Personal Information Protection Policy

Enacted December 12, 2024

Article 1 (Purpose)

This policy aims to safely protect and manage customers' personal information collected and managed by the Company (hereinafter "the Company") and to protect customers' rights.

Article 2 (Scope of Application)

This guideline follows the provisions of relevant laws including the "Personal Information Protection Act" and the "Act on Promotion of Information and Communications Network Utilization and Information Protection" when processing personal information.

Article 3 (Designation of Chief Privacy Officer)

The Company's representative shall serve as the Chief Privacy Officer responsible for overall management and implementation of personal information protection and security operations. However, if a personal information manager has been designated pursuant to Article 27 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, a separate privacy officer need not be appointed.

Article 4 (Duties and Responsibilities of Chief Privacy Officer)

1. The Chief Privacy Officer shall perform the following duties:

01) Establishment and implementation of personal information protection plans

02) Regular investigation and improvement of personal information processing practices

03) Handling complaints and remedies related to personal information processing

04) Implementation of internal control systems to prevent personal information leakage and misuse/abuse

05) Establishment and implementation of personal information protection training plans

06) Protection, management, and supervision of personal information files

2. Violation of Paragraph 1 may result in penalties under relevant laws.

Article 5 (Scope, Duties, and Responsibilities of Personal Information Handlers)

1. Personal information handlers include all staff responsible for treatment, examination, payment processing, etc.

2. Personal information handlers must not disclose or provide personal information learned during their duties to others or use it for improper purposes, and must take administrative and technical measures to ensure collected personal information is safely stored and used.

3. Personal information handlers must complete and maintain security (confidentiality) pledges specifying their responsibilities and obligations, and access rights must be modified or revoked when handler duties change due to personnel transfers.

Article 6 (Technical Protection Measures)

1. The following technical measures must be implemented to ensure security against loss, theft, leakage, or damage of personal information:

01) Differential authority assignment limited to the minimum necessary for job performance

02) Installation and operation of access control systems such as firewalls (When processing personal information using only work computers, utilize OS and security program access control functions)

03) Encryption measures for secure storage and transmission of personal information (Encryption targets: unique identification information, passwords, biometric information)

04) Measures to maintain access records and prevent forgery/alteration (minimum 6-month retention)

05) Installation and regular updating/checking of security programs (Install security programs like antivirus software, update automatically or at least once daily)

2. The following security practices must be mandatory:

01) Install auto-updating antivirus software and use real-time monitoring

02) Delete suspicious emails and attachments without opening

03) Use automatic updates and firewall functions provided by operating systems (Windows, etc.)

04) Set passwords using combinations of letters, numbers, and special characters; change regularly

05) Mandatory use of passwords for computer boot-up, login, and screen savers

06) Minimize use of shared folders; when necessary, always set passwords

07) Verify certificates and digital signatures before installing programs from websites

08) Save important data with password protection; prohibit storage on internet-connected PCs

09) Use legitimate software

10) Avoid sending important data via email; if unavoidable, password-protect attachments

Article 7 (Physical Access Restrictions)

1. Install access control systems to restrict entry to server rooms and data storage areas.

2. Install locking devices to restrict access and viewing of areas where paper-based personal information files are stored.

Article 8 (Internal Audit Frequency and Procedures)

The Chief Privacy Officer shall conduct internal audits at least once per year during a designated period.

Article 9 (Implementation of Internal Audit Results)

1. The Chief Privacy Officer shall immediately implement improvements for deficiencies identified through internal audits.

01) Identify non-compliant items

02) Determine causes of non-compliance and establish corrective and preventive measures

03) Implement measures within set deadlines

04) Document results of corrective and preventive actions

Article 10 (Implementation of Personal Information Protection Training)

1. Information protection and security training shall target all employees and contractors handling personal information and services.
2. Information protection and security training shall be conducted regularly, with additional training when information protection policies, procedures, or roles change.

General Operation Engineering Co., Ltd.