"Personal Information" refers to information of living individual, (i) information that allows an individual identifiable by name, Resident Registration number, video, etc., (ii) not discernable by the given information, but easily combined with other information to identify someone, and information that cannot be recognized without the use or combination of additional information to restore (i) or (i) to its original state by aliasing information.

The "Personal Information Protection Act" provides general norms for the processing of personal information, and the company shall treat personal information collected, retained, and processed in accordance with the provisions of the "Personal Information Protection Act" legally and appropriately to protect the rights and interests of data subjects.

The company processes personal information for the following purposes. The processed personal information shall not be used for any other than the following purposes.

1. Reservation via website, Registration to SOTETSU HOTELS
   • Reservation via website, registration to SOTETSU HOTELS through dedicated application, delivering information forwarding services
   • Securing communication channels for related services such as identification, cancellation, refund, etc.
2. Room Accommodation Information
   • Identification and verification of the person according to the room reservation.
   • Securing smooth communication channel for the delivery of announcements, handling complaints, etc.
   • Service delivery
3. Employee Recruitment
   • Support, selection, certificate verification, test performance verification of applicants, aptitude test, medical examination, answers, and guidance on inquiries from candidates for employment, etc.
   • Process of staff recruitment.

To the minimum extent necessary to achieve the purpose of collection and use, the company collects personal information by the website, written form, fax, telephone, email, etc.

1. Reservation via website, Registration to SOTETSU HOTELS
   • Required Items: Mail address, name, phone number, credit card information
2. Room Accommodation Information
   • Required Items: Name, phone number, date of birth, email address, gender, passport number, nationality, credit card information
   • Optional: Workplace name
3. Employee Recruitment
   • Required Items: Photo, name, date of birth, phone number, email address, address, educational background, career, foreign language skills, military service, qualification, self-introduction, health information.

When collecting personal information, the company shall promptly destroy the personal information when the period of retention and use of personal information has expired or where the purpose of collecting and using personal information is no longer required. The personal information of users who have not used the service for a year shall be separately stored and managed regardless of whether the purpose is achieved or not. However, if it is necessary to preserve users' personal information under the provisions of related Acts and subordinate statutes, the company shall protect personal information for a certain period prescribed by the relevant statutes as follows and shall not use it for any purpose other than the purpose under such statutes.

When the company collects personal information from uses, the retention period and use of personal information agreed by the company shall be as follows.

1. Reservation made through the website and personal information on membership of SOTETSU HOTELS: 3 years
2. Personal information related to room accommodation: 3 years
3. Personal information collected at the time of recruitment: 6 months

The period during which the company holds and uses personal information in accordance with the relevant statutes is as follows.

1. Records of withdrawal of contracts or subscriptions, etc.
   • Retention period: 5 years
   • Reasons for preservation: The Consumer Protection Act in Electronic Commerce, etc.
2. Records of payment and supply of goods, etc.
   • Retention period: 5 years
   • Reasons for preservation: The Consumer Protection Act in Electronic Commerce, etc.
3. Records on the handling of consumer complaints or disputes.
   • Retention period: 3 years
   • Reasons for preservation: The Consumer Protection Act in Electronic Commerce, etc.
4. Website visit history
   • Retention period: 3 months
   • Reason for Preservation: Communication Secret Protection Act

1. The company shall not provide personal information to any third party without the consent of the data subject. However, exceptions are made in the following cases.
   1. Where the data subject agrees in advance
   2. Where there is a special provision in the Act
2. With the consent of the data subject, the company provides personal information to third parties as follows.

1. Destruction Procedures When personal information is no longer necessary, such as when the retention period has expired or the purpose of processing has been achieved, the personal information will be promptly destroyed.
   Personal information will not be used for purposes other than those for which it was collected, unless required by law.
2. Disposal method Personal information printed on paper will be destroyed by shredding or incineration, and personal information stored in electronic file format will be deleted using technical methods that make it impossible to reproduce.

In order to fulfill our services, we outsource the processing of personal information to external specialized organizations as follows. We will contractually obligate the outsourced companies to manage your personal information appropriately in the same way as we do.

[Domestic trustee]
Contracted business: Hotel management system Contractor: SANHA

[Foreign Trustee]
Commissioned work: Website reservation management system Contractor: D-Edge Hospitality Solutions Pte Ltd

Entrusted work: Member management system
Trustee: CREANSMAERD

1. Rights and Obligations of the Data Subject The data subject or their representative may exercise the following personal information protection rights at any time in relation to the personal information of the data subject or the data subject under the age of 14 processed by our company.
   1. Request for the perusal of personal information
   2. Request for correction and deletion of personal information
   3. Request for suspension of personal information processing
   4. Request for withdrawal of consent for personal information
   If there is a request for correction or deletion of personal information, such as an error in personal information from the data subject and its representative, the company shall not use or provide the relevant personal information until the correction or deletion is completed.
2. How to request viewing, correcting, deleting, suspending processing, or withdrawing consent for personal information If the information subject or their representative wishes to request viewing, correcting, deleting, suspending processing, or withdrawing consent for personal information, they should contact the personal information protection officer by telephone, email, fax, etc. Upon receiving the request, we will respond to the request in good faith and process it immediately.
   If the above request is made through a representative of the information subject (legal representative, delegated person, etc.), a power of attorney in accordance with Form 11 of the Notice on Personal Information Processing Methods must be submitted.

1. Establishment and implementation of an internal management plan for the safe processing of personal informationWe have created and are managing an internal management plan for the safe processing and management of personal information.We also implement personal information management measures, such as limiting the number of people who handle personal information by restricting the authority of those who process personal information and minimizing the number of such people.
2. Location control and Location authority restriction measures for personal information We take necessary measures to restrict access to personal information by granting, changing, and deleting Location authority to the Location that processes personal information, and we use an intrusion prevention system to prevent unauthorized Location from outside.
3. Application of encryption technology or equivalent measures to safely store and transfer personal information Personal information is encrypted before it is stored and managed, and is also safely managed using separate security features when it is transmitted.
4. Measures to store connection records and prevent forgery and alteration in response to personal information infringement incidents We store and manage connection records to the personal information processing system for at least one year, and use security features to prevent the connection records from being forged, altered, stolen, or lost.
5. Installation and updating of security programs for personal information In order to prevent the leakage, loss, or damage of personal information due to unauthorized Location or computer viruses, etc., we have introduced security programs and periodically update and inspect them. We also install systems in areas with restricted access from outside to monitor and block them technically and physically.
6. Physical measures such as providing storage facilities or installing locking devices to safely store personal information Documents containing personal information and auxiliary storage media are stored in a secure location with a locking device.

The company uses "cookies" that store and retrieves user information frequently. Cookies are tiny text files sent to your browser by servers operating your company's website, stored on your computer's hard disk.

1. Purpose of using cookies Cookies are used to understand the frequency of users' Location, usage patterns, popular search terms, whether or not security is enabled, etc., and to provide users with information optimized for their needs.
   Cookie information can identify a user's computer, but cannot identify an individual user.
2. How to reject cookie settings Users have the right to choose whether or not cookies are installed. Therefore, by changing the options settings in the Tools > Internet Options menu at the top of your web browser, you can allow all cookies, display a warning when a cookie is received, or reject cookies.
   However, if you refuse to accept cookies, you may not be able to use all or part of the services provided on our website.

1. Personal Information Protection Officer In order to protect personal information and handle complaints regarding personal information, we have designated the following personal information protection officer and practitioners:
   1. Personal Information Protection Officer Name: Yoshizawa Koji TEL: 02-2095-4950
      ・E-mail address: yoshizawa_k@splaisir.com
   2. Personal Information Protection Officer ・Department: Management Department ・Name: Lee Hyung-kwon ・TEL: 02-2198-1254
      ・E-mail address: lee_hk@splaisir.com
2. In order to receive relief for infringement of personal information, the data subject may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency's Personal Information Infringement Reporting Center, etc. For Others reports and consultations on personal information infringement, please Contact the following institutions.
   1. Personal Information Violation Reporting Center (operated by the Korea Internet and Security Agency)
      ・Services: Reporting personal information violations, applying for consultations ・Website: privacy.kisa.or.kr
      ・TEL: 118 (no area code)
      Address: (58324) 3rd floor, Personal Information Violation Reporting Center, 301-2, Bitgaram-dong, 9 Jinheung-gil, Naju-si, Jeollanam-do
   2. Personal Information Dispute Adjustment Committee - Jurisdiction: Personal Information Dispute Adjustment Application, Collective Dispute Adjustment (Civil Resolution)
      ・Website: www.kopico.go.kr
      ・TEL: (no area code) 1833-6972
      Address: (03171) 4th floor, Government Complex Seoul, 209 Sejong-daero, Jongno-gu, Seoul
   3. Supreme Prosecutors' Office Cybercrime Investigation Team Website: www.spo.go.kr
      ・TEL: 02-3480-3573
   4. National Police Agency Cyber ​​Security Bureau Website: cyberbureau.police.go.kr
      ・TEL: 182 (no area code)

This Personal Information Processing Policy will be applied from the effective date.

Publication date: October 1, 2019 Effective date: October 1, 2019