Tupperware Brands Korea Co., Ltd. Personal Information Processing Policy

Tupperware Brands Korea Co., Ltd. (hereinafter referred to as the “Company”) establishes and discloses the following personal information processing guidelines in order to protect the personal information of data subjects and to promptly and smoothly process complaints related thereto in accordance with the Personal Information Protection Act of the Republic of Korea.

Article 1 Purpose of processing personal information

The company processes personal information for the following purposes. Personal information being processed will not be used for purposes other than the following, and if the purpose of use changes, necessary measures will be taken, such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

1. Membership registration and management Personal information is processed for the purposes of confirming membership registration, self-identification and authentication, maintaining and managing membership qualifications, preventing unauthorized use of services, and various notifications and notices.

2. Service Provision Personal information is processed for the purpose of providing services (including monitoring members’ use of services), providing content, and providing customized services.

3. We process personal information for the purpose of contacting members using email, phone, text message or other forms of communication related to the supply of goods or services to members.

4. Personal information is processed for the purposes of verifying the identity of the complainant, confirming the complaint, contacting and notifying for fact-finding, and notifying the results of processing.

5. In case a creditor-debtor relationship remains due to use of services and supply of goods, performance of creditor-debtor relationship

6. Re-registration verification and exclusion of fraudulent use

7. Restrictions on registration of fraudulent users

Article 2 Processing and retention period of personal information

① The company processes and retains personal information within the retention and use period of personal information stipulated by law or within the retention and use period of personal information agreed upon by the information subject at the time of collection of personal information.

②The processing and retention period for each personal information is as follows.

1. Membership registration and management, complaint handling: Until membership withdrawal, however, in the following cases, until the end of the relevant reason

A. In the case where an investigation or inquiry is in progress due to a violation of relevant laws and regulations, until the end of the investigation or inquiry

B. Until settlement of debts and creditors arising from use of the service

2. Provision of service usage data, application usage mobile device type and unique device ID, device IP address, and other related records services, etc.: Deleted without delay after membership withdrawal

3. Performance and payment for provision of goods or services: Until the completion of the provision of goods and services and payment and settlement, however, in the following cases or when there is a basis in relevant laws and regulations, until the end of the relevant period.

A. Records of transactions such as display and advertisement, contract contents and performance, etc. in accordance with the Act on Consumer Protection in Electronic Commerce, etc. - Records of display and advertisement: 6 months - Records of contract or cancellation of subscription, payment, supply of goods, etc.: 5 years - Records of consumer complaints or dispute resolution: 3 years

B. Retention of communication fact verification data according to Article 41 of the Enforcement Decree of the Communication Secrets Protection Act - Subscriber telecommunication date and time, start and end time, other party subscriber number, frequency of use, transmitter base station location tracking data: 1 year - Computer communication, Internet log record data, access location tracking data: 3 months 4. Re-registration verification and exclusion of fraudulent use: Up to 90 days from the date of membership withdrawal or loss of qualification 5. Restriction on registration of fraudulent users: 1 year from the date of termination of fraudulent activity

Article 3 Provision of personal information to third parties

The company processes users' personal information within the scope notified in 'Article 1 Purpose of Personal Information Processing' and does not use it beyond the scope of consent or provide it to third parties in principle. However, in the following cases, personal information may be provided to third parties.

1. When providing information in a form that does not allow the identification of specific individuals for the purpose of compiling statistics, academic research, or market research.

2. If users have agreed in advance

3. When there is a request from an investigative agency in accordance with the provisions of the law or in accordance with the procedures and methods stipulated by law for investigative purposes.

Article 4 Consignment processing of personal information

① The company may entrust the processing of personal information to provide improved services. The contents of the personal information entrusted to the company are as follows.

② When concluding a consignment contract, the company states in a contract or other document matters related to prohibition of processing personal information for purposes other than the performance of the consigned work, technical and administrative protection measures, restrictions on re-consignment, management and supervision of the consignee, and liability for damages, etc., in accordance with Article 26 of the Personal Information Protection Act, and supervises whether the consignee safely processes personal information.

Article 5 International transfer of personal information

In order to provide users with stable service provision and the latest technology, the company transfers personal information overseas as follows.

Article 6 User rights, obligations and exercise methods

①Users may exercise their rights to view, correct, delete, or request suspension of processing of their personal information at any time.

② The rights under Paragraph 1 may be exercised against the Company in writing, by e-mail, etc. in accordance with relevant laws and regulations, and the Company will take action on this without delay.

③The exercise of rights under Paragraph 1 may be done through a proxy, such as the data subject's legal representative or an authorized person. In this case, a power of attorney in the format of Appendix 11 of the Enforcement Regulations of the Personal Information Protection Act must be submitted.

④Requests to view or suspend processing of personal information may restrict the rights of the data subject according to relevant laws (Article 35, Paragraph 4, Article 37, Paragraph 2 of the Personal Information Protection Act, etc.).

⑤ Requests for correction or deletion of personal information cannot be made if the personal information is specified as a collection target in other laws.

⑥When requesting access, correction/deletion, or suspension of processing in accordance with the information subject's rights, the company verifies whether the person making the request is the information subject or a legitimate agent.

Article 7 Items of personal information to be processed

The company processes the following personal information items.

1. When registering as a member a. Common: Name, mobile phone number, email address, address, date of birth, CI b. When registering as an online seller: Bank account information

2. Service usage records when using the service

3. Information automatically generated when using the service: service usage history, OS information, hardware information, IP address, browser type and version, time and date of service page visit, time spent on the page, device unique identifier and other diagnostic information, and other information transmitted by the browser.

4. Payment and debt collection name, date of birth, mobile phone number, account information

5. Re-registration verification and exclusion of fraudulent use, restriction of registration of fraudulent users CI

Article 8 (Separate storage of personal information of long-term unused members)

① In accordance with relevant laws and regulations, the company stores the personal information of dormant members who have not used the service for more than one year in a separate, inaccessible storage device.

② The company will notify users of the fact that their information will be stored separately and the date of dormancy 30 days prior to the dormant period by email, text message, or other methods.

③ Personal information that has been stored separately will be destroyed after one year, and before that, members can change the dormant status to general status.

Article 9 Destruction of personal information

① When personal information becomes unnecessary, such as when the retention period for personal information expires or the purpose of processing is achieved, the company destroys personal information without delay.

② In cases where the retention period for personal information agreed upon by the user has expired or the purpose of processing has been achieved, but personal information must be retained in accordance with other laws and regulations, the personal information will be transferred to a separate database (DB) or stored in a different location.

③ The procedures and methods for destroying personal information are as follows.

1. Destruction Procedure The company selects personal information for which a reason for destruction has arisen and destroys the personal information after receiving approval from the company's personal information protection officer.

2. Destruction Method The Company uses a technical method that renders the records unrecoverable for personal information recorded and stored in electronic file format. Personal information recorded and stored in paper documents is destroyed by shredding.

Article 10 Measures to ensure the safety of personal information

① When processing users’ personal information, the company takes the following technical, managerial, and physical measures to ensure the safety of personal information and prevent it from being lost, stolen, leaked, altered, or damaged.
division

Action details
Administrative Action
- Establishment and implementation of personal information internal management plan
- Minimize and educate the designation of personal information handlers
- Management of new and old employees
Technical measures
- Restrict access to personal information
- Password encryption
- Access log storage and prevention of forgery/alteration
- Measures against hacking, etc.

② The company is not responsible for any incidents that occur due to the user’s personal mistakes or basic internet risks. Each member must properly manage his or her ID and password to protect his or her personal information and take responsibility for this.

Article 11 Matters concerning the installation and operation of automatic personal information collection devices and their refusal

① The company uses cookies and similar tracking technologies to identify users, maintain member login status, and store and periodically retrieve user information in order to provide personalized services to each user. The tracking technologies used by the company are signals, tags, and scripts that collect and track information and improve and analyze services, and are also stored in the storage device of the user's computer.

② Users have the option to install cookies. Users can allow/reject all cookies or request confirmation each time a cookie is saved through the settings of their web browser. However, if you reject the storage of cookies, you may have difficulty using some of the services provided by the company, such as personalized services.

③ How to reject cookie settings:

1. Internet Explorer: Select [Tools] menu on the web browser > Select [Internet Options] > Select [Privacy] tab > Select desired options in [Advanced]

2. Chrome: [Settings] menu on the right side of the web browser > [Privacy and Security] menu > [Cookies and other site data] > Select desired option

Article 12 Personal Information Protection Manager

① The company is responsible for the overall management of personal information processing, and has designated a personal information protection officer and practitioner as follows to handle user complaints and provide remedies for damages related to personal information processing.

Personal Information Manager

Name: Yang Seong-gyu

Position: Director

Phone: 02-3270-1700

Email: CustomerCareKor@tupperware.com

Personal Information Practitioner

Name: Park Chang-ho

Affiliation: IDT

Position: Manager

Phone: 02-3270-1700

Email: CustomerCareKor@tupperware.com

② Users may inquire about all personal information protection-related matters, such as complaints, damage relief, etc. that arise while using the company's services, to the personal information protection officer and the department in charge. The company will respond to and process user inquiries without delay.

Article 13 Processing of pseudonymized information

The Company does not process pseudonymized information for the following purposes:

Article 14 Request for access to personal information

The company protects and values the personal information of users, and users have the right to receive honest answers to their questions at all times. The company operates a customer center to ensure smooth communication with users, and the contact information is as follows.

- Department name: Customer Service Center

- Phone: 1588-6866

- Email: CustomerCareKor@tupperware.com

Article 15. Methods of relief for infringement of rights

If your personal information rights have been violated, you may contact the Personal Information Infringement Report Center, the Supreme Prosecutors' Office Cyber Investigation Department, or the National Police Agency Cyber Safety Bureau.

- Personal Information Infringement Report Center / privacy.kisa.or.kr / 118 without area code

- Supreme Prosecutors' Office Cyber Investigation Department / www.spo.go.kr / 1301 without area code

- National Police Agency Cyber Security Bureau / police.go.kr / 182 without area code

Article 16 Compliance with GDPR

① The company complies with the General Data Protection Regulation of the European Union and the laws of each member state. When providing services to users within the European Union, the following may apply.

1. The company uses the collected personal information only for the purposes stated in Article 1, and informs the user of this fact in advance and obtains consent. In addition, in accordance with applicable laws such as GDPR, the company may process the user's personal information in one of the following cases.

A. Consent of the data subject

B. In case of concluding and executing a contract with the data subject

D. In case of compliance with legal obligations. C. In case of processing necessary for the significant interests of the data subject. E. In case of pursuing the company's legitimate interests (except in cases where the interests, rights or freedoms of the data subject outweigh such interests).

② The company carefully protects the personal information of users. In accordance with applicable laws such as GDPR, users may request that their personal information be transferred to another manager and may request that their information be refused to be processed. Users also have the right to file a complaint with the personal information protection authority.

③The company may use personal information to provide marketing such as events and advertisements, and obtains the user's consent in advance. Users may withdraw consent at any time if they do not wish to do so.

④For any requests related to this article, please contact the customer center in writing, by phone, or by email, and we will take action without delay.

⑤If you request correction of errors in personal information, the personal information will not be used or provided until the correction is complete.