Careers at HYBE

Privacy Policy (March 31, 2021)

HYBE Co., Ltd. (hereinafter referred to as the “Company”) acknowledges the importance of personal information and is in full compliance with the regulations on personal information protection under pertinent laws, such as the Personal Information Protection Act. The Company outlines how the personal information is used and what measures are taken to protect personal information through this Privacy Policy. This Privacy Policy only applies to the hiring process of the Company and includes the following provisions.

1. Items and Purpose of Handling Personal Information

The Company will collect the least amount of personal information needed to use the website, besides the personal information for the application to the hiring process. However, additional required information may be collected based on the position.

1-1. Items

• When signing up for a membership: e-mail address, Korean name, English name, country of residence
• When applying for a job: English name, Korean name, e-mail address, mobile phone number, nationality, job experience, educational background, information on certifications and licenses, information on disability or veterans welfare, military service information, employment channel, CV, etc. (Additional information may be collected through submitted documents.)
• Information collected during the creation of an account may also be collected through the profile information voluntarily registered by the member prior to the job application.
• Sensitive information: Subject of disability or veteran’s welfare
• The following information may be automatically generated and collected in the process of using the service.
  : browsing history, application history, abusing history, device information (OS, screen size, unique device ID)

1-2. Purpose

• To confirm the identity of an applicant, provide notices and information, respond to inquiries, register as a candidate, and for the application processes.
• Notification of information related to the application submissions and current progress for a hiring process.
• Management and notification of prospective applicants.
• (If one receives the final offer) For the discussion in compensation and benefits, confirming the identity of the onboarding employee, personnel management, signing and executing employment contracts (assignment of position, provision of benefits, education and training, annual salary agreement, etc.), and preparing the employee roster and annual salary agreements.

1-3. Rights

• The user may refuse to provide consent on the aforementioned matters related to collection, use, provision and consignment of personal information. However, as the aforementioned information items hereunder are essential for the company to operate a fair and impartial hiring process, failure to provide consent may result in a restriction in the hiring process. For employment applications, children under 14 years of age are restricted from becoming a member.

2. Period of Handling and Retention Personal information

The personal information provided for an employment application and its history will be retained and processed for three (3) years to prevent duplicate applications and provide information of other employment opportunities. However, if the user withdraws consent to the processing of their personal information or requests to terminate the account, the provided personal information will be destroyed without delay unless there is an extenuating circumstance. Unsuccessful applicants may be contacted if a suitable position is open in the future.

However, if personal information must be retained by the law, the Company retains personal information for the prescribed period only. In such a case, the Company will use the information for storage purposes only, and the period of retention is as follows.

• Communication Confirmation Data
  • Grounds: Protection of Communications Secrets Act
  • Retention period: Three (3) months

3. Destruction of Personal Information

Once the purpose of personal information has been fulfilled, it will be automatically disposed after being stored for a retention period prescribed by internal policies or laws. The personal information for which the purpose of processing has been fulfilled is relocated to a separate database to be securely stored as per internal regulations and applicable laws. It is destroyed without delay as soon as the prescribed period has elapsed. Here, the personal information moved to the separate database will not be used for purposes other than those with provided consent or otherwise provided by applicable law.

Personal information printed on paper will be destroyed by means of a paper shredder. Personal information stored in the form of an electronic file will be irrevocably destroyed through technical or physical methods.

4. Consignment of Handling Personal Information

The Company consigns personal information to an external contractor to perform a number of tasks essential for providing the service. Also, the Company manages and supervises the practices of the contractor to ensure compliance with applicable privacy laws.

Category	Consigned Contractor	Consigned Duties
Korea	Doosan Digital Innovation Co., Ltd.	Maintenance and operation of hiring website and computing systems for hiring management system, and handling of related inquiries
Overseas	SAP, Inc. (Country of data storage: Singapore)	Operation of hiring website and computing systems for hiring management system, and handling of related inquiries [Details related to transferring personal information overseas] - Items to be transferred: All items provided in Article 1, Section 1-1 - Purpose, time and method of transfer: SAP cloud real-time transfer through networks - Use and retention period of transferee: Until the expiration of the contract

5. Provision to Third Parties

HYBE will use the personal information of the information entity within the scope notified in "1. Items and Purpose of Handling Personal Information" and will not use in excess of the scope thereof, or provide the information to another person, company, or institution. However, limited to the items that received consent during the application process as noted below, personal information of the information entity may be provided to a relevant company.

Recipients (Contact Information of Personal Information Protection Manager)	Country	Purpose of Provision and Use and Date and Method of Transfer	Information Provided	Retention Period
BIGHIT MUSIC SOURCE MUSIC BELIFT LAB KOZ ENTERTAINMENT PLEDIS Entertainment HYBE EDU Weverse Company ADOR (careers_privacy@hybecorp.com)	Korea	Purpose of use: Information regarding recruitment such as the progress of the recruitment screening and the results of each stage of progress and the creation of a talent pool. Date and method of transfer: Real-time transfer through inquiry on recruitment system	All information collected as set in paragraph 1	3 years

6. Rights and Responsibilities of an Information Entity and Their Legal Representative, and Exercising Methods

6-1. Rights and Exercising Methods

If an applicant hopes to withdraw consent to provide personal information, or request deletion or cessation of the handling of personal information, the request may be sent to careers_privacy@hybecorp.comUnless there is an extenuating circumstance, the company will respond within ten (10) days from the day the request is made. If it is difficult to respond within the given period, the fact will be notified and understanding sought. Where a request to withdraw the consent to the handling of personal information, delete or cease to process the personal information has been made, the service may be restricted in part or as a whole. Moreover, if there is a specified provision or the information must be retained to comply with legal obligations; there is a reason to believe the request may cause bodily harm or threat to the life of another person, or unduly violate another person’s properties or interests; non-processing of personal information prevents the company from performing the contract between the subject of information, such as providing contractually obligated service, and the subject of information does not declare an intention unequivocally, the withdrawal of the consent, deletion or cessation may be difficult to be processed. The corresponding information will not be utilized or provided to another party until the request is fulfilled. Also, if incorrect personal information has already been provided to a third party due to a reasonable cause, the result will be immediately notified to the third party to effectuate the request to withdraw consent, delete and cease to process the personal information.

6-2. Responsibilities

An information entity has the responsibility to protect their own personal information. The Company is not liable to the issues arising from the breach of personal information not imputable to the Company, such as the user’s lack of care, including transferring, lending, or losing information for accessing the system (such as ID and password) or access material, leaving the logged-in device unattended, or the issues of the Internet out of the Company's control even after exercising sufficient duty of care, such as the method that cannot be prevented through security measures prescribed in applicable laws or hacking through technical means. An information entity will keep their personal information up-to-date and will be held responsible for any issues arising from inputting inaccurate information. Signing up using another person’s information or stealing the information necessary to access the system (ID, password) can be punished under applicable law. Also, an information entity will cooperate with periodic security measures provided by the Company under its privacy policies.

7. Installing and Operating Automatic Collection Device of Personal Information and Refusal of Its Usage

7-1. Cookie

A cookie is a small-sized text file transferred and stored in a user’s device upon accessing a website to ensure efficient and safe usage of the web by the user. If the user re-visits the website after the cookie has been stored, the website recognizes the device of the user and reloads the previous settings and usage history. Also, it allows the website to analyze the information generated in using the service, information of visited services, time and frequency of the access, etc. The cookie does not automatically and actively collect personal identification information, and the user has the option to refuse the storage of a cookie or delete it at any time. By adjusting the settings in the web browser, the user can allow all cookies, be alerted every time a cookie is stored, or reject all cookies. However, if the user opts out from the use of a cookie or restricts its function, it may prevent the user from accessing convenient functions of the website, thereby limiting the overall user experience.

7-2. How to Change the Settings

The current cookie settings in your browser can be confirmed or changed as follows.

• See how to adjust cookie settings when using Internet Explorer
• See how to adjust cookie settings when using Safari
• See how to adjust cookie settings when using FireFox
• See how to adjust cookie settings when using Chrome Browser

8. Measures to Ensure the Security of Personal Information

The Company pursues the following technical and managerial measures to ensure the security of the collected personal information in its handling procedures and to prevent loss, theft, leaks, falsification of or damage to personal information.

8-1. The Company establishes internal management plans and follows them.

The Company has established internal privacy policies to safely process and handle personal information and monitor the practice and compliance through information security inspections, so any issues will be rectified immediately when identified.

8-2. Personal information is protected with encryption.

The Company transmits personal information via encrypted communication channels, and important information such as passwords is stored in an encrypted form.

8-3. The Company strives to protect personal information from hacking or computer viruses.

The Company has installed its systems such as servers or databases in an area with restricted access in order to prevent breach or corruption of personal information by hacking or computer viruses. The Company operates around-the-clock monitoring systems that detect and block the breach of hackers or other threats and uses anti-virus programs on work PCs to prevent damage caused by malware and viruses. The Company constantly studies the latest hacking and security technologies and applies them to its services.

8-4. The Company keeps the number of personnel with access to valuable privacy information to a minimum.

The Company is mitigating risk of the breach of personal information by minimizing the number of staff members that processes personal information. Also, systematic standards have been set on the generation and update of the passcodes to the system that processes personal information and the database that stores them, and also on the access authorities, followed by a constant inspection.

8-5. The Company has installed and is operating access control equipment.

The Company controls unauthorized external access through security solutions, such as intrusion prevention systems and strives to equip itself with all other technical apparatus available to ensure systematic security.

8-6. The Company is taking steps to prevent forgery or falsification of access logs.

The Company stores and manages the access logs of the personal information handling system, and ensures the access logs are not counterfeited or falsified.

8-7. Minimum Number of Handling Staff and Training

The Company is limiting the number of access authorities to whom handling personal information for work purposes is unavoidable. Regular training programs and awareness campaigns are offered on the duties to protect personal information and security for all executives and employees who have access to personal information. Moreover, the Company requires security pledge forms from all employees at the time of onboarding to prevent the human risk of information leakage in advance and prepares internal procedures to inspect the performance and compliance of the employees pertaining to privacy policies. Transition of the staff members with access to personal information is thoroughly controlled in a secure environment. The Company makes clear of the responsibilities regarding personal information incidents after joining and leaving the Company.

9. Personal Information Protection Manager and Department in Charge

Please contact the personal information protection manager or the department in charge for personal information-related inquiries or requests. The Company will listen to your concerns and strive to provide you with prompt and sufficient responses.

Personal Information Protection Manager and Department in Charge

• Manager: Yeo Seong-gu
• Department in charge: People Department
• Contact: careers_privacy@hybecorp.com

You can also seek help regarding or report incidents of the breach of personal information by contacting the following agencies.

10. Revisions to the Privacy Policy

• Privacy Policy Version: v2.0
• Effective Date of Privacy Policy: March 31, 2021
• Previous Privacy Policy : June 1, 2020 (v1.0)