Privacy and Information Processing Policy, etc.

1. Personal Information Processing Policy

01. General Provisions

- “Personal information” means information such as a name, a resident registration number, or an image relating to a living individual who can be identified from the information. (It also includes information that cannot identify a person by itself but can indirectly identify the person in combination with other information.)

- “Information subject” means an individual who can be identified through the processing of the personal information provided.

- The Company provides its privacy policies on the main page of its website (www.doosanmobility.com) so that anyone can check them easily.
The company will announce any revision of its privacy policies through its website (or by individual notification).

02. Processing Personal Information

The Company does not process sensitive information that may significantly infringe on the privacy of the subject of the information,
or unique identification information given to distinguish the individual, unless supported by statutory provisions or the consent of the information subject.

A. Processed Information

＜Customer-Related＞
Name, home address, email, company name, service usage record, access log, cookies, and IP login information

＜Employment-Related＞
Name, resident registration number, photo, password, home address, home phone number, mobile phone number, email, educational background, military service record, language skills, computer skills, qualifications, family relationships, career experience, social experience, awards and merits, overseas experience, and R&D experience

B. Purpose

＜Customer-Related＞
- Membership management and complaint handling
- Online market surveys or opinion surveys
- Marketing or advertising
- Service provision or fee settlement

＜Employment-Related＞
- Processing of application, application reviews, confirmation of hiring, contact with applicant, eligibility checks
- HR management, such as wage payments, welfare provision, and work performance support and evaluation

03. Retention and processing period of personal information

As a rule, the Company immediately destroys personal information when the purpose for collecting and using the personal information has been fulfilled. However, the following information will be retained for the specified periods for the following reasons.

• - Retained information : Name, home address, email, and company name
• - Retained period : 1 year
• - Reason for retention : Management of user inquiries and requests, user identification, etc.

• - Retained information : Service usage record, access log, cookies, and IP login information
• - Retained period : 3 years
• - Reason for retention : To improve service quality by analyzing service patterns

• - Retained information : Name, password, date of birth, gender, resident registration number, home address, home phone number, mobile phone number, hobbies, skills, educational background, career experience, language skills, military service record, and family status
• - Retained period : Until termination of employment in principle
• - Reason for retention : HR management such as wage payments, welfare provision, and work performance support and evaluation
• - The personal information of an applicant who is not hired is destroyed without delay after the application procedure is completed

04. Destruction of Personal Information

A. Destruction Procedure

If the personal information collected has served its purpose, or the retention period expires, the Company immediately destroys the personal information unless it must be retained, based on the customer's consent, the terms of Use, or the applicable laws.

B. Destruction Method

- Electronic files holding personal information are deleted using technical means that prevent regeneration of records.

- Personal information printed on paper is destroyed with a shredder or by incineration.

05. Transfer of Personal Information to a Third Party

The Company uses personal information within the scope of the purpose described in "02. Processing Personal Information" and does not use the personal information or disclose or provide it to third parties beyond scope. However, personal information may be transferred in the following exceptions.

• - Consent from the subject of the information is obtained.
• - The special clause is stipulated in another law.
• - It is explicitly required for the life, physical, or financial interests of the subject of the information or a third party while the subject of the information or legal guardian is not in a position to express an opinion or provide the advance consent due to an unknown address, etc.
• - The information is needed for the generation of statistics and academic research and is provided in an unidentifiable form.

The company is currently providing personal information as follows.

• - Entity receiving personal information : MultiCampus Co., Ltd.
• - Personal information provided : Name, ID, password, mobile phone number, email, company name, and address
• - Purpose of the provided information : Collection and use for e-learning education
• - Retention and usage period of provided information : Immediately destroyed at the end of training

• - Entity receiving personal information : Doosan Corporation Information & Communications
• - Personal information provided : Name, affiliate name, department/position, HR and welfare, email, and contact number
• - Purpose of the provided information : Information resource management service
• - Retention and usage period of provided information : Permanent

• - Entity receiving personal information : Doosan Cuvex
• - Personal information provided : Personal information required for business operation (name, affiliate name, department/position, etc.)
• - Purpose of using the provided information : General administration, welfare support, purchase, and wage-payment-related tasks
• - Retention and usage period of provided information : Permanent

• - Entity receiving personal information : Doosan Corporation
• - Personal information provided : Name, resident registration number, photo, password, home address, home phone number, mobile phone number, email, educational background, military service record, language skills, computer skills, qualifications, family relationships, career experience, social experience, awards and merits, overseas experience, and R&D experience
• - Purpose of the provided information : Integrated management and development of HR
• - Retention and usage period of provided information : Until termination of employment

06. Outsourcing of Personal Information Processing

The Company does not consign the user's information to external companies without the user's consent.
The Company consigns personal information as follows and defines the required regulations for the safe management of personal information for outsourcing contracts according to the applicable laws.

• - Outsourced company : Doosan Cuvex
• - Outsourced tasks : Wage management, welfare, etc.

• - Outsourced company : Woori Bank
• - Outsourced tasks : DB-based retirement fund manager (outside deposition of severance pay)

• - Outsourced company : Mercer (Hong Kong) Limited
• - Outsourced tasks : Actuarial valuation of retirement liabilities (calculation of retirement liabilities)

• - Outsourced company : DLI
• - Outsourced tasks : Operation of online education programs

• - Outsourced company : MultiCampus Co., Ltd.
• - Outsourced tasks : Operation of online education program

• - Outsourced company : MS Gas Co., Ltd.
• - Outsourced tasks : Hydrogen gas filling and delivery, hydrogen container management

07. Information Subject's Rights and Obligations and How to Exercise Them

All information subjects can request access, correction, erasure, or suspension of the personal information processed by the Company.
However, the Company may refuse or limit the above request in the following cases.

• - Where special provisions exist in law, or legal obligations must be observed.
• - When it may harm a third party physically, or breach a third party's property or other benefits.
• - When the information subject fails to explicitly notify of the termination of the contract even though it is impracticable to execute the contract, such as for the provision of a service as agreed to with the data subject without processing the personal information in question.

Method and Procedure of Exercising Rights

• - An information subject may file requests for access, correction, erasure, or suspension of processing in writing, email, fax, etc. to the Company department in charge of privacy.(The department in charge of privacy refers to “09. Customer Claims Service for Personal Information”.)
• The Company takes the necessary measures within 10 days unless it has good reason to reject the measures and, if there is the reason for limiting or refusing the request, notifies the information subject of the reason for restriction or refusal and how to raise objections within 5 days.
• When an information subject or his/her representative claims access, etc. to personal information, the company can check his/her identification source, such as a resident registration card or public electronic signature to confirm the identity of the information subject or his/her representative.

Request Form

08. Technical, Managerial, and Physical Safeguards for Personal Information

The Company applies the following safeguards to prevent loss, theft, falsification, or damage to the user’s personal information during handling.

Technical Measures

- The Company complies with regulations for the safe storage and transfer of personal information.

- The Company uses an anti-virus program as a preventive measure against computer viruses. The anti-virus program is updated regularly.
If a virus or viruses appear(s), then the Company will make the latest virus vaccine available to users to prevent their personal information from external attacks.

- The Company ensures security using an intrusion prevention system and vulnerability analysis system to protect each system against external intrusions like hacking

Managerial Measures

- The Company limits access rights to personal information to those who perform sales and marketing activities, those who perform personal information management tasks, and those who are involved in the handling of personal information.

- The Company regularly conducts in-house and outsourced training on personal information protection for employees who handle personal information. It also thoroughly manages and supervises compliance with laws and regulations related to the protection of personal information after employees enter and leave the company.

Physical Measures

- The Company takes protective measures, such as physical locks, to prevent physical access and protect personal information and personal information processing systems. The Company designates the computing room and the data archive as special protection zones, so that access to such zones may be strictly controlled.

09. Customer Claims Service for Personal Information

The Company uses the following department and the Chief Privacy Officer (CPO) to protect customers' personal information and settled all complaints regarding personal information :

A. Department in charge of privacy

- Department : Business Execution Team

- TEL : 82 31 270 1703

- FAX : 82 31 270 1719

- Email : [email protected]

- Business hours : (Mon-Fri) 09:00 - 18:00, (closed on Sat-Sun, national holidays)

B. CPO

- Name : Lee Doo-soon

- TEL : 82 31 270 1703

- Email : [email protected]

• For other questions about reporting or consulting on privacy breaches, please contact the following agencies.
• 1. Personal Information Dispute Mediation Committee (http://privacy.kisa.or.kr/TEL : 118)
• 2. Personal Information Intrusion Report Center (http://privacy.go.kr/TEL : 118)
• 3. Information Protection Mark Certification Committee (http://www.eprivacy.or.kr/TEL : 02-580-0533~4)
• 4. Internet Criminal Investigation Center of the Supreme Prosecutors’ Office (http://icic.sppo.go.kr/TEL : 02-3480-3600)
• 5. Cyber Terrorism Response Center of the Korean National Police Agency (http://www.ctrc.go.kr/TEL : 02-392-0330)

10. Disclosure Obligation

The Company will notify users via the 'Notice' section on its website no earlier than 10 days before the revision of policies related to privacy.

• - Date of Public Notification : August 30, 2018.
• - Date of Enforcement : August 30, 2018.

2. Personal Information Handling Policy

Doosan Mobility Innovation (hereinafter referred to as “the Company”) takes users' personal information very seriously and abides by relevant laws such as the Act on the Promotion of Information and Communication Network Utilization.
The Company informs users of the purposes for which their personal information will be used, how the information will be used, and the measures taken to protect their privacy. The Company will notify you of revisions or updates to its personal information handling or processing policy through website announcements or individual notices when they occur.
The following personal information handling policy applies to this website (www.doosanmobility.com, “the Site”). This policy comes into effect on August 30, 2018.

01. Installation, Operation, and Rejection of the Automatic Collection of Personal Information

The Company uses a cookie to store and find out information about users from time to time. A cookie is a very small text file that the server used by the Company to operate the Site sends to your browser. It is saved on your computer hard disk. The Company uses the cookie for the following purposes.

• - To understand the user’s preferences and interest and track traces by analyzing the frequency of access and the time of visit
• - To provide targeted marketing and personalized service by analyzing participation in events and number of visits

You have the right to decide whether to install the cookie.
Accordingly, you can set the option in the web browser to allow all cookies, confirm each saving of a cookie, or refuse to save any cookie.

Settings (based on Internet Explorer)
: Tools in the top menu of the web browser > Internet Options > Personal Information
Please note that it may be difficult to provide the service if you refuse to install the cookie.

02. Processing Personal Information

The Company may collect users' personal information for the following purposes.

• - To handle complaints
• - To provide a better service to users and improve the quality of the site by analyzing service usage

03. Types of Personal Information Collected

The Company collects the following personal information for the purposes of counseling and service requests.
- Collected information

Required information : Name, email address, service usage record, access log, cookies, and IP login information
Optional information : Location (city and province), phone number (contact), country, and company
- Method of collecting personal information : Homepage (Contact Us and Cyber Report Center)

04. Disclosure of Personal Information

Personal information collected through this Site is not disclosed to the outside world except when the user consents to it in advance or when the law requires that the user's personal information be disclosed to a third party investigation agency, judicial authority, or other government agency.

However, personal information may be transferred in the following exceptions.

• - Users prior consent
• - The regulations require it, or the investigative agency requires it under the procedure and method stipulated in legislation for the investigation purpose.

The Company does not consign the customer’s information without the customer’s consent.
When it is necessary to disclose the user's personal information to a third party in order to provide the service requested by the user, the Company will inform the user of the identity of the third party and the content of the requested service, and obtain prior consent from the user.

05. Rights of the User and Legal Representative and Exercise of the Rights

Users and their legal representatives may request to query, amend, or withdraw consent for the registered user’s personal information at any time.
The Company will process the request without delay if you contact the department in charge of privacy in writing, by phone, or by email.
If you request the correction of an error regarding your personal information, the Company will not use the personal information until the correction of the error is complete. If the incorrect personal information had been provided to a third party, the Company will immediately notify the third party of the correction so that the transferred information is corrected.
The Company processes personal information that has been revoked or deleted at the request of the user or the user’s legal representative, as described in "Period of Retention and Use" and prohibits access or use of personal information for any other purpose.

06. Retention and Use of Personal Information

The Company prohibits the use of any user-provided information for purposes other than archiving or compliance with relevant laws.
The information will be destroyed without delay after the purpose for collecting and using the information has been fulfilled.
However, when a user requests the destruction of personal information, the user’s information is immediately destroyed after the request is received unless the time required under the relevant law for holding such information ends later than the time of the destruction request.
No archival information will remain. The procedure and method of destruction are as follows.

A. Period of Retention and Use

- Retained information : Name, email address, location (city and province), phone number (contact), country, and company

- Retained period : 1 year
- Reason for retention : Management of user inquiries and requests, user identification, etc.

- Retained information : Service use record, access log, cookies, and IP login information

- Retained period : 3 years
- Reason for retention : Collection of user’s service use statistics

B. Destruction Procedure

Any information inputted by users that is transferred to a separate database (or a separate document box if the information is on paper) after the purpose is achieved, and then stored in the database for a certain period before being discarded as per the Company’s internal policies and other relevant laws or regulations.
Personal information transferred to a separate database is not used for any purposes other than retention unless otherwise specified by law.

C. Destruction Method

The personal information stored in electronic files is deleted using technical means that prevent regeneration of records.

07. Link to External Site

This Site may contain links to other websites.
The Company will not be liable for the content of linked websites or the use of such websites.
You agree that the use of such linked websites is subject to the privacy policies of the linked websites.

08. Protection of Personal Information

The Company maintains strict safeguards against unauthorized or improper access to such personal information by limiting its employees
from accessing or using the personal information.

09. Customer Claims Service for Personal Information

The Company uses the following department and the Chief Privacy Officer (CPO) to protect customers' personal information
and settled all complaints regarding personal information :

A. Department in charge of privacy

- Department : Business Execution Team

- TEL : 82 31 270 1703

- FAX : 82 31 270 1719

- Email : [email protected]

- Business hours : (Mon-Fri) 09:00 - 18:00, (closed on Sat-Sun, national holidays)

B. CPO

- Name : Lee Doo-soon

- TEL : 82 31 270 1703

- Email : [email protected]

Please contact the following agencies to report infringements of the privacy policy or for privacy policy inquiries.

• 1. KISA (http://privacy.kisa.or.kr/TEL : 118)
• 2. National Information Society Agency (http://eng.nia.or.kr/TEL : 02-2131-0114)
• 3. MOGAHA (http://privacy.go.kr/TEL : 02-2100-1737)

• - Date of Public Notification : August 30, 2018.
• - Date of Enforcement : August 30, 2018.

3. Image Processing System Operation and Management Policy

01. Grounds for and Purpose of Installing an Image Processing System

The purpose of the Image Processing System Operation and Management Policy (hereinafter referred to as "the Policy") is to ensure the proper performance of work and help guarantee the rights of citizens. It specifies the matters that Doosan Mobility Innovation Co., Ltd. (hereinafter referred to as "the Company") must comply with in relation to the installation and operation of image processing systems and the protection of personal image information in accordance with Article 25 of the Personal Information Protection Act.

02. Personal Information Protection Principles

The Company will collect the minimum amount of personal image information necessary to install the image information processing system. It will make it possible for the information subject to clearly recognize the purpose of the installation, and where personal image information has been used for purposes other than those stated. The Company strives to manage personal image information securely by ensuring that the information is accurate and up-to-date, that general matters related to the processing of personal image information are disclosed, and in a way that guarantees the rights of those whose personal image information is being processed.

03. Appointment of Person in Charge

The following manager, department, and coordinator are responsible for the secure management of personal image information.

• - Manager : Lee Doo-soon
• - Department : Business Execution Team
• - Coordinator : Kim Ji-young (the person responsible for installation and operation of image information processing systems)

04. Image Processing System Installation

The number of image processing systems to be installed, their locations, and their recording ranges are described below.

• - Number of image processing systems : Eight (eight fixed types)
• - Locations of image processing systems : Company entrance and laboratory, office, production facilities, etc.
• - Recording range of image processing system : Company entrance, passageway, laboratory, office, production facilities, etc.

05. Installation of Signs

The company takes necessary measures, such as the installation of signs with the following information so that people can easily recognize that the video information processing device is installed and operating.

• - Purpose and location of installation, recording range and time, and name, position, and contact of manager in charge
• - Name and contact of the person in charge of installation and management if they are outsourced

The location and size of the sign are described as follows.

• - Installation location : Entrance of building, Entrance, Office and laboratory entrance, Facility entrance etc.
• - Size : 40ⅹ30cm (may be changed according to the condition of the installation site.)

06. Claim of Access, etc. by Information Subject

An information subject can demand to access and check the existence (hereinafter referred to as “access, etc.”) of his or her personal image information processed by the Company.

Request Form (Personal Visual Information)

When the Company receives a claim for access, etc., the Company must take necessary measures without delay. In such a case, the Company can confirm the identity of the person who made the claim for access, etc. or the person’s legal representative by checking the identification document, such as the resident registration card, driver’s license, or passport.

The Company can refuse a person's demand for access, etc. to his or her personal image information in the following case
and by notifying the person of the reason for refusal and the way to object it in writing within 10 days.

• - The personal image information is destroyed once its retention period has passed.
• - There is a rightful reason to refuse the demand for access, etc. by the person.

07. Recording Time, etc. of the Image Information Processing System

The recording time, storage period, and storage location of image information are described as follows.

• - Recording time : 24 hours
• - Storage period : 15 or 30 days
• - Storage location : Within the CCTV inside the warehouse

08. Management of Image Information

The following information is recorded and managed in a "Personal Image Information Management Ledger" if the personal image information is used for purposes other than that of collection or provided to a third party by the consent of the information subject or regulations,.

• - Name of personal image information file
• - Name of the person using or receiving the information
• - Purpose of using or providing the information
• - Legal grounds, if available, for using or providing the information
• - The period, if available, of using or providing the information
• - Method of using or providing the information

• Destruction of personal image information is recorded and managed in "Personal Image Information Management Ledger".
• - Destroyed personal image information
• - Date and time of the destruction of the personal image information (destruction interval if the automatic destruction is set to a preset interval)
• - Person in charge of destruction of personal image information

09. Storage and Destruction

The Company destroys any personal image information it has collected when the retention period stated in this policy has expired.
However, the Company does not destroy the personal image information if there are special regulations in other laws.

The method of destroying personal image information is described as follows.

• - The outputs (photo, etc.) recorded with personal image information are shredded or incinerated.
• - Personal image information in the form of an electromagnetic (EM) file is permanently deleted by a technical method that cannot be restored.

10. Technical, Managerial, and Physical Measures

• - The Company limits access authority of the personal image information collected and processed by the image information processing device to the minimum number of designated persons, such as the manager in charge and the person in charge of the task.
• - The Company designates the area where the personal image information transmitted by the image information processing system is accessed and played as the restricted zone and controls access and playback by unauthorized persons.
• The Company changes or revokes the authorization without delay if the access right is changed due to personnel changes, such as transfer and retirement.
• The Company takes measures, such as password setting, to ensure safety by preventing loss, theft, leakage, alteration, or damage of image information if the Company processes personal image information or transmits/receives personal image information files.
• The company regularly checks the operation of the image information processing system in order to prevent alteration or falsification of personal image information.

• Date of Public Notification : August 30, 2018.
• Date of Enforcement : August 30, 2018.