Parnas Hotel Co., Ltd. (hereinafter referred to as the "Hotel") processes and manages personal information lawfully and securely in compliance with the Personal Information Protection Act and related laws and regulations to protect the freedom and rights of data subjects in the operation of the Westin Seoul Parnas website (thewestinseoulparnas.com, hereinafter referred to as the "Website"). Accordingly, in accordance with Article 30 of the Personal Information Protection Act, the Hotel establishes and discloses the following Personal Information Processing Policy to inform data subjects of the procedures and standards regarding the processing of personal information and to ensure the prompt and smooth handling of grievances related thereto.

Purpose of processing personal information, items collected, and retention and usage period

The website collects and uses personal information to the minimum extent necessary to provide services.

Some functions on this website, such as room reservations (Marriott Bonvoy), membership sign-ups (Parnas Rewards, The Parnas), and event and food and beverage reservations, are provided through external linked sites, and when using such functions, users' personal information is collected and processed in accordance with the privacy policies of each linked site.

Procedures and Methods for the Destruction of Personal Information

1. The hotel destroys personal information without delay when it becomes unnecessary, such as when the retention period for personal information has expired or the purpose of processing has been achieved.
2. The procedures and methods for the destruction of personal information are as follows.
   1. Destruction procedure
      • After the purpose of collection and use is achieved, the hotel destroys the data after storing it for a certain period in accordance with internal policies and other relevant laws and regulations regarding information protection.
      • When personal information becomes unnecessary due to the expiration of the retention period or the achievement of the purpose of processing, the relevant personal information is destroyed without delay.
      • Website access records (information collected through Google Analytics) are automatically deleted after one year.
   2. Method of destruction
      • Personal information printed on paper is destroyed by shredding or incineration, and personal information stored in the form of electronic files is deleted using technical methods that render it unrecoverable.
3. If personal information must be retained in accordance with other laws, it will be stored for the period stipulated by the relevant laws.

    Cases of Personal Information Retention: A table consisting of content, retention period, and relevant laws. 

   detail	Retention period	Relevant laws and regulations
   Service visit records	3 months	Article 15-2 of the Protection of Communications Secrets Act

Provision of personal information to third parties

1. The Hotel processes the personal information of data subjects only within the scope specified in the purpose of processing personal information, and provides personal information to third parties only in cases falling under Articles 17 and 18 of the Personal Information Protection Act, such as the data subject's consent or special provisions of the law, and does not provide the data subject's personal information to third parties otherwise.
2. The hotel may provide personal information to relevant authorities without the consent of the data subject as follows.

    Collection and Use of Personal Information: A table consisting of the following items: Recipient, Purpose of Provision, Items Provided, and Retention and Usage Period. 

   recipient	Purpose of provision	Items provided	Retention and Usage Period
   Competent police agency, prosecutor's office, court	Performance of legal obligations	Materials requested by the court and investigative agencies	In accordance with relevant laws and regulations

3. In accordance with relevant laws regarding the "Guidelines for the Processing and Protection of Personal Information in Emergency Situations" jointly announced by relevant ministries, the Hotel may provide personal information to relevant agencies without the consent of the data subject in the event of an emergency, such as a disaster, infectious disease, incident or accident causing imminent danger to life or body, or imminent property loss.

Outsourcing of personal information processing

1. The hotel entrusts the processing of personal information to external companies for website maintenance and the operation of inquiry processing systems, and information regarding the trustees is as follows.
   

    Trustee Status: A table consisting of Trustee, Sub-trustee, and Entrusted Task items 

   fiduciary	Renewal trustee	Outsourcing
   SK AX	H2O Korea	Smart registration, booking engine (reservation system) outsourced operation
   	Neoscience	Website operation and maintenance Parnas Rewards membership management, CRM system outsourced operation
   	Infinati Consulting	Membership management, shipping processing, customer support, telemarketing
   	HumusOn	Sending announcements and notification messages
   	Basic Nine	Customer Management System Operation
   LG Uplus		Sending announcements and notification messages
   Smartro		App/Web SmartroPay Payment Processing
   Redsoft Co., Ltd.		VOC System Maintenance
   KM Park		Parking lot management outsourcing operation
   Samhwa Taxi		Rental car service provided for guests
   Early Sloth Co., Ltd.		Customer satisfaction survey mailing agency

2. In accordance with Article 26 of the Personal Information Protection Act, when entering into a consignment contract, the Hotel specifies in documents such as contracts matters concerning the prohibition of processing personal information for purposes other than the performance of entrusted tasks, technical and administrative protective measures, restrictions on re-consignment, management and supervision of the trustee, and liability such as compensation for damages, and supervises whether the trustee processes personal information safely.
3. In accordance with Article 26, Paragraph 6 of the Personal Information Protection Act, we obtain the hotel's consent when a trustee re-entrusts our personal information processing業務.
4. If there are any changes to the details of the entrusted work or the trustee, we will disclose them without delay through this Privacy Policy.

Measures to ensure the safety of personal information

The hotel is doing its utmost to safely manage customers' personal information to prevent its loss, theft, leakage, alteration, or damage, and is implementing necessary technical, administrative, and physical measures.

Establishment and implementation of internal management plans

We have established and are implementing an internal management plan for the safe processing of the hotel's personal information.

Minimization and training of personnel handling personal information

We are doing our utmost to manage personal information by minimizing the number of personnel handling personal information and conducting periodic training for those who do.

Restriction on access to personal information

We are taking measures to control access to personal information by granting, changing, or revoking access rights to database systems that process personal information.

Storage of access records and prevention of tampering

To facilitate a response in the event of a personal information infringement, we store and manage records of access to the personal information processing system (web logs, summary information, etc.) for at least two years, and we use security features to prevent access records from being falsified, stolen, or lost.

Encryption of personal information

Your personal information (name, mobile phone number, email, etc.) is stored and managed in an encrypted format.

Technical measures to prevent hacking, etc.

To prevent the leakage and damage of personal information caused by hacking or computer viruses, the hotel installs security programs and conducts periodic updates and inspections. It also installs systems in areas where external access is controlled and monitors and blocks access technically and physically.

Access control for unauthorized persons

We maintain a separate physical storage location for personal information systems that store personal information and have established and operate access control procedures for it.

Account management plan

Shared email accounts are granted access to only the minimum number of personnel and are securely managed through measures such as periodic password changes.

Matters concerning the installation, operation, and refusal of automatic personal information collection devices

1. Hotels may utilize Google Analytics for website usage statistics, and in this process, use 'cookies' and referrers.
   • Cookies: Used to track visit and usage patterns, popular search terms, and secure connection status (configurable in browser)
   • Referrer: Used to check the source of traffic (search engines, external links, etc.)
   • For the purpose of statistical analysis and providing customized information, and is not directly linked to personal information.
2. Cookies are small amounts of information sent by the server (http) used to operate a website to the user's computer browser, and are sometimes stored on the hard disk of the user's PC.
   • Purpose of using cookies: Cookies are used to identify visiting and usage patterns, popular search terms, and secure connection status for each service and website visited by the user, in order to provide information optimized for the user.
   • Installation, Operation, and Rejection of Cookies: You can refuse the storage of cookies through Web Browser Settings > Privacy and Security > Delete browsing history.
3. If you refuse to store cookies, you may experience difficulties using personalized services.

Matters concerning the overseas transfer of personal information

1. When the Company uses the Google Analytics service, it collects access records (access time, browser information, screen resolution, traffic source, etc.), and in this process, such information may be stored on Google's overseas servers (such as in the United States).
2. The company manages to ensure that appropriate protective measures are taken in accordance with the service usage agreement with Google.

   This website does not collect any personal information items other than access logs. In cases where consent for overseas transfer is required pursuant to Article 28-8 of the Personal Information Protection Act, we plan to provide separate notification and obtain consent through individual consent procedures.

Rights and Obligations of Data Subjects and Legal Representatives and Methods of Exercise

1. Data subjects may exercise their rights, such as requesting access to, correction of, deletion of, suspension of processing of, and withdrawal of personal information, at any time.
2. You may exercise your rights through a representative, such as a legal representative of the data subject or an authorized agent. In this case, you must submit a power of attorney in accordance with Form No. 11 of the "Notice on Methods of Processing Personal Information."
3. You may request access to your personal information, etc., from the department listed below. We will strive to process data subjects' requests for access to personal information promptly.

   Department responsible for receiving and processing requests for access to personal information, etc.

   • Department Name: Information Security Team
   • Phone number: +82 2-559-8126
   • Email: GW363@parnas.co.kr
   • Address: Westin Seoul Parnas, 524 Bongeunsa-ro, Gangnam-gu, Seoul

Chief Privacy Officer

1. The Hotel assumes overall responsibility for matters concerning the processing of personal information and designates a Personal Information Protection Officer as follows to handle complaints and provide relief for damages to data subjects regarding the processing of personal information.

   Chief Privacy Officer

   • Name: Han Man-hwan
   • Position: Managing Director
   • Contact: 02-3430-8145
   • Email: it_security@parnas.co.kr

   Department responsible for handling personal information grievances

   • Department Name: Information Security Team
   • Contact: 02-3430-8126
   • Email: it_security@parnas.co.kr
   • Address: Westin Seoul Parnas, 524 Bongeunsa-ro, Gangnam-gu, Seoul

2. Data subjects may contact the Chief Privacy Officer and the relevant department regarding all inquiries, complaints, and damage relief matters related to personal information protection arising from the use of the Hotel's services (or business). The Hotel will respond to and process the data subject's inquiries without delay.
3. Data subjects may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency's Personal Information Infringement Report Center, etc., to seek relief for personal information infringement. For other reports or consultations regarding personal information infringement, please contact the organizations listed below.
   1. Personal Information Dispute Mediation Committee: 1833-6972 (without area code) (www.kopico.go.kr)
   2. Personal Information Infringement Report Center: 118 (without area code) (privacy.kisa.or.kr)
   3. Supreme Prosecutors' Office: 1301 (without area code) (www.spo.go.kr)
   4. National Police Agency: 182 (without area code) (ecrm.cyber.go.kr)

Changes to the Privacy Policy

1. This Privacy Policy is effective as of May 26, 2026. Any changes will be announced in advance via the website.