5. 타인의 명예를 손상시키거나 불이익을 주는 행위를 한 경우
• 6. 기타 이 약관 등 감사실이 정한 이용조건이나 관계법률에 위반한 경우

제14조 (면책조항)

• 1. 감사실이 홈페이지를 통하여 제공하는 건강 관련 상담 내용은 정확한 의료 진단이 아니므로 이에 대한 법적인 책임을 지지 않습니다.
• 2. 감사실은 국가비상사태, 정전, 서비스 설비의 장애, 또는 서비스 이용의 폭주, 기타사유 등으로 정상적인 서비스를 제공할 수 없는 경우 서비스 제공에 관한 책임이 면제됩니다.
• 3. 감사실은 이용자가 감사실 홈페이지 등에 게재한 정보, 자료 등의 신뢰도, 정확성에 대하여 책임을 지지 않습니다.
• 4. 감사실은 서비스에서 제공하는 자료를 이용자가 확인하지 않고 이용하여 입은 손해에 대하여는 책임을 지지 않습니다.

제15조 (관할 법원)

서비스 이용과 관련하여 발생한 분쟁에 대해 소송이 제기될 경우 원고 소재지의 법원을 관할법원으로 합니다.

[부칙] 이 약관은 2012년 1월 04일부터 시행합니다.

AMOREPACIFIC Co. Ltd. (hereafter "Company") considers the private information of the user using Service provided by Company very important. Therefore, Company makes its best efforts to protect the user's private information.

Company complies with 『Private Information Protection Law』, 『Law regarding Information Network Use Promotion and Information Protection and etc. 』 and all regulations relevant to the private information protection. Company establishes its own private information handling policy additionally and follows the policy to provide better protection of the private information of users. Also, Company opens the private information handling policy to public all the time in the front page of Company's website as a part of its measure for users' convenience in reading the policy.

Company's Private Information Policy is subjected to change according to any revision of relevant law or notification or any change of the internal operation policy. In case of any revision of Company's Private Information Policy, the revised items is announced though the website.

Company's Private Information Policy contains the following items.

• Article 1 The Collected Item of Private Information and the Purpose of Collection and Use
• Article 2 The Provision of Private Information
• Article 3 The Handling Consignment of Private Information
• Article 4 The Holding, the Use Period, the Deistruction, the Destruction Procedure and Method of Private Information
• Article 5 The Protection Work for Private Information and the Problem Handling Department
• Article 6 The Private Information Collection with Automatic Private Information Collection Device
• Article 7 The Reading, the Correction and others of the Private Information
• Article 8 The Cancellation of Consent regarding Collection, Use and Provision of Private Information
• Article 9 Administrative, Technical and Physical Measures for the Private Information Protection
• Article 10 The Right of User and Its Exercise Method
• Article 11 The Announcement Obligation for Protection Policy Change

Article 1 (The Collected Item of Private Information and the Purpose of Collection and Use)

• ① Company collects the minimum private information required to provide service if a user uses reporting service. However, to provide customized services with higher quality, the user is requested to enter additional private information on his/her choice.
• ② Company does not collect any sensitive private information concerning any violation of human right including the ideology, the belief, the participation in labor union or political party, the political opinion, the health, the sexual life, the past disease history, the religion, the place of birth and the criminal record without out the user's explicit and additional agreement.
• ③ The main purposes for the collection and the use of private information items when collected by Company are as under:

1. Internal Audit (ethics.amorepacific.com)

④ The user may deny to agree regarding the collection and the use of private information. And in case of denial, the user may be restricted for use of the service provided by a third party.

Article 2 (The Provision of Private Information)

• ① Company shall not use any user's private information or provide the information to a third party beyond limit specified in Article 2 except if Company has the relevant user's consent or if the case is acceptable according to regulations of the relevant law.
• ② However, in case of one of followings, the provision is allowed without additional agreements of users.
•   1. If necessary for the fee balance following a service provision.
•   2. If the information is processed into a form hiding any specific individual and provided to a research organization, a survey or research institution and others for a statistics work, an academic research or a market research.
•   3. In case of any special regulation established in the private information law, the law regarding the information network use promotion and the information protection, the communication secret protection law, The basic tax law, the law regarding the real name financial transaction and secret guarantee, the law regarding the use and the protection of credit information, the telecommunications law, the telecommunication business law, the local tax law, the consumer protection law and the criminal procedure law.
• ③ Company shall inform and request the agreement from the user in case of providing the private information to any third party in overseas.

Article 3 (The Handling Consignment of Private Information)

• ① Company may consign the management of private information to an external professional company to improve the service or the smooth computer process.
• ② When Company consigns the process of private information, Company shall manage and supervise to protect users' private information for the service provider's strict adherence of guides related to private information protection, confidentiality of private information, prohibition of private information provision to any third party without users' agreements through the consignment contract.
• ③ The consignee of the private information handling and its responsibility are as under:

2. Internal Audit

Article 4 (The Holding, the Use Period, the Destruction, the Destruction Procedure and Method of Private Information)

• ① Company holds and uses a user's private information while the user uses service provided by the company for the purpose to provide the service. The private information registered in the computer is not allowed to print out as a document to anyone except employees and staffs responsible for the private information management or a person authorized by the private information management personnel.
• ② Company shall take actions immediately without any delay in case of requests made by a user to delete his/her private information or to cancel his/her membership. The deleted information should be completely deleted from the disk according to a method preventing any recovery or replay in the state impossible for the future reading or use.
• ③ Company shall delete the information following Company's internal destruction process upon the occurrence of a reason for destruction of the collection purpose or the provision purpose of private information as stated under. In case of the information printed out, Company should destruct the user's private information immediately without any delay by shredding using a shredder.
• ④ Even in case of accomplishment of purpose for the collection or the provision, the user's private information may be held for certain period of time if it is necessary to hold according to regulations of the law regarding the consumer protection, the private information protection law, the commerce law and the basic national tax law applied to the electronic commerce.

Article 5 (The Protection Work for Private Information and the Problem Handling Department)

① To protect users' private information and handle complains related to the private information, Company assigns a department to handle the private information protection and related problems. Also, a private information manger and a private information management staff are assigned to process users' inquiries and complains regarding the private information as soon as possible.

[Private Information Manager]

Name: Lee Sang Ho Vice President

Department: AMOREPACIFIC Internal Audit

Telephone No.: 82-2-879-3274(Mon.~Fri. : 09:00~18:00 Except Holidays)

[The Department Responsible for Private Information Management]

② The user may make inquires not only to Paragraph 1's Private Information Protection Department of Company, but also to following institutions when consultation is required due to an occurrence of intrusion to own private information or its concern.

  - Private Information Violation Report Center, Korea Internet and Security Agency (privacy.kisa.or.kr/82-2-405-5118)

  - Information Protection Mart Certification Committee (www.eprivacy.or.kr/82-2-580-0533~4)

  - Online Complaint Office, Supreme Prosecutor's Office (www.spo.go.kr/minwon/82-2-3480-2000)

  - Cyber Terror Response Center, The National Policy Agency (www.ctrc.go.kr/1566-0112)

Article 6 (The Private Information Collection with Automatic Private Information Collection Device)

• ① Company may use 'cookie (Automatic Internet Access Information and other Private Information Collection Device)' that saves and frequently searches information regarding users. Cookie is a small information sent to a user's browser (Netscape, Internet Explorer and etc.) by the server used to operate Company's website and often saved in the hard disk of user's computer. When a user access the website, Company's computer reads the content of cookie in the user's browser and searches the user's additional information in the user's computer so that the service can be provided without no additional input. Cookie identifies the user's computer, but not the user personally.
• ② Company may use cookie for support or renewal of the service required for the site operation including the analysis of user's access frequency and visit hour and finding of the number of the user's visit.
• ③ Company uses cookie to find a user's participation level in various events conducted by Company and the number of visits to give differentiated entrance opportunities and to use the data to provide differentiated information according to the user's interested area.
• ④ The user has the right to choose regarding the cookie installation. Therefore, the user can make a selection for cookie's all acceptance, partial acceptance or complete rejection.
•   1. How to Select Acceptance of Cookie Installation (in case of using Internet Explorer 6.0): After clicking [Tool] in the internet window's task bar, select [Internet Option] then select [Private Information Tap], make a selection for cookie acceptance in {Private Information Protection Level}.
•   2. How to Read the Received Cookie (in case of using Internet Explorer 6.0 After clicking [Tool] in the internet window's task bar, select [Internet Option], the select [Configure] of the temporary internet file in the general tap (basic tap), then select [View File].

Article 7 (The Reading, the Correction and others of the Private Information)

• ① A user may sign-in Company's website and clicking [Reservation Check and Revision] for reading or correcting directly or request to the consignee for the private information handling or to Company's private information protection department via a phone call, in writing or through an E-mail to request to read, correct, delete or stop processing anytime. In any of such case, Company will take an action regarding the user's request without any delay.
• ② If a user requests the correction on an error in the private information, Company does not use or provide the relevant private information until the completion of the correction. Also, in case of the wrong private information is already processed, Company will take an action to reflect the corrected outcome without any delay.
• ③ In case of any of the following situation, the reading, the correction and others of the Private Information can be restricted.
•   1. In case of any concern to damage a third party's right or benefit significantly.
•   2. In case of any concern to cause severe interference to the relevant service provider's performance.
•   3. In case of any legal violation.

Article 8 (The Cancellation of Consent regarding Collection, Use and Provision of Private Information)

• ① A user may cancel his/her agreement on the collection and the provision of private information at any time. The cancellation can be performed by requesting to the consignee of private information handling or to the private information management department in writing, phone call or E-mail. Regarding the user's request, Company will conduct necessary measures such as the user's reservation cancellation process or destruction of the private information without any delay.
• ② Company shall make efforts to take necessary actions to make the agreement cancellation on the private information collection that the method to collect the private information.

Article 9 (Administrative, Technical and Physical Measures for the Private Information Protection)

• ① Company shall establish and conduct the internal management plan for safe process of the private information and perform trainings.
• ② Company is seeking for technical measure to secure the safety to prevent loss, theft, leak, alternation or damage on the private while handling users' private information.
• ③ Users' private information is managed by utilizing the internal network impossible for any access or intrusion from an external network. And, by encrypting files and transmission data or using the file lock feature, important data is thoroughly protected through additional security features.
• ④ To confront hackings and other external intrusion, Company makes its best efforts in its corporate network security using firewalls and intrusion detection system for each server and is reinforcing the security by installing access control systems.
• ⑤ Any invasion to the private information is prevented by installing vaccine programs for all time check and process of the intrusion of malware such as computer viruses and spywares to the information system used to process the private information by the private information process system and the private information handling personnel.
• ⑥ Company restrict the access right to users' private information to the minimum personnel. To secure the safety of the private information, the internal procedure required for access and management on the private information is prepared while the entrance control and lock devices are installed. The department employees are guided to understand and follow the international procedure.
• ⑦ The handover of the responsibility of the personnel related to the private information is strictly conducted in the state with the security is maintained. The responsibility in any private information accident occurred after entrance or resignation from Company is clearly defined.
• ⑧ The user shall maintain the accurate information through own confirmation and management regarding own private information. In case of using other person's private information without any authority or disturbing other person's right during a process of using the internet site, the user may be subjected to not only Company's sanction, but civil or criminal responsibility.
• ⑨ Company shall be completely free from any responsibility on any problem caused by private information leakage due to the user's carelessness or an internet problem. Therefore, each individual user should manage own private information properly to protect own private information and be responsible for such matter. However, in case of loss, leak, alternation or damage of the user's information because of Company's internal manager's mistake or a technical management accident, Company shall inform the fact immediately to the user and seek for proper measures and compensation.

Article 10 (The Right of User and Its Exercise Method)

• ① A user may exercise the right related to the read, the correction and the revision of the private information provided to Company and the cancellation of membership by him/herself or the legal representative.
• ② A user may exercise the right regarding private information by contacting Company using the internet, the telephone and/or a written format. And Company takes proper actions for the contact.

Article 11 (The Announcement Obligation for Protection Policy Change)

This policy's content may change according to any change in the law & policy and Company's internal operation policy or the security technology. In case of a change, Company will announce the cause and content of change on the front page of Company's website at least seven days (if the change is disadvantageous users, 30 days) prior to the changed policy enforcement.

<Addendum>January 2, 2014

Article 1 (Effective Date) This policy is implemented from January 2, 2014

<Addendum>March 25, 2014

Article 1 (Effective Date) This policy is implemented from April 2, 2014

AMOREPACIFIC Co. Ltd. (hereafter "Company") considers the private information of the user using Service provided by Company very important. Therefore, Company makes its best efforts to protect the user's private information.

Company complies with 『Private Information Protection Law』, 『Law regarding Information Network Use Promotion and Information Protection and etc. 』 and all regulations relevant to the private information protection. Company establishes its own private information handling policy additionally and follows the policy to provide better protection of the private information of users. Also, Company opens the private information handling policy to public all the time in the front page of Company's website as a part of its measure for users' convenience in reading the policy.

Company's Private Information Policy is subjected to change according to any revision of relevant law or notification or any change of the internal operation policy. In case of any revision of Company's Private Information Policy, the revised items is announced though the website.

Company's Private Information Policy contains the following items.

• Article 1 The Collected Item of Private Information and the Purpose of Collection and Use
• Article 2 The Provision of Private Information
• Article 3 The Handling Consignment of Private Information
• Article 4 The Holding, the Use Period, the Deistruction, the Destruction Procedure and Method of Private Information
• Article 5 The Protection Work for Private Information and the Problem Handling Department
• Article 6 The Private Information Collection with Automatic Private Information Collection Device
• Article 7 The Reading, the Correction and others of the Private Information
• Article 8 The Cancellation of Consent regarding Collection, Use and Provision of Private Information
• Article 9 Administrative, Technical and Physical Measures for the Private Information Protection
• Article 10 The Right of User and Its Exercise Method
• Article 11 The Announcement Obligation for Protection Policy Change

Article 1 (The Collected Item of Private Information and the Purpose of Collection and Use)

• ① Company collects the minimum private information required to provide service if a user uses reporting service. However, to provide customized services with higher quality, the user is requested to enter additional private information on his/her choice.
• ② Company does not collect any sensitive private information concerning any violation of human right including the ideology, the belief, the participation in labor union or political party, the political opinion, the health, the sexual life, the past disease history, the religion, the place of birth and the criminal record without out the user's explicit and additional agreement.
• ③ The main purposes for the collection and the use of private information items when collected by Company are as under:

1. Internal Audit (ethics.amorepacific.com)

④ The user may deny to agree regarding the collection and the use of private information. And in case of denial, the user may be restricted for use of the service provided by a third party.

Article 2 (The Provision of Private Information)

• ① Company shall not use any user's private information or provide the information to a third party beyond limit specified in Article 2 except if Company has the relevant user's consent or if the case is acceptable according to regulations of the relevant law.
• ② However, in case of one of followings, the provision is allowed without additional agreements of users.
•   1. If necessary for the fee balance following a service provision.
•   2. If the information is processed into a form hiding any specific individual and provided to a research organization, a survey or research institution and others for a statistics work, an academic research or a market research.
•   3. In case of any special regulation established in the private information law, the law regarding the information network use promotion and the information protection, the communication secret protection law, The basic tax law, the law regarding the real name financial transaction and secret guarantee, the law regarding the use and the protection of credit information, the telecommunications law, the telecommunication business law, the local tax law, the consumer protection law and the criminal procedure law.
• ③ Company shall inform and request the agreement from the user in case of providing the private information to any third party in overseas.

Article 3 (The Handling Consignment of Private Information)

• ① Company may consign the management of private information to an external professional company to improve the service or the smooth computer process.
• ② When Company consigns the process of private information, Company shall manage and supervise to protect users' private information for the service provider's strict adherence of guides related to private information protection, confidentiality of private information, prohibition of private information provision to any third party without users' agreements through the consignment contract.
• ③ The consignee of the private information handling and its responsibility are as under:

2. Internal Audit

Article 4 (The Holding, the Use Period, the Destruction, the Destruction Procedure and Method of Private Information)

• ① Company holds and uses a user's private information while the user uses service provided by the company for the purpose to provide the service. The private information registered in the computer is not allowed to print out as a document to anyone except employees and staffs responsible for the private information management or a person authorized by the private information management personnel.
• ② Company shall take actions immediately without any delay in case of requests made by a user to delete his/her private information or to cancel his/her membership. The deleted information should be completely deleted from the disk according to a method preventing any recovery or replay in the state impossible for the future reading or use.
• ③ Company shall delete the information following Company's internal destruction process upon the occurrence of a reason for destruction of the collection purpose or the provision purpose of private information as stated under. In case of the information printed out, Company should destruct the user's private information immediately without any delay by shredding using a shredder.
• ④ Even in case of accomplishment of purpose for the collection or the provision, the user's private information may be held for certain period of time if it is necessary to hold according to regulations of the law regarding the consumer protection, the private information protection law, the commerce law and the basic national tax law applied to the electronic commerce.

Article 5 (The Protection Work for Private Information and the Problem Handling Department)

① To protect users' private information and handle complains related to the private information, Company assigns a department to handle the private information protection and related problems. Also, a private information manger and a private information management staff are assigned to process users' inquiries and complains regarding the private information as soon as possible.

[Private Information Manager]

Name: Lee Sang Ho Vice President

Department: AMOREPACIFIC Internal Audit

Telephone No.: 82-2-879-3274(Mon.~Fri. : 09:00~18:00 Except Holidays)

[The Department Responsible for Private Information Management]

② The user may make inquires not only to Paragraph 1's Private Information Protection Department of Company, but also to following institutions when consultation is required due to an occurrence of intrusion to own private information or its concern.

  - Private Information Violation Report Center, Korea Internet and Security Agency (privacy.kisa.or.kr/82-2-405-5118)

  - Information Protection Mart Certification Committee (www.eprivacy.or.kr/82-2-580-0533~4)

  - Online Complaint Office, Supreme Prosecutor's Office (www.spo.go.kr/minwon/82-2-3480-2000)

  - Cyber Terror Response Center, The National Policy Agency (www.ctrc.go.kr/1566-0112)

Article 6 (The Private Information Collection with Automatic Private Information Collection Device)

• ① Company may use 'cookie (Automatic Internet Access Information and other Private Information Collection Device)' that saves and frequently searches information regarding users. Cookie is a small information sent to a user's browser (Netscape, Internet Explorer and etc.) by the server used to operate Company's website and often saved in the hard disk of user's computer. When a user access the website, Company's computer reads the content of cookie in the user's browser and searches the user's additional information in the user's computer so that the service can be provided without no additional input. Cookie identifies the user's computer, but not the user personally.
• ② Company may use cookie for support or renewal of the service required for the site operation including the analysis of user's access frequency and visit hour and finding of the number of the user's visit.
• ③ Company uses cookie to find a user's participation level in various events conducted by Company and the number of visits to give differentiated entrance opportunities and to use the data to provide differentiated information according to the user's interested area.
• ④ The user has the right to choose regarding the cookie installation. Therefore, the user can make a selection for cookie's all acceptance, partial acceptance or complete rejection.
•   1. How to Select Acceptance of Cookie Installation (in case of using Internet Explorer 6.0): After clicking [Tool] in the internet window's task bar, select [Internet Option] then select [Private Information Tap], make a selection for cookie acceptance in {Private Information Protection Level}.
•   2. How to Read the Received Cookie (in case of using Internet Explorer 6.0 After clicking [Tool] in the internet window's task bar, select [Internet Option], the select [Configure] of the temporary internet file in the general tap (basic tap), then select [View File].

Article 7 (The Reading, the Correction and others of the Private Information)

• ① A user may sign-in Company's website and clicking [Reservation Check and Revision] for reading or correcting directly or request to the consignee for the private information handling or to Company's private information protection department via a phone call, in writing or through an E-mail to request to read, correct, delete or stop processing anytime. In any of such case, Company will take an action regarding the user's request without any delay.
• ② If a user requests the correction on an error in the private information, Company does not use or provide the relevant private information until the completion of the correction. Also, in case of the wrong private information is already processed, Company will take an action to reflect the corrected outcome without any delay.
• ③ In case of any of the following situation, the reading, the correction and others of the Private Information can be restricted.
•   1. In case of any concern to damage a third party's right or benefit significantly.
•   2. In case of any concern to cause severe interference to the relevant service provider's performance.
•   3. In case of any legal violation.

Article 8 (The Cancellation of Consent regarding Collection, Use and Provision of Private Information)

• ① A user may cancel his/her agreement on the collection and the provision of private information at any time. The cancellation can be performed by requesting to the consignee of private information handling or to the private information management department in writing, phone call or E-mail. Regarding the user's request, Company will conduct necessary measures such as the user's reservation cancellation process or destruction of the private information without any delay.
• ② Company shall make efforts to take necessary actions to make the agreement cancellation on the private information collection that the method to collect the private information.

Article 9 (Administrative, Technical and Physical Measures for the Private Information Protection)

• ① Company shall establish and conduct the internal management plan for safe process of the private information and perform trainings.
• ② Company is seeking for technical measure to secure the safety to prevent loss, theft, leak, alternation or damage on the private while handling users' private information.
• ③ Users' private information is managed by utilizing the internal network impossible for any access or intrusion from an external network. And, by encrypting files and transmission data or using the file lock feature, important data is thoroughly protected through additional security features.
• ④ To confront hackings and other external intrusion, Company makes its best efforts in its corporate network security using firewalls and intrusion detection system for each server and is reinforcing the security by installing access control systems.
• ⑤ Any invasion to the private information is prevented by installing vaccine programs for all time check and process of the intrusion of malware such as computer viruses and spywares to the information system used to process the private information by the private information process system and the private information handling personnel.
• ⑥ Company restrict the access right to users' private information to the minimum personnel. To secure the safety of the private information, the internal procedure required for access and management on the private information is prepared while the entrance control and lock devices are installed. The department employees are guided to understand and follow the international procedure.
• ⑦ The handover of the responsibility of the personnel related to the private information is strictly conducted in the state with the security is maintained. The responsibility in any private information accident occurred after entrance or resignation from Company is clearly defined.
• ⑧ The user shall maintain the accurate information through own confirmation and management regarding own private information. In case of using other person's private information without any authority or disturbing other person's right during a process of using the internet site, the user may be subjected to not only Company's sanction, but civil or criminal responsibility.
• ⑨ Company shall be completely free from any responsibility on any problem caused by private information leakage due to the user's carelessness or an internet problem. Therefore, each individual user should manage own private information properly to protect own private information and be responsible for such matter. However, in case of loss, leak, alternation or damage of the user's information because of Company's internal manager's mistake or a technical management accident, Company shall inform the fact immediately to the user and seek for proper measures and compensation.

Article 10 (The Right of User and Its Exercise Method)

• ① A user may exercise the right related to the read, the correction and the revision of the private information provided to Company and the cancellation of membership by him/herself or the legal representative.
• ② A user may exercise the right regarding private information by contacting Company using the internet, the telephone and/or a written format. And Company takes proper actions for the contact.

Article 11 (The Announcement Obligation for Protection Policy Change)

This policy's content may change according to any change in the law & policy and Company's internal operation policy or the security technology. In case of a change, Company will announce the cause and content of change on the front page of Company's website at least seven days (if the change is disadvantageous users, 30 days) prior to the changed policy enforcement.

<Addendum>January 2, 2014

Article 1 (Effective Date) This policy is implemented from January 2, 2014

<Addendum>March 25, 2014

Article 1 (Effective Date) This policy is implemented from April 2, 2014

Amorepacific Corporation (hereinafter “the Company”) establishes and discloses the following privacy policies to protect personal information pursuant to Article 30 of the Personal Information Protection Act and handle related grievances promptly and smoothly.

• Article 1 - Purpose of Processing Personal Information
• Article 2 - Processing and Retention Period of Personal Information
• Article 3 - Providing Personal Information to Third Parties
• Article 4 - Entrusting Personal Information Processing
• Article 5 - Rights, Duties, and Exercise Methods of the Information Subject and Legal Representatives
• Article 6 - Items of Personal Information to Process
• Article 7 - Destroying Personal Information
• Article 8 - Measures to Secure the Safety of Personal Information
• Article 9 - Matters Concerning the Installation, Operation, and Refusal of Automatic Personal Information Collection Devices
• Article 10 - Matters Concerning Personal Information Security Officer
• Article 11 - Changing the Privacy Policy

Article 1 - Purpose of Processing Personal Information

The company is doing its best to protect personal information as well as the rights and interests of the information subject, and collects and uses personal information based on the relevant statutes or the consent of information subject for business processes.

Article 2 - Processing and Retention Period of Personal Information

The company processes and retains personal information within the period of possession and use of personal information under the relevant statutes or agreed by information subjects.

Article 3 - Providing Personal Information to Third Parties

The company shall provide the information to a third party only if the information subject agrees or if the Personal Information Protection Act permits, such as for the provisions of the law. Otherwise, the company cannot use or provide the customer’s personal information to third parties beyond the notified scope.

Article 4 - Entrusting Personal Information Processing

The company entrusts the processing of personal information to a specialized institution for smooth personal information processing, wherein the company clearly stipulates compliance with the relevant laws, the prohibition of providing personal information to third parties, as well as liability, and strives to protect personal information by signing and securing the details of the contract.

Article 5 - Rights, Duties, and Exercise Methods of the Information Subject and Legal Representatives

The information subject may exercise his/her right to view, correct, delete, or stop the processing of personal information from the company at any time by himself/herself, his/her legal representative, or a delegated person. Then, the company will take immediate action against the request for rights, except as otherwise provided for by law.

The information subject and a legal representative may exercise their rights by contacting the company using the Internet, telephone, or written documents in relation to personal information, and the company shall take the necessary measures without delay.

Article 6 - Items of Personal Information to Process

The company processes personally identifiable information, address, contact, etc. with the consent of the information subject or under the law for Amorepacific Group’s business, such as providing services to customers and managing its executive personnel and employees.

Article 7 - Destroying Personal Information

When personal information becomes unnecessary, such as the expiration of the period of personal information retention or the achievement of processing purposes, the company shall destroy such personal information without delay so that it cannot be reproduced or restored. If the law requires preservation, the information should be moved to a separate DB to minimize access.

Article 8 - Measures to Secure the Safety of Personal Information

To ensure the safety of personal information, the company implements the following measures and manages it strictly.

• ① Administrative measures: Establishment and implementation of internal management plans, regular training of employees, etc.
• ② Technical measures: Management of access authority of the personal information processing system, installation of the access control system, encryption of unique identification information, periodic inspection of access records, installation of security programs, etc.
• ③ Physical measures: Access control of computer rooms, archives, etc.

Article 9 - Matters Concerning the Installation, Operation, and Refusal of Automatic Personal Information Collection Devices

The company uses “Cookie,” which stores information and frequently calls to provide users with personalized service and convenience. Moreover, the user can set/stop of cookies on the web browser.

Article 10 - Matters Concerning Personal Information Security Officer

The company is in charge of handling personal information and appoints a person in charge of personal information protection as follows to handle complaints and damage relief related to personal information processing as well as respond to and handle inquiries from the information subject without delay.

* Personal Information Security Officer: Information Technology Div. Cho Young-gil

Article 11 - Changing the Privacy Policy

When the company changes its privacy policy, it continuously discloses the timing of the change and the changed contents and compares the changes before and after so that the information subject can easily check them.

<Addendum>

• 2020.07.10 (Enforcement Date) This policy will take effect on 10 July 2020.

Amorepacific Corporation (hereinafter “the Company”) establishes and discloses the following privacy policies to protect personal information pursuant to Article 30 of the Personal Information Protection Act and handle related grievances promptly and smoothly.

• Article 1 - Purpose of Processing Personal Information
• Article 2 - Processing and Retention Period of Personal Information
• Article 3 - Providing Personal Information to Third Parties
• Article 4 - Entrusting Personal Information Processing
• Article 5 - Rights, Duties, and Exercise Methods of the Information Subject and Legal Representatives
• Article 6 - Items of Personal Information to Process
• Article 7 - Destroying Personal Information
• Article 8 - Measures to Secure the Safety of Personal Information
• Article 9 - Matters Concerning the Installation, Operation, and Refusal of Automatic Personal Information Collection Devices
• Article 10 - Matters Concerning Personal Information Security Officer
• Article 11 - Changing the Privacy Policy

Article 1 - Purpose of Processing Personal Information

The company is doing its best to protect personal information as well as the rights and interests of the information subject, and collects and uses personal information based on the relevant statutes or the consent of information subject for business processes.

Article 2 - Processing and Retention Period of Personal Information

The company processes and retains personal information within the period of possession and use of personal information under the relevant statutes or agreed by information subjects.

Article 3 - Providing Personal Information to Third Parties

The company shall provide the information to a third party only if the information subject agrees or if the Personal Information Protection Act permits, such as for the provisions of the law. Otherwise, the company cannot use or provide the customer’s personal information to third parties beyond the notified scope.

Article 4 - Entrusting Personal Information Processing

The company entrusts the processing of personal information to a specialized institution for smooth personal information processing, wherein the company clearly stipulates compliance with the relevant laws, the prohibition of providing personal information to third parties, as well as liability, and strives to protect personal information by signing and securing the details of the contract.

Article 5 - Rights, Duties, and Exercise Methods of the Information Subject and Legal Representatives

The information subject may exercise his/her right to view, correct, delete, or stop the processing of personal information from the company at any time by himself/herself, his/her legal representative, or a delegated person. Then, the company will take immediate action against the request for rights, except as otherwise provided for by law.

The information subject and a legal representative may exercise their rights by contacting the company using the Internet, telephone, or written documents in relation to personal information, and the company shall take the necessary measures without delay.

Article 6 - Items of Personal Information to Process

The company processes personally identifiable information, address, contact, etc. with the consent of the information subject or under the law for Amorepacific Group’s business, such as providing services to customers and managing its executive personnel and employees.

Article 7 - Destroying Personal Information

When personal information becomes unnecessary, such as the expiration of the period of personal information retention or the achievement of processing purposes, the company shall destroy such personal information without delay so that it cannot be reproduced or restored. If the law requires preservation, the information should be moved to a separate DB to minimize access.

Article 8 - Measures to Secure the Safety of Personal Information

To ensure the safety of personal information, the company implements the following measures and manages it strictly.

• ① Administrative measures: Establishment and implementation of internal management plans, regular training of employees, etc.
• ② Technical measures: Management of access authority of the personal information processing system, installation of the access control system, encryption of unique identification information, periodic inspection of access records, installation of security programs, etc.
• ③ Physical measures: Access control of computer rooms, archives, etc.

Article 9 - Matters Concerning the Installation, Operation, and Refusal of Automatic Personal Information Collection Devices

The company uses “Cookie,” which stores information and frequently calls to provide users with personalized service and convenience. Moreover, the user can set/stop of cookies on the web browser.

Article 10 - Matters Concerning Personal Information Security Officer

The company is in charge of handling personal information and appoints a person in charge of personal information protection as follows to handle complaints and damage relief related to personal information processing as well as respond to and handle inquiries from the information subject without delay.

* Personal Information Security Officer: Information Technology Div. Cho Young-gil

Article 11 - Changing the Privacy Policy

When the company changes its privacy policy, it continuously discloses the timing of the change and the changed contents and compares the changes before and after so that the information subject can easily check them.

<Addendum>

• 2020.07.10 (Enforcement Date) This policy will take effect on 10 July 2020.

Amorepacific Corporation (hereinafter “Company”) values the personal information of data subjects (hereinafter “Users”) who use the services provided by the Company and is making every effort to protect it.

The Company complies with all personal information protection laws and regulations, including the “Personal Information Protection Act” and the “Act on Promotion of Information and Communications Network Utilization and Information Protection.” It has separately established and adheres to its own Personal Information Handling Policy to further protect users’ personal information. Additionally, the Company always discloses its Personal Information Handling Policy on the main page of the Company’s website to ensure that users can easily access it at any time.

The Company’s Personal Information Handling Policy may be modified according to changes in relevant laws and notices or internal operational policies. The website will announce changes if the Company’s Personal Information Handling Policy is revised.

The Company’s personal information protection policy includes the following contents:

• Article 1 Personal Information Collection Items and Purpose of Collection and Use
• Article 2 Provision of Personal Information
• Article 3 Outsourcing of Personal Information Handling
• Article 4 Retention and Use Period, Disposal Procedures of Personal Information
• Article 5 Department Responsible for Personal Information Protection and Related Grievance Handling
• Article 6 Collection of Personal Information by Automatic Collection Devices
• Article 7 Access to and Correction of Personal Information
• Article 8 Withdrawal of Consent to the Collection, Use and Provision of Personal Information
• Article 9 Administrative, Technical and Physical Measures for Personal Information Protection
• Article 10 Users’ Rights and How to Exercise Them
• Article 11 Obligation to Notify Changes to Protection Policy

Article 1 (Personal Information Collection Items and Purpose of Collection and Use)

• ① The Company collects the minimum personal information necessary to provide services to users. The Company, however, may collect additional personal information optionally to provide users with higher-quality customized services.
• ② Without the user’s explicit separate consent, the Company does not collect sensitive personal information such as thoughts/beliefs, labor union/political party membership/withdrawal, political views, health, sexual life, past medical history, religion, place of origin, criminal records, etc., which may infringe upon fundamental human rights.
• ③ The items of personal information collected concerning the services provided by the Company and the primary purposes of collection and use are as follows:

④ IP addresses, cookies, visit time, service usage records, and records of inappropriate use may be automatically generated and collected during online service use or business processing.

⑤ When using online services (including mobile), information about the device (device model, operating system, browser, MAC ADDRESS, etc.) may be collected for user verification and service provision and to prevent fraudulent use. Additionally, mobile carrier information may be collected and used to provide PUSH services (only with customer consent), application version upgrades, and other services specific to mobile service characteristics.

⑥ In cases where the Company provides services other than those specified in paragraph 3, such as donation activities, prize events, or other services, the Company may collect and use personal information necessary for providing the service. In such cases, the Company will obtain separate consent from users after clearly stating all items, purposes, periods, right of refusal, and disadvantages upon refusal by relevant laws.

⑦ In addition to collecting personal information for service provision under paragraphs 3 and 4, the Company may collect personal information in the following cases. It will notify users of the processing purpose and items when collecting personal information:

* During customer consultation: Name, contact information (wired/wireless phone numbers, work/home addresses, email), age, etc., are collected to handle inquiries/complaints and notify processing results, and are retained for 3 years

⑧ Users may refuse to consent to collecting and using personal information. However, if users refuse the collection and use of personal information, there may be limitations on service use and benefit provision.

Article 2 (Provision of Personal Information)

• ① The Company will not use users’ personal information beyond the scope notified in Article 1 or provide it to third parties, except with the consent of users or as required by relevant laws.
• ② However, personal information may be provided without separate consent from users in the following cases:
•   1. When necessary for payment settlement by service provision
•   2. When necessary for statistical compilation, academic research, or market research, the information is processed in a form that cannot identify specific individuals before being provided to research organizations, survey institutions, research agencies, etc.
•   3. When there are special provisions in laws such as the Personal Information Protection Act, Act on Promotion of Information and Communications Network Utilization and Information Protection, Protection of Communications Secrets Act, Framework Act on National Taxes, Act on Real Name Financial Transactions and Confidentiality, Act on the Use and Protection of Credit Information, Framework Act on Telecommunications, Telecommunications Business Act, Local Tax Act, Consumer Protection Act, Criminal Procedure Act, etc.
• ③ When providing personal information to third parties overseas, the Company will inform users of the details and obtain their consent.

Article 3 (Outsourcing of Personal Information Handling)

• ① The Company may outsource the management of users’ personal information to external specialized companies to improve services and facilitate data processing.
• ② When outsourcing the processing of personal information, the Company manages and supervises to protect users’ personal information through outsourcing contracts, ensuring that service providers comply with personal information protection instructions, maintain the confidentiality of personal information, and prohibit the provision of personal information to third parties without user consent.
• ③ The processors who are entrusted with personal information processing and their tasks are as follows:

• ④ The sub-processors who are entrusted with personal information processing and their tasks are as follows:

Article 4 (Retention and Use Period, Disposal Procedures of Personal Information)

• ① The Company retains and uses users’ personal information for purposes such as service provision while using the services provided by the Company. The personal information of users registered in the system cannot be printed as documents unless by the personal information protection officer, the person in charge, or those who have obtained their approval.
• ② When a user requests deletion of their personal information or membership withdrawal, the Company takes action without delay, and the deleted information is completely removed from the disk using methods that make it impossible to recover or reproduce the records, ensuring it cannot be viewed or used afterward.
• ③ When the purpose of collecting or receiving personal information has been achieved, the usage period has ended, or other grounds for disposal arise, the Company deletes the information from disks according to internal disposal procedures. It promptly disposes of users’ personal information by shredding printed materials.
• ④ Even when the purpose of collection or provision has been achieved, the Company may retain users’ personal information for a certain period by relevant laws such as the Personal Information Protection Act, Commercial Act, Framework Act on National Taxes, etc., if preservation is necessary as required by these laws.

• * Website visit records: 3 months

Article 5 (Department Responsible for Personal Information Protection and Related Grievance Handling)

① The Company has designated a department responsible for personal information protection and related grievance handling to protect users’ personal information and address complaints about personal information. In addition, the Company has appointed a personal information management officer and a personal information management person in charge of promptly handling inquiries and complaints regarding users’ personal information.

② When users need consultation due to the occurrence or concern of infringement regarding their personal information, they can contact not only the Company’s personal information protection department mentioned in paragraph 1 but also the following institutions:

  - Personal Information Dispute Mediation Committee (www.kopico.go.kr / 1833-6972 without area code)

  - Personal Information Infringement Report Center (privacy.kisa.or.kr / 118 without area code)

  - Supreme Prosecutors’ Office Cyber Investigation Division (www.spo.go.kr / 1301 without area code)

  - National Police Agency Cyber Investigation Bureau (ecrm.cyber.go.kr / 182 without area code)

Article 6 (Collection of Personal Information by Automatic Collection Devices)

• ① The Company may use ‘cookies’ (Internet connection information files and other personal information automatic collection devices) to store and periodically retrieve user information. A cookie is a small amount of information sent by the server operating the Company’s website to the user’s browser (Safari, Chrome, Internet Explorer, etc.). It can be stored on the user’s computer’s hard disk. When a user accesses the website, the Company’s computer reads the contents of cookies in the user’s browser. It can provide services without additional input, such as names, by finding the user’s information on their computer. Cookies identify the user’s computer but do not identify the user personally.
• ② The Company uses cookies to analyze users’ access frequency and visit times, track the number of visits, and improve services necessary for site operation.
• ③ The Company uses cookies to determine the level of user participation and number of visits in various events conducted by the Company, to provide differentiated entry opportunities, and as data to provide differentiated information according to users’ areas of interest.
• ④ Users have the option regarding cookie installation. Therefore, users can choose to allow all cookies, allow some cookies, or reject all cookies by setting options in their web browser.
•   • Methods to specify cookie installation permission:
•   - Internet Explorer : Click [Tools] on the Internet screen taskbar, select [Internet Options] -> Click [Privacy] tab -> Click [Advanced] -> Select cookie permission settings
• - Safari:
• (MacOS) From the top left menu bar, select [Safari] -> [Preferences] -> Go to [Privacy] in the [Preferences] window and select cookie permission settings (iOS) [Settings] -> Select [Safari] from the app list -> Select cookie permission settings in [Privacy & Security]
• - Chrome:
• (PC) Select [Settings] from the menu in the upper right corner of the web browser -> Select [Privacy & Security] -> Go to [Cookies and Other Site Data] and select cookie permission settings (Mobile) Select [Settings] from the menu in the upper right corner of the web browser -> Select [Site Settings] in Advanced settings -> Go to [Cookies] and select cookie permission settings

Article 7 (Access to and Correction of Personal Information)

• ① Users may contact the Company’s personal information protection department by phone, in writing, or by email at any time to request access, correction, deletion, or suspension of processing, and the Company will take relevant measures without delay in response to users’ requests.
• ② When a user requests correction of errors in personal information, the Company will not use, provide, or otherwise process the personal information until the correction is completed. In addition, if incorrect personal information has already been processed, we will ensure that the correction results are reflected immediately.
• ③ Access to and correction of personal information may be restricted in the following cases:
•   1. When there is concern that it may significantly harm the rights and interests of a third party
•   2. When there is concern that it may significantly interfere with the business of the service provider
•   3. When it violates laws and regulations, etc.

Article 8 (Withdrawal of Consent to the Collection, Use and Provision of Personal Information)

• ① Users may withdraw their consent to collecting, using, and providing personal information at any time. Consent can be withdrawn by requesting it from the person entrusted with processing personal information or by contacting the department responsible for personal information management in writing, by phone, or by email. In response to the user’s request, the Company will take immediate measures, such as destroying the user’s personal information.
• ② The Company strives to take necessary actions to make the withdrawal more effortless than the collection of the personal information.

Article 9 (Administrative, Technical and Physical Measures for Personal Information Protection)

• ① The Company establishes and implements internal management plans to process personal information safely and conducts training.
• ② The Company implements technical measures to ensure security so that users’ personal information is not lost, stolen, leaked, altered, or damaged when handling it.
• ③ Users’ personal information is managed using an internal network that cannot be accessed or infiltrated from external networks, and essential data is thoroughly protected through separate security features by encrypting files and transmission data or using file locking features.
• ④ The Company ensures network security by using firewalls and intrusion detection systems on each server to prepare against hacking and other external intrusions. It strengthens security by installing access control systems.
• ⑤ The Company prevents personal information infringement by installing anti-virus programs that constantly check for and handle the infiltration of malicious programs such as computer viruses and spyware on personal information processing systems and information devices used by personal information handlers.
• ⑥ The Company limits access to users’ personal information to a minimum number of personnel, establishes internal procedures for accessing and managing personal information to ensure its security, implements access control and locking devices, and ensures that employees are familiar with and comply with these procedures.
• ⑦ The handover of duties between personal information handlers is carried out thoroughly while maintaining security, and accountability for personal information incidents after joining or leaving the company is clearly defined.
• ⑧ Users should maintain accurate information through verification and management of the personal information they provide to the Company. If they use others’ personal information without authorization or infringe on others’ rights, they may be subject to sanctions by the Company as well as civil and criminal liability.
• ⑨ The Company assumes no responsibility for issues arising from personal information leakage due to users’ carelessness or Internet problems. Therefore, each user must appropriately manage their personal information to protect it and bear responsibility for this. However, if the loss, leakage, alteration, or damage of users’ personal information occurs due to misconduct or negligence on the part of the Company’s internal managers, the Company will immediately inform users of the facts and devise appropriate countermeasures and compensation.

Article 10 (Users’ Rights and How to Exercise Them)

• ① Users and their legal representatives may exercise rights related to viewing, modifying, changing personal information provided to the Company as themselves or as legal representatives, and withdrawing membership.
• ② The Company collects personal information of children under the age of 14 only with the consent of legal representatives (parents, etc.) to protect children’s personal information.
• ③ Users and legal representatives can exercise their rights by contacting the Company via the Internet, telephone, written documents, etc., regarding personal information, and the Company will take necessary measures without delay.

Article 11 (Obligation to Notify Changes to Protection Policy)

This policy may be amended according to changes in laws, policies, internal operational policies of the Company, or security technologies, and in such cases, we will promptly notify the reasons and content of the changed policy on the first page of the Company’s website.

Amorepacific Corporation (hereinafter “Company”) values the personal information of data subjects (hereinafter “Users”) who use the services provided by the Company and is making every effort to protect it.

The Company complies with all personal information protection laws and regulations, including the “Personal Information Protection Act” and the “Act on Promotion of Information and Communications Network Utilization and Information Protection.” It has separately established and adheres to its own Personal Information Handling Policy to further protect users’ personal information. Additionally, the Company always discloses its Personal Information Handling Policy on the main page of the Company’s website to ensure that users can easily access it at any time.

The Company’s Personal Information Handling Policy may be modified according to changes in relevant laws and notices or internal operational policies. The website will announce changes if the Company’s Personal Information Handling Policy is revised.

The Company’s personal information protection policy includes the following contents:

• Article 1 Personal Information Collection Items and Purpose of Collection and Use
• Article 2 Provision of Personal Information
• Article 3 Outsourcing of Personal Information Handling
• Article 4 Retention and Use Period, Disposal Procedures of Personal Information
• Article 5 Department Responsible for Personal Information Protection and Related Grievance Handling
• Article 6 Collection of Personal Information by Automatic Collection Devices
• Article 7 Access to and Correction of Personal Information
• Article 8 Withdrawal of Consent to the Collection, Use and Provision of Personal Information
• Article 9 Administrative, Technical and Physical Measures for Personal Information Protection
• Article 10 Users’ Rights and How to Exercise Them
• Article 11 Obligation to Notify Changes to Protection Policy

Article 1 (Personal Information Collection Items and Purpose of Collection and Use)

• ① The Company collects the minimum personal information necessary to provide services to users. The Company, however, may collect additional personal information optionally to provide users with higher-quality customized services.
• ② Without the user’s explicit separate consent, the Company does not collect sensitive personal information such as thoughts/beliefs, labor union/political party membership/withdrawal, political views, health, sexual life, past medical history, religion, place of origin, criminal records, etc., which may infringe upon fundamental human rights.
• ③ The items of personal information collected concerning the services provided by the Company and the primary purposes of collection and use are as follows:

④ IP addresses, cookies, visit time, service usage records, and records of inappropriate use may be automatically generated and collected during online service use or business processing.

⑤ When using online services (including mobile), information about the device (device model, operating system, browser, MAC ADDRESS, etc.) may be collected for user verification and service provision and to prevent fraudulent use. Additionally, mobile carrier information may be collected and used to provide PUSH services (only with customer consent), application version upgrades, and other services specific to mobile service characteristics.

⑥ In cases where the Company provides services other than those specified in paragraph 3, such as donation activities, prize events, or other services, the Company may collect and use personal information necessary for providing the service. In such cases, the Company will obtain separate consent from users after clearly stating all items, purposes, periods, right of refusal, and disadvantages upon refusal by relevant laws.

⑦ In addition to collecting personal information for service provision under paragraphs 3 and 4, the Company may collect personal information in the following cases. It will notify users of the processing purpose and items when collecting personal information:

* During customer consultation: Name, contact information (wired/wireless phone numbers, work/home addresses, email), age, etc., are collected to handle inquiries/complaints and notify processing results, and are retained for 3 years

⑧ Users may refuse to consent to collecting and using personal information. However, if users refuse the collection and use of personal information, there may be limitations on service use and benefit provision.

Article 2 (Provision of Personal Information)

• ① The Company will not use users’ personal information beyond the scope notified in Article 1 or provide it to third parties, except with the consent of users or as required by relevant laws.
• ② However, personal information may be provided without separate consent from users in the following cases:
•   1. When necessary for payment settlement by service provision
•   2. When necessary for statistical compilation, academic research, or market research, the information is processed in a form that cannot identify specific individuals before being provided to research organizations, survey institutions, research agencies, etc.
•   3. When there are special provisions in laws such as the Personal Information Protection Act, Act on Promotion of Information and Communications Network Utilization and Information Protection, Protection of Communications Secrets Act, Framework Act on National Taxes, Act on Real Name Financial Transactions and Confidentiality, Act on the Use and Protection of Credit Information, Framework Act on Telecommunications, Telecommunications Business Act, Local Tax Act, Consumer Protection Act, Criminal Procedure Act, etc.
• ③ When providing personal information to third parties overseas, the Company will inform users of the details and obtain their consent.

Article 3 (Outsourcing of Personal Information Handling)

• ① The Company may outsource the management of users’ personal information to external specialized companies to improve services and facilitate data processing.
• ② When outsourcing the processing of personal information, the Company manages and supervises to protect users’ personal information through outsourcing contracts, ensuring that service providers comply with personal information protection instructions, maintain the confidentiality of personal information, and prohibit the provision of personal information to third parties without user consent.
• ③ The processors who are entrusted with personal information processing and their tasks are as follows:

• ④ The sub-processors who are entrusted with personal information processing and their tasks are as follows:

Article 4 (Retention and Use Period, Disposal Procedures of Personal Information)

• ① The Company retains and uses users’ personal information for purposes such as service provision while using the services provided by the Company. The personal information of users registered in the system cannot be printed as documents unless by the personal information protection officer, the person in charge, or those who have obtained their approval.
• ② When a user requests deletion of their personal information or membership withdrawal, the Company takes action without delay, and the deleted information is completely removed from the disk using methods that make it impossible to recover or reproduce the records, ensuring it cannot be viewed or used afterward.
• ③ When the purpose of collecting or receiving personal information has been achieved, the usage period has ended, or other grounds for disposal arise, the Company deletes the information from disks according to internal disposal procedures. It promptly disposes of users’ personal information by shredding printed materials.
• ④ Even when the purpose of collection or provision has been achieved, the Company may retain users’ personal information for a certain period by relevant laws such as the Personal Information Protection Act, Commercial Act, Framework Act on National Taxes, etc., if preservation is necessary as required by these laws.

• * Website visit records: 3 months

Article 5 (Department Responsible for Personal Information Protection and Related Grievance Handling)

① The Company has designated a department responsible for personal information protection and related grievance handling to protect users’ personal information and address complaints about personal information. In addition, the Company has appointed a personal information management officer and a personal information management person in charge of promptly handling inquiries and complaints regarding users’ personal information.

② When users need consultation due to the occurrence or concern of infringement regarding their personal information, they can contact not only the Company’s personal information protection department mentioned in paragraph 1 but also the following institutions:

  - Personal Information Dispute Mediation Committee (www.kopico.go.kr / 1833-6972 without area code)

  - Personal Information Infringement Report Center (privacy.kisa.or.kr / 118 without area code)

  - Supreme Prosecutors’ Office Cyber Investigation Division (www.spo.go.kr / 1301 without area code)

  - National Police Agency Cyber Investigation Bureau (ecrm.cyber.go.kr / 182 without area code)

Article 6 (Collection of Personal Information by Automatic Collection Devices)

• ① The Company may use ‘cookies’ (Internet connection information files and other personal information automatic collection devices) to store and periodically retrieve user information. A cookie is a small amount of information sent by the server operating the Company’s website to the user’s browser (Safari, Chrome, Internet Explorer, etc.). It can be stored on the user’s computer’s hard disk. When a user accesses the website, the Company’s computer reads the contents of cookies in the user’s browser. It can provide services without additional input, such as names, by finding the user’s information on their computer. Cookies identify the user’s computer but do not identify the user personally.
• ② The Company uses cookies to analyze users’ access frequency and visit times, track the number of visits, and improve services necessary for site operation.
• ③ The Company uses cookies to determine the level of user participation and number of visits in various events conducted by the Company, to provide differentiated entry opportunities, and as data to provide differentiated information according to users’ areas of interest.
• ④ Users have the option regarding cookie installation. Therefore, users can choose to allow all cookies, allow some cookies, or reject all cookies by setting options in their web browser.
•   • Methods to specify cookie installation permission:
•   - Internet Explorer : Click [Tools] on the Internet screen taskbar, select [Internet Options] -> Click [Privacy] tab -> Click [Advanced] -> Select cookie permission settings
• - Safari:
• (MacOS) From the top left menu bar, select [Safari] -> [Preferences] -> Go to [Privacy] in the [Preferences] window and select cookie permission settings (iOS) [Settings] -> Select [Safari] from the app list -> Select cookie permission settings in [Privacy & Security]
• - Chrome:
• (PC) Select [Settings] from the menu in the upper right corner of the web browser -> Select [Privacy & Security] -> Go to [Cookies and Other Site Data] and select cookie permission settings (Mobile) Select [Settings] from the menu in the upper right corner of the web browser -> Select [Site Settings] in Advanced settings -> Go to [Cookies] and select cookie permission settings

Article 7 (Access to and Correction of Personal Information)

• ① Users may contact the Company’s personal information protection department by phone, in writing, or by email at any time to request access, correction, deletion, or suspension of processing, and the Company will take relevant measures without delay in response to users’ requests.
• ② When a user requests correction of errors in personal information, the Company will not use, provide, or otherwise process the personal information until the correction is completed. In addition, if incorrect personal information has already been processed, we will ensure that the correction results are reflected immediately.
• ③ Access to and correction of personal information may be restricted in the following cases:
•   1. When there is concern that it may significantly harm the rights and interests of a third party
•   2. When there is concern that it may significantly interfere with the business of the service provider
•   3. When it violates laws and regulations, etc.

Article 8 (Withdrawal of Consent to the Collection, Use and Provision of Personal Information)

• ① Users may withdraw their consent to collecting, using, and providing personal information at any time. Consent can be withdrawn by requesting it from the person entrusted with processing personal information or by contacting the department responsible for personal information management in writing, by phone, or by email. In response to the user’s request, the Company will take immediate measures, such as destroying the user’s personal information.
• ② The Company strives to take necessary actions to make the withdrawal more effortless than the collection of the personal information.

Article 9 (Administrative, Technical and Physical Measures for Personal Information Protection)

• ① The Company establishes and implements internal management plans to process personal information safely and conducts training.
• ② The Company implements technical measures to ensure security so that users’ personal information is not lost, stolen, leaked, altered, or damaged when handling it.
• ③ Users’ personal information is managed using an internal network that cannot be accessed or infiltrated from external networks, and essential data is thoroughly protected through separate security features by encrypting files and transmission data or using file locking features.
• ④ The Company ensures network security by using firewalls and intrusion detection systems on each server to prepare against hacking and other external intrusions. It strengthens security by installing access control systems.
• ⑤ The Company prevents personal information infringement by installing anti-virus programs that constantly check for and handle the infiltration of malicious programs such as computer viruses and spyware on personal information processing systems and information devices used by personal information handlers.
• ⑥ The Company limits access to users’ personal information to a minimum number of personnel, establishes internal procedures for accessing and managing personal information to ensure its security, implements access control and locking devices, and ensures that employees are familiar with and comply with these procedures.
• ⑦ The handover of duties between personal information handlers is carried out thoroughly while maintaining security, and accountability for personal information incidents after joining or leaving the company is clearly defined.
• ⑧ Users should maintain accurate information through verification and management of the personal information they provide to the Company. If they use others’ personal information without authorization or infringe on others’ rights, they may be subject to sanctions by the Company as well as civil and criminal liability.
• ⑨ The Company assumes no responsibility for issues arising from personal information leakage due to users’ carelessness or Internet problems. Therefore, each user must appropriately manage their personal information to protect it and bear responsibility for this. However, if the loss, leakage, alteration, or damage of users’ personal information occurs due to misconduct or negligence on the part of the Company’s internal managers, the Company will immediately inform users of the facts and devise appropriate countermeasures and compensation.

Article 10 (Users’ Rights and How to Exercise Them)

• ① Users and their legal representatives may exercise rights related to viewing, modifying, changing personal information provided to the Company as themselves or as legal representatives, and withdrawing membership.
• ② The Company collects personal information of children under the age of 14 only with the consent of legal representatives (parents, etc.) to protect children’s personal information.
• ③ Users and legal representatives can exercise their rights by contacting the Company via the Internet, telephone, written documents, etc., regarding personal information, and the Company will take necessary measures without delay.

Article 11 (Obligation to Notify Changes to Protection Policy)

This policy may be amended according to changes in laws, policies, internal operational policies of the Company, or security technologies, and in such cases, we will promptly notify the reasons and content of the changed policy on the first page of the Company’s website.