Hybe India Privacy Policy – Recruitment and Candidate Data

1. Purpose of Collection and Use

We, Hybe India Entertainment Private Limited ("Company"), have prepared this Privacy Policy to describe our practices regarding the digital personal data we collect, use, and share in connection with the Company website: [https://india.hybecorp.com/] ("Website"), the information and content made available through it, our recruitment-related activities, and any other related services (collectively, the "Services"). This Personal data is collected and processed in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), based on valid consent or other lawful grounds permitted under applicable law. This Privacy Policy applies to individuals who apply or commence an application to be considered for recruitment or engagement by the Company, in connection with any roles, positions, or related activities ("Candidates").

2. Collection of Personal Data

As a visitor, you can browse our Website to explore more about us without providing any of your personal data. We may automatically collect certain non-personal or aggregated data about your interaction with our Website such as pages visited and average time spent on the Website, subject to applicable consent requirements, through cookies or other similar technologies. In relation to Candidates, we may collect and process the following digital personal data for recruitment related purposes:

1. Mandatory Information: Name; gender; date of birth; email address; phone number; nationality; address; education details; employment history; résumé or CV; application motivation; source of application, individual preferences and characteristics such as inferences, preferences you have expressed related to your choice of working locations; cover letter objectives; background and criminal information, such as background checks and criminal convictions; photographs, any images/audio/footage captured/recorded on CCTV or other video systems when visiting our office or captured during recruitment events or video recruitment interviews (collectively "Mandatory Information").
2. Optional Information: External activities, overseas experience, career statement, language scores, certificates, portfolio (attachment or link), Data provided to us by your referees (where applicable) (collectively "Optional Information").
3. Sensitive Information (where required by law): Disability status, veteran status (collectively "Sensitive Information"). The Company shall at all times comply with applicable laws in the collecting and processing of such Sensitive Information.

Personal data may be collected directly from the Candidates or through lawful third-party sources. Appropriate notice under Section 5 of the DPDP Act shall be provided at the time of such collection.

3. Data Fiduciary and Collection Responsibility

The Company shall be the Data Fiduciary in respect of personal data collected and processed for recruitment purposes, to the extent it determines the purposes and means of such processing. Third parties shall act as Data Processors under contractual safeguards as required under applicable law.

4. Use, Retention, and Deletion

We process personal data on the basis of valid consent or other lawful grounds under the DPDP Act, to operate our recruitment processes and Services:

1. to receive, assess, and process job applications and evaluate candidate suitability;
2. to communicate with candidates regarding the recruitment process;
3. to conduct interviews, assessments, and verification checks (where permitted);
4. to maintain recruitment records and comply with applicable legal or regulatory requirement;
5. to operate, administer, and provide access to the Website and its features;
6. to improve Website functionality, security, and user experience; and
7. to analyse Website usage and performance, including through cookies or similar technologies (where permitted by law).

In addition to the above, we may process personal data for legitimate uses under the DPDP Act including compliance with legal obligations and purposes of employment, where applicable.

Retention: Personal data will continue to be stored and retained by Company for no longer than is necessary for the purposes for which the personal data was collected or unless required as per the applicable laws. At the expiry of such periods, your personal data will be deleted or archived to comply with legal retention obligations or maintained in accordance with applicable statutory limitation periods. Information may be deleted earlier upon valid request by you, unless retention is required under applicable regulatory compliance or legal obligation or to defend legal claims. We shall store your personal data for lawful purposes only. In the event you withdraw your consent under this Privacy Policy, we will cease to process your personal data, unless continued retention is required for compliance with applicable law.

5. Your Rights in relation your Personal Data

You have the following rights in relation to your personal data:

1. you have the right to request access to your personal data processed by the Company
2. you can rectify any inaccurate data of yours that the Company holds.
3. you have the right to request erasure of your personal data that is no longer necessary for the purpose for which it was collected or processed, unless retention is required under applicable law.
4. you have the right to withdraw your consent at any time, where processing is based on consent. Such withdrawal shall apply only prospectively and shall not affect the lawfulness of processing carried out prior to the withdrawal.
5. you have the right to grievance redressal mechanisms, ensuring prompt resolution of grievances related to Your personal data processing
6. you have the right to nominate another person to exercise your rights in case of your death or incapacity.

You may exercise these rights by contacting the Grievance Officer. Requests shall be addressed in accordance with statutory timelines.

Candidates may refuse to provide personal data or withdraw consent at any time. However, refusal of Mandatory Information (as mentioned above in Section 2) may limit eligibility for the recruitment process. Refusal of optional or third-party sharing will not affect basic service use, but certain recruitment-related benefits may not be available. Where the Candidates opt out of providing Optional Information, such optional items will be reflected in the application. Candidates may refuse to consent to collection of Sensitive Information, but this may limit eligibility for recruitment process.

Sharing personal data with Company for recruitment purposes is voluntary, except for certain information that is required by applicable law, or is necessary for assessing suitability for the position, or as mandated by Company policies. Submission of personal data for the purpose of recruitment process is permitted only by individuals who are legally capable of forming a binding contract under applicable laws and are not below 18 years of age. If you provide personal data relating to any person below the age of 18 years, you confirm that you have lawful authority to do so, and consent to the processing of such information in accordance with this Privacy Policy (Please refer to Section 12). If Candidates provide personal data of another person (e.g. referees) to Company, Candidates should show them a copy of this Privacy Policy prior to providing Company with their personal data.

Please note that in relation to Candidates, once they have applied for a specific job opening, that particular application cannot be edited, unless specified.

To invoke your rights as set out above, please email the "Grievance Officer", the details of which are set out in Section 10 of this Privacy Policy. The Company shall redress the complaint expeditiously and in compliance with applicable laws. You are also entitled to lodge a complaint with a competent Data Protection Board of India (or any such authority formed and subsisting under applicable law), concerning the Company's compliance with the applicable data protection laws and regulation.

6. Third-Party Processing / Disclosure of Information

All disclosures shall be limited to what is necessary for stated purposes and subject to DPDP-compliant contractual safeguards. Where there is a requirement, the Company and/or its affiliates may share your personal data with third parties, for the purposes of, and in accordance with, this Privacy Policy, such as:

1. Its affiliates or group companies
2. Recruitment service providers for reference checks and recruitment management.
3. Affiliated companies where there is a legitimate uses or legal basis to carry out activities related to recruitment and hiring process and other purposes as set forth in this Privacy Policy.
4. Hiring platforms for recruitment-related benefits or application processing.

All such third parties to whom your personal data is disclosed, are expected to and contractually required to maintain confidentiality, process data only for the stated purposes, and implement adequate security safeguards.

Additionally, we may disclose your personal data if we believe that such action is necessary to:

1. Fulfil the purposes for which we have collected your personal data;
2. Comply with any legal process served on us or affiliated parties or other legal requirement of any governmental authority;
3. Protect the safety of users of our Website, us, or third parties;
4. Mitigate our liability in an actual or potential lawsuit;
5. Help investigate or prevent unauthorized transactions or other illegal activities; or
6. Protect and defend our rights or property, our website, the users of our website, and our affiliated parties.

Following are some of the ways that your personal data may be disclosed:

1. Legal obligation: We can disclose any personal data provided by you to law enforcement and other government officials as we believe appropriate or necessary to comply with our legal obligations or for investigation of fraud or any other activity which may expose us or you to legal liability.
2. Information disclosed to third party service providers: We may contract with various third parties for the provision and maintenance our Website, Services and our business operations, and we may need to share your personal data and data generated by cookies with these vendors and service agencies. We do not authorize them to use or disclose your personal data except in connection with providing their services.
3. Information shared with our business partners: We may share personal data with our business partners that are committed to serving your online needs and related services for purposes defined under this Privacy Policy or in the course of making transactions specifically requested by you.
4. Links to external service providers: Our Website may contain hyperlinks to other platforms which may collect personally identifiable information about you. We have no control over any websites or resources which are provided by companies or persons other than us and are not responsible for the privacy practices or the content of those external platforms and your use of any such other website or application is subject to the terms of use and privacy policy located on such external website or application. We recommend that you check the external platform's privacy policies to see how the operators of such websites will utilize your personal data.
5. Internal departments: We may share personal data with the internal investigation department of the Company or agencies appointed by us for investigation purposes. Also, if you are an employee, vendor/supplier of the Company, your personal data may be shared internally with the relevant departments on a need-to-know basis.
6. Transfer of business: If the Company (or our assets) are merged, amalgamated, acquired, transferred or if the Company goes out of business, enters bankruptcy, or goes through some other change of control, personal data could be one of the assets transferred to or acquired by a third party.

7. YOUR CONSENT

Consent shall be obtained through clear and affirmative action in accordance with the DPDP Act. Consent may be withdrawn at any time with prospective effect. Processing, your information in any way, includes, but is not limited to, collecting, storing, deleting, using, combining, sharing, transferring and disclosing information. If you reside outside India your information will be transferred, processed and stored in accordance with the applicable data protection laws of India.

8. Cross-border Data Transfer

Cross-border transfers shall be made only to countries or entities not restricted by the Central Government under the DPDP Act. Where personal data is transferred to entities located outside India (e.g., Hybe Co., Ltd. or affiliated entities), such transfers will be carried out in accordance with applicable data protection laws and will be subject to safeguards ensuring a level of protection comparable to that required under such applicable laws. Cross-border transfers are made only under contractual safeguards or lawful bases.

9. Information Security Measures

When handling personal data, we take appropriate measures to keep the information safe and prevent from loss, theft, leakage, falsification, or damage, subject to the reasonable risks related to transmission of information, and we currently take technical measures as follows, which may be subject to change:

1. your personal data is protected with a password and encrypted information by default, and important data is protected with separate security functions by encrypting files and transmitted data. However, your information can be exposed to others in many ways, including when you use the public internet, so you need to be responsible for protecting your own information. you are, therefore, strongly urged to refrain from exposing or providing your personal data to others and to responsibly manage your personal data. We are not responsible for any damages that arise from your negligence or the fundamental nature and risks of the internet.
2. We use antivirus software to prevent possible damage from computer viruses, and antivirus software is updated periodically.
3. We prevent leakage and damage of personal data caused by hacking and viruses by monitoring the system 24 hours a day using a system that detects and blocks external intrusion.
4. We have a reasonably limited number of employees handling personal data. The personnel in charge of protecting personal data conducts periodical education for the employees for protecting personal data.
5. We periodically check the compliance status of commitments stated in the Privacy Policy and relevant employees, and when we detect any violation, we immediately correct and improve the issue and take necessary measures.

10. Grievance Officer

For any concerns, complaints, or requests related to personal data, data subjects may contact:

Grievance Officer: Ryeo Sung Koo
Email: hybe.india@hybecorp.com
Address: 42 Hangang-daero, Yongsan-gu, Seoul, Republic of Korea (Hangangro 3-ga, Yongsan Trade Center)

11. Minor's Privacy

The Company is committed to protecting the privacy and safety of individuals below the age of 18 years ("Minor"). In accordance with the DPDP Act, before processing any personal data of a Minor, the Company shall obtain verifiable consent from the Minor's parent or lawful guardian. The Company ensures that the collection, use, and disclosure of Minor's personal data is limited to what is necessary for the intended purposes and is done in a secure manner. In no event does the Company engage in behavioural tracking or targeted advertising directed at Minors. The Company shall implement reasonable age-verification mechanisms and shall not process a Minor's personal data without first obtaining verifiable parental or guardian consent as required under the DPDP Act. The Company will not be responsible for any consequences that arise as a result of misuse of any kind of our Website or any of our products or Services that may occur by virtue of any person including a Minor registering for the Services/products provided. If you provide any personal data relating to a Minor, you represent and warrant that you are the legal guardian of such Minor.

12. Data of People with Disability

The Company may collect and process personal data of persons with disability for the purpose specified in the Privacy Policy. The guardian of such person with disability, where such guardian has been lawfully appointed, shall provide the consent on behalf of the person with disability to process their personal data. The Company shall take reasonable endeavours to ensure that adequate measures are implemented to the processing the personal data of the person with disability in compliance with the applicable data protection laws.

13. Candidates - Collection of Data

Candidate personal data may be collected directly from Candidates (including through online applications, email submissions, or in-person interactions), through the Company's careers platform, or via third-party recruitment agencies or referrals.

Where Candidates are redirected to or submit applications through the [HYBE Korea] careers platform or any other affiliated recruitment platform, such platform shall be governed by the applicable privacy policy of that entity. To the extent the Company determines the purposes and means of processing Candidate personal data relating to roles with HYBE India, HYBE India shall act as the data fiduciary, and HYBE Korea or other affiliates may process such data on behalf of HYBE India in a data processor capacity.

Candidate personal data may be processed for recruitment-related purposes including receiving and assessing applications, communicating with Candidates, conducting interviews and verification checks (where permitted), maintaining recruitment records, and complying with applicable legal or regulatory requirements. Such processing shall be carried out in accordance with applicable data protection laws, based on appropriate notices and, where required, explicit consent.

14. Cookies

We may use temporary or permanent cookies to improve your browsing experience on our Website. you can configure your browser to block or delete cookies; however, some features of the Website may not function properly if cookies are disabled.

We may also permit authorized third parties to place cookies to help us optimize our services. These cookies do not store personally identifiable information. Please note that external websites linked to our services may use their own cookies or collect data independently. We are not responsible for the practices of such sites and encourage you to review their privacy policies. Cookies involving personal data shall be deployed only after obtaining valid consent, where required. Analytics cookies shall be used in an aggregated and non-behavioural manner.

15. Disclaimer

While the Company implements appropriate technical and organisational measures to protect personal data, no system or transmission over the internet is completely secure, and we cannot guarantee absolute security of personal data at all times. In the unlikely event of a security incident, the Company shall comply with its obligations under applicable law.

The information made available on the Website is provided on an "as is" basis and may be updated or revised from time to time. While reasonable efforts are made to ensure accuracy, the Company does not warrant that such information is always complete, current, or error-free, and users are advised to verify information where necessary.

16. Privacy Policy Updates

We may modify this Privacy Policy from time to time to reflect our current privacy practices and regulatory changes. We request you to kindly review our Privacy Policy before sharing any personal data. We encourage you to periodically review this Policy for the latest information on our privacy practices.