① In accordance with Article 32 of the Personal Information Protection Act, the Company registers and discloses the purposes of processing, retention periods, and items of personal information files as follows. The personal information being processed will not be used for any purpose other than those stated below, and if the purposes of use change, necessary measures such as obtaining separate consent will be taken.

② The Company, in accordance with Article 32 of the Personal Information Protection Act, registers and discloses detailed information on its personal information files, which can be accessed through the Personal Information Protection Portal of the Personal Information Protection Commission. Personal Information Protection Portal Direct Link

• The Company processes and retains personal information within the retention period prescribed by law or within the period of use consented to by the data subject at the time of collection. The items of personal information processed by the Company are as follows.
  1. Items of personal information processed with the consent of the data subject

  Collection items based on data subject consent (Basis of Collection, Name of personal information file, Purpose of collection and use, Items of personal information)

  No.	Basis of Collection	Name of personal information file	Purpose of collection and use	Items of personal information
  1	Article 15(1)1 (consent of the data subject) and Article 23(1)1 (separate consent for sensitive information) of the Personal Information Protection Act	Job applications	Recruitment of employees	Name, date of birth, home contact number, mobile phone (contact), E-Mail address, nationality, veteran status, disability status, low-income status, local talent status, youth status, high school graduate talent status, North Korean defector status, multicultural family status, personal statement, training details, qualification details, foreign language proficiency, foreign language details, career and experience details, research achievements, emergency contact, self-reliant youth status, status as an outstanding completer of the KEPCO Nuclear Fuel experiential internship program
  2	Article 15(1)1 (consent of the data subject) of the Personal Information Protection Act	External lecturer management	Utilization of training instructors	Name, date of birth, work address, mobile phone (contact), affiliated organization, education, career
  3	Article 15(1)1 (consent of the data subject) and Article 24(1)1 (restriction on processing of unique identification information) of the Personal Information Protection Act	Access control	Internal access control	Korean national: Name, date of birth, mobile phone (contact), home address, affiliated organization, vehicle registration number Foreign national: Name, gender, nationality, passport number, foreign resident registration number, affiliated organization, vehicle registration number
  4	Article 15(1)1 (consent of the data subject) of the Personal Information Protection Act	Radiation workers Radiation-controlled area access control	Radiation-controlled area access control	Name, training certificate, affiliated organization
  5	Article 15(1)1 (consent of the data subject) of the Personal Information Protection Act	Temporary and occasional radiation-controlled area access control	Radiation-controlled area access control	Name, training certificate, affiliated organization
  6	Article 15(1)1 and Article 23(1)1 (separate consent for sensitive information) of the Personal Information Protection Act	Ancillary tasks related to the appointment of executives	Recruitment of executives	Name, home address, mobile phone (contact), E-Mail address, criminal record data, education details, military service details, qualifications and licenses, language test scores, career details, research papers in relevant fields, major achievements in research and project execution, personal statement, job performance plan, certificate of qualification for outside director, personal information data retained by public institutions for personnel verification
  7	Article 15(1)1 (consent of the data subject) of the Personal Information Protection Act	Ancillary tasks related to the appointment of executives of invested companies	Recruitment of executives of invested companies	Name, date of birth, home contact number, home address, mobile phone (contact), E-Mail, education details, military service details, qualifications and licenses, family details, career details, research papers in relevant fields, major achievements in research and project execution, personal statement, job performance plan
  8	Article 15(1)1 (consent of the data subject) and Article 23(1)1 (separate consent for sensitive information) of the Personal Information Protection Act	Employee personnel management	Management of employee personnel information	E-Mail, veteran status, disability status, foreign language details, photograph, family details, salary account information, health, religion, blood type
  9	Article 15(1)1 (consent of the data subject) of the Personal Information Protection Act	Lease contract management	Lease contract management	Name, home address, mobile phone (contact), home phone number

  2. Items of personal information processed without the consent of the data subject (in cases where it is unavoidable to comply with statutory obligations)

  Collection items based on legal basis (No., Legal basis, Name of personal information file, Purpose of collection and use, Items of personal information)

  No.	Legal basis	Name of personal information file	Purpose of collection and use	Items of personal information
  1	Article 20 of the Enforcement Decree of the Labor Standards Act (Matters to be entered in the employee register)	Employee training management	Management of employee training information	Name, employee number, date of birth, date of hire, mobile phone (contact), work contact number, education, career, training details, qualification details
  2	Article 155-2 of the Enforcement Decree of the Nuclear Safety Act (Processing of sensitive information and unique identification information)	Radiation workers Radiation-controlled area access control	Radiation-controlled area access control	Resident registration number, foreign resident registration number, passport number, health, internal radiation dose, external radiation dose
  3	Article 155-2 of the Enforcement Decree of the Nuclear Safety Act (Processing of sensitive information and unique identification information)	Temporary and occasional radiation-controlled area access control	Radiation-controlled area access control	Resident registration number, foreign resident registration number, passport number, health
  4	Regulations on the Collection and Management of Information on Public Office Candidates, Article 34 of the Act on the Management of Public Institutions (Grounds for Disqualification), and Article 31 of the Enforcement Decree of the Act on the Management of Public Institutions (Processing of unique identification information)	Ancillary tasks related to the appointment of executives	Recruitment of executives	Resident registration number
  5	Article 20 of the Enforcement Decree of the Labor Standards Act (Matters to be entered in the employee register), Article 145-2 of the Enforcement Decree of the Employment Insurance Act (Processing of unique identification information)	Employee personnel management	Management of employee personnel information	Resident registration number, name, date of birth, home contact number, mobile phone (contact), training details, qualification details, career details, military service details, education details
  6	Article 25 of the Certified Real Estate Brokerage Act (Preparation of Transaction Contracts, etc.)	Lease contract management	Lease contract management	resident registration number
  7	Article 15(1)4 of the Personal Information Protection Act (Performance of a contract), Article 81 of the Enforcement Decree of the National Health Insurance Act (Processing of sensitive information and unique identification information), Article 117 of the Enforcement Decree of the Occupational Safety and Health Act (Processing of sensitive information and unique identification information)	Management of health examination information	Application for and record management of employees' health examinations	Name, resident registration number, home address, mobile phone (contact), employee number, department name, general health examination results, special health examination results, date of hire, expected date of resignation, contract period

The Company has no personal information impact assessments to conduct.

① The Company provides personal information to third parties only with the consent of the data subject, in accordance with special provisions of laws, or in cases falling under Article 17 (Provision of Personal Information) and Article 18 (Restriction on Use and Provision of Personal Information for Purposes Other than the Intended Purpose) of the Personal Information Protection Act.

② The Company provides personal information as follows in accordance with applicable laws.

• ① The Company outsources the following personal information processing tasks for the smooth handling of personal information operations.

  Trustee (organization), Details of the outsourced tasks, Sub-entrustment details

  Trustee (organization)	Details of the outsourced tasks	Sub-entrustment details
  Korea Atomic Energy Research Institute	Internal exposure inspection	N/A
  Iljin Rad Co., Ltd.	External exposure inspection	N/A
  LCGen Co., Ltd.	Radiation-controlled area access training	N/A
  KNF Partners Co., Ltd.	Special security services and access control	N/A
  NICE Information Service Co., Ltd.	Identity verification for website access application	N/A
  Saramin HR Co., Ltd.	Talent recruitment	re-entrusted institution : humuson purpose : sending recruitment-related SMS and E-MAIL
  Seum Edu Co., Ltd.	Online training on integrity and ethics for staff	N/A
  Chalet Korea Co., Ltd.	Schedule management for employees using the year-round fitness center	N/A
  Yuseong Sun Hospital	Health checkup	N/A
  Konyang University Hospital	Health checkup	N/A
  Sejong Health and Safety Association (Inc.)	Safety and health training	N/A

  ② When entering into an outsourcing agreement, the Company specifies in writing matters concerning the prohibition of processing personal information for purposes other than performing the outsourced tasks, the implementation of technical and administrative safeguards, restrictions on re-outsourcing, management and supervision of the consignee, and liability for damages. The Company also supervises the consignee to ensure that personal information is processed safely.

• When personal information becomes unnecessary, such as upon the expiration of the retention period or the achievement of the purpose of processing, the Company shall, unless there are any of the following reasons, destroy the relevant personal information without delay within five days from the end date of the retention period or the date it is deemed unnecessary to process the personal information. However, this shall not apply when personal information must be preserved in accordance with other laws.
  
  1. Where personal information is retained as evidence for civil or criminal liability or the continuation of the statute of limitations, or as evidence in disputes
  2. When retention is required by laws such as Article 85-3 of the Framework Act on National Taxes (5 years), Article 42 of the Labor Standards Act and Article 22 of its Enforcement Decree (3 years), etc.
  3. In other cases where there is a similar legitimate reason
• Even if the retention period of personal information has expired or the purpose of processing has been achieved, when the personal information must continue to be retained under other laws, it will be transferred to a separate database or stored in a different location.Such personal information will not be used for any purpose other than as required by law.
• Electronic files are permanently deleted in a manner that makes recovery impossible, and printed materials are destroyed by shredding or incineration.

• The Company shall obtain the consent of the legal representative of a child under the age of 14 when consent is required to process the child's personal information.
• When obtaining consent from the legal representative regarding the processing of a child's personal information under the age of 14, the Company may request only the minimum necessary information, such as the legal representative's name, date of birth, and mobile phone (contact). The Company shall have the legal representative indicate consent or refusal on the website where the consent details are posted, and shall confirm such indication by sending a text message to the legal representative's mobile phone.

• The data subject (including the legal representative in the case of a child under the age of 14) may exercise the following rights related to personal information against the Company at any time.
  1. Request to access and transmit personal information
  2. Request for correction if there is an error, etc
  3. Request for deletion
  4. Request for suspension of processing
  5. Notification of collection source, etc.
• A customer who has accessed his or her personal information may request the Company to rectify or delete any personal information that is inaccurate or unverifiable. However, if the personal information is specified as a subject of collection under other laws, the customer may not request its deletion.
• The data subject may request the Company to suspend the processing of his or her personal information. However, if any of the following applies, the Company may refuse the request for suspension of processing by notifying the customer of the reason.
  1. Where otherwise specially provided by law or where it is unavoidable in order to comply with obligations under laws and regulations
  2. Where there is a risk of harm to the life or body of another person, or a risk of unjustly infringing upon the property or other interests of another person
  3. Where a public institution cannot perform its duties prescribed by other laws without processing personal information
  4. Where it is difficult to perform a contract, such as being unable to provide the goods or services agreed upon without processing personal information, and the other party to the contract has not clearly expressed an intention to terminate the contract
• The data subject's request for the protection of rights under paragraph 1 may be submitted directly to the Company or through the Personal Information Portal.
  • When submitting directly to the Company: Complete a Personal Information Request Form (access, rectification/deletion, suspension of processing) and submit it in writing, by e-mail, facsimile (FAX), or other means to the department in charge under Article 14 of the Privacy Policy. (If the request is submitted through a representative of the data subject, a power of attorney shall also be submitted.)

    Personal Information Request Form (access, rectification/deletion, suspension of processing)  Power of Attorney

  • Personal Information Portal (www.privacy.go.kr) → Personal Services → Exercise of Rights by Data Subjects → Request for Access to Personal Information, etc. → Select Target Institution → Complete Request Form and File Petition
• When the Company receives a request for the protection of rights of the data subject under paragraph 1, it shall verify without exception whether the requester is the data subject or a legitimate representative.
• When the data subject requests rectification or deletion of errors in personal information, the Company shall not use or provide the relevant personal information until such rectification or deletion is completed.
• With respect to the request for protection of rights of the data subject under paragraph 1, the Company shall take action within ten (10) days and notify the data subject of the result. If the data subject has any complaint or objection regarding the action taken, he or she may file an objection through the same procedure.

  Appeal Form

The criteria for determining additional use or provision of personal information without the consent of the data subject are as follows:

1. Whether it is related to the original purpose of collection
2. Whether additional use or provision of personal information is reasonably foreseeable in light of the circumstances under which the personal information was collected or customary practices in processing
3. Whether it unjustly infringes on the interests of the data subject
4. Whether necessary measures to ensure security, such as pseudonymization or encryption, have been taken

The Company does not operate devices that automatically collect personal information.

The Company does not process pseudonymized information.

The Company designates the following Chief Privacy Officer to protect personal information and handle complaints and remedies for damages related to the processing of personal information of data subjects.

The Company provides the following information on the personnel in charge of each personal information processing task in order to protect the personal information of data subjects and to handle related requests and inquiries promptly and accurately.

The data subject may contact the following organizations for remedies and consultation regarding personal information infringement. The following organizations are separate from the Company, and you may contact them if you are not satisfied with the results of their own personal information complaint handling or redress, or if you require more detailed assistance.

• Personal Information Dispute Mediation Committee: 1833-6972 (https://www.kopico.go.kr)
• Personal Information Infringement Report Center: (without area code) 118 (https://privacy.kisa.or.kr)
• Information Protection Mark Certification Committee: 02-550-9531~2 (https://www.eprivacy.or.kr)
• Information Protection Mark Certification Committee: (without area code) 182 (https://ecrm.police.go.kr)

• Pursuant to Article 11-2 of the Personal Information Protection Act, the Company undergoes the "Public Institution Personal Information Protection Level Assessment" conducted annually by the Personal Information Protection Commission in order to securely manage the personal information of data subjects.
• The Company received a grade of "B" in the 2024 Evaluation on the Level of Personal Information Protection.

The Company, in accordance with Article 29 of the Personal Information Protection Act, takes the following technical, administrative, and physical measures necessary to ensure the security of personal information.

• Application of administrative protection measures
  • The Company establishes and implements an internal management plan for personal information to prevent leakage, misuse, or abuse of personal information by employees in advance, and conducts periodic inspections of its personal information protection system to ensure thorough management and supervision of personal information.
  • The Company limits the number of personal information handlers to the minimum necessary, grants differentiated access rights, and, in the event of personnel changes such as transfer or resignation resulting in a change of personal information handlers, changes or deletes access rights without delay.
  • The Company retains and manages access records to the personal information processing system for at least one year. However, in the case of personal information processing systems that process the personal information of 50,000 or more data subjects, or that process unique identification information or sensitive information, the retention and management period is at least two years.
• Application of technical protection measures
  • Unique identification information and passwords are stored and managed in an encrypted form. In addition, important data is protected by encrypting files and transmission data or by using separate security functions such as data access control systems.
  • To prevent leakage or damage of personal information caused by hacking or computer viruses, the Company installs security programs and updates and inspects them regularly.
• Application of physical protection measures
  • A separate physical storage location is designated for the personal information processing system in which personal information is stored, and access control procedures are established and operated for it.

• This Privacy Policy shall apply from the effective date, and in the event of any additions, deletions, or rectifications due to changes in laws or policies, the Company shall disclose the changes on its website at least seven (7) days prior to the effective date of such changes.

    Comparison Table of New and Old Provisions of the Privacy Policy (as of September 29, 2025)

  • Date of Notice: September 22, 2025
  • Effective Date: September 29, 2025