Coway operates a privacy protection body in charge of protecting private information. The Information Protection Committee carries out discussions and makes decisions on major issues related to privacy protection.As an executive-level body, the Information Protection Committee is chaired by the chief information protection staffer and comprises the heads of relevant departments as members. The Committee is chaired by the Chief Information Security Officer (CISO), who has "at least 10 years of experience in the field of information protection or information technology", which is the requirement specified for the CISO under the Act on Promotion of Information and Communications Network Utilization and Information Protection.

The Committee helped build an integrated management system to protect and manage private information more efficiently. All bodies related to privacy and information protection are led by the Information Security Team, and work closely with relevant departments for thorough information protection.

Externally, there has been an increase in the threat of cyberattacks and the transition to a digital society due to the COVID 19 pandemic;internally, there is a need to establish security policies adapted to the expansion of online services and the evolving cloud environment. In 2022, the Information Protection Committee completely revised the Privacy Protection Policy and guidelines to reflect the evolving internal and external information protection environment and processes, and established new security guidelines for cloud services, which lay the foundation for more practical and systematic operation of the Information Protection Management System.

We operate an information security system based on the information security policy and guidelines we drew up for protection of customers’ information in all business areas. We divided our privacy protection regulations into policy on basic principles regarding protection of private information and detailed areas for the practice of privacy protection, so that they can be readily applied in the workplace. The information security policy and guidelines are enacted and revised on a regular basis in order to reflect them in the realm of privacy protection that is growing wider in line with changes in the business environment.

In 2022, we subdivided the policy and three guidelines into one policy and 17 guidelines by incorporating the latest issues concerning privacy protection, such as the active use of in-firm cloud system and increase of the location-based services. We are determined to protect private information by applying the related guidelines and measures to all our business areas and fiduciaries and suppliers, as well as marketing bodies.

Coway responds promptly to requests for deletion of personal information from information subjects or matters received through the e-Privacy Clean Service to ensure the rights of the information subject.

In 2023, we completed the implementation of privacy labeling on Coway.com and cosmetics sites to make it easier for information subjects to understand the key points of our privacy policy.

(Effective date: Coway.com_ May 12, 2023/ Cosmetics_ April 25, 2023)

Coway has acquired capabilities to fulfill domestic and international standards for personal information security and privacy protection by obtaining information protection certifications from reputable third-party organizations, and strengthens its information protection level every year through post-examination (1 year) and renewal examination (3 years).

In 2022, we identified risk issues, such as mass inquiries and export of personal data and activities after office hours. As a result, we identified some cases involving suspicion of privacy violation and managed the risk factors. We also reinforced our activities to raise awareness on information privacy in order to prevent potential risks to information protection in the process of employees’ working from home due to COVID 19,and ran malicious email simulation training for employees, suppliers, and partners. In addition, we checked the continuity of our information protection system by diagnosing infrastructure weaknesses, reviewing security, and validating disaster recovery procedures.

We operate a privacy incident response system to take initial action promptly, minimize damage and prevent secondary damage in cases where a data leak or breach occurs. We classify privacy incidents into data breach and data leak (leaks of private data and inside information), respectively, and take appropriate measures for each type of incident. Above all, we alert the information protection staff immediately after we detect an incident through security control and periodic monitoring and form a response team. Next, we conduct a detailed analysis of how the information leak occurred through fact-checking and evidence-collection and preservation after taking initial action. This is followed by measures to prevent recurrence and ensure we get back on track. Equipped with this response system, we inform relevant departments of the incident and our responses, and provide training in order to prevent similar incidents.

Coway monitors information security activities on a monthly basis, identifies areas needing improvements, and reports and manages ongoing information security activities. In 2022, a total of 34 information security activities were conducted, exceeding the target of 90% and achieving 100%.