In order to protect the personal information of the data subject and tackle any grievances suffered by the data subject in relation to the protection of their personal information in a smooth and quick manner in accordance with Article 30 of the Personal Information Protection Act, Silla Holdings (hereinafter “the Company”) shall establish and make publish its privacy policy as follows.

Article 1 (General Provisions)

1. ① The definitions of the terms used in this policy are as follows.
   1. 1. ‘Personal information’ is the information about a person who is alive, and is referred to as any information (including information which, while incapable of identifying certain individuals alone, can identify people when combined with other information) which can identify a person through the items, such as their name and resident identification number, that are included in the information.
   2. 2. The ‘data subject’ is a person who provides their personal information to the Company, and is referred to as the one who can be identified by the personal information handled by the Company.
2. ② The Company shall notify how and for what purpose the personal information is being used, and what kind of measures are being taken to protect the personal information via the intranet, etc.

Article 2 (Items of Personal Information to be Handled and Purpose of Handling of Personal Information)

The Company shall handle personal information as follows. Any handled personal information shall not be used for any other purpose than the following. If changes are made to the purpose of personal information use, the Company shall take necessary measures, including obtaining additional consent in accordance with Article 18 of the Personal Information Protection Act.

1. ① Items of Personal Information to Be Collected
   1. 1. Mandatory Items: Name, resident registration number, address (permanent domicile and current address), bank account information
   2. 2. Optional Items: E-mail address, contact information, academic background, language proficiency, photographs, veteran or disabled status, certificates, passport number, personal anniversaries, family information, medical check-up results
2. ② Purpose of the Use and Collection of Personal Information
   1. 1. Human Resource Management
      The Company shall handle personal information for the purpose of carrying out and supporting various human resource management tasks, such as the confirmation of personal identification for employment, the maintenance, performance, and management of employee relations, and the rewards, promotions, evaluations, rewards and punishment, and personnel appointment, etc. following said maintenance, performance, and management.
   2. 2. Provision of Welfare
      Personal information shall be handled for the purpose of medical check-ups and the registration in education courses.
   3. 3. Issuance of Various Certificates
      Personal information is handled for the purpose of identifying current and retired employees and issuing the certificates of career and employment.
3. ③ The Company shall not handle personal information such as thoughts, beliefs, membership status in labor unions or political parties, health, political views, etc. that may surely violate the privacy of the data subject without the consent of the data subject or stipulation in the relevant laws.

Article 3 (Items of Personal Information to Be Handled and Purpose of Handling Personal Information)

1. ① Personal information of the data subject shall be stored in the HR management system and used for the HR management of the data subject during the data subject’s employment.
2. ② In the case of retired employees, their information shall be kept for 3 years after their retirement. However, if it is necessary to keep the information for more than 3 years in order to issue certificates of the retired employees, such as certificates of career, the company shall retain the information after obtaining consent from the relevant retired employees.

Article 4 (Provision of Personal Information to Third Parties)

The Company shall use personal information within the scope of the purpose of collection, and shall not use, offer, or disclose it to a third party. However, exceptions will be made in the following cases.

1. ① In case the Company obtains additional consent from the data subject
2. ② In case there are any special stipulations in other laws
3. ③ When it is deemed urgently necessary to protect the life, body, and property interests of a data subject or a third party at a time when the data subject or their legal representative cannot give informed consent due to their incapacity to express intention, unknown whereabouts, etc.

Article 5 (Matters on the Rights and Obligation of Data Subjects and the Method for Exercising Them)

1. ① The data subject may inspect or modify their personal information, records on the use or provision of their personal information, and information on their consent to the collection, use, and provision of their personal information, all of which are in the possession of the Company.
2. ② In the case that it is deemed necessary to correct or delete information due to the errors in the corresponding personal information, the Company shall carry it out immediately.
3. ③ Requests for the inspection, correction, and deletion of the consent information can be made in writing or via phone call and E-mail, and the staffs in charge of the personal information shall take the necessary measures immediately.

Article 6 (Destruction of Personal Information)

1. ① The Company shall immediately destroy personal information once the purpose of its collection and use has been fulfilled or its retention period has expired, with the exception of the case where it is necessary to retain the information in accordance with the relevant laws.
2. ② Procedure and methods for the destruction of personal information are as follows.
   1. 1. Procedure of Destruction
      The Company shall select the personal information that needs to be destroyed and receive the approval of privacy officer before destroying it.
   2. 2. Method of Destruction
      The Company shall destroy personal information recorded and stored in a form of electronic files in a way that ensures they can no longer be replayed, and destroy personal information recorded and stored in writing by putting the paper documents through a paper shredder or incinerating them.

Article 7 (Privacy Officer)

1. ① The Company shall designate a privacy officer as follows to take full charge of tasks related to personal information handling and to tackle the complaints issued by data subjects and handle damage relief for the data subject regarding the handling of their personal information.
2. ② The data subject shall contact the privacy officer and their relevant department with any questions, complaints, requests for damage relief, etc. related to personal information that occur during the data subject’s employment, and the Company shall immediately reply to and handle the data subject’s questions.

※Privacy Officer
Department in Charge: Management Planning Division
Name: Mun Han-jin
Contact: +82-2-2203-8700
E-mail: jin0507@sla.co.kr

Article 8 (Measures to Secure the Safety of Personal Information)

The Company shall take the following measures to secure the safety of personal information.

1. ① Managerial Measure
   Establishing a privacy policy, educating personnel who will be handling personal information, and managing and supervising personnel to abide by the relevant laws
2. ② Technical Measure
   Managing the authority to access internal system (human resource program), etc. that contain personal information
3. ③ Physical Measure
   Establishing and implementing access control system and controlling access by restricting all but the relevant staffs through the establishment of control zones

Article 9 (Changes to Privacy Policy)

This Privacy Policy shall take effect starting May 1, 2014.