1. General Provisions

<Hyundai Motor Company (hereinafter referred to as "the Company")> establishes and discloses its privacy policy to protect customers' personal information in accordance with Article 30 of the Personal Information Protection Act and to facilitate prompt addressing of related complaints.

2. Purposes of Processing Personal Information, Processed Items, Period for Retaining and Using Personal Information

1) The Company processes personal information as follows for the purposes listed below. The Company processes and retains personal information within the period for retention and use required by applicable law or the period that customers agreed to at the time of collection. The personal information processed will not be used for purposes other than those stated below, and if there are changes to the purpose or the collected items, separate consent will be obtained in accordance with Article 18 of the Personal Information Protection Act.

2) Despite the above retention period, if the Company is obligated to retain customer's personal information under the provisions of relevant laws such as the Commercial Act, the Company will retain the information accordingly. In this case, the Company will only use the personal information for those retention purposes, and each retention period required by law are as follows:

① Important documents related to Company's commercial books and business, and information related to vouchers: 10 years for important documents / 5 years for vouchers (Commercial Act)
② All books related to transactions and information related to proof documents: 5 years (Framework Act On National Taxes , Corporate Tax Act)
③ Records on contracts, withdrawal of offer, payment and supply of goods: 5 years (Act on Consumer Protection in Electronic Commerce, etc.)
④ Records related to consumer complaints or dispute resolution: 3 years (Act on Consumer Protection in Electronic Commerce, etc.)
⑤ Books and tax invoices or receipts issued: 5 years (Value-Added Tax Act)
⑥ Service usage records, access logs, access IP information (Protection of Communications Secrets Act): 3 months

3. Procedure and Method of Personal Information Destruction

1) The Company, unless required by other laws to retain personal information, promptly destroys personal information that has become unnecessary to retain due to such events as expiration of the retention period and achievement of the processing purpose.

2) When the Company still needs to retain the personal information under other laws even after the retention period that the customer agreed to has expired or the purposes of processing the personal information has been achieved, the Company moves the personal information to a separate database or stores it separately (for the paper documents, in a separate file cabinet). Personal information moved to a separate database is not used for purposes other than purposes for retention, unless required by law.

3) The destruction process and the destruction method of personal information are as follows:

① Destruction Process:

The Company selects personal information subject to destruction, or promptly destroys personal information when the purpose of using personal information is achieved or the period for retention and use expires. If the personal information is retained according to other related laws, it is destroyed immediately after the required period.

② Destruction Method:

Personal information recorded and stored in electronic form is destroyed in a way that prevents reconstruction, and personal information recorded and stored on paper documents is shredded or incinerated.

③ Measures for Destruction of Personal Information of Non-Users

(1) The accounts of the users who have not used the service for 6 months will be turned inactive, and will be destroyed if there is no login activity for 18 months.
(2) The Company, at least 30 days before conversion, notifies users whose accounts will be turned dormant, of the fact that their accounts will be separately stored, the date of conversion to the dormant account, and the personal information items that are separately stored, via email, text messages, or such other means by which users can be notified.
(3) If users do not wish to have their accounts turned dormant, they can log in to the service before conversion. Even if the account has already been turned dormant, users can still log in, restore the dormant account, and use the service with user’s consent by logging in.

4. Consignment of Personal Information Processing

1) To facilitate processing personal information, the Company consigns personal information processing tasks as below:

2) In order to monitor whether the consignee safely processes personal information, the Company specifies in documents as contracts on prohibiting the consignee from processing personal information beyond the purpose of performing consigned tasks, technical and managerial protective measures, restrictions on re-consignment, management and supervision of the consignee, liabilities for damages, according to Article 26 of the Personal Information Protection Act.

3) If there are any changes to the consigned tasks or to the consignee, the Company will promptly disclose such changes via this privacy policy.

5. Providing Personal Information to Third Parties

The Company processes the personal information of data subjects only within the scope specified in '2. Purposes of Processing Personal Information, Processed Items, Period for Retention and Use of Personal Information', and provides personal information to third parties only when it complies to Articles 17 and 18 of the Personal Information Protection Act such as when there is a consent from the data subject or specially required by law.

6. Measures to Ensure the Security of Personal Information

Measures to Ensure the Security of Personal Information

The Company implements the following technical and managerial measures to secure customers' personal information and prevent its loss, theft, leakage, alteration, or damage:

1) Technical Measures

① Encryption of Customer Information: When storing such personal information as personally identifiable information and card numbers that requires encryption under law, the company makes sure that the personal information is encrypted and then stored in the DB so that the personal information cannot be utilized even if it is leaked by external cyber intrusion.
② Encryption of Transmission: For sections such as membership registration or login where customers enter their personal information via website, the Company implements SSL or similar encryption protocols to ensure that customer information is transmitted safely.
③ Installation of Security Solutions: The Company installs antivirus programs, performs regular updates and periodic inspections on personal information processing systems. The Company also applies DB access control solutions and screen capture prevention solutions when necessary. Furthermore, the Company installs intrusion prevention/detection systems to prepare for external intrusions like hacking. The Company also conducts continuous monitoring for hacking and external intrusions through an Integrated Security Operations Center (SOC).

2) Managerial Measures

① Establishment of Personal Information Management System: The Company has internally established personal information management system to safely manage personal information.
② Operation of Personal Information Protection Committee: The Company formed Personal Information Protection Committee and holds meetings at least once a year. In these meetings, the Company takes efforts to improve and respond to issues regarding the operation of the personal information management system and personal information protection.
③ Management of Personal Information Handlers: Personal information handlers, who process customer's personal information, are required to submit a personal information protection undertaking. The company also conducts personal information protection training on the personal information handlers at least once a year to emphasize the importance of customer’s personal information and ensure its safe management. Furthermore, by managing personal information handler’s authority, the Company is working hard to minimize unnecessary access and exposure to the customer's personal information.

7. Matters related to installation, operation and refusal of automatic personal information collection devices

1) The Company uses ‘cookies’ to store usage information and retrieve it from time to time in order to provide individualized services to users.

2) Cookies are a small amount of information that the server (http(s)), which is used to run the website, sends to the user's computer browser and the cookies are sometimes stored in the hard disk of the user's PC computer.

① Purpose of using cookies: Cookies are used to provide optimized information to users by identifying visiting and usage patterns, secure access, etc. for each service and website visited by the user. Customers can choose whether to install cookies or not by setting options in the web browser. Customers may choose either to allow all cookies, request confirmation each time a cookie is saved, or refuse to save all cookies.
② Installation, operation, and rejection of cookies: By selecting cookie options, you can either allow all cookies by selecting the option of the web browser you use, request confirmation each time you save cookies, or refuse to save all cookies.
※ Example of setting method
(Internet Explorer) : Tools at the top of the web browser > Internet Options > Personal Information > Settings
(Microsoft Edge) : Settings at the top of the web browser > Cookies and site permissions > Management and deletion of cookies and site data
(Google Chrome) : Settings at the top of the web browser > Privacy and security > Cookies and other site data > Select setting method
③ However, if you refuse to store cookies, you may have difficulty using part of the services that require login.

8. Rights and Obligations of Customers and Legal Representatives, and Exercising Methods

1) Customers or legal representatives (if the customer is under 14 years old) have the right to withdraw (terminate membership) their consent to collection, use, and provision of personal information by the Company at any time and to exercise those rights such as requesting for accessing, correcting, deleting, and demanding suspension of processing of personal information.

2) Customers or legal representatives can exercise aforementioned rights online on homepage by accessing the personal information management menu after identification process. They can also contact the customer center or the personal information protection officer and the staff of in written document, telephone, or email, and the Company will promptly respond to such requests.

3) The rights stated in the clauses 1) and 2) above can also be exercised by a legal representative or a delegate. In such cases, a power of attorney, in the format of Form No. 11 of the "Guidelines on Personal Information Processing Methods (No. 2023-12)" must be submitted.

4) Requests for access to personal information and the suspension of its processing may be limited under Articles 35(4) and 37(2) of the Personal Information Protection Act.

5) Requesting for the correction and deletion of personal information is not permitted if the relevant laws require the personal information to be collected.

6) Upon the request stipulated in clause 1), the Company verifies whether the person who has made the request is a data subject himself or a legitimate representative.

7) If a customer requests the Company to correct the errors of the customer’s personal information, the Company will not use or provide that personal information until the error is corrected. If the personal information has already been provided to a third party, the Company will promptly notify the third party to ensure it is corrected.

8) If a customer or a legal representative withdraws consent (terminates membership), the Company, in principle, will destroy the personal information without delay. However, if any applicable law requires its retention, the Company will process it in accordance with the ‘Period for Retaining and Using Personal Information’ specified in the Article 2 of this privacy policy, ensure its access or use only when necessary.

9. Remedies for Infringement of Customer Rights

Customers may inquire following institutions to seek remedies and legal advice regarding personal information infringement. These institutions are separate entities from the Company, and if customers are not satisfied with the Company's internal processes for addressing personal information complaints or need more detailed assistance, please contact following institutions:

Personal Information Infringement Report Center (Operated by Korea Internet & Security Agency)

Duties: Reporting personal information infringement, requesting counseling
Website: privacy.kisa.or.kr
Phone: 118 (no area code needed)

Personal Information Dispute Mediation Committee

Duties: Applying for personal information dispute mediation, group dispute resolution (civil resolution)
Website: www.kopico.go.kr
Phone: 1833-6972 (no area code needed)

Supreme Prosecutors' Office : 1301 (no area code needed) (www.spo.go.kr)

National Police Agency : 182 (no area code needed) (ecrm.police.go.kr)

10. Chief Privacy Officer, Manager in Charge and Relevant Department

1) We appoint a Chief Privacy Officer (CPO) to oversee the overall processing of personal information within the Company and to address customer complaints and advice about the remedies related to processing the personal information.

2) Customers using the service (or business) may contact the CPO and relevant department regarding any inquiries, complaints, or remedies related to personal information protection issues that arise while using the service. The Company will promptly respond to and address them. ※ However, please note that emails sent for purposes other than personal information protection inquiries, complaints, and damage-related matters may not receive a reply or be processed. Furthermore, advertising emails for commercial purposes sent without the consent of the manager in charge may be subject to actions such as reporting to the relevant authority according to the articles 50 to 50-8 of the "Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc."

11. Guidelines on Sending Advertisement

1) The Company does not send advertisement for commercial purposes without the prior consent of customers.

2) When the Company sends advertising information for such commercial purposes as promotion of new car release or notifying events, it is sent only to those customers who have given prior consent for receiving such advertising information.

3) The Company takes following measures when using electronic transmission media to send advertising information, according to the Articles 50 to 50-8 of the "Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.":

- Electronic transmission methods: mobile phone text messages, emails, faxes, and other electronic transmission media

① Indicate "(Advertisement)" in front of the title
② Transmitter's name and contact information
③ Display of a number for free unsubscription

4) The Company, every 2 year from the day the customer agreed to receive advertisement, checks whether the customer agrees to receiving advertisement. If customers do not make any choice, their consent to the advertisement remains unchanged.

5) The Company does not transmit advertisement by electronic transmission media from 9:00 PM to 8:00 AM the following day.

6) However, the following messages sent by electronic transmission media is are not considered as advertisement:

- Information related to the performance of contracts executed between the Company and customers
- Responses to information requested by customers (e.g., quotations, car catalogs, newsletters)
- Such matters related to vehicle safety and quality that the Company must notify according to relevant laws.

※ The methods of withdrawing consent for receiving advertisement are as follows:
Choose to refuse receiving advertisement on the "My Page" site of each homepage, Automatic refusal by ARS : 080-656-6000 (Free of charge), Unsubscribe by calling customer service center : 080-600-6000 (Free of charge)

12. Revision of Privacy Policy

Prior to adopting the revised privacy policy, the Company will announce in advance any changes made to this privacy policy and reasons for change by such ways as posting on the landing page or on a separate pop-up. This privacy policy is in effect as of July 10, 2024.