Article 1 (Purpose of Processing Personal Information and Items Collected)

The Company collects only the minimum personal information necessary for providing its services, based on the data subject’s consent (Article 15(1)(1) of the Personal Information Protection Act), and uses the information solely within the agreed scope. Collected personal information will not be used for any purpose beyond this scope or disclosed externally without prior consent. If the purpose of use changes, the Company will take necessary measures, including obtaining separate consent, in accordance with Article 18 of the Personal Information Protection Act.

To identify individuals making inquiries, confirm the details of inquiries, verify facts, respond to inquiries, and notify results:

• Mandatory Items: Email address, Name
• Optional Items: Phone number, Company name, Occupation

Article 2 (Retention and Storage Period of Personal Information)

1. The Company will destroy personal information without delay after one year from the date the purpose of collection and use has been fulfilled.

2. However, if retention is required under applicable laws, the Company may store the information for the duration specified by those laws.

• Records related to consumer complaints or dispute resolution: 3 years (in accordance with Article 6(1)(4) of the 「Enforcement Decree of the Act on Consumer Protection in Electronic Commerce」)

Article 3 (Provision of Personal Information to Third Parties)

The Company uses personal information only within the scope specified in “Article 1 (Purpose of Processing Personal Information and Items Collected)” and does not share or disclose the information to third parties without the data subject’s prior consent. However, exceptions may apply in accordance with Article 18(2) of the 「Personal Information Protection Act」, including but not limited to the following cases:

• When required by the law in accordance with legally established procedures
• When requested by investigative agencies in accordance with legal procedures for investigative purposes

Article 4 (Entrustment of Personal Information Processing)

To facilitate the efficient operation of services, the Company entrusts certain personal information processing tasks to third-party service providers as described below.

When entering into Entrustment Agreements, the Company shall include clauses to ensure that personal information is not processed for purposes other than performing the entrusted work, and to require appropriate technical and administrative safeguards, restrictions on re-entrustment, supervision of the entrusted party, and liability for damages, in accordance with applicable laws.

The Company also monitors the entrusted entities to ensure their compliance with personal information protection laws. Any changes to the details of the entrusted work or the entrusted entities will be disclosed through this Privacy Policy without delay.

• Entrusted Entity | Entrusted Work
• Haengbok ICT | Development and operation of the SK Biopharmaceuticals website
• SK AX | Infrastructure operation and maintenance
• Amazon Web Services Inc. | Support for cloud infrastructure operations

Article 5 (Procedures and Methods for Destroying Personal Information)

1. Destruction Procedure

• When personal information is no longer needed due to expiration of the retention period or achievement of the purpose, the Company will destroy the information without undue delay.
• If personal information must continue to be retained despite the expiration of the consented retention period due to legal requirements, the information will be transferred to a separate database (DB) or stored in a different location, and will be destroyed immediately upon the termination of the reason for retention.
• The personal information selected for destruction will be destroyed with the approval of the Company’s Privacy Officer.

2. Destruction Method

• Printed documents containing personal information will be shredded or incinerated.
• Personal information stored in electronic file format will be permanently deleted using technical methods that prevent data recovery.

Article 6 (Rights and Obligations of Data Subjects and How to Exercise Them)

1. Data subjects may exercise the following rights with respect to their personal information at any time:

• Request to access personal information
• Request correction in case of errors
• Request withdrawal of consent or deletion
• Request suspension of processing

2. These rights may be exercised by submitting a written request, email, or fax to the Company. The Company will take necessary action without delay upon receiving the request.

3. If a data subject requests correction or deletion of personal information, the Company will not use or provide such information until the correction or deletion is complete.

4. These rights may also be exercised by a delegated representative of the data subject (hereinafter referred to as "Representative"). The Representative must submit a power of attorney signed by the data subject, and the Company will process the request after cofirming whether he/she is the duly authorized representative.

5. As a principle, the Company does not collect personal information from minors under the age of 14. However, if it becomes unaviodable through 1:1 inquiries or consultations, the Company will obtain consent from the legal representative prior to collection. Such information will be destroyed immediately after the purpose is fulfilled or the agreed retention period expires.

6. The data subjects' rights to request access and suspention of processing may be restricted in accordance with Articles 35(4) and 37(2) of the 「Personal Information Protection Act」. In addition, if the collection of such personal information is explicitly required under other applicalbe laws, deletion of such information may not be requested.

Article 7 (Installation, Operation, and Rejection of Behavioral Information Collection Tools)

1. To improve user experience, the Company uses “cookies,” which store and retrieve user data for the website operation.

2. Cookies are small data files sent by the web server (HTTP) to the user’s computer browser and may be stored on the user’s PC hard drive or device.

3. Processing of Behavioral Information: The Company processes behavioral information using automated collection tools, such as cookies, in a manner that does not identify individuals. This is done to provide personalized and convenient services during website use.

• Items Collected: IP address, cookies, visit history
• Method of Collection: Automatically collected when accessing and using the website
• Purpose of Collection: To prevent repetitive display of pop-up notifications when users revisit the homepage, thereby enhancing the user experience
• Retention Period: Behavioral information is retained for 30 days from the date of collection and then permanently deleted

4. How to Refuse the Collection and Processing of Behavioral Information: Users can configure their browser settings as described below to allow or block the collection of behavioral information.

• ▶On desktop browsers:
  • Chrome: Settings > Privacy and security > Clear browsing data
  • Edge: Settings > Cookies and site permissions > Manage and delete cookies and site data
• ▶ On mobile browsers:
  • Chrome: Settings > Privacy and security > Clear browsing data
  • Safari: Device Settings > Safari > Advanced > Block All Cookies
  • Samsung Internet: Settings > Browsing data > Clear browsing data

5. Users may refuse the use of cookies without any limitations in accessing or using the website. However, pop-up notifications may reappear each time the user visits the site.

Article 8 (Measures to Ensure the Safety of Personal Information)

The Company takes the following managerial, technical, and physical measures to ensure the security of personal information and to prevent loss, theft, leakage, alteration, or damage of personal data.

• 1. Managerial Measures
  • The Company establishes and implements an internal management plan for the secure processing of personal information.
  • The Company designates specific personnel to handle personal information and limits access to authorized individuals. Regular training is provided to ensure compliance with this Privacy Policy.
• 2. Technical Measures
  • The Company retains and manages records of access to the personal information processing system and implements security measures to prevent tampering, theft, or loss of such records.
  • The Company controls access to personal information and restricts access rights. Security programs are installed and regularly updated to prevent the leakage and damage of personal information caused by hacking or computer viruses.
  • Users’ personal information is encrypted for storage and management to ensure that only the individual can access their data. Important data is further protected through encryption during storage and transmission or by applying file-locking functions.
• 3. Physical Measures
  • Personal information is stored in physically separated areas with access control procedures

Article 9 (Contact Information of Privacy Officer and Manager)

The Company designates the following person and department to protect personal information of data subjects and respond to related inquiries and complaints:

• Privacy Officer: Hyejin Moon, Chief Information Officer
• Department in Charge of Privacy and Data Access Requests: IT Team, Business Strategy Division
• Phone: 031-8093-0162
• Email: skbp_sec@sk.com

Article 10 (Remedies for Violation of Rights)

The data subjects may contact Personal Information Dispute Mediation Committee, Korea Internet & Security Agency or the following institutions for consultation or to request dispute resolution to receive relif from information infringements:

• Personal Information Infringement Reporting Center: https://privacy.kisa.or.kr / (without area code) 118
• Supreme Prosecutors’ Office, Cyber Crime Division: http://cybercid.spo.go.kr / (without area code) 1301
• National Police Agency, Cyber Security Bureau: https://cyberbureau.police.go.kr / (without area code) 182

Article 11 (Amendments and Notification of the Privacy Policy)

1. This Privacy Policy shall enter into force on June 24, 2025.

2. In the event of any additions, deletions, or modifications to this Privacy Policy due to changes in relevant laws, policies, or security technologies, the Company will announce the purpose and details of such amendments on its official website at least seven days prior to the enforcement date of the revised policy.

• Notice Date : June 17, 2025
• Enforcement Date: June 24, 2025