General Provisions

This website values the personal information of its users and strives to comply with the Personal Information Protection Act.

POSCO Holdings Co., Ltd. (hereinafter referred to as the “Company”) informs users, through this Privacy Policy, of how and for what purposes the personal information provided by users is utilized, and what measures are taken to protect such information. If the Company revises this Privacy Policy, it will notify users via the website's announcements.

Consent to Collection of Personal Information

The Company provides a procedure on the POSCO Holdings website (www.posco-inc.com) for users to click either the “Agree” or “Disagree” button regarding the collection of personal information for IR Meeting applications, Investor relations inquiry and the Reporting Center. Clicking the “Agree” button is deemed as consent to the collection of personal information.

Purpose of Processing and Items of Personal Information Collected

The Company collects only the minimum personal information necessary to provide IR Meeting application, Investor relations inquiry and Reporting Center services. The collected personal information will not be used for purposes other than those specified, and if the purpose changes, the Company will take necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

• 1. Unethical Behavior Report (Real Name)
• • Required items: Reporter’s name, phone number, password
• • Optional items: Email address
• • Purpose:
  • • Required: Identification, delivery of notices, securing communication channels for complaint handling
  • • Optional: Delivery of notices, securing communication channels for complaint handling
• • Automatically collected information: Visit records (log data, IP address, date of access), cookies
• • Cookies: Only the number of accesses by authenticated and general users is collected; no other information is gathered.

• 2. Unethical Behavior Report (Anonymous)
• • Required items: Reporter’s name, password
• • Optional items: Phone number, email address
• • Purpose:
  • • Required: Identification
  • • Optional: Delivery of notices, securing communication channels for complaint handling
• • Automatically collected information: Visit records (log data, IP address, date of access), cookies
• • Cookies: Only the number of accesses by authenticated and general users is collected; no other information is gathered.

• 3. Abuse of Power Report
• • Required items: Reporter’s name, phone number, password
• • Optional items: Email address
• • Purpose: Same as above
• • Automatically collected information: Same as above

• 4. Workplace Harassment/Sexual Harassment Report
• • Required items: Reporter’s name, phone number, password
• • Optional items: Email address
• • Purpose: Same as above
• • Automatically collected information: Same as above

• 5. Fair Trade Consultation and Report
• • Required items: Reporter’s name, email address, phone number, password
• • Purpose: Same as above
• • Automatically collected information: Same as above

• 6. General Human Rights Violation Report
• • Required items: Reporter’s name, email address, phone number, password
• • Purpose: Same as above
• • Automatically collected information: Same as above

• 7. Safety/Illegal Subcontracting Report
• • Required items: Phone number, affiliated POSCO Group company, work site, password
• • Optional items: Reporter’s name, email address, employer company
• • Purpose: Same as above
• • Automatically collected information: Same as above

• 8. IR Meeting Application
• • Applicant:
  • • Required: Company name, name, phone number, email address
• • Investor:
  • • Required: Organization name, name, phone number, email address
  • • Optional: Country, department, position
• • Purpose: Identification, business coordination, delivery of notices
• • Automatically collected information: Same as above

• 9. Investor relations inquiry
• • Required items: Country of residence, name, email address
• • Purpose: Same as above
• • Automatically collected information: Same as above

Installation, Operation, and Rejection of Automatic Collection Devices

• ① The Company operates cookies to store and retrieve user information for personalized services.
• ② Cookies are used only to collect the number of accesses by authenticated and general users.
• ③ Cookies are used to analyze access frequency, visit times, and user preferences for targeted marketing and service improvements.
• ④ Users can choose to allow all cookies, confirm each time a cookie is stored, or reject all cookies via browser settings.

Retention and Use Period of Personal Information

• • IR Meeting applications: Destroyed after 2 years from application/consultation.
• • Consultations and reports: Destroyed after 5 years from submission.
• • Personal information is destroyed immediately in a non-recoverable manner. If provided to a third party, destruction is instructed to the third party as well.
• • Exceptions:
  • i. Retention required by law (e.g., Commercial Act)
  • ii. Retention period notified to the user in advance and not yet expired, or separately agreed upon by the user.

Provision to Third Parties

Personal information is processed within the scope of the stated purposes and is not provided to third parties without prior consent, except:

• 1. When separate consent is obtained from the data subject
• 2. When required by law

Outsourcing of Personal Information Processing

• • POSCO: Report reception and handling – until termination of contract
• • POSCO DX: Service operation – until termination of contract
• • The Company specifies in contracts the prohibition of processing beyond the purpose, technical/managerial safeguards, restrictions on re-outsourcing, supervision, and liability.
• • Changes in outsourcing details or contractors will be disclosed without delay via this Privacy Policy.

Destruction of Personal Information

• • Procedure: Destroy immediately after retention period expires.
• • Method:
  • • Electronic files: Irreversible deletion
  • • Paper documents: Shredding or incineration

Rights of Data Subjects and Legal Representatives

• • Users can check their information quarterly through identity verification, or request access via phone, mail, or email.
• • Objection procedure in case of refusal:
  • i. Notify reason and objection method within 10 days of refusal
  • ii. Receive and review objection
  • iii. Final review by the Personal Information Protection Officer
  • iv. Notify results to the data subject

Measures to Ensure Security of Personal Information

• • Password protection, encryption, file locking for sensitive data
• • Antivirus programs with regular updates
• • Secure transmission using SSL or SET encryption
• • Intrusion prevention devices and 24-hour monitoring systems

Personal Information Protection Officers and Contacts

• • Company-wide Personal Information Protection Officer:
  POSCO Holdings Group DX Strategy Office – Moosang Kim, Senior Manager
  Tel: +82-2-3457-2600
  Email: humanright@posco-inc.com
• • Reporting Center Personal Information Protection Officer:
  POSCO Holdings Integrity Management Office – Donghwa Ha, Leader
  Tel: +82-2-3457-2600
  Email: humanright@posco-inc.com
• • Reporting Center Personal Information Protection Manager:
  POSCO Holdings Integrity Management Office – Seunggi Lee, Deputy General Manager
  Tel: +82-2-3457-2600
  Email: humanright@posco-inc.com
• • Personal Information Management Officer:
  POSCO Holdings Corporate Citizenship Office – Goeun Park, Leader
  Email: goeun.park@posco-inc.com
• • Personal Information Management Manager:
  POSCO Holdings Corporate Citizenship Office – Minju Kim, Assistant Manager
  Email: minz@posco-inc.com

Changes to the Privacy Policy

This Privacy Policy is effective from January 28, 2026.
Any additions, deletions, or modifications due to changes in laws, policies, or security technologies will be announced on the website prior to implementation.

• • Version: v1.2
• • Effective Date: 2022-04-21
• • Previous Version Date: 2025-08-18
• • Last Revision Date: 2026-01-28