PRIVACY POLICY

Ralph Lauren Korea Limited (hereinafter the "Company") shall protect the personal information and the rights of the data subject (hereinafter the "Data Subject"), and shall comply with the "Personal Information Protection Law," the "Promotion of Information and Communications Network Utilization and Information Protection Act” and the relevant laws and regulations pertaining to the protection of personal information. This Privacy Policy (hereinafter the "Policy") has been enacted in order to resolve smoothly any dispute relating to the privacy of Data Subject.

Article 1. Purposes for the Processing of Personal Information

The Company shall handle personal information for the following purposes. Processed personal information shall not be employed except for the following purposes, and in the event that the intended use has been changed, the prior consent of the Data Subject shall be sought.

A. Personal Information Collected Offline

  1. Transmission of Information Pertaining to Marketing and Product Services

    Marketing activities directed toward the staff of customers, potential customers, and joint marketing companies, as well as reporters and individuals targeted for the introduction of market research products, and the acquisition and dissemination of information pertaining to the company's marketing activities, the dispatch of marketing and PR data, and the acquisition and dissemination of information on the company's products and services.

  2. Conclusion and Implementation of the Contract

    Confirmation of the contracting parties, determination of whether the contract has been duly concluded, delivery of products, implementation of the contract through payment of the price, payment of service charges such as consultation fee, etc., obligatory notification of the implementation of the contract within the required scope, dealing with unfulfilled obligations, dealing with disputes and petitions related to the contract, proof of implementation and conclusion of the contract, parties to the contract, details regarding the signature, product delivery, cash receipt, service charges payable including consultation fee for the implementation of the agreement, business liaison within the scope required for contract performance, corresponding to the default, contract disputes and handling of complaints, contract implementation and proof of the conclusion thereof, contracting parties, computerized management with regard to the details of contractual conditions and payments.

  3. Implementation of Legal and Administrative Obligations Imposed on the Company

    Legal and administrative obligations including payment of the corporate tax imposed on the company by law and the administrative obligations of the Company, issuance and delivery of tax filing, receipts and invoices for various taxes, including VAT

  4. Replies to Customer Inquiries
  5. Repair of Faulty Products at Customer’s Request
  6. Confirmation of Entry into and Exit from the Company, Crime Prevention, and Verification of Contacts
  7. Management of those Applying to the Company and Hiring Obligations

B. Personal Information Collected Online

1. Communication and notification of related services

2. Review, investigation and response to customer consultation and opinion

3. Investigation to protect the Ralph Lauren Group and its affiliates against negligence, fraud, theft and other illegal activities

4. Notification and reporting to public authorities

5. Obligation of complying with laws, regulations, court orders and other statutory obligations

6. Product and service quality-related activities (including the consideration and development of new businesses and value-added offers)

7. Management and operational development of the website and the stores of the Ralph Lauren Group

8. Delivery of promoted goods

9. Investigation of customer product marketing campaign, planning and conducting of events, etc.

10. Market research companies and other research projects related to the Company's subsidiaries (including personal information to be used in your marketing database, such as product user analysis)

11. Provision of personalized customer services, product development and specialization, consumer trend analysis, enhancement and strengthening of services

Article 2. Processing and Retention of Personal information

Your personal information will be destroyed without delay when you close your account or when you inform us of the withdrawal of your consent for collection of your personal information or when you request us to destroy your personal information, unless the law requires us to retain your personal information. For example, the period of retention of personal information based on the Consumer Protection in the Commercial Code and e-Commerce (hereinafter the "E-commerce Law") shall be as shown below. The E-Commerce Law applies only to online commerce:

1. Commercial books and important documents about the business, including customer information: 10 years (Law Article 33)

2. Slips or similar documents containing customer information: 5 years (Law Article 33)

3. Displays and records of the advertisement: 6 months (E-Commerce Law Article 6, Paragraph 3 and Article 6 Paragraph 1 of the Enforcement Decree)

4. Records regarding a contract or cancellation: 5 years (E-commerce Law Article 6, Paragraph 3 and Article 6 Paragraph 1 of the Enforcement Decree)

5. Records relating to the supply of payments and goods: 5 years (E-commerce Law Article 6, Paragraph 3 and Article 6 Paragraph 1 of the Enforcement Decree)

6. Consumer complaints or disputes relating to the processing records: 3 years (E-commerce Law Article 6, Paragraph 3 and Article 6 Paragraph 1 of the Enforcement Decree)

Article 3. Provision of Individual Information of Third Parties

In principle, the Company shall handle personal information only within the scope specified in Article 1 of this policy, doing so for no purpose other than as originally intended without the prior consent of the Data Subject. Otherwise, we shall not handle the personal information or provide it to third parties. However, the following cases are deemed to be exceptions:

1. If there is information for which advance consent has been given to provide the said information to one or more third parties;

2. If the third party should provide personal information as permitted or required by applicable law and regulation.

The Company shall provide access to third parties, as specified in Appendix I, to personal information collected offline and shall provide personal information collected online to a third party as specified in Appendix II.

Article 4. Processing of Personal-Information-Entrusted Tasks

The Company shall entrust all processing of personal information to the fiduciary provided for in Appendix III. If the Company or the trustee should accept the consignment to change the content of the work, the nature thereof will be released through this policy.

If you enter into a depositary and related business-consignment contract, the Company will make every commercially reasonable effort to comply with the duties of a trustee, in accordance with privacy laws as outlined in the contract documentation.

Article 5. Rights and Obligations of the Data Subject and How to Exercise

A. Inspection of Private Information

1. The Data Subject may ask to see personal information about the Company's processing of his/her information. If the Data Subject, as provided by the Security Administration Ordinance, (i) provides items and contents of the personal information, (ii) the collection of personal information or an object of use, (iii) holds personal information and details on the usage period; or (iv) has a personal information status pertaining to third parties, the Company must submit such personal information in response to the personal information viewing request in order to display the desired information and details of the facts, and to accept the treatment thereof.

2. The Company may allow viewing of the information on the data within 10 days after it has received the required information and consent regarding the subject privacy policy. In this case, when there are legitimate reasons whereby it cannot be read within said period, such access for viewing may be postponed upon indication of the reason for the browsing of information on the subject. If said reason ceases to exist, browsing may proceed without delay.

3. In the event that any of the following should apply to the Company, it may limit or reject the viewing and inform the Data Subject of the reasons:

a. In the event that the reading is banned or restricted in accordance with the law

b. In the event that the viewing thereof may cause physical harm or endanger the welfare of another person or if there is a risk that the viewing may unreasonably infringe upon the property rights or interests of others.

B. Correction and Deletion of Personal Information

1. The Data Subject whose personal information is to be inspected may submit to the Company a request for the correction or deletion of said personal information. In such case, the Data Subject must submit a request for correction or deletion to the Company as prescribed by the Ministry of Security of Public Administration.

2. The Company shall, within 10 days of receiving the request, issue a notice to the Data Subject as prescribed by the Ministry of Security of Public Administration, stating that (i) the correction or deletion of personal information is completed, following an examination in relation to the request of the Data Subject; or (ii) the Data Subject’s request for correction and deletion cannot be followed due to applicable laws and regulations, together with facts and reasons thereof, and the means of appeal. However, if different laws concerning correction or deletion of personal information prescribe a special procedures are applicable, the latter shall be followed.

3. If the Company is obliged to delete personal information as required by the Data Subject, such personal information must not be restored or reproduced.

C. Discontinuation of Processing Personal Information

1. If the Data Subject wishes to cease the processing his/her personal information, he/she needs to submit a written request as prescribed by Ministry of Security of Public Administration.

2. If the Company may refuse the discontinuation of processing of the Data Subject's personal information in the following circumstances:

a. If there are special legal provisions, or if such action is unavoidable in order to comply with the relevant statutory obligations;

b. If the discontinuation of processing may cause harm to the life or to the body of another person, or if there is a danger of unfair prejudice to the interests of others and their assets;

c. If personal information is not processed, the Company has difficulty in providing the contractual service to the Data Subject pertaining to an agreement entered into between the Company and the Data Subject, and the Data Subject has not clearly expressed his/her intention to terminate such agreement.

3. If the Company is requested to stop all of the processing from the date of receiving the stop request, it shall do so within 10 days; said stoppage shall apply to (i) the handling of personal information or the omission of all or some of the facts, or (ii) in the case of a processing stop request by the Data Subject, the fact and the reasons thereof shall be indicated to the Data Subject pursuant to its notice on the handling of personal information required in order to prevent a complaint under the section "How to Stop the Processing of Personal Information" under the Safety Administration Ordinance.

4. The Company shall take the necessary measures, including the prompt destruction of personal information, in accordance with the requirements from the principal information subject regarding the cessation of the use of said personal information.

D. Methods and Procedures for the Exercise of Rights

1. The viewing of personal information as well as the correction and deletion there of or a request to stop processing may be carried out as instructed by the Data Subject, or by a person delegated by a legal representative, on information regarding the Data Subject, or information on the subject. However, the legal representative of the Data Subject, who has been delegated by the Data Subject and therefore wishes to act on behalf of the latter, must submit a power of attorney as prescribed by the Ministry of Security of Public Administration.

2. In regard to the viewing of personal information, and to requests for the perusal, correction, cancellation and processing thereof, the Company may request said claimants for the prescribed commission and postage.

Article 6. Provision on the Handling of Personal Information

The items of personal information handled by the Company are as follows:

A. Personal Information Collected Offline

1. Your Personal Information

Your name, occupation, date of birth, social security number, passport number, e-mail address, phone number, cell-phone number, and consumption / purchase history, size and customer preferences, and for journalists and general customers, the addresses of those who have participated in the Company's marketing events, and the like.

2. Personal Information of Employees of Trading Partner Companies

Names, phone numbers, cell-phone numbers, fax numbers, e-mail addresses, social security numbers, importers, retailers, renters, external educators, contractors, marketing agencies, such as contract partners of the Company registration number and bank-account number, financial institution account information (in the case of a contracted party of the Company, this shall include the information about the employees and directors of the Company, or in the case of the landlord of the family that owns the property, including the family name and relationship to the family)

B. Personal Information Collected Online

1. Gender and e-mail address

Article 7. Breach of Personal Information

1. Unless we are required to retain your personal information under applicable laws, your personal information will be destroyed without delay when you close your account, when you inform us of the withdrawal of your consent for collection of your personal information, or when you request us to destroy your personal information.

2. If the Company is about to destroy your personal information, given that such personal information is commercially valuable, it will do so in such a manner that recovery will not be technically possible.

a. If the personal information is in an electronic file format, we will delete it permanently and use software to ensure that the files cannot be restored; or

b. Other non-documentary, written/printed documents, or other recording media shall be destroyed by shredding or incineration.

3. If the Company is to preserve the personal information, it shall not be destroyed but shall rather be preserved within the context of separating said personal information or personal information files from other personal information in order to store and manage it.

Article 8. Ensuring Privacy Through Safety Measures

The Company has available the technical, managerial, and physical measures necessary to ensure the safety of personal information pursuant to Article 29 of the Personal information Protection Act, as follows:

A. Managerial Measures

1. The Company shall designate a privacy officer in order to ensure that its customers' personal information can be processed in accordance with the relevant laws and to establish and implement an internal management plan for this purpose.

2. This shall be limited to the Company's staff, trustees and other personal information processed directly by parties responsible for establishing and enforcing regular privacy training.

The Company shall, through regular internal audits, ensure that it has provided adequate safeguards in accordance with internal management plans.

B. Technical Measures

1. The Company shall control access to personal information and manage access rights and restrictions.

2. The Company shall record the details of the personal information management, and maintain access to the records retained for a fixed period of time.

3. The Company shall install and operate an intrusion prevention/protection system in order to prevent unauthorized access to personal information. Furthermore, it shall apply a secure access-control system, including a virtual private network that cannot be accessed from the outside.

4. The Company may establish and apply a password, and create rules to allow customers to set up and use a secure password. A customer who has been given a password to access certain parts of the Company's website shall keep said password confidential and not disclose it to any third party.

5. If the Company is sensitive to unique identification information and transmits personal information, such as that for receipt and storage, it shall implement the encryption action required under applicable law.

6. The Company shall install a program to solve security bugs in the software, including the operating system, and shall update the program periodically.

7. The Company shall keep personal information safely for the period of time in which information is accessed on the personal information processing system.

C. Physical Measures

1. The Company has implemented protective measures such as the restricting of physical access to places in which your personal information is kept, e.g., the computer room and the data storage room.

Article 9. Posted Links to Other Sites

The Company's website can post links to other sites in order to provide customers with convenience and information. The site can be operated by a company that is not affiliated with the Company. The linked sites may have separate privacy policies. The Company recommends that you review their policies regarding privacy if you visit a linked site for customers. The Company shall assume no responsibility with regard to the processing of personal information and information on any company not affiliated with the Company's own website, or to the use thereof. If links to other sites are provided, the Company shall make commercially reasonable efforts to notify the customer that they are leaving the Company’s website and accessing a third party website voluntarily.

Article 10. Cookie

The Company may use sessional/permanent cookies and/or web beacons on specific websites of the Company. A "cookie" pertains to a customer of the Company's website, whereby it saves the file for access to record and allow the Company to indicate its history. The use of cookies allows the Company to track a customer's website preferences and his/her responses to changes that are made to the Company's website in accordance with the respective customer preferences. Cookies also make it possible to measure the Company's website usage.

If a customer has access to the Company's website, we can provide frequency of access, connection time, target marketing services or customized services through the analysis of such events of participation.

Customers have a choice regarding cookies. Therefore, a customer may accept all cookies by setting an appropriate function in the web browser to send notification when a cookie is installed, or it may reject all cookies. However, should a customer refuse to install cookies, certain services of the Company may be limited.

Cookie settings may be adjusted at the top of the web browser through the "Internet Options" tab available via your personal information.

Article 11. Installation and Operation of Visual Information Processing Equipment

The Company has installed and put into operation image information processing equipment in order to prevent crime and manage facilities as follows:

Installation purposes: Crime prevention, fire protection, general facilities management, etc.
Emplacement: Designated sites inside and outside each of the company stores
Operating range: Main site of each of the company stores
Opening hours: 24 hours
Manager: LEE Kwan-woo
Contact No.: 02-6004-0030

Article 12 Remedies for Infringement

The Data Subject can apply to the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency and other relevant agencies for dispute resolution and consultation in order to receive remediation for privacy violations.

Related agencies include the Supreme Prosecutors' Office of Advanced Criminology and/or the National Police Agency Cyber Bureau, the National Police, etc.

Article 13 Amendment of these Basic Policies

These policies may be amended in accordance with the relevant laws and regulations, guidelines and operating policies within the Company, to disclose the changes in accordance with the method prescribed under the relevant laws and regulations in the event the policies are changed.

Article 14. Dealing with Opinions and Complaints

The Data Subject may file a privacy complaint with the Privacy Officer or with our Customer Service Department. The Company shall provide a prompt and sufficient reply to the complaint of the Data Subject.

Chief Privacy Officer

Name: JU Sang-pil
Position: Chief Privacy Officer
Telephone: 00798-8521-7262
E-mail: Privacy@RalphLauren.co.kr

Online Business Privacy Department

Position: General Counsel, Asia Pacific
Contact: 00798-8521-7262
E-mail: CustomerAssistance@RalphLauren.co.kr

Offline Work Privacy Department

Department: Consumer Protection Team
Manager: Director LEE Kwan-woo
Telephone: 080-566-1199

Appendix I

Personal Information Collected Offline

Recipient (Contact) Purpose of Use by the Recipient Items Provided Period of Retention and Use
Ralph Lauren Asia Pacific Limited (Hong Kong) Marketing, recording and analysis of relevant information, order tracking, and return status reporting Name, telephone number, e-mail address, address, occupation and date of birth When you close your account.
Ralph Lauren Corporation
(The United States)
Same as above Same as above Same as above
Ralph Lauren Corporation Japan (Japan) Same as above Same as above Same as above

Appendix II

Personal Information Collected Online

Recipient (Contact) Purpose of Use by the Recipient Items Provided Period of Retention and Use
Ralph Lauren Asia Pacific Limited (Hong Kong) Management of customer database for customer analysis Name, address, telephone number, cell-phone number, date of birth, sex, e-mail address, password When you close your account.
Ralph Lauren Corporation
(The United States)
Same as above Same as above Same as above

Appendix III

Current Status of Entrusted Privacy Duties

Fiduciary Contents of Consignment Business
Saerom Co., Ltd. Knitted clothing repair
Star Co., Ltd. Accessory repair
Kugil Co., Ltd. Zipper repair
Piaenpi Co., Ltd. Color repair
Nama Advertising Business Related to Marketing Data Transmission
Maillink (Maillink) Business Related to Marketing Text Messages
AWS (Amazon Web Services) Website hosting and management
Salesforce Marketing Cloud E-Mail marketing and Sales Promotion to Customers
Omniture Analysis of Consumption Behavior and Sending of E-mails Welcoming Newly Registered Clients
PCCW Solutions Construction and Management of Customer Support System

This policy is effective as from July 19, 2016.