LX Hausys Europe GmbH General Privacy Policy

LX Hausys Europe GmbH (“LX Hausys Europe” or the “Company”), a Germany subsidiary of LX Hausys, Ltd. (“LX Hausys”) in South Korea, collects, uses and is responsible for certain personal information about you. When we do so we are regulated by the General Data Protection Regulation (‘GDPR’) which applies across the European Union, and thereon, we may be responsible as controller of that personal information for the purposes of those laws.

[nbsp]

1.Purposes of Collecting and Using Personal Data

[nbsp]

LX Hausys is in the business of manufacturing, buying, selling and servicing of certain goods and services, and LX Hausys Europe is a sales subsidiary for some of those goods and services for Europe. LX Hausys Europe currently services for Solid Surface Materials (aka HIMACS MyWorktop), Automotive and Deco Films. In response to the relevant laws and regulations and foremost, by furtherance of good business ethics, LX Hausys Europe is committed to safely protecting your personal data given to us, and we promise that we will only use your personal data for the purpose(s) accepted by you.

LX Hausys Europe collects and processes the minimum personal data required for the furtherance of its commercial interest only. Thereon, LX Hausys Europe will process all personal data only for the purpose specifically stated or otherwise permitted by law. All personal data entrusted with LX Hausys Europe will forever remain confidential to unrelated third parties.

What is personal data?

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier;[nbsp] or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.[nbsp] [GDPR Clause 1, Article 4]

MYWORKTOP.UK (the “Website”)

Types of Requests Available on the Website ("Contact Us"):

To provide customers with excellent services, the Company may share certain customer information with its contracted distributor and other business partners. Rest assured, the Company has an internal policy of processing all personal data for the specific purpose as stated or permitted by law. For certain business cases or requests, the Company’s Country Manager or Project Manager will make reasonable business decisions to transfer relevant personal information to the distributors and other business partners for the furtherance of commercial objectives. To adequately comply with your request, the Company may ask you for more information as it becomes necessary.

[nbsp]

DIRECT SALES

"Direct Sales" refers to any and all traditional and ordinary course of business taken off-line. However, some referral may be made directly by a source using e-mail system. Any and all referrals and traditional business methods, such as exchanging of business cards, phone calls, on-the-ground business transactions, exhibitions and trade shows, etc., will be considered as direct sales.

• For the furtherance of its commercial interest, the Company will process all personal information received from direct sales into the CRM. However, such personal data, unless a specific purpose or appropriate consent has been documented, will be only used when and if the Company receives consent or specific instruction from the respective data subject. Such method will be carried out by the aforementioned “Thank You” or confirmatory e-mail.
• Absent appropriate consent or a specific purpose provided, the Company shall delete all collected personal information from the database within 30 days of the initial input into the CRM.

[nbsp]

GENERAL APPLICABILITY

The Company collects and processes your personal data on the grounds of one or more of the lawful bases permitted under the laws and regulations (such as performance of contract, legitimate interest of the Company, required by law, etc.).

• If the data subject does not provide the Company with sufficient personal data to fulfill a data subject’s request, then the Company will not be able to proceed.
• If you made consent to specific use, then you are free to withdraw your consent at any time. Please refer to https://himacs.eu/en/rights-data-subject for more details on withdrawal, unless specified otherwise hereunder.
• The Company does not collect or process personal data of a minor child. The Company sets, as its internal policy, the age of consent to be 18. However, if the minor has a legitimate interest in doing business with the Company and is permitted to do so by the applicable laws and regulations (such as obtaining authorization from a parent or legal guardian), he or she may be able to submit certain personal information for the furtherance of a mutual commercial interest. There are no other exceptions.
• The Company currently does not use any features or services related to automated decision-making or profiling.
• The Company, unless required by law, does not collect or process any specially categorized personal data as set forth in the GDPR.

[nbsp]

2. Personal Data Retention Policy

The Company conforms to the data retention period as permitted or required by law. However, if one is not clearly specified or managed by law or regulation, then the Company shall reasonably set the retention period as its internal policy. When and if the data subject makes a request for deletion of some or all of his or her personal data, then the Company will do so without undue delay unless other reasonable ground exist.

Please refer to the Company Personal Data Retention Policy for further details. As a general standard, LX Hausys Europe does not retain personal data for longer than the period necessary. As a general rule, the three-year mark is considered as the point of deletion for unused personal data, absent other reasonable grounds to further retain such data. In short, if LX Hausys Europe does not use your personal data for 3 years, then it will be deleted automatically.

For statistical purposes, in the interest of commercial objectives, the Company may safely archive expired or terminated personal data by anonymizing such data (meaning no one will be able to identify the data subject).

[nbsp]

3. Matters Regarding Transfer of Your Personal Data to a Third-Party

[nbsp]

The Company, in order to efficiently process and safeguard data, processes or transfers applicable data to its affiliates and external service providers. All personal data provided hereunder shall only be collected and processed for the purpose(s) accepted by you.

For any personal data being processed and transferred to a third party or internationally, absent unique situation, the Company shall process only under the Article 6(1)(b), ("processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a Contract") and/or Article (6)(1)(f), ("processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child"), or by other means permitted by law.

• The management of the Website's system operations is consigned to two external service providers, Royalkomm and Internet X. These service providers, as part of their service related to the Website, will be able to access your personal information collected through the Website.
• For requests or matters that cannot be handled solely by the Company, they may be provided to LX Hausys, Ltd. in Korea (LX Hausys HQ) for additional assistance. Such requests will only be transferred to fulfill the purpose(s) accepted by you.
• The Company uses an internal e-mail system called "e.com Inc." This service provider, as part of its service related to the CRM, will be able to access your personal information collected through the Website.
• To better provide system provided by LX Hausys, Ltd. and its service provider for such system is LX CNS. This service provider, as part of its service related to the internal e-mail system, will be able to access your personal information collected.
• When and if the relationship with an aforementioned service provider ends, absent lawful reasons to retain it, all personal data processed in the course of the relationship will be deleted by such service provider as soon as the relationship ceases to exist.
• The Company collects and processes your personal data on the grounds of one or more of the lawful bases permitted under the laws and regulations (such as performance of contract, legitimate interest of the Company, required by law, etc.). If you do not provide the Company with sufficient personal data to fulfill for your request, then the Company will not be able to proceed with your request.
• If you do not feel comfortable using the Website or another online method (i.e. e-mail) to submit your personal data, then you may choose to reach out to the Company by making a phone call to the Company’s main phone number. However, for certain requests, a the third-party transfer is unavoidable.

[nbsp]

ASSIGNMENT: In the case of mergers and acquisitions or effects similar thereto, the Company will either transfer the personal data it has retained up to such transaction to its merging entity or maintain it until other corporate changes occur. In applicable cases, where your rights may be affected, you will be notified of such applicable changes in processing.

[nbsp]

4. Matters Regarding International Transfers of Personal Data

[nbsp]

The Company may transmit collected personal data to countries outside of the EEA (European Economic Area) in the following cases:

[nbsp]

• The Company uses internal systems and assistance provided by LX Hausys, Ltd. and, as its service provider, LX CNS, are located in Korea, therefore, international transfers of your personal data may occur.
• The Company entered into a Data Processing Agreement and executed a Model Contractual Clauses with the terms provided by the European Commission. Therefore, the proposed international transfer of personal data is permitted by the relevant laws and regulations.

[nbsp]

5. Matters Regarding Automated Decision-Making and Profiling

[nbsp]

The Company currently does not use any type of automated decision-making such as profiling or others having similar or substantial effects on a data subject.[nbsp] If this should change, this General Privacy Policy shall be revised accordingly to notify the users of the details of such changes.

[nbsp]

6. Complying with Requests Related to the Rights of the Data Subject under Privacy/Data Protection Laws and Regulations.

[nbsp]

In accordance with the rights provided by the GDPR and other relevant laws and regulations, you can request the following from the Company:

1. Access to your personal data ("Access to Personal Data")
2. Rectification of your personal data ("Rectification of Personal Data")
3. Deletion of some or all of your personal data ("Deletion of Personal Data")
4. Restriction of processing of your personal data ("Restriction" of Processing of Personal Data")
5. Data Porting of your personal data ("Personal Data Portability")
6. Objection to processing of your personal data ("Objection to the Processing of Personal Data")
7. Action on automated decision-making based on your personal data ("Action on Automated Decision-Making")
8. Withdrawal of your consent to personal data processing ("Withdrawal of Consent to Personal Data Processing’)

[nbsp]

The above forms are only applicable when and if the Company has any personal data related to you. The Company may refuse to comply with your request when there is a need to process your personal data for certain lawful purposes (performance of contract, required by law, etc.) or the Company has an overriding legitimate interest to process it.

[nbsp]

If you want to make a request as mentioned above, you can download the respective form from https://himacs.eu/en/rights-data-subject and submit such a request to the gdprweb@lxhausys.com. In order for us to process your request, you must fill-in all required information and are strongly encouraged to fill-in additional information reasonably related to your request.

[nbsp]

For all requests, the Company is to use only the contact information already within the CRM or in other applicable databases. As the Company requires an e-mail address for all commercial requests, such e-mail address will be the primary contact information to be used. If additional contact information is available, such as a phone number or address, then such methods may be used to verify the identity of the requester. When an e-mail address is used that is different from the one the Company has, then the Company will ask for verification of the requester’s identification.

[nbsp]

In the case of a request received from a proxy, the Company will only process such request once the identity of the proxy has been verified (photo ID, etc.) and a lawful power of attorney has been received.

[nbsp]

The standard processing time permitted by law is to respond within 30 days of the request. If the Company cannot process such a request within the permitted time period, then you will be notified with the reasons for the delay and the anticipated delivery date. When abusive, excessive, and/or repetitive requests are made, the Company may charge reasonable administrative fees to process such requests.

[nbsp]

7. Matters Regarding Technical Protection Measures

[nbsp]

The Company devises the following technical protection measures to implement safeguards so that your personal data does not get lost, stolen, leaked, falsified or damaged during processing.

1. Measures against hacking, etc.

The Company uses antivirus software to prevent its PCs that are processing your personal data from being infected with a virus and periodically improves weaknesses in its systems by conducting penetration testing where applicable. Furthermore, security mechanisms (SSL, etc.) are employed to transmit personal data safely over the network used by the Company.

2. Storage of access records

The Company secures traceability by storing and managing records (web logs, summarized information, etc.) of access to the personal data processing system. There is no active monitoring of such records, and such records will be used when there is an issue or to take preventative measures.

3. Restrictions on access to personal data

The Company actively manages the permissions of each access group, both of its employees and its business partners, to sufficiently implement reasonable measures against data protection. Such actions may include granting, changing, and terminating one’s access. The Company only permits a small number of authorized employees to hold such management roles. Any and all creation, deletion and changes related to access will be recorded in accordance with the Company’s internal policy.

4. Deletion of personal data

The Company regularly deletes personal data, whose purpose of use has expired, from the applicable databases.

The above protection measures do not guarantee perfect security. However, the Company will act diligently to prevent further damage, when there is an actual or suspected personal data breach.

8. Matters Regarding Cookies

The Company uses “cookies” that store and retrieve your personal data frequently to provide you with a more comfortable homepage environment.

[nbsp] - What are cookies?

Cookies are very small test files that the server used to operate a homepage sends to your browser. They are sometimes stored on your computer’s hard disk.

- Purposes of using cookies.

To provide a faster web environment to you by storing your preferred settings, etc., and to improve services.

- Cookies settings

You can choose whether to install cookies or not. In other words, you can allow all cookies, go through confirmation whenever cookies are to be stored, or reject storage of any cookies by means of the seetings in your web browser.

- Google Analytics

The Website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”).[nbsp] Google Analytics uses cookies, which are text files placed on your computer, to help the Website analyze how users use the site. The information generated by the cookie about your use of the Website (including your IP address) will be transmitted to and stored by Google on servers in the United States . Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for Website operators and providing other services related to website activity and Internet usage.[nbsp] Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google.[nbsp] You may refuse the use of cookies by selecting the appropriate settings in your browser. However, please note that if you do this you may not be able to use the full functionality of this Website.[nbsp] By using this Website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

Please see the following for more details on how to check, manage and delete cookies on your computer: http://www.allaboutcookies.org.

[nbsp]

9. Responsibility for Data Protection

[nbsp]

LX Hausys Europe GmbH

- Address: Lyoner Str. 15, 60528 Frankfurt am Main, Germany

- Phone: +49-69-583-029-469

- E-mail: gdprweb@lxhausys.com

[nbsp]

Department in charge of data processing and protection for HIMACS MyWorktop products/services and the Website

- Department: LX Hausys Europe GmbH, HIMACS MyWorktop Team

[nbsp]

LX Hausys Europe Data Protection Officer

- Name: IBS data protection services and consulting GmbH, Dr. Michael Foth

- Address: Zirkusweg 1, 20359 Hamburg, Germany

- Phone: +49-(0)40-696-985-24

- E-mail: info@ibs-data-protection.de

[nbsp]

To file a complaint with the supervisory authority in Hessen, Germany:

If you need damage relief or a consult on infringement of your personal data, you can contact the following institution.

The following institution is a public body and is separate from the Company. If you are not satisfied with the result of the Company’s response to your claims or complaints, or need more specific assistance, please contact the following:

Supervisory authority in Hessen, Germany

- Name: Der Hessische Datenschutzbeauftragte

- Phone: +49-06-11-140-80

- Fax: +49-06-11-14-08-900

- E-mail: poststelle@datenschutz.hessen.de

- Website: http://www.datenschutz.hessen.de

This Privacy Policy takes effect on May 25, 2018.