Article 1. Items of personal information collected and Method of collecting them.

[Complaint Reporting Service]

- Required Fields: User’s name, company name, email address, contact information, report type, name of the person being reported, concerned department, contents of the report.

- Optional Fields: contact information, position

[Others]

- Record of using service, access log, cookie, access IP information

Article 2. Collection of Personal Information and Purpose of Use

The company uses the collected personal information for the following purposes.

[Complaint Reporting Service]

Personal information are used for personal verification, personal identification, prevention of illegal and unauthorized use when accessing to complaint reporting service and for processing complaints and delivering notifications.

Article 3. Retention Period of Personal Information

[Complaint Reporting Service]

By principle, the personal information collected is destroyed without delay once the purpose of use is met. However, when it is necessary to keep them in accordance with the relevant regulations, the company keeps customers information for a specific period of time as specified by relavant regulations as follows.

Kept Items: personal information submitted at the time of inquiry registration and contents of the consultation Reason for Keeping: Record on processing complaints or conflicts

Keeping Period: 3 years

Article 4. Destruction of Personal Information and Destruction Method.

By principle, the personal information collected is destroyed without delay once the purpose of use is met. The procedure and method of destruction are as follows.

[Destruction Procedure]

Information put in for using services are transferred to separate DB after achieving that purpose (separate filing cabinet) and kept for specific period of time in compliance with internal regulations and relevant laws on information protection (refer to keeping and using period) and then destroyed.

The personal information transferred to separate DB are not used for other purpose unless owing to laws.

[Destruction Method]

- Printed Personal Information : shredded or incinerated

- Personal Information saved as electronic files: permanently deleted with technology to not be able to be replayed.

Article5. Providing and Sharing Personal Information

The company use customers’ personal information only within the range specified in ‘collected items and colleting method of personal information’ and ‘use of personal information’ unless with customers’ permission or owing to relavant regulations. The company does not overuse or provide the information to others or other companies/organizations.

In case of providing or sharing customers information through partnership, the company asks for permission after notifying the customers individually by email or post about who will be receiving or sharing their information, which items will be provided or shared, and the purpose of provision or sharing

According to relevant laws and regulations, provision of information without customers’ consent is possible in the following cases.

• - When needed for drawing statistics, academic research, or market research, information can be provided after being processed so that specific individuals are not recognized.
• - Upon the request of investigative agencies for the purpose of investigation or on the ground of laws and regulations, in accordance with stipulated procedure and method.

The company can provide information collected in the course of registering to Corporate Ethics Consultation Service to Lotte affiliates in order to transfer complaints and notification.

Article 6. Entrustment of Collected Personal Information

For service implementation, the company is outsourcing the data to manage them as follows. We are regulating in contract with outsourcing company that the data are safely managed in compliance with related laws.

When making an outsourcing contract, we are clearly regulating the outsourcer to obey orders regarding protection of personal information and to take responsibility in case of accident and keep the contract in paper and electronically. When the outsourcer is changed, notify the replaced outsourcer company name in the Personal Information Processing Policy section of the website.

The company will conduct appropriate inspection within the range of outsourced tasks to make sure the entrusted company is honestly following the stipulated regulations to safely manage the entrusted information.

Article 7. Correction and Deletion of Personal Information and Cancellation of Permission

To check, change, delete users’ personal information, contact the person in charge of personal information management via post, phone, or email.

If a customer has put in a request for correction of his/her personal information, the company does not use or provide the personal information until the correction is completed. Also, when false information has already been provided to a third party, we will notify the third party without delay to correct the information.

Article 8. Management and Use of Cookie

The company manages cookie that regularly saves and finds customer information. A cookie is a very small text file sent by server that is used for operating website to the user’s browser and saved in your computer’s hard disc. The company uses the cookie for the following purposes.

[Purpose of Using Cookies]

- To provide target marketing and customized service by analyzing access frequency, visiting time, user’s taste and interests, tracing tracks, and number of visits.

Customers have various options of installing cookies. Accordingly, customers can allow all cookies, or go through confirmation every time a cookie is saved, or reject saving all cookies by setting options.

[How to reject installation of cookies]

Example: You can allow all cookies, or go through confirmation every time a cookie is saved, or reject saving all cookies by setting options of the web browser you are using.

Installation Example (Interment Explorer) : Tools > Internet Option > Personal Information But, service provision might be limited when cookie installation is rejected.

Article 9. Technical/Institutional Management for Personal Information Protection

The company is taking technical/institutional and physical measures needed for securing security as follows in accordance with article 29 of Personal Information Protection Law.

• - Technical Measures: encryption of personal information, installation of access contrail system. Installation and use of security program
• - Institutional Measures: Minimization of number of staffs dealing with personal information and education/training, regular self-inspection, establishment and implement of internal controls.
• - Physical Measures: Access control to document saving place with locks, access control of unauthorized people.

Article 10. Person(s) in Charge of Personal Information Management

The company is designating person(s) in charge of personal information management and related department as follows in order to protect customers personal information and handle personal information-related complaints.

Chief Managing Director of Information Protection

Person in Charge: Executive lee,seung-min

Contact : 02-801-8002, lee-seungmin@lotte.net

Information protection manager

Person in Charge: Administrative Manager, Lim, Jong-min

Contact : 02-801-8366, limjm@lotte.net

You can report every personal information-related complaint arouse while using our company’s service to the person in charge of personal information management or to the department. The company will promptly and thoroughly reply to customers’ complaints.

Should you need to make report or consultation regarding other personal information infringements, contact the following agencies.

• 1. Personal Information Dispute Mediation Committee(www.1336.or.kr/1336)
• 2. Information Protection privacy Mark Authentication Committee (www.eprivacy.or.kr/02-580-0533~4)
• 3. Forensic Science Planning Office & High-Tech Crime Investigation Division at Supreme Prosecutor’s Office
  (http://icic.sppo.go.kr/02-3480-3600)
• 4. Cyber Terror Response Center at the National Police Agency (www.ctrc.go.kr/02-392-0330)