Chapter 1 General Provisions

This Regulation sets forth the basic framework for the handling of personal information acquired, used, or provided by Faber Vietnam Co., Ltd. (hereinafter referred to as "the Company"), and aims to appropriately protect personal information by indicating the measures to be implemented by all persons handling our personal information and the standards of matters to be observed.

This Regulation shall apply to the following persons (hereinafter referred to as "employees") who handle personal information in the performance of our business.
(1) Officers defined in the Regulation Governing Officers
(2) Executive officers as defined in the Corporate Officer Regulation
(3) Full-time, limited-time, temporary, and partner employees

The main terms used herein shall be defined as follows and shall have the meanings set forth in the Personal Information Protection Law.
(1) Personal Information shall mean information concerning a living individual, such as documents, drawings, or electromagnetic records produced by name, date of birth, or other description.
(2) The term "Specific Personal Information" shall mean Personal Information containing Individual Numbers (including numbers, symbols and other codes corresponding to and used on behalf of the Individual Numbers, other than Resident Record Codes) contained therein.
(3) Personal information requiring special consideration refers to personal information stipulated in (1) that includes descriptions that require special consideration so that there is no unjust discrimination, prejudice, or other disadvantage against a person, such as race, creed, social status, medical history, criminal background, or fact that the person was harmed by a crime.
(4) The term "pseudonym processing information" shall mean information that eliminates some or all of the descriptions, etc. contained in personal information so that a specific individual cannot be identified unless it is checked against other information.
(5) The term “Anonymized processing information” shall mean information concerning an individual that is obtained by deleting part or all the descriptions, etc. contained in the personal information so that a specific individual cannot be identified, and which cannot be restored to the personal information before processing.
(6) Personal information refers to information concerning a living individual that does not fall under any of the following categories: (1) Personal Information; (4) Pseudonym Processing Information; and (5) Anonymous Processing Information.
(7) Personal Data shall mean Personal Information constituting a Personal Information Database, etc.
(8) Retained Personal Data shall mean the personal data set forth in paragraph (6) which the company has the authority to disclose, correct, add, or delete the contents, suspend the use, delete or suspend the provision to a third party.
(9) "Identical person" means a specific individual identified by Personal Information.
(10) Correction shall mean the correction, addition, or deletion of the content of retained personal data.
(11) Suspension of Use shall mean suspension of use or deletion of retained personal data.

The company established a Personal Information Protection Policy that refers to our commitment to the handling and protection of personal information.

The Personal Information Protection Policy shall be announced on the company website.

Directors shall secure sufficient resources and actively participate in the management system in order to realize appropriate protection of personal information.

Chapter 2 Basic Framework

The authority, role, and term of office of each organization necessary to maintain the protection of personal information shall be subject to the contents of the Regulation of Information Management separately provided.

The company established the Personal Information Protection Counseling Desk to respond to inquiries about handled personal information.
・The Personal Information Protection Counseling Desk consists of the Chief Information Officer and the secretariat members.
・The Personal Information Protection Counseling Service shall respond to requests from the Person for disclosure, correction, suspension of use, etc., and complaint counseling regarding Retained Personal Data.
・The Personal Information Protection Consultation Office shall analyze the contents of the consultation and consider measures to prevent a recurrence.

The company communicates with professional organizations to meet business and legal or regulatory requirements and contractual obligations regarding the handling of personal information and the security of personal information.

The company establishes a management system (planning, operation, evaluation, improvement) to protect personal information.
(1) Plan: The necessary plan (hereinafter referred to as the "Personal Information Management Plan") shall be established in order to operate the management system for our Personal Information. The Personal Information Control Plan shall be determined by the IT Strategic Council. The company will also establish an education and training plan to maintain and promote the proper handling of personal information.
(2) Operation: The company implements a management system for personal information. The company also conducts education and training to maintain and promote the proper handling of personal information.
(3) Evaluation: The company evaluates the management system for personal information. Conduct internal audits at least once a year to ensure proper handling of personal information.
(4) Improvement: The company reviews the management system based on (3) assessment.

In the event that an employee adopts a substitute method that differs from the contents of this Regulation and documents set forth in this Regulation, the Company shall review the application of exceptional measures and approve such measures as deemed appropriate.

The company designates areas for the management of personal information that handle personal information.

The company shall deal with any situation or threat or suspicion concerning the security of personal data, such as leakage, loss, or damage.

The company must report to the Personal Information Protection Committee in the event that the company judges that personal data is a situation pertaining to the security of personal data, such as leakage, loss, or damage, and that there is a great risk of harm to the rights and interests of individuals.

Chapter 3 Acquisition of Personal Information

When acquiring personal information, the company must specify the purpose of use as much as possible.

The company shall publicly announce the Purpose of Use of the Personal Information specified pursuant to the provisions of the preceding article on the Company's website.

In the event of any change in the Purpose of Utilization, the Company must disclose the changed Purpose of Utilization on the Company's website.

In the event the Company acquires such Personal Information of the Identical Person as stated directly in writing (including electromagnetic records) from the Identical Person, the Company shall clearly indicate the Purpose of Use to the Identical Person in advance. However, this provision shall not apply in cases in which the acquisition of personal information is urgently required for the protection of the life, body, or property of an individual.

The provisions of the preceding three paragraphs shall not apply to the following cases:
(1) Cases in which notifying the person of the Purpose of Utilization or publicly announcing it are likely to harm the life, body, property, or other rights or interests of the person or a third party.
(2) Cases in which notifying the person of the Purpose of Utilization or publicly announcing it are likely to harm the rights or legitimate interests of the Company.
(3) Cases in which it is necessary to cooperate with a state organ or a local government in executing the affairs prescribed by laws and regulation and in which notifying the person of the Purpose of Utilization or publicly announcing it are likely to impede the execution of the affairs.
(4) Cases in which it is considered that the Purpose of Utilization is clear in consideration of the circumstances of the acquisition.

The company shall not handle personal information beyond the scope necessary to achieve the specified Purpose of Use.

In the event of any change in the Purpose of Utilization, the Company shall implement such change to the extent deemed to be reasonably related to the Purpose of Utilization prior to such change and shall notify or publicly announce such change without delay. Provided, however, that this provision shall not apply in the event of any of the following:
(1) When it is necessary for protecting the life, body, property, or other rights and interests of an individual.
(2) Cases in which there is a risk of harm to our rights or legitimate interests.
(3) Cases where there is a risk of causing a hindrance to the performance of affairs under the laws and regulation of the State or local public entities
(4) Cases in which the purpose of profit is found to be clear in light of the status of acquisition

The company shall not acquire personal information by deception or other wrongful means.

The company shall not use personal information in a manner that encourages or is likely to induce illegal or unfair acts.

When acquiring personal information directly from an individual by means of a written application, questionnaire, contract, etc. (including electronic mail, filling in the company's the company’s website, etc.), the company must clearly indicate the purpose of use to the individual in advance. Provided, however, that this provision shall not apply in the event of any of the following:
(1) Cases based on laws and regulation.
(2) Cases that are necessary for protecting the life, body, property, or any other rights or interests of individuals
(3) Cases in which there is a risk of harm to our rights or legitimate interests.
(4) Cases where there is a risk of causing a hindrance to the performance of affairs under the laws and regulation of the State or local public entities.
(5) Cases in which the purpose of profit is found to be clear in light of the status of acquisition.

When acquiring Personal Information from a third party other than the Person in question, the Company shall obtain such Personal Information after confirming that such Personal Information has been lawfully and properly obtained by such third party.

Acquire the personal information after confirming that the third party who provides the personal information has taken legitimate measures.

When personal information is acquired from a third party, records shall be prepared with respect to matters stipulated by laws and regulation.

The records prepared in the preceding paragraph shall be retained for the period specified by law.

Chapter 4 Management of Personal Information

The company records the inventory of personal information, management responsibility, and purpose of use in the ledger.

The current status can be ascertained by conducting an inventory.

The company ensures that personal information is accurate and up to date.

In order to realize the confidentiality, integrity and availability of the personal information to be handled, the company will take human, physical and technical measures in accordance with the contents stipulated in the Regulation of Information Management.

The company shall pay sufficient attention to the confidentiality of personal information under the instructions of the chief information officer and the information control manager in accordance with the provisions of laws and regulation or this Regulation.

Where necessary, the company may order employees to submit written pledges concerning the protection and proper handling of personal information.

When outsourcing the handling of personal information, the company select it with due consideration for the protection of personal information in compliance with the Regulation of Information Management separately provided.

The company investigates the protection system of the outsourcee's personal information prior to the start of outsourcing if necessary.

The company enters into a non-disclosure agreement with the subcontractor, if necessary, prior to the commencement of the outsourcing.

The company conducts periodic surveys on the status of the protection of the outsourcee's personal information after the outsourcing starts, if necessary.

The company shall delete any personal data upon termination of the Purpose of Use. Provided, however, that this provision shall not apply in the event that it is necessary to expend a large amount of money for the deletion of the personal data concerned, or in the event that it is difficult to discontinue the use, etc. of the personal data concerned, and in the event that alternative measures necessary to protect the rights of the person concerned are taken.

The company must appropriately and safely delete each medium on which personal data is recorded in accordance with Article 13 of the Regulation of Information Management separately provided.

When outsourcing the destruction of media on which personal data is recorded, the company must obtain a destruction certificate from the subcontractor.

Chapter 5 Provision of Personal Information

The company shall not provide any personal information to any third party without obtaining the prior consent of the principal. Provided, however, that this provision shall not apply in the event of any of the following:
(1) Cases based on laws and regulation.
(2) Cases where it is necessary for the protection of human life, body, or property.
(3) Cases where there is a risk of causing a hindrance to the performance of affairs under the laws and regulation of the State or local public entities.

When providing personal information to third parties, records shall be prepared with respect to matters stipulated by laws and regulation.

The records prepared in the preceding paragraph shall be retained for the period specified by law.

The company provides personal data (excluding personal information requiring special attention) to a third party with the approval of the general manager of the Corporate Division. Hereinafter the same shall apply in this paragraph. In cases where the provision of personal data by which the person is identified is to be discontinued to a third party at the request of the person, and where the person is notified in advance or put in a readily accessible condition for the person with regard to the following matters pursuant to the provisions of the Rules of the Personal Information Protection Commission, and where the person is notified to the Personal Information Protection Commission, the person may provide the personal data to a third party notwithstanding the provisions of Paragraph 1 of the preceding article:
(1) For the purpose of providing to a third party
(2) The items of the personal data to be provided to a third party.
(3) Method of provision to a third party
(4) The fact that the provision of such personal data will lead to the identification of the person to a third party will be discontinued at the request of the person.
(5) Method of accepting a request from the principal

In the event of any change in any of the matters listed in Items 2, 3, or 5 of the preceding Paragraph, the company shall notify the Person in advance or put the Person in a readily accessible condition as the company as notify the Personal Information Protection Committee in accordance with the provisions of the Rules of the Personal Information Protection Commission with respect to the content of such change.

The company will not provide personal data to third parties in foreign countries without obtaining the prior consent of the Individual. Provided, however, that this provision shall not apply in the event of any of the following:
(1) Cases based on laws and regulation.
(2) Cases where it is necessary for the protection of human life, body, or property.
(3) Cases where there is a risk of causing a hindrance to the performance of affairs under the laws and regulation of the State or local public entities.

In the event that the Company seeks to obtain the consent of the Person, the Company shall provide such information as a system concerning the protection of personal data in the relevant foreign country, measures for the protection of personal data to be taken by the relevant third party, and other information that will be of reference to the Person.

The company will take the necessary measures to ensure the continued implementation of the measures for the protection of personal data by such third parties and, if necessary, will provide information on such necessary measures to such persons.

Where it is assumed that a third party will acquire Personal Information as personal data, the company shall not provide such Personal Information to such third party without obtaining the prior consent of the Person.

Chapter 6 Rights of Individuals

In the event of a request for disclosure of Retained Personal Data or Record of Provision to a Third Party that identifies the Identical Person, the Company shall only respond to such request by the Identical Person to the Personal Information Protection Consultation Office in order to protect the privacy of the Identical Person.

In the event the Company confirms that the disclosure is requested by the Individual Concerned pursuant to the preceding clause, the Company shall disclose the Retained Personal Data or the Record of Provision to a Third Party without delay to the Individual Concerned. Provided, however, that when the disclosure falls under any of the following cases, the disclosure may be omitted in whole or in part:
(1) Cases in which disclosure is likely to harm the life, body, property, or other rights or interests of the person or a third party. (2) Cases that may significantly interfere with the proper performance of our business. (3) In the event of a violation of laws and regulation

When the Company decides not to disclose all or part of the Retained Personal Data or the Record of Provision to a Third Party pursuant to the provisions of the preceding paragraph, the Company shall notify the Individual Concerned to that effect without delay. In this case, efforts shall be made to explain the reason for non-disclosure.

When disclosing the Retained Personal Data or the Record of Provision to a Third Party to the Customer, the Company may request a fee to the extent reasonable in consideration of the actual cost.

In the event the Company is requested by the Customer to correct the Retained Personal Data due to the fact that the Retained Personal Data for which the Customer is identified is not true, the Company shall only respond to such request from the Customer at the Customer Service Center for Personal Information Protection.

When responding to a request pursuant to the provisions of the preceding paragraph, the company shall conduct the necessary investigation without delay and correct the Retained Personal Data with respect to matters that differ from the facts found.

In the event the Company corrects all or part of the Retained Personal Data or decides not to make such corrections pursuant to the provisions of the preceding paragraph, the Company shall notify the Individual Concerned without delay. If corrections, etc. are not made, efforts shall be made to explain the reason thereof.

Where Retained Personal Data that identifies the Identical Person falls under any of the following items and the Identical Person requests to discontinue such Retained Personal Data, the Company shall only respond to a request by the Identical Person to the Personal Information Protection Consultation Office.
(1) In the event the Company uses such Retained Personal Data for any purpose other than its own
(2) In the event that the company acquire such Retained Personal Data by wrongful means
(3) In the event that the company provide such Retained Personal Data to a third party without the consent of the Identical Person
(4) Where the Company provides such retained personal data to a third party in a foreign country without the consent of the person in question
(5) In the event that the company no longer need to use such retained personal data
(6) In the event that the company divulge such retained personal data
(7) Other cases where the handling of the retained personal data is likely to harm the rights or legitimate interests of the person in question.

When responding to a request pursuant to the provisions of the preceding paragraph, the Company shall make necessary adjustments without delay, and discontinue the use of the Retained Personal Information without delay in the event the reason presented by the Customer is found to be true.

Provided, however, that this provision shall not apply in the event that the deletion of such Retained Personal Data requires a large amount of expenses, or in the event that it is difficult to discontinue using or otherwise take alternative measures necessary to protect the rights of the Individual Concerned.

When the Company suspends the use of all or part of Retained Personal Data pursuant to the provisions of Paragraphs 2 and 3 or decides not to discontinue use, the Company shall notify the Individual Concerned without delay. If the use is not suspended, efforts shall be made to explain the reason.

Chapter 7 Handling of Specific Personal Information

The company shall handle Specific Personal Information in accordance with the provisions of the Regulation of Specific Personal Information Protection separately stipulated.

Chapter 8 Handling of Personal Information Requiring Consideration

The company shall, in principle, not acquire or provide to a third party any Personal Information Requiring Consideration.

Provided, however, that this provision shall not apply in cases where such information is necessary in the course of business and the employee has clearly obtained the consent of the employee after clearly indicating to the employee appropriate information regarding the purpose of use of the information and the necessity thereof, or where special regulation exists in laws and regulation, or where such provision is indispensable to judicial proceedings.

Chapter 9 Handling of Pseudonym Processing Information

When an employee handling pseudonymous processing information prepares the pseudonymous processing information, he/she shall process the personal information while considering ensuring that he/she cannot identify a specific individual unless he/she collates the information with other information.

After preparing the pseudonymous processing information, the company shall publicize the items of personal information contained in the relevant pseudonymous processing information without delay.

The company shall not provide pseudonymous processing information to any third party except under laws and regulation.

The company shall take necessary and appropriate measures to prevent the leakage, loss, or damage of the pseudonymous processing information to be handled, and for other safety management of the pseudonymous processing information.

The company shall not compare the relevant pseudonymous processing information with other information in order to identify the person pertaining to the personal information used for the preparation of the pseudonymous processing information.

Chapter 10 Handling of Anonymized Processing Information

An employee handling anonymized processing information shall, when preparing the anonymized processing information, process the personal information in consideration of making it impossible to identify a specific individual and making it impossible to restore the personal information used for the preparation thereof.

After preparing the anonymized processing information, the company shall publicize the items of personal information contained in the anonymized processing information without

When providing anonymized processing information to a third party, the company must publicize in advance the personal information contained in the anonymized processing information to be provided to the third party and the method of providing it.

When providing anonymized processing information to a third party, the company must clearly indicate to the third party that the information provided is anonymized processing information.

The company shall take necessary measures to prevent the leakage of anonymized processing information handled and the leakage of information concerning processing methods used when creating anonymized processing information.

The company shall process complaints about the handling of anonymized processing information and take other necessary measures to ensure proper handling and disclose the said measures.

The company shall not collate the anonymized processing information created by us with other information for the purpose of identifying the principal.

The company shall not acquire information such as the processing method of anonymized processing information received from a third party.

The company shall not check the anonymized processing information received from a third party against other information for the purpose of identifying the person.

Chapter 11 Others

In the event an employee violates this Regulation intentionally or through gross negligence, the details of the disposition shall be determined in light of the Regulation of Directors and the Labor Regulation.

Amendment and abolishment of this Regulation shall be governed by the separately provided Regulation of Regulation Management.