PRIVACY NOTICE

I. What Is Covered by This Privacy Notice

This Privacy Notice applies to the processing of personal data when you:

• Access or use the Reserve-a-Court Site and our court facilities
• Submit a request for court reservation
• Enlist players or guests for court use
• Communicate with SMIC in relation to gym or court reservations

By using this Site, you acknowledge that you have read and understood this Privacy Notice and agree to the processing of your personal data in accordance with this Notice and applicable laws.

II. Personal Data We Collect

In connection with court reservations and security requirements, we may collect and process the following personal data, when you access the Site and provide the data:

A. Reservation and Identification Information

• Full name
• Employee ID number (for SM employees or tenants)
• Company or tenant affiliation
• Email address
• Mobile number

B. Guest and Player Information

• Full names of other players, guests, non-SM employees, or non-tenants enlisted in the reservation

C. Security and Access Information

• Company or government-issued identification cards (for verification and security purposes)

We shall not knowingly collect the personal data of a person below 18 years old without any legal basis or consent of the minor’s parent/s or legal guardian. Should it come to our attention that the personal data of minors was provided without a legal basis or consent of the minor’s parent/s or legal guardian, such personal data shall be destroyed or deleted in a secure manner.

Minors are advised not to provide any personal data, such as their name, age, gender, email address, contact information, among others, and should consult their parent(s) or guardian(s)

III. Purposes of Processing

We process personal data for legitimate and declared purposes, including to:

• Facilitate and manage court and gym reservations
• Enforce house rules, eligibility requirements, and usage limits
• Verify identity and control access for security and safety reasons
• Communicate reservation details, changes, or notices
• Comply with legal, regulatory, and internal governance requirements

Personal data is processed only to the extent necessary and proportionate to these purposes.

IV. Legal Bases for Processing

We process personal data based on any of the following lawful bases under the Data Privacy Act:

• Consent of the Data Subject
• Performance of a contract or service requested by the Data Subject
• Compliance with legal obligations
• Legitimate interests of SMIC, such as safety, security, and facility management, provided these do not override your fundamental rights

V. Sharing and Disclosure of Personal Data

We ensure that your personal information shall be shared only in a manner that respects your privacy and in compliance with the requirements of the DPA. We may share your personal information to the following in certain circumstances:

Our Affiliates and Subsidiaries

We may share your personal information to our affiliates and subsidiaries in relation to the Purposes declared in this Privacy Notice.

Service Providers

Our service providers may access and/or use your personal information. Through the execution of data privacy agreements or similar contracts, we require our service providers to keep your personal information secure and we prohibit them from using or sharing your personal information for any purpose other than the Purposes declared in this Privacy Notice.

Government Agencies

We may also share your personal data in compliance with applicable laws or when required by a competent court, relevant government office or agency pursuant to DPA legislation and other applicable rules and regulations pertaining to data privacy.

VI. Data Retention

Personal data shall be retained only for as long as necessary to fulfill the stated purposes or for the period allowed or required by applicable laws and regulations. We may also retain your personal data in order to enforce our legal rights or whenever it is required under the DPA or upon lawful order of a competent court or relevant government agency.

Electronic files shall be erased, while physical records shall be shredded for disposal. When appropriate, anonymization techniques may be performed to permanently remove identifiable information from our records. In all cases, we will make sure that the personal information is destroyed in a way that prevents unauthorized people from accessing, processing, or retrieving it.

VII. Risks Involved and Data Protection Measures

Risk is the chance that a harmful incident may happen. In the context of personal data, risk refers to the chance that someone might collect, use, disclose, or access your personal data in an unauthorized manner or in a way that may cause you harm. In order to ensure that the risks to your personal information are minimized, we employ various measures to safeguard your personal information. However, this does not guarantee protection against all threats such as when systems are exposed to targeted cyberattacks, malware, ransomware, and computer viruses or when manual records are accessed without authority. In case a security incident occurs, we’re prepared to respond and manage such incidents in line with our policies and in accordance with regulations.

We implement industry-standard organizational, technical and physical security measures to protect the confidentiality, integrity, and availability of the personal data that we process. Only authorized personnel are granted access to the personal data that we collect from you. We have instituted policies and procedures to ensure that your personal data are safeguarded against unauthorized access, alteration, and disclosure. Access rights are reviewed regularly to ensure that the controls are in place. Our systems are protected by a variety of network security measures, including firewalls and similar network devices. Our systems and websites are scanned on a regular basis. In addition, all sensitive information you supply is sent through a secured channel and encryption methods are implemented whenever suitable.

VIII. Data Subject Rights

As a Data Subject, you have the right to

• Access the personal information we hold about you.
• Request corrections to your personal information if it is inaccurate or incomplete.
• Request the deletion of your personal information, subject to certain exceptions.
• Be informed of the collection and processing of your personal data and the purpose for which they will be processed, among others.
• To object to the processing of your personal data.
• To be indemnified if you incur damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of your personal data
• To obtain a copy of your data in an electronic or structured format
• To file a complaint if you have reason to believe that your personal information has been misused, maliciously disclosed, or improperly disposed of or that your data privacy rights have been violated

If you intend to exercise any of your above-mentioned data privacy rights, you may contact our Data Protection Officer (DPO) on the details below. We encourage you to submit your request in writing for proper monitoring. Our DPO may require you to submit documents necessary to handle your request.

IX. Changes to This Privacy Notice

SMIC may update this Privacy Notice from time to time to reflect changes in law, regulation, or internal practices. Updated versions shall be posted on the Site and shall take effect upon posting.

X. Contact

For inquiries, concerns, or requests regarding this Privacy Notice or the processing of personal data, you may contact:

Data Protection Officer
SM Investments Corporation
Email: [email protected]
Contact: 02-8857-0100