

KTB places great importance on customer data protection and privacy. In compliance with the "Personal Data Protection Act," "Self-regulatory Standards for Customer Data Confidentiality in Banking," "Regulations Governing Security Measures of the Personal Information File for Non-government Agencies Designated by Financial Supervisory Commission," and the "Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation," we have established the "King’s Town Bank Co., Ltd. and Affiliated Enterprises Personal Data Management Objective and Policy." This framework aims to create a basic management structure for personal data protection within the Company and its subsidiaries (and sub-subsidiaries), ensuring the rights and interests of personal data subjects.

Additionally, we have established the "King's Town Bank Privacy Protection Policy," "King’s Town Bank Personal Data File Security Maintenance Regulation," and "King’s Town Bank Personal Data Breach Emergency Response Guideline," among other relevant regulations, to protect the rights of customer personal data. These policies apply to all actions involving personal data encountered by KTB employees in the course of their duties. All employees are required to undergo education and training related to the Personal Data Protection Act every year. On November 13, 2024, the “Promotion of Annual Personal Data Protection Act” was conducted for all employees. Additionally, one session of personal data protection education and training was held this year, with a total of 983 participants and a cumulative duration of 491.5 hours. In 2024, there were no cases of personal data leakage, nor complaints involving infringement of customer privacy.



Operation Mechanism of Personal Data Protection Management System

The personal data management system follows the cyclic operation model of "Plan-Do-Check-Action (PDCA)."



Explanation of the Personal Data Leakage Reporting and Handling Process

When a suspected personal data incident occurs, it must be reported immediately in accordance with the flowchart. If any personnel at any level is unable to report according to the procedure, the person responsible for reporting should directly inform the next higher level to ensure the timeliness of the report.

First, the unit that discovers the incident should report it to the Digital Service and Channel Management Department, and inform the Auditing Department concurrently. The Digital Service and Channel Management Department will then notify the Personal Data Team point of contact and the relevant business management units. If the incident is reported by the customer, the customer's name and contact information should be recorded for follow-up communication. Upon receiving notification, the Personal Data Team point of contact should contact the dedicated personnel responsible for the safety of personal information of the relevant business management unit. They will assist in confirming the facts of the incident and collecting evidence, including the cause of the occurrence and the scope of its impact. This information should be documented in the "Handling and Reporting of Personal Data Incident and Record Form." Subsequently, the Personal Data Team point of contact convenes a meeting with personnel from the Risk Management Department and the Business Management Unit. The Auditing Department should also be present to determine whether the case is a personal data incident based on the record form and relevant information. If the nature is clear, the point of contact may proceed with independent judgment and notify the relevant units via email. If it is determined that it is not a personal data incident (such as the exercise of rights under Article 11 of the Personal Data Protection Act or customer complaint cases), it shall be handled and concluded by the business management unit or customer complaint channel. If it is a personal data incident, the convener of the Personal Data Team shall be notified. The overall reporting and handling process should be completed within one day of receiving the report; however, it may be appropriately extended depending on the complexity of the event.