NRB Inc.

Terms

NRB Incorporated, Ltd. (hereinafter referred to as the "Company") complies with the "Personal Information Protection Act" and the "Act on Promotion of Information and Communication Network Utilization and Information Protection" and is committed to protecting the privacy and rights of individuals and ensuring the proper handling of complaints related to personal information. To achieve this, the Company has established the following privacy policy, which it abides by. The Company's "Privacy Policy" may be subject to changes in accordance with changes in relevant laws, regulations, or internal operational policies.

If there are changes to the Company's "Privacy Policy," the revised policy will be displayed at the business premises or announced through the Company's website (www.and-rb.com/).

Article 1 : Purpose of Processing Personal Information

The Company uses personal information for the following purposes.

The collected personal information will not be used for purposes other than those specified below. In case of a change in the purpose of use, the Company will take necessary measures, including obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act

Confirmation and response processing upon user's business inquiries and requests
Confirmation and response processing when users report unfair transactions in ethical management
Analysis of user's access status

Article 2 : Processing and Retention Period of Personal Information

The Company, in principle, discards information without delay after the purpose of collecting and using personal information is achieved. However, for the following information, the Company retains it for the specified period for the reasons stated:

Cyber counseling information
- Retained Items : E-mail
- Retention period : 3 years
- Reason for retention : Manage user inquiries and requests
Website visit record
- Retained Items : Access Logs, cookies
- Retention period : 3 months
- Reason for retention : Improve service quality by analyzing users' site access status

Article 3 : Provision of Personal Information to Third Parties

The Company processes the personal information of the information subject within the scope specified in Article 1 for the purpose of personal information processing. Personal information will not be used or provided to third parties beyond this scope without the prior consent of the information subject, except in the following cases:

With separate consent from the information subject When there is a special provision in other laws
When it is deemed necessary for the urgent life, body, property interests of the information subject or a legal representative who cannot express their intention or obtain prior consent due to unknown address, etc.
When it is necessary for statistical or academic research purposes, providing personal information in a form that cannot identify specific individuals.

Article 4 : Outsourcing of Personal Information Processing

The company does not entrust the processing of personal information to external companies without the consent of the information subject.

Article 5 : Rights and Obligations of Information Subjects and Methods of Exercising Them

Information subjects may exercise the following rights related to personal information protection against the Company at any time:

Request for access to personal information
Request for correction if there are errors
Request for deletion
Request for processing suspension
- The exercise of rights under paragraph 1 can be made to the Company in writing, by phone, email, facsimile (FAX), etc., and the Company will take prompt action.
- If an information subject requests correction or deletion of his/her personal information under paragraph 1, the Company will not use or provide the information until the correction or deletion is completed.
- The exercise of rights under paragraph 1 can be made through a legal representative or agent of the information subject. In this case, a power of attorney according to the attached Form 11 of the Enforcement Rules of the Personal Information Protection Act must be submitted.
- Information subjects must not infringe on the personal information and the privacy of individuals or third parties processed by the Company in violation of laws and regulations, including the Personal Information Protection Act.

Article 6 : Personal Information Port to be Processed

The company is processing the following personal information items.

Related to homepage service : E-mail
In the process of using the Internet service, the following personal information items can be automatically created and collected. : Cookies, visit records, etc

Article 7 : Procedure and Method of Personal Information Disposal

The Company promptly disposes of personal information when the retention period of personal information has elapsed, the purpose of processing is achieved, etc.

However, in cases where personal information needs to be retained under other laws despite the expiration of the agreed retention period, the Company transfers the information to a separate database (DB) or stores it in a different location. The procedure and method of personal information disposal are as follows:

Disposal procedure
- The Company selects personal information for disposal, obtains the approval from the Company's personal information protection manager, and disposes of the personal information.
Disposal method
- The company destroys personal information recorded and stored in the form of electronic files using methods such as Low Level Format so that records cannot be reproduced, and the personal information recorded and stored in paper documents is shredded or incinerated.

Article 8 : Measures to Ensure the Safety of Personal Information

The company is taking the following measures to ensure the safety of personal information.

Administrative Measures
- Establishment and implementation of internal management plans, regular employee training, etc
Technical Measures
- Management of access rights of personal information processing systems, installation of access control systems, encryption of unique identification information, and installation of security programs
Physical Measures
- Control access to the computer room

Article 9 : Purpose and Refusal of Automatic Collection of Personal Information

The Company uses "cookies" to identify and store information on its subjects when necessary for website operation.

Cookies are very small text files sent by the server operating the website to the information subject's browser, stored in the information subject's computer hard drive. Cookies do not personally identify the information subject.

What's Cookies?
- Cookies are stored on the user's computer as very small text files that the server used to run the website sends to the user's browser.
Purpose of use
- It is to analyze the frequency of access and visit time and use it to improve the service, and users have the right to choose whether to install cookies. Therefore, users can allow or deny all cookies by setting options in the web browser or confirm each time a cookie is saved.
Refusal of cookie collection
- Cookies do not store personal identifying information, such as name and phone number, and users have the right to choose whether to install cookies. Therefore, users can allow or deny all cookies by setting options in the web browser or confirm each time a cookie is saved. However, refusing to install cookies may make web browsing inconvenient and may cause difficulties in using some services that require login.
Example of setting method
- For Internet Explorer: Tools menu at the top of the web browser > Internet Options > Privacy > Settings
- For Chrome: Settings menu on the right side of the web browser > Display advanced settings at the bottom of the screen > Content settings button for privacy > Cookies

Article 10 : Person in Charge of Personal Information Protection

The Company has designated the following department and person in charge of personal information protection to protect personal information, handle complaints related to personal information, and manage personal information:

The information subject may ask the person and department in charge of personal information protection regarding all personal information protection-related inquiries, complaint handling, and compensation for damage that occurred while using the company services (or businesses). The Company will answer and process the inquiry from the information subject without delay.

Person in charge of personal information protection
- Name : Lee, Jae-Young
- Position : Assistant Manager
- Contact : 070-8801-2019 / 010-7236-0621
Department in charge of personal Information
- Department name : Management Planning Department
- Person in charge : Lee, Jae-Young
- Contact : 070-8801-2019 / 010-7236-0621
- E-mail : ljy3000@and-rb.com

Article 11 : Method of Remedying Rights Violations

Information subjects can contact the following organizations for damage relief, consultation, etc., regarding personal information infringements:

These agencies are separate from the company, and if you need to report or consult on other personal information breaches, please contact the relevant agency below:

Personal Information Breach Reporting Center
- (Without Area Code)118
- https://privacy.kisa.or.kr
Personal Information Dispute Resolution Commission
- 1833-6972
- https://kopico.go.kr
Supreme Prosecutor's Office Cyber Investigation Division (spo.go.kr)
- (Without Area Code)1301
- https://cid@spo.go.kr
National Police Agency Cyber Safety Bureau
- (Without Area Code)182
- https://cyberbureau.police.go.kr

Additionally, individuals who have suffered harm to their rights or interests due to dispositions made by public agencies regarding requests for access, correction/deletion, or suspension of processing of personal information can file an administrative lawsuit under the Administrative Adjudication Act.

Central Administrative Appeals Commission
- Refer to https.simpan.go.kr for contact information.

Article 12 : Request for Access to Personal Information

The information subject may request the following department to access personal information in accordance with Article 35 of the Personal Information Protection Act. The company will try to expedite the information subject's request for personal information access.

Personal Information Access Requesting and Processing Department
- Department name : Need to check
- Person in charge : Need to check
- Contact : Need to check
- E-mail : Need to check

Article 13 : Installation and Operation of Visual Data Processing Device

The company installs and operates visual data processing device as follows:

Basis and purpose of installing visual data processing devices: Facility safety and fire prevention
Number of devices installed, location of installation, and scope of monitoring
- Number of units: 25 units installed at Gunsan Factory (headquarters), 2 units at Seoul Office
- Location of installation: Within Gunsan Factory (headquarters), in front of the entrance to Seoul Office
- Scope of monitoring: Video recording of all spaces in major facilities
Manager, department in charge, and authorized accessor of visual data
- Managers: Managed through outsourcing companies (S-1 / CAPS)
- Authorized accessors: Jin, Gil-Jong, Manager of Modular Production Dept. at Gunsan Factory (headquarters) / Lee, Jae- Young, Assistant Manager of Management Planning Dept. at Seoul Office
Recording time, storage period, storage place, and processing method of visual data
- Recording time : 24 hours operation (recorded only when motion is detected)
- Storage period : Minimum 1 to 3 months from the recorded time
- Storage place and processing method : Natural deletion without separate backups
Method and location for checking personal visual data : Confirm through authorized accessors
- Gunsan Factory (headquarters) : Check the CCTV image on monitors near the office entrance
- Seoul Office : Check the CCTV image on authorized accessor's PC
Measures to the data subjects' requests for viewing visual data : The data subjects may request access to his/her personal visual data by submitting a written request to access the personal visual data and existence confirmation form, provided that such a request is limited to the personal visual data of the data subject and when necessary for an urgent life, physical or property interest of the data subject.
Technical, managerial, and physical measures for protecting visual data: Managed through outsourcing companies (S-1 / CAPS)

Article 14 : Duty to Notify

In the event of changes to the privacy policy for legal or service-related reasons, the company may modify the privacy policy.

When the privacy policy is modified, the company will post the changes, and the revised privacy policy will take effect seven days after the posting date.
However, in cases where there are significant changes to the rights of users, such as changes to the items of collected personal information or purposes of use, the company will notify users in advance through the website at least 30 days before the changes take effect.

Notice Date : October 1st, 2022
Effective Date : October 1st, 2022

TERMS

Contents