Korea Exchange Bank (KEB) has been enforcing a policy on the processing of personal information in an effort to protect the personal information and interests of its customers and to address any difficulties that they may experience in relation to personal information, in accordance with Article 30 of the Personal Information Protection Act and Article 27-2 of the Act on the Promotion Utilization of Information and Communications Network.
Article 1 (Purpose of Personal Information Processing)
¨ç KEB processes personal information for the purposes described below. KEB shall not use processed personal information for purposes other than those described below and shall seek prior consent in the event that there is a change in the purposes of use
1. (Financial) transactions note1)-related
In relation to (financial) transactions, KEB processes personal information for the purpose of inquiring about individuals¡¯ personal credit information with credit inquiry agencies or credit information collection agencies; determining whether to begin (financial) transactions; starting, maintaining, executing, and managing (financial) transactions; investigating financial accidents; settling disputes; addressing customer complaints; fulfilling legal obligations; etc.
note1)(Financial) transactions refer to transactions related to bank business (loans, deposits, and foreign exchange t ransactions), universal banking (trust, fund, bancassurance, credit card, etc.), incidental business (guarantee, factoring, lending safe custody, etc.)
2. Promotion of products/services and recommendation for sale
KEB processes personal information for the purposes of developing services and providing customized services through customer satisfaction surveys, offering services based on demographic characteristics, running advertisements, confirming the effectiveness of services, ensuring customer convenience, giving customers participatory opportunities by providing giveaway items and holding customer promotional events, as well as checking the frequency of access and analyzing statistics related to service usage.
3. Membership management
KEB processes personal information for the purposes of managing enrollment in membership and use of membership services, as well as for verifying identification under a limited-identity verification system, personal identification, preventing fraudulent use, preventing unauthorized use, confirming the intention to obtain membership, checking whether consent from a legal representative is secured when collecting personal information from members aged 14 or younger, verifying the identification of a legal representative, investigating accidents, settling disputes, addressing customer complaints, delivering notices, etc.
4. Purposes related to online transactions
KEB processes personal information for the purposes of monitoring and searching electronic banking transaction records and referring to them in establishing security policy in accordance with Article 21 and Article 22 of the Electronic Financial Transaction Act.
Article 2 (Personal Information Processing and Retention Period)
¨ç Personal (credit) information related to (financial) transactions shall be held and used for the purposes described above from the date of consent to collection/use of personal (credit) information to the end date of the (financial) transaction. However, following the end date of (financial) transactions, personal (credit) information shall be held / used only for the purposes of investigating financial accidents, settling disputes, addressing customer complaints, fulfilling legal obligations, and for [KEB]¡¯s risk management.
¨è Personal (credit) information collected for the purpose of inquiring into personal (credit) information shall be held and used from the date of consent to collection/use of personal (credit) information to the date when the validity of consent to the provision/inquiry of credit information ends. However, after the validity of consent to the provision/inquiry of credit information ends, personal (credit) information shall be used only for the purposes of investigating financial accidents, settling disputes, addressing customer complaints, and fulfilling legal obligations.
¨é Personal (credit) information related to the promotion of products and services and recommendation for sale shall be held and used from the date of consent to collection/use of personal (credit) information to the date of withdrawal of consent. However, after the date of withdrawal of consent, personal (credit) information shall be held and used only for the purposes of investigating financial accidents related to purposes set forth in Article 1, settling disputes, addressing customer complaints, and fulfilling legal obligations.
¨ê Personal (credit) information collected for the purpose of managing membership shall be held and used from the date of subscribing to membership to the date of terminating membership. However, after termination of membership, personal (credit) information shall be held and used only for the purposes of investigating financial accidents related to the purposes set forth in Article 1, settling disputes, addressing customer complaints, and fulfilling legal obligations.
Article 3 (Provision of Personal Information to Third Parties)
¨ç In principle, the Bank shall handle customers¡¯ personal information for the purposes set forth in Article 1 and shall not use the information for any purpose other than its original purpose nor disclose it to a third party without a customer¡¯s prior consent. Under each of the following cases, however, the Bank may use personal information for other purposes and provide the information to a third party, except when such information could unfairly undermine the interests of a customer or a third party.
1. In the event the customer consents to the provision and disclosure of their information to a third party
2. In exceptional cases as set forth in other laws
3. In the event the customer or a legal representative(s) is not in a position to express their intention or cannot obtain prior consent due to unknown address, etc, and the provision of information is deemed necessary to protect the life, body, and property of the customer or the third party.
4. In the event the information, for purposes such as calculating statistics and conducting academic research, is provided in a form(s) which make personal identification impossible.
¨è The Bank has been providing personal information as follows:
1. IParties that receive information
Provision to credit inquiry firms and credit information collection agencies
-
nstitutions in which credit information is collected [Korea Federation of Banks (KFB), The Credit Finance Association, etc.]
-
Credit inquiry agencies [Seoul Credit Rating & Information Inc, Korea Credit Bureau, NICE (National Information & Credit Evaluation) Group, etc.]
Alliance partner institutions and alliance institutions offering additional co-branded services [In the case of a request for a specific affinity card, firms co-branded with the affinity card (airline, gasoline, automotive, telecommunications, distribution, local government, alumni association, etc.)]
2. Information recipient¡¯s purpose of use
Provision to institutions in which credit information is collected and credit inquiry firms
-
Used as data for evaluating a customer¡¯s credit or by public organizations as policy materials
Provision to affinity firms
-
Promote co-branded products/services and recommend sales
3. Details of personal information provided
Provision to institutions in which credit information is collected and credit inquiry firms
-
Personal identification information, information about credit transactions, information about credit capability, information needed to perform a credit evaluation
Provision to affinity firms
-
Personal identification information, (financial) transaction information, information except personal identification information contained in a transaction request or information provided by the customer (residence type and family status, length of time at residence, household composition, marital status, etc.)
¡Ø Information about personal (credit) information collected prior to obtaining this consent would also be included
4. Retention Period for Personal Information
-
Personal (credit) information shall be kept and used from the date when such information is provided to the time when the consent is withdrawn or the purpose is satisfied. After consent has been withdrawn or the purpose has been satisfied, personal information shall be kept and used only within the scope required to investigate financial incidents, resolve disputes, handle customer complaints, and implement obligations under the law related to the purposes defined above.
Article 4 (Entrustment of Personal Information Management)
¨ç The Bank has been entrusted with management of personal information after obtaining a customer¡¯s consent as explained in each of the following cases
1. Entrusted companies
If the Bank provides personal (credit) information to a custodian company, it will provide the minimum information required to perform the relevant business. The customer shall check details of the change of a custodian company and the purpose of provision of information at the Bank¡¯s Web site, www.keb.co.kr.
2. Purposes of entrustment
Processing of commissioned business for the purposes of setting up, maintaining, execution, and managing for(financial)transaction
Processing of commissioned business for the purposes of promoting products and services, promoting sales, customer appreciation events, and customer satisfaction surveys
3. Items of personal information provision
Personal identification information: Unique identification information including name, resident registration number, nationality, job, and contact points including address, e-mail account, and telephone number
(Financial) transaction information: Transactions¡¯ setup and information details including product types, transaction conditions (interest rates, maturities, collaterals, etc.), amount and transaction date
Information written in application for transaction or information other than personal identification information provided by customers
-
Residence type and family status, length of time at residence, household composition, marital status, etc.
¡Ø Includes personal (credit) information collected prior to this consent.
¨è In executing an entrustment contract, the Bank has clearly stipulated its observance of regulations relating to personal information protection, prohibition of personal information provision to any third party, and obligations and stored details on associated contracts in written and electronic format. In the event of a change in a custodian company, the Bank shall inform the customer of the change through a notice and its policy on personal information management.
Article 5 (Customers¡¯ Rights and Obligations and Means of Exercising)
¨ç A customer shall be able to ask the Bank to allow them to read their own personal information or that of a child under the age of 14 that is managed by the Bank (it is associated with legal representative).
¨è A customer who reads their personal information shall be able to ask the Bank to correct or delete information that is untrue or cannot be verified. Nonetheless, if the personal information is listed as a target of collection pursuant to other laws, the customer shall not be able to ask the Bank to delete such information.
¨é A customer shall be able to ask the Bank to cease handling their personal information. Nonetheless, if it falls into at least one of the following Sub-paragraphs, the Bank shall inform the customer of the reasons and shall be entitled to decline the customer¡¯s request to stop the Bank¡¯s information handling
1. If there is a special regulation or if it is necessary to comply with legal obligations
2. If there is concern that it can damage another person(s)¡¯s life and/or physical wellbeing or unlawfully undermine another person¡¯s property and other profits
3. In the event that non-handling of personal information fails to provide the agreed services to a customer or in other difficult cases in which it is difficult to execute contracts, such as when a customer does not clearly express their intention to terminate the contract
Article 6 (Personal Information Items to Be processed)
The Bank collects the required information necessary for the setup, maintenance, implementation, and management of (financial) transactions and the provision of service and selected information in line with the following Sub-paragraph.
1. Required information
Personal identification information: Unique identification information including name, resident registration number, nationality, job and contact points including address e-mail account, telephone number, etc.
(Financial) transaction information: Transaction setup and information details including product types, transaction conditions (interest rates, maturities, collaterals, etc.), transaction date, and amount, etc.
Information for credit evaluation (limited to credit transactions)
-
Credit capacity information: Total amount of properties, liabilities, income, and records of tax payments
-
Information to help understand credit level: default, subrogation performance, substitute payment, insolvency, details of occurrence to the relevant person, etc.
Information created via counseling, debt management, etc. conducted to set up, maintain, carry out, and manage financial transactions information
2. Optional information
Apart from personal identification information, information written in an application for a transaction or information provided by a customer
-
Residence type and family status, length of time at residence, household composition, marital status, etc.
3. Information collected in accordance with the Electronic Financial Transactions Act (limited to online transactions)
Customer user id, access date and time, IP address, HDD serial, MAC address, personal firewall settings, OS types, browser version, etc. ¡Ø In principle, the Bank does not collect sensitive information which may infringe on a customer¡¯s privacy. However, if necessary the Bank will obtain a customer¡¯s consent to collect such sensitive information and use it in a limited manner for the purpose of fulfilling the agreed objectives.
4. Methods of collecting information
Collection from customers visiting branches
Web sites, documents, facsimiles, telephone calls, advisory bulletins, e-mails, promotion applications, and delivery requests
Tools for collecting personal information
Customer Service Center¡¯s Q&As
Article 7 (Destruction of Personal Information)
¨ç When the approved period for retaining personal (credit) information ends, and when personal information is no longer necessary-due to fulfillment of the purpose, remove of relevant services, end of relevant businesses, etc. The Bank shall destroy such information within five (5) business days of the date it is deemed to be unnecessary. However, exceptions may be made in the following cases :
1. If a credit information collection agency or credit bureau possesses personal (credit) information for the purpose of managing and/or using the information or evaluating an individual¡¯s credit standing (only during the approved period)
2. If a credit bureau, etc., maintains civil and/or criminal responsibility, or its prescription continues, or it possesses personal credit information that is to be used as supporting evidence in a dispute.
3. If such information must be preserved in accordance with laws such as the Commercial Law (Article 33)
4. If there is a proper reason that is similar to any of those mentioned above
¨è Printouts, documents, etc. containing personal (credit) information are either shredded or incinerated. Digital files containing personal (credit) information are permanently deleted in such a way that the information cannot be restored.
Article 8 (Measures to Secure the Safety of Personal Information)
According to Article 19 of the Personal Information Protection Act, the Bank takes the following technical, managerial, and physical measures to ensure that personal information is safely kept.
1. Encryption of personal information
The password for a customer¡¯s personal information is encrypted, shared and managed so only a customer knows it. With respect to important information, the Bank applies additional security functions. For example, a file or data transmission is encrypted, or a file is locked.
2. Technical measures intended to prevent hacking, etc. .
To prevent personal information leakage or damage through hacking or viruses, the Bank sets up security programs and regularly checks them and updates them; in addition, the Bank establishes systems in a restricted area, and supervises and protects the systems, both technically and physically.
3. Access control on the personal information processing system .
Unauthorized access from any outer network is restricted through the IPS (Intrusion Prevention System) and other necessary measures intended to prevent unlawful access to personal information by granting, adjusting, or canceling authority to access the DB (Data Base) system which processes personal information.
4. Designate the employees and minimize the number of employees who process personal information and provide training.
Measures implemented for the management of personal information entail minimizing the number of persons in charge of personal information management and designating staffs for processing personal information.
Article 9 (Revision of Personal Information Processing Policy)
In the event that the Bank revises any policies for the processing of personal information, the timing of such revision, its implementation, and other detailed issues shall be continuously released, and comparisons before and after the revision shall be provided to customers to ensure that they confirm the revised matters.
Article 10 (Method of Recovering from Infringement of Rights)
If you require any consultations or report regarding infringement of rights related to personal information, please contact one of the following institutions:
1. Encryption of personal information
2. Korea Internal Promotion Personal Information Infringement Report Center (www.kopico.or.kr / 02-1336)
3. Korea Association for ICT Promotion (www.eprivacy.or.kr / 02-580-0533~4)
4. Prosecution Service High-Tech Crime Division (www.spo.go.kr / 02-3480-2000)
5. Cyber Terror Response Center (www.ctrc.go.kr / 02-392-0330)
Article 11 (Managers in Charge of Personal Information Protection)
Managers at KEB in charge of personal information protection are as follows, in accordance with Article 31.1 of the Personal Information Protection Act
1. Manager in charge of personal information protection: Head of the Information and Technology Division
2. Division in charge: IT Information and Technology Division (02-729-0709, 02-729-0814)
