Personal Information Protection Policy
Chapter 1 General Provisions
This Regulation sets forth the basic framework for the handling of personal information acquired, used, or provided by Faber Vietnam Co., Ltd. (hereinafter referred to as “the Company”) and aims to protect personal information by specifying the measures to be implemented by all persons who handle it and the standards to be observed.
This Regulation applies to the following persons (hereinafter referred to as “employees”) who handle personal information in the performance of our business:
- Officers as defined in the Regulation Governing Officers
- Executive officers as defined in the Corporate Officer Regulation
- Full-time, part-time, temporary, and contract employees
The main terms used herein shall have the meanings set forth in the Personal Information Protection Law:
- Personal Information: Information concerning a living individual, such as documents, drawings, or electromagnetic records, identified by name, date of birth, or other descriptors.
- Specific Personal Information: Personal Information containing Individual Numbers (including numbers, symbols, and other codes corresponding to or used on behalf of those numbers, excluding Resident Record Codes).
- Personal Information Requiring Special Consideration: Personal Information that includes sensitive descriptors—such as race, creed, social status, medical history, criminal background, or details of victimization—that require special care to prevent unjust discrimination, prejudice, or disadvantage.
- Pseudonymized Information: Information derived from Personal Information by removing or modifying identifiers so that a specific individual cannot be identified without additional information.
- Anonymized Information: Information obtained by deleting part or all identifiers from Personal Information so that a specific individual cannot be identified and the information cannot be restored to its original form.
- Personal Data: Personal Information that forms part of a Personal Information Database, etc.
- Retained Personal Data: Personal Data over which the Company has authority to disclose, correct, supplement, delete, suspend use, or suspend provision to third parties.
- Identifiable Individual: A specific person identified by Personal Information.
- Correction: The amendment, addition, or deletion of the content of Retained Personal Data.
- Suspension of Use: The suspension or deletion of Retained Personal Data.
The Company has established a Personal Information Protection Policy to demonstrate its commitment to handling and protecting personal information. This Policy shall be published on the Company website. Directors shall allocate sufficient resources and actively participate in the management system to ensure proper protection of personal information.
Chapter 2 Basic Framework
The authority, role, and term of office of each organization responsible for maintaining the protection of personal information shall be determined by the separately provided Regulation of Information Management.
The Company has established the Personal Information Protection Counseling Desk to respond to inquiries regarding personal information handling. The Desk consists of the Chief Information Officer and secretariat members.
- The Desk responds to requests for disclosure, correction, suspension of use, etc., and handles complaints regarding Retained Personal Data.
- The Desk analyzes consultations and develops measures to prevent recurrence.
The Company collaborates with professional organizations to meet business, legal, regulatory, and contractual requirements concerning the handling and security of personal information.
The Company implements a management system for personal information in four stages:
- Plan: Establish the “Personal Information Management Plan,” determined by the IT Strategic Council, including education and training programs.
- Operation: Execute the management system and conduct education and training.
- Evaluation: Perform internal audits at least once a year to ensure proper handling.
- Improvement: Review and enhance the system based on audit findings.
If an employee adopts an alternative method that deviates from this Regulation or its supporting documents, the Company shall review and, if appropriate, approve such exceptional measures.
The Company designates specific areas for personal information management and addresses any threats—such as leakage, loss, or damage—to personal data. If a situation poses a significant risk to individuals’ rights or interests, the Company shall report it to the Personal Information Protection Committee.
Chapter 3 Acquisition of Personal Information
When acquiring personal information, the Company must specify the purpose of use as clearly as possible and publish it on the Company’s website. Any changes to the purpose must be disclosed without delay.
If acquiring Personal Information directly from an individual, the Company shall clearly inform the individual of the purpose in writing in advance, except in urgent cases to protect life, body, or property.
The above requirements do not apply when:
- Notification or publication would harm the individual’s or a third party’s rights or interests.
- Notification or publication would harm the Company’s legitimate interests.
- Notification or publication would impede cooperation with government bodies in carrying out legal duties.
- The purpose of use is clear from the circumstances of acquisition.
The Company shall not handle personal information beyond the scope necessary to fulfill the specified purpose or acquire it by deception. It shall not use personal information to induce illegal or unfair acts.
When acquiring Personal Information from a third party, the Company shall confirm that the information was lawfully and properly obtained, prepare legally required records, and retain them for the period specified by law.
Chapter 4 Management of Personal Information
The Company records an inventory of personal information, management responsibilities, and purposes of use in a ledger, ensuring accuracy and currency.
Under the guidance of the Chief Information Officer and Information Control Manager, the Company implements human, physical, and technical measures to ensure confidentiality, integrity, and availability of personal information.
When outsourcing personal information handling, the Company conducts due diligence, enters into non-disclosure agreements, performs periodic audits, and securely deletes data upon completion of the service.
Media destruction follows Article 13 of the Regulation of Information Management, and destruction certificates are obtained when outsourced.
Chapter 5 Provision of Personal Information
The Company shall not provide personal information to any third party without obtaining prior consent, except as required by law to protect life, body, property, or to fulfill public duties.
When providing personal data, the Company prepares and retains legally required records and obtains approval from the Corporate Division General Manager for non-sensitive data.
The Company shall not transfer personal data to foreign countries without prior consent and shall inform individuals of the protection measures in the receiving jurisdiction.
Chapter 6 Rights of Individuals
Requests for disclosure of Retained Personal Data or records of provision to third parties must be handled exclusively by the Personal Information Protection Consultation Office to safeguard individual privacy.
If disclosure is requested by the individual, the Company shall promptly comply unless disclosure would:
- Harm the life, body, property, or other rights or interests of the individual or a third party.
- Significantly interfere with the Company’s proper business operations.
- Violate laws or regulations.
If the Company withholds disclosure, it shall notify the individual without delay and explain the reasons. The Company may charge a reasonable fee to cover actual costs.
Correction requests shall be investigated promptly, and Retained Personal Data shall be amended to reflect factual accuracy. The Company shall notify the individual of the outcome without delay and explain any refusal to correct.
Requests to discontinue use of Retained Personal Data shall be handled promptly. If discontinuation is impractical due to excessive cost or other constraints, the Company shall take alternative measures to protect the individual’s rights and explain the reasons.
Chapter 7 Handling of Specific Personal Information
The Company shall handle Specific Personal Information in accordance with the separately stipulated Regulation of Specific Personal Information Protection.
Chapter 8 Handling of Personal Information Requiring Special Consideration
The Company shall not acquire or provide Personal Information Requiring Special Consideration, except when necessary for business with clear individual consent or as mandated by law or judicial process.
Chapter 9 Handling of Pseudonymized Information
Employees preparing pseudonymized information shall ensure individuals cannot be identified without additional data, promptly publicize the data elements included, prohibit third-party provision except as allowed by law, and implement safeguards against leakage, loss, or damage.
Chapter 10 Handling of Anonymized Information
Employees preparing anonymized information shall ensure individuals cannot be identified or restored to the original data, publicize the data elements and provision methods, clearly label the information as anonymized, implement safeguards, and handle complaints to maintain proper use.
Chapter 11 Other Provisions
Employees who intentionally or negligently violate this Regulation shall be subject to disciplinary action under the Regulation Governing Officers and the Labor Regulations. Amendments or abolishment of this Regulation shall follow the procedures set out in the Regulation of Regulation Management.