Personal Data Protection Policy


1. Importance

Green Capital Holding Company and its subsidiaries (collectively referred to as "the Company") respect and highly value the protection of personal data of their personnel, customers, business partners, and business allies. The Company is committed to protecting personal data from misuse and keeping it secure in accordance with laws and international standards.

2. Objectives

  • 2.1 To ensure that all transactions with the Company are secure and reliable, with protection for the personal data of all personnel, customers, business partners, and business allies.
  • 2.2 To prevent damage from the fraudulent or improper use of personal data for gain.

3. Scope of the Policy

This policy is effective for Green Capital Holding Company and its subsidiaries, both those already established and those that may be established in the future. This policy will be reviewed at least once a year, or when deemed appropriate.

4. Principles

The personal data protection law sets out standards, practices, and duties that the Company must adhere to when managing or processing personal data. These principles apply to all personal data relating to customers, employees, and all stakeholders involved with the Company. To comply with these practices and duties, the Company must process personal data in accordance with the following principles:

  • Process personal data fairly and lawfully.
  • Always process personal data for the purpose for which it was collected, used, and disclosed.
  • The personal data processed by the Company must be adequate, relevant, and not excessive for the purpose.
  • Personal data must be accurate and up-to-date.
  • Do not keep personal data for longer than necessary.
  • Process data in accordance with the individual's right to access and rectify their data.
  • Personal data must be secure.
  • Personal data shall not be transferred to another country with inadequate data protection standards, unless consent is obtained or as required by law.
  • Personal data must be used correctly and not cause harm to the data subject.
  • The Company has standards, guidelines, and processes that support compliance with this policy.

4.1 Transparency

The Company informs all data subjects about the use of their personal data through a Privacy Notice, which is displayed on the Company's website (for customers, employees, and related parties) and through other communication channels. All details regarding the use of personal data are stated in these notices. The Company will only collect, use, or process personal data for the purposes stated to the data subject. In general, the Privacy Notice will include the following topics:

  • 4.1.1 Groups of customers or sources of personal data. The Company generally collects personal data from data subjects, which may include customers, suppliers, employees, job applicants, and other external individuals.
  • 4.1.2 Purpose of collecting personal data from the data subject.
  • 4.1.3 Types of personal data collected, including but not limited to name, address, phone number, email, and IP address.
  • 4.1.4 Retention period for personal data.
  • 4.1.5 Rights of the data subject.
  • 4.1.6 Methods for providing or withdrawing consent.
  • 4.1.7 Preventive and security measures for the personal data collected by the Company.
  • 4.1.8 Contact information for the personal data protection authority in case the data subject has questions about the Company's use of personal data or wishes to exercise their rights.
  • 4.1.9 External persons or entities who may have access to the personal data.
  • 4.1.10 Cookie policy, in cases where the Company collects personal data through its website or application.

4.2 Use of Personal Data

When a proposed use of personal data may pose a high risk to the Company's customers or employees, the operation must first go through the relevant personal data governance process, which may include a Data Protection Impact Assessment. This documents the Company's decision-making when it needs to strike an appropriate balance between the Company's interests and the privacy rights of customers or employees.

4.3 Marketing

Customers have the right to choose whether or not to receive marketing communications from the Company. Whenever a customer provides personal data to the Company for marketing purposes, they will be asked if they want to receive marketing communications. Marketing materials will only be sent to customers who agree to receive them. Customers can change their marketing preferences at any time, and the Company must strictly comply with these preferences.

4.4 Data Subject Rights

When the Company receives a request from any individual concerning their privacy rights, the Company must process the request within the legal framework and in accordance with established procedures. The rights of the data subject include:

  • 4.4.1 The data subject has the right to access or request a copy of their personal data.
  • 4.4.2 The data subject has the right to inquire about how their personal data was obtained, in cases where the data subject did not give consent.
  • 4.4.3 The data subject has the right to request the rectification of their personal data.
  • 4.4.4 The data subject has the right to request the deletion or destruction of their personal data, or to have it anonymized, according to the procedures and methods stipulated by law.
  • 4.4.5 The data subject has the right to request the transfer of their personal data to another data controller.
  • 4.4.6 The data subject has the right to request the suspension of the use of their personal data as stipulated by law.
  • 4.4.7 The data subject has the right to object to the collection, use, or disclosure of their personal data.
  • 4.4.8 The data subject has the right to withdraw the consent they have given to the Company.
  • 4.4.9 The data subject has the right to file a complaint if the processing of their personal data causes damage to their rights or freedoms.

4.5 Data Retention and Destruction

The Company does not retain personal data for longer than necessary for the purpose. Each department is responsible for setting an appropriate and necessary retention period for the personal data it holds, with clear provisions for how that data is retained, and for reviewing that period regularly. All personal data should be deleted in an orderly and secure manner once the established retention period has ended.

To prevent data breaches, the Company will securely delete or destroy personal data in the following cases:

  • When it is no longer necessary to retain that personal data.
  • When the collection, use, or disclosure of personal data has achieved its purpose.
  • In cases where the data subject objects to the collection, use, or processing of their personal data.
  • When the data subject withdraws their consent for the collection, use, or processing of their personal data.
  • Upon expiration of the period agreed for the purpose of collection, unless retention is required to comply with related laws.

The Company may, however, retain necessary personal data for other related purposes as specified or permitted by law.

4.6 Data Minimization and Anonymization

The Company will only collect personal data necessary for the purpose and will anonymize it when possible.

4.7 Data Security

When processing and transferring personal data, the Company will strictly adhere to personal data protection and security measures.

4.8 Disclosure and Transfer of Personal Data to Third Parties

When working with third parties on projects that may involve the transfer of personal data, the Company will enter into appropriate contracts that require the third party to comply with personal data protection laws. Everyone should be aware that unauthorized or unlawful access to or disclosure of personal data may be a criminal offense.

4.9 Internal Audit

To ensure that the Company operates in accordance with laws and policies related to personal data protection, the Company will conduct appropriate internal and external audits. The purpose is to assess and verify the accuracy, security, and compliance with the Company's personal data protection policy, as well as compliance with related laws.

Internal and external audits, and those conducted by related third parties, will be carried out by designated departments in accordance with the Company's measures for assessing the risks and effectiveness of policy compliance. The audit results will be analyzed and used to confirm that the Company's personal data processing is in accordance with relevant laws and policies, and to continuously improve personal data protection within the Company.

5. Duties and Responsibilities

5.1 Board of Directors

  • 5.1.1 Consider and approve the personal data protection policy.
  • 5.1.2 Supervise the Company's business operations to ensure compliance with laws, business ethics, regulations, policies, guidelines, and related measures, as well as promote the effective implementation of the policy.

5.2 Management

  • 5.2.1 Establish rules, guidelines, and measures for the collection, use, and disclosure of personal data that are appropriate to the Company's context, in line with the policy, relevant laws, and international standards.
  • 5.2.2 Review the policy and approve annual amendments to the policy, guidelines, and related measures. In case of a material amendment to this policy, it shall be submitted to the Board of Directors for approval.
  • 5.2.3 Establish an organizational structure with appropriate roles and responsibilities to oversee operations in accordance with the policy and related guidelines.
  • 5.2.4 Establish a system for selecting individuals or entities whose data protection systems meet the required standard and comply with the law, in cases where the Company hires another individual or entity to process personal data on its behalf.
  • 5.2.5 Oversee compliance with the policy, guidelines, and procedures, and improve practices to enhance efficiency, including regular reporting of results.
  • 5.2.6 Support the performance of duties of the Company's Data Protection Officer by providing adequate tools and equipment, and facilitating access to personal data to enable effective performance of duties.
  • 5.2.7 Communicate the policy and guidelines to raise awareness among all levels of management and employees.

5.3 Data Protection Officer

  • 5.3.1 Control and monitor the Company's operations for compliance with legal requirements, including organizing awareness-raising activities and training related to data operations.
  • 5.3.2 Provide advice and recommendations to the Board of Directors, management, and employees on proper legal compliance.
  • 5.3.3 Act as the central point of contact for personal data matters, protecting the rights of data subjects, as well as coordinating and cooperating with the Office of the Personal Data Protection Committee.
  • 5.3.4 Maintain the confidentiality of personal data that becomes known or is obtained during the performance of duties.

5.4 Employees

  • 5.4.1 Use personal data with caution, and learn, understand, and strictly comply with applicable laws and the Company's business ethics, regulations, policies, guidelines, and measures.
  • 5.4.2 Immediately inform the Data Protection Officer upon discovering a personal data breach or violation.
  • 5.4.3 If any action is observed that may constitute a violation of this policy, report it through the Company's whistleblowing and complaint channels.

6. Training

The Company provides communication and dissemination of the personal data protection policy and guidelines through training, meetings, or other appropriate activities for the Company's personnel, including evaluating the effectiveness after training as appropriate.

7. Whistleblowing

Report or file a complaint when observing an act believed to be a violation of the policy and related guidelines, in accordance with the whistleblowing and complaint policy. The complainant or whistleblower will be protected and their information will be kept confidential, without affecting their job position, both during the investigation and after the process is completed.

8. Seeking Advice

In case of doubt about whether an action may violate laws, regulations, policies, and guidelines related to personal data protection, advice can be sought from a supervisor, responsible department or personnel, Compliance department, Legal department, or Human Resources department before taking any action.

9. Penalties

If any Company personnel violates or fails to comply with the policy, guidelines, or measures, whether directly or indirectly, they will be subject to disciplinary action in accordance with the Company's employment regulations.

10. Relevant Laws, Regulations, and Standards

This policy is based on the Personal Data Protection Act B.E. 2562 (2019), which came into effect on June 1, B.E. 2564 (2021). If that law or its interpretation changes (including with possible retroactive effect), or if new regulations, announcements, orders, criteria, or practices are issued under this Act, the Company will consider the impact of such changes, review and update this policy so that it remains appropriate and in line with the law and/or its changed interpretation, and then submit it to management or the Board of Directors for approval before its announcement.