Personal Information Protection Policy (For Samsung KNOX)

Samsung Electronics Co., Ltd (hereinafter referred to as "Company") places emphasis on the user's privacy and endeavors to observe the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. and Personal Information Protection Act. The Company informs users about how and for what purpose the Company uses the personal information that the user provides, as well as what measures the Company takes to protect this personal information through the Data Protection Policy. This policy shall be enforced on and after December 15, 2014 and if this policy is amended the Company will announce this via a notice on its website (or individual notice by way of written notification, email, phone call, SMS, etc.).

0. General Provisions

The term "personal information" refers to information pertaining to a living person, including their full name, social security number, etc., by which the individual in question can be identified (including information by which the individual in question cannot be identified but can be identified through simple combination with other information).

The Company places emphasis on protecting users' personal information and observes the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. and Personal Information Protection Act. The Company informs users about how and for what purpose the Company uses the personal information that the user provides, as well as what measures the Company takes to protect said personal information by means of this Data Protection Policy.

The Company takes measures to enable users to easily view this Data Protection Policy by making it available on the home page of http://eula.secb2b.com/eula/en. The Company is establishing the procedures necessary to amend this Data Protection Policy in order to constantly improve it.
The Company also enables the user to easily identify amended contents by assigning a version number, etc.

1. Items of Personal Information to Be Collected and Collection Methods

(1) Items of Personal Information to Be Collected

When a user signs up or uses the service for the first time, the Company collects the personal information stated below:

ο Samsung KNOX service
① Requirements
□ Samsung KNOX License Key, "IMEI" or "Serial Number" or "MAC address" in hashed form, MODEL description of your mobile device, Android OS Version / Build Number, MCC (Mobile Country code), MNC (Mobile network code), Country ISO code, CSC code (customer software configuration), Client Timezone, KNOX SDK Version, KNOX SDK API usage time / frequency, Package name / version / hash data of B2B Application which uses KNOX SDK, Samsung KNOX Container ID / status / activation time / entrance count.

ο Update service for Security Enhanced for Android policies
① Requirements
□ Your device's unique identification number, model name, customer code, access records, your device's current software version, MCC (Mobile Country Code), MNC (Mobile Network Code)

※ The Company shall not collect sensitive information (i.e. information on thoughts/beliefs, affiliation/disaffiliation with a union/party, political opinions, health, sexual life, etc.) which would significantly invade the user's privacy.

※ If the user is a minor under the age of 14, the Company shall not, in principle, collect their personal information. If the Company must collect personal information from a minor under the age of 14 for service use, the Company shall obtain prior approval from his/her legal representative, destroy the said information without delay on completion of the related work, and fully control the said information while the work is in progress.

(2) Method of Collecting Personal Information

– If a user uses the KNOX service and update service for Security Enhanced for Android policies, personal information will be automatically collected.

※ The Company provides a procedure by which a user may select to "Agree" or "Disagree" on each item of content in the Consent Form for Collection/Use of Personal Information.

2. Purpose of Collecting and Using Personal Information

The Company shall use the personal information collected in connection with the following purposes:

ο Samsung KNOX service
① Service Provision – Verification and activation of product licenses
② Improvement and analysis of products and services – Improvement of products and services, as well as demographic analysis

ο Update service for Security Enhanced for Android policies
① Service Provision – Activation in the case of a new policy update
② Improvement and analysis of products and services – Improvement of products and services, as well as demographic analysis

3. Retention and Use Period of Personal Information

The Company shall destroy the relevant information without delay when the purpose of collecting and using the personal information has been fulfilled. However, if the information must be preserved in accordance with the provisions of relevant laws and regulations, the Company will retain said information for the period of time as prescribed by said laws and regulations. In this case, the Company will use a separate database or other storage location to preserve the said personal information.

Retention Item | Retention Period | Legal Basis
Records regarding contracts, cancellations, etc. | 5 Years | Act on Consumer Protection in E-Commerce Transactions, etc.
Records regarding payments, provision of goods, etc. | 5 Years | Act on Consumer Protection in E-Commerce Transactions, etc.
Records regarding customer complaints or dispute resolution | 3 Years | Act on Consumer Protection in E-Commerce Transactions, etc.
Records regarding collection, processing, use, etc. of credit information | 3 Years | Use and Protection of Credit Information Act
Records regarding display/advertising | 6 Months | Act on Consumer Protection in E-Commerce Transactions, etc.
User's Internet log information, etc./tracking of a user's connection locations | 6 Months | Protection of Communications Secrets Act
Verification information relating to other communications | 3 Months | Protection of Communications Secrets Act

4. Procedures and Methods for Destroying Personal Information

The procedures and methods for destroying personal information shall be as follows:

(1) Destruction Procedures

The user's personal information shall be moved to a separate database (or a separate filing cabinet in case of hard copy records) once their purpose has been fulfilled, and destroyed after being stored for a certain amount of time in accordance with data protection regulations prescribed by internal policy and other related laws and regulations. Personal information that is moved to a separate database shall not be used for any purpose other than storage, unless otherwise prescribed by the laws and regulations.

(2) Destruction Method

Personal information saved in an electronic file format shall be deleted using a technical method which does not allow any reproduction. Personal information which is printed on paper shall be shredded using a shredder or incinerated.

5. Supplying Personal Information to a Third Party

In principle, the Company shall not provide users' personal information to any third party. However, the following circumstances shall be deemed as exceptions:

– If an investigative agency requests the personal information for the purposes of investigation in accordance with the provisions of related laws and regulations, or procedures and methods prescribed by said laws and regulations.
– If the personal information is required in order to collect fees for the provision of charged services.
– If the personal information is processed and provided for producing statistics, academic research or market research in a form in which a specific individual may not be identified.
– If a user consents to the information being disclosed in advance.

If a user's personal information, other than the contents stated above, is provided or shared, said information shall be provided using procedures for obtaining a separate user consent for such use.

6. Users' and Legal Representatives' Rights and Methods for Exercising Rights

With respect to users' personal information, the user—or legal representative if a user is a minor under the age of 14—may at any time request to view/correct/delete/cease processing/withdraw consent for the personal information. The Company will take action without delay, if the user or legal representative calls telephone number 1588-3366 or contacts the person responsible for managing personal information in writing, by phone or by email.

The Company may refuse to inspect/correct/delete all or part of the personal information in the following circumstances:

– If laws and regulations prohibit or restrict viewing.
– If there are concerns that another person's life or well-being would be at risk or another person's property or other interests would be unjustly infringed upon.

2. If a user requests errors in their personal information to be corrected, the Company shall not use or provide the personal information to a third party until the correction is complete. If the Company has already provided the personal information to a third party, the Company shall notify the third party of the results of the correction without delay.

The Company shall process personal information which is deleted/suspended at the request of a user or a legal representative in accordance with "3. Retention and Use Period of Personal Information." The Company shall not inspect or use the personal information for purposes other than those stated.

Please enter the correct and up-to-date personal information. The user shall be held responsible for any incident which takes place due to incorrect information entered by the user, and membership may be terminated for a user who enters false information, or uses someone else's personal information without permission, etc.

The user has the right to their privacy being protected, as well as being obligated to protect themselves and not infringe upon the privacy of others. Please make sure that users' personal information, including passwords, is not leaked and users will not damage the privacy of others, including their posts. If the user fails to fulfill these obligations and damages the privacy of others, the user may be punished under the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. or any other applicable laws.

7. Installation, Operation and Refusal of Device to Collect Personal Information Automatically (This only applies if the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. applies)

The Company shall use "cookies," etc., which save and search users' personal information from time to time. A "cookie" is a very small text file that is sent to the user by the server used to operate the Company's website, and is saved to the user's computer hard disk.

(1) Purpose of Using Cookies, etc.

Implementing the automatic login function; Analyzing the connection frequency or visit times of members and non-members; Understanding users' preferences and areas of interest, as well as tracking; Targeted marketing and personalized services through understanding, etc. of various event participation and visiting counts.

(2) Refusing Cookie Installation

A user may have the option to accept or refuse the use of cookies. Thus, the user may allow all cookies, verify whenever a cookie is installed, or refuse to save all cookies using the settings in their web browser.
However, if the user refuses to accept cookies, there may be difficulty in providing services.

– Method for installing a cookie (if the user uses Internet Explorer 8.0): Select "Internet Options" from the "Tools" menu and click on the "Privacy" tab. Configure the cookie permission level using "Configuration."
– Method for viewing a received cookie (if the user uses Internet Explorer 8.0): Select "Internet Options" from the "Tools" menu. Verify a cookie using "View File" in "Configuration" of "Search Record" by clicking on the "General" tab.
– Method for refusing cookie configuration (if the user uses Internet Explorer 8.0): Select "Internet Options" from the "Tools" menu. Click on the "Privacy" tab. Set the configuration to "Block All Cookies," which is a higher level, using "Configuration."

9. Policy on Handling of Other Personal Information

(1) Technical and Administrative Measures for Protecting Privacy

The Company has the following technical and administrative measures in place in order to ensure security so that personal information is not lost, stolen, leaked, altered or damaged when being processed:

– Establishment and Implementation of Internal Management Plans
ㆍThe Company has established and implemented internal management plans in order to securely process personal information.
ㆍThe Company verifies the implementation of privacy protection measures through a dedicated internal task-force for privacy protection and compliance. If a problem is found, the Company immediately takes corrective action.

– Installation and Operation of an Access Control Device
ㆍThe Company controls unauthorized access using an intrusion detection system and endeavors to possess all possible technical devices in order to ensure system security.

– Measures to Prevent Forgery or Falsification of Connection Records
ㆍThe Company stores and manages records of connections to the personal information processing system and uses a security function to prevent forgery or falsification of connection records.

– Encryption of Personal Information
ㆍThe users' personal information is protected by a password, and files and transmission data are saved and managed by encryption or a file lock function. Furthermore, important data are protected by a separate security function.

– Protection against Hacking, etc.
ㆍThe Company takes measures to prevent damage caused by computer viruses using antivirus programs. The Company periodically updates the antivirus programs. If a new virus emerges, the Company prevents such virus infringing upon privacy by providing a vaccine as soon as a vaccine is found.
ㆍThe Company has adopted SSL which can securely transmit personal information over a network using encryption algorithms.
ㆍThe Company ensures security by using an intrusion detection system and vulnerability analysis system in each and every server in order to defend against intrusion, such as hacking, etc.
ㆍThe Company does not mix personal information with ordinary data, and stores them on separate servers.

– Minimization and Training of Handling Personnel
ㆍThe Company restricts access to users' personal information to the following persons only: a person to perform marketing; a person to perform personal information management tasks, etc.; other persons who must handle personal information as part of their duties.
ㆍThe Company implements regular in-house and outsourced training for employees handling personal information with regard to learning about new security technologies and privacy protection obligations.
ㆍThe Company prepares internal procedures to prevent information being leaked through ensuring that each and every employee signs a security oath when they join the Company and monitoring the enforcement of privacy protection policy and the employee's compliance with the policy.
ㆍThe Company ensures that tasks of those handling personal information are handed over in such a way that security is fully maintained. The Company also clarifies responsibilities for personal information accidents when employees join and leave the Company.
ㆍThe Company has designated a computer room and an archive as specially protected areas with controlled access.

(2) Policy on Provision of Link Site

The Company may provide the user with a link to another company's website or information, and use products and services that a third party has developed through Samsung services (e.g., if a user downloads and uses an application that a third party has developed through Samsung Apps). In this case the Company cannot be held responsible for or guarantee the usefulness of products and services or data that a third party has provided since the Company has no control over such third-party sites, data, products and services. If a user moves to another company's website by clicking a link in the Company's website, the privacy policy of the third-party site is independent from the Company. Therefore, please view the policy belonging to the third-party website.

(3) Policy on Posting Management

The Company endeavors to protect users' posts from falsification, damage or deletion. However, this protection does not apply to the following:

– Spam posts
– Posts damaging the reputation of others by spreading false information for the purpose of slander
– Posts disclosing the identity of others without permission
– Posts infringing upon rights, such as intellectual property rights, etc. of the Company or a third party
– Other posts not in keeping with the subjects of bulletin boards

If a user discloses the identities of others without permission, the Company may delete or amend a specific part of the board, etc. in order to create a desirable bulletin board culture. If a post contains contents that may be transferred to another bulletin board, the Company may prevent misunderstanding by suggesting a transfer. In other cases, the Company may issue an express or individual warning and then delete the relevant post.

In principle, all rights and responsibilities for a post rest on the author. Also, since information that is voluntarily disclosed through a post is difficult to protect, users should carefully consider the information prior to posting.

(4) Policy on Refusal of Email Collection without Permission

The Company does not allow email addresses which are posted to be collected without permission through an email collection program or other technical devices. If a user violates this, he/she may be punished in accordance with the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. and other laws and regulations.

(5) Transmission of Advertising Information

The Company shall not transmit advertising information for profit-making purposes if the user has explicitly requested to opt out of receipt. If a user has given their consent to receiving emails concerning product information, newsletters, etc., the Company makes them easily identifiable by indicating the following in the titles and bodies of such emails.

– The Company may not advertise in the title of an email and must describe the main contents of the email in the subject line.
– The Company specifies the name, email address and phone number of the sender in the body of the email, through which users may express their intention to stop receiving such emails.
The Company also specifies a method through which the user may easily express their intention to stop receiving such emails.

If the Company transmits advertising information for profit-making purposes via media such as fax, text messaging, etc. rather than email, the Company takes the necessary measures, such as stating "advertisement" at the beginning of the transmitted contents, in accordance with relevant laws and regulations.

10. Details of the Privacy Manager and Customer Services Department

The Company designates a department and a person to be responsible for managing personal information in order to protect users' privacy and handle any complaints related to privacy.

(1) Customer Services Department

– Customer Services Department: Samsung Electronics Mobile Communication Division B2B Development Team
– Phone: 1588-3366
– Contact: support@samsungknox.com

(2) Privacy Manager

– Name: Hwang, Gi Yeong Managing Director
– Department: Business Support Division
– Phone: 1588-4730
– Contact: privacy.sec@samsung.com

(3) Other Organization

Users can report all privacy related complaints which occur while using the Company's services to the Privacy Manager or the customer services department. The Company shall provide the user with sufficient answers to their complaints without delay. If a user needs to report or seek advice regarding other privacy infringements, they can contact the following organizations:

– Privacy Infringement Report Center (www.118.or.kr / 118)
– Cybercrime Investigation Center of the Supreme Prosecutor's Office (www.spo.go.kr / 02-3480-3600)
– Cyber Terror Response Center of the Korean National Police Agency (www.ctrc.go.kr / 02-392-0330)

Version Number of Data Protection Policy: Version 1.0
Enforcement date of Data Protection Policy: December 15, 2014