Privacy Policy

Lotte Duty Free (“Company”) adheres to the Personal Information Protection Act, and the Privacy Policy of the Company is available on the first page of the Lotte Duty Free promotional website (“PR website”). The Company announces any revisions to the Privacy Policy of the PR website via its official website.

Lotte Duty Free's Privacy Policy
  • Article 1 (Purpose of Collection)
  • Article 2 (Collection of Personal Data)
  • Article 3 (Method of Data Destruction)
  • Article 4 (Transfer of Data to Third Party)
  • Article 5 (Entrustment of Personal Data Processing)
  • Article 6 (Rights of Users)
  • Article 7 (Automated Data Collection and User’s Right to Refuse)
  • Article 8 (Security and Confidentiality)
  • Article 9 (Privacy Personnel and Remedies for Infringement of Rights and Interests)
  • Article 10 (Duty of Notice)

Article 1 (Purpose of Collection)
The Company collects personal data for the following purposes:
- to report ethical violations and unfair transactions; and
- to manage and run STAR★UPS and CHEER♥UPS.
Article 2 (Collection of Personal Data)

1. Items of personal data

| Classification | Items | Retention |
|---|---|---|
| Consultation/reporting/checking cases of ethical violations | Required: Name, password, email address, phone number, contents of consultation/report (e.g. type of report, title, description) | 3 years |
| Consultation/reporting/checking cases of unfair transactions | Required: Name, password, email address, phone number, contents of consultation/report (e.g. type of report, title, description) | |
| STAR★UPS program application | Required: Name, password, email address, phone number | |
| CHEER♥UPS program application | Required: Name, phone number | |

* Data generated via other service processes

- Service use records, access logs, cookies, accessed IP addresses

2. Collection method

The Company collects personal data via the following channels:

  • website and phone calls; and/or
  • cookies generated while using desktop or mobile apps.

Article 3 (Method of Data Destruction)

1. In general, once the purpose of storing the collected personal data has been met, the data is immediately destroyed.
2. If separate consent is obtained from the user regarding the storage period, the data is retained until the end of the agreed-upon period and then immediately destroyed.
If specified by a superior court, however, a separate retention period is observed. In this instance, the Company stores data solely for storage purposes, and the retention period is as follows.

| Classification | Retention |
|---|---|
| Records on consumer complaints and dispute resolution | Act on the Consumer Protection in Electronic Commerce, 3 years |

Article 4 (Transfer of Data to Third Party)

1. The Company uses the user's personal data within the scope outlined in Article 1 (Purpose of Collection) and Article 2 (Collection of Personal Data), and does not use it beyond its intended scope or provide it to third parties or companies without the user's consent. The following, however, are exceptions.

(1) When the user consents beforehand;
Before disclosing a user's personal data to a third party, the Company informs the user of the following and obtains their consent.
- Recipients of personal data
- Purpose of use of personal data by the recipient
- Items of personal data provided
- Period of retention and use of personal data by the recipient
- The right to refuse consent to the transfer of personal data, and any disadvantages resulting from refusal

(2) In the case of an investigative agency fulfilling its obligations under the relevant laws or requesting the disclosure of personal data in accordance with the procedures and methods specified by those laws for the purposes of an investigation;

(3) Acquisition of business, etc.
If there is a reason for business transfer, etc., and it is necessary to transfer the user's personal data, the Company notifies in advance the facts regarding the transfer of personal data in accordance with the procedures and methods specified in related laws, such as the Act on Promotion of Information and Communications Network Utilization and Information Protection, and allows users to withdraw their consent to the transfer of personal data.

2. In the following instances, personal data may be disclosed without the user's consent in accordance with applicable laws and regulations.
- When an investigative agency makes a request under the provisions of the law, or in accordance with the procedures and methods established by the law, for the purpose of investigation.
- When the data is required for compiling statistics, academic research, or market research and is processed and provided in a format in which individuals cannot be identified.

Article 5 (Entrustment of Personal Data Processing)

1. The Company consigns a portion of its tasks in order to improve and implement services, and stipulates in its consignment contracts that personal data be managed securely in accordance with applicable laws and regulations.

2. The Company's current personal data processors and their responsibilities are outlined below.

| Classification | Third party | Consigned task |
|---|---|---|
| Information system management | Lotte Data Communication, Easy Media | Information system operation and maintenance |
| Promotional website management | Easy Media | Promotional website operation and maintenance |

3. To ensure the safety of personal data protection when entering into a consignment contract, strict compliance with privacy-related regulations and responsibilities in the event of an accident are clearly specified, and the contract's terms are stored physically and electronically. If the company is changed, the name of the new company will be reflected on the privacy policy screen.

4. The Company conducts appropriate oversight within the scope of the entrusted tasks to ensure that the trustee faithfully handles the entrusted personal data and that the data is managed securely.

Article 6 (Rights of Users)

1. Users can view, edit, and delete their registered data.
Users can view, edit, and delete the personal data regarding reports on ethical violations or unfair transactions via the “Check Status” menu on the website.
- In the case of programs operated by promotional sites, however, when the retention and use period agreed upon at the time of registration expires, the registered data is immediately deleted and cannot be accessed or modified.

2. If a user requests that an error in his or her personal data be corrected, the data will not be used or disclosed until the correction has been made.

3. Users may consult about their rights on personal data by each service via the following channels.

| Classification | Contact |
|---|---|
| Ethical violations; Reports on unfair transactions | LDFSETHICS@lottedfs.co.kr / 02-3707-9436 |
| STAR★UPS; CHEER♥UPS | 1688-3000 |

Article 7 (Automated Data Collection and User’s Right to Refuse)

1. The Company uses "cookies" to store and retrieve usage data in order to provide users with quick and useful services when they visit its website.

2. A user has a choice regarding cookies and can configure the web browser to allow all cookies, to prompt before saving a cookie, or to block all cookies.
However, if the user refuses to accept cookies, there may be restrictions on use, such as the need to re-enter login data when using certain login-required services.

| Classification | Route |
|---|---|
| Microsoft Edge browser | Modify settings via [Settings] > [Site permissions] > [Cookies and site permissions] > [Cookies and site data] |
| Google Chrome browser | Modify settings via [Settings] > [Privacy and security] > [Cookies and other site data] |

3. The Company is able to read the cookie's contents from the user's browser, locate additional data on the user's computer, and provide the service without additional input such as the connection name.

4. The Company uses Google Analytics, a Google-provided web log analysis tool, to improve user services.
Through cookies, Google Analytics collects data about the behavior of our website visitors; in this case, only non-identifying data that cannot be used to identify the user is collected. However, users may opt out of using Google Analytics by installing the Google Analytics opt-out browser add-on (https://tools.google.com/dlpage/gaoptout) or by refusing cookie settings in the web browser.

| Classification | Route |
|---|---|
| Items collected | Service use records and access logs (e.g. browsing history) |
| Method | Automatically collected when the user uses the services |
| Purpose | To provide personalized services based on the analyzed user’s interest |
| Retention & use period | Processing of the data collected via Google Analytics complies with the Google Privacy & Terms and the Google Analytics Terms of Service. Google Privacy & Terms: google.com/intl/ko/policies/privacy; Google Analytics Terms of Service: google.com/analytics/terms/kr.html |

Article 8 (Security and Confidentiality)

The Company implements the following technical safeguards to prevent the loss, theft, unauthorized disclosure, alteration, or destruction of the user's personal data during processing.

1. Establishment and implementation of internal data management plans
- The Company establishes and implements data management plans to protect the user’s personal data.

2. Minimization and education of the staff managing personal data
- The Company minimizes the number of staff managing personal data and provides regular training to protect the data.

3. Limited access to personal data
- The Company limits the access to personal data by granting, changing, and deleting the authority to access the database system for personal data processing, and prevents external unauthorized access to the data by using an intrusion prevention system.

4. Retention of access records and data forgery prevention
- The Company stores and regularly examines the access records of the personal data processing system according to the related law.

5. Personal data encryption
- The Company encrypts users’ data when storing and managing it, according to the related law.

6. Technical measures against hacking and other cyberattacks
- The Company installs antivirus programs, and regularly updates and examines them, to prevent personal data leakage and the resulting damage caused by hacking and viruses; installs the system in a controlled area protected against external access; and technically and physically monitors and blocks possible security issues.

7. Access control of an unauthorized party
- The Company separately designates a physical place for the personal data management system that stores user’s data, establishes access control procedures, and manages access to the system.

Article 9 (Privacy Personnel and Remedies for Infringement of Rights and Interests)

1. The Company designates the following departments and people in charge to protect user’s data and process user’s complaints regarding their personal data.

| Classification | Name | Department | Contact, E-Mail |
|---|---|---|---|
| Privacy Officer | Yang Hee-sang | Marketing Division | 1688-3000, securityLDF@lotte.net |
| Privacy Manager | Kang Jae-weon | Big Data Team | |

2. Contact the KISA Privacy Infringement Report Center, the Electronic Cybercrime Report & Management System of the Korean National Police Agency, and other agencies to consult about other privacy issues.

| Institution | Contact | Website |
|---|---|---|
| KISA Privacy Infringement Report Center | 118 | privacy.kisa.or.kr |
| Personal Information Dispute Mediation Committee | 1833-6972 | www.kopico.go.kr |
| Electronic Cybercrime Report & Management System of the Korean National Police Agency | 182 | ecrm.police.go.kr |
| Prosecution Service Cyber Investigation Division | 1301 | www.spo.go.kr |

Article 10 (Duty of Notice)

This privacy policy takes effect as of Dec 12, 2023. If there are any additions, deletions, or changes to the content, a notice will be posted on the website at least seven days prior to the amendment. In addition, the Company assigns revision dates to the privacy policy, making it easy to determine whether it has been updated.

Privacy Policy Ver. 1.6

  • Effective date: Dec 22, 2023
  • Last updated: Dec 15, 2023