Privacy policy

Information on data protection for clients

With the following information, we would like to give you an overview on the processing of your personal data by us and your rights under data protection law. The categories of data that are processed and the manner in which the data is used are predominantly determined by the services requested or agreed. Therefore, not every element of this privacy notice may be applicable to you.

We may update this privacy notice from time to time. When we do, we will communicate any material changes to you and publish the updated privacy notice on our website.

Who is responsible for data processing and who can you contact?

Responsibility lies with

KEB Hana Bank, Amsterdam

(Hereinafter “the Bank”) In this notice, references to “we”, “us” or “our” are references to the Bank.

You can reach our internal voluntary Data Protection Officer using the following contact details:

  • Mr. Daehan Wi
  • Title: Compliance Officer
  • Telephone: +31 (0)20 546 9354
  • email:
  • Address: 3F, Diana Noord (Diana and Vesta), Herikerbergweg 310-312, 1101 CT Amsterdam

Where do we obtain your data and which types of data do we use?

We process personal data which we receive directly from you in connection with our business relationship. Moreover, we process personal data legitimately obtained from publicly accessible sources (such as debtors‘ lists, land registers, registers of commercial establishments and associations, press, Internet) or that has been legitimately transmitted to us by other companies belonging to the KEB Hana Bank Group or third parties (for example a credit bureau, a fraud prevention or government agency and other banks) to the extent necessary for rendering our services or to comply with applicable laws.

We also process information collected when you use our products or services, such as information about payments made to and from your account or information collected from your use of our i-Bank service.

The categories of personal data that we may process relating to you are personal details (name, address and other contact data, date and place of birth and nationality), national identification data (such as data from ID cards, including visual images) and also authentication data (such as a specimen signature, OTP, ID and password for i-Bank service). In addition, the categories of data that we may process also include contract data (such as a payment order), data resulting from the performance of our contractual obligations (such as turnover data in payment transactions and account and transactional information), information about your financial status (such as data on credit standing, data on scoring or rating, assets and liabilities and origin of assets), data relevant for loans (such as revenues and expenditures, advertising and sales data), documentation data (such as a protocol on consultations), employment information, online profile and activity data (such as i-Bank profile and login information, Internet Protocol (IP address), smart device information, location coordinates) , information about your family, lifestyle and social circumstances (such as dependents, marital status, next of kin and contact details), visual recordings from CCTVs installed at the Bank’s premises, and other similar data compatible with the above­mentioned categories.

If you provide the Bank with personal data of third parties (such as information relating to the individual sending money to your account, or information relting to your family members), it is your responsibility to ensure that such third parties have been provided with a copy of this notice.

Where permitted by law, we may process information about criminal convictions or offences and alleged offences for specific purposes, including to comply with legislation governing anti-money laundering and prevention of fraud, bribery and corruption, terrorist financing and international sanctions.

What are the purposes of processing your data and on which legal basis does the processing take place?

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Dutch Data Protection Act as follows:

a. in order to enter into a contract with you or to comply with our obligations under the contract with you (Art.6 (1 b) GDPR)

Your personal data is processed for the purpose of providing and arranging banking and financial products and services in connection with the performance of our agreements with you or for performing pre­contractual measures as a result of queries. The purposes of data processing are primarily determined by the specific product or service (such as an account, a loan, securities, deposits, export/import transactions, i-Bank service, foreign exchange, guarantees) and may, among other things, include needs assessments, consultation, asset management and administration and the execution of transactions, including transferring money and making payments to third parties, as well as communications with you about the products and services you receive from us and managing and maintaining our relationship with you and for ongoing customer service. For further details on the purposes of data processing, please refer to the pertinent contractual documents and our Price & Conditions at

b. where it is necessary for the legitimate interests of the Bank or of third parties (Art. 6 (1 f) GDPR)

To the extent necessary, we will process your data be­ yond the scope of the actual performance of the contract in order to protect the legitimate interests of our own and those of third parties and without prejudicing your interests and fundamental rights and freedoms, including:

  • - consultation of and exchange of data with our head office, KEB Hana Bank, and credit reference agencies to determine credit standing or default risks in connection with loans and the requirements in connection with exemption from seizure or basic accounts,
  • - analysis and optimization of business processes, including monitoring, maintaining and improving internal processes, and information, technology and communications solutions,
  • - protection of the Bank’s legal rights and interests, including lodging legal claims and defending the Bank in case of legal disputes,
  • - network and information security and the operation of the IT systems of the Bank, including monitoring access to our IT systems,
  • - prevention and investigation of criminal acts, including fraud and money laundering,
  • - measures for securing buildings and systems (such as admission control and CCTV),
  • - measures to protect our domiciliary right,
  • - measures intended to develop, maintain and improve our business management processes and services and products, including monitoring the performance and effectiveness of our products and services,
  • - risk management within the KEB Hana Bank Group,
  • - advertising and market and opinion research in accordance with applicable laws,
  • - sale, reorganization, transfer or other transaction relating to our business.

c. on the basis of legal requirements (Art. 6 (1 c) GDPR)

Moreover, we, as a bank, are subject to various legal ob­ ligations, including statutory requirements (such as the Banking Act, the Law on Money Laundering, the Securities Trading Act, tax laws) and regulations relating to the supervision of banking (e.g. regulations issued by the European Central Bank, the European Banking Supervisory Agency, and national banking supervisory authorities and, in order to comply with these legal obligations, we are required to collect and process certain personal data about you. The purposes of processing include, among others, the assessment of creditworthiness, checking identity and age, prevention of fraud and money laundering, compliance with obligations of control and reporting under tax law and the assessment and management of risks in the Bank and in the KEB Hana Bank Group.

Note that we may monitor and record calls, emails, text messages and other communications with you in accordance with applicable law for the purposes set out in this privacy notice, including for evidentiary and quality assurance purposes.

Who will receive your data?

Within the Bank, those units will be granted access to your data that need it in order to comply with our contractual and statutory obligations.

Service providers and agents appointed by us may also receive the data for these purposes on the condition that they are bound by duties of confidentiality and, specifically, observe banking secrecy. These are companies providing banking, IT, data hosting, logistics, printing, telecommunication, collection of receivables, sales and marketing, and consultation services on our behalf.

As far as disclosing data to recipients outside our Bank is concerned, it must first be kept in mind that we, as a bank, are obliged to keep all client­related information and assessments we become aware of in strict confidence.

We will only disclose your personal data to third parties if this is required by law or by law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies, you have given your consent, we have legitimate interest to do so (e.g., in order to provide your product or service) or we have been granted authority to provide a bank reference. Under these circumstances, recipients of personal data may, for example, be:

  • - Public authorities and institutions (such as the Eu­ ropean Central Bank, the European Banking Supervisory Agency, and national financial regulatory bodies, tax authorities, authorities prosecuting criminal acts, family courts, land register authorities), provided a statutory obligation or an official decree is in place,
  • - other loan and financial services institutes or com­ parable institutes to whom we transmit your personal data for the purpose of performing transactions under our business relationship (depending on the agreement, for example, correspondent banks, de­ positary banks, stock exchanges, information bu­ reaus),
  • - other companies belonging to the KEB Hana Bank Group for the purposes of risk management on the basis of statutory or official obligations,
  • - creditors or liquidators submitting queries in connection with a foreclosure,
  • - service providers in connection with credit or bank cards or businessmen submitting queries if payment by card is denied,
  • - third parties involved in loan granting processes (such as insurance companies, building societies, investment companies, funding establishments, trustees, service providers carrying out value as­ sessments),
  • - third parties that provide services to us in connection with contract data processing,
  • - third parties in connection with any (proposed) sale, reorganization, transfer or other transaction relating to our business and/or assets held by our business.
  • We may also share your personal data with the head office of KEB Hana Bank (“Head Office”) located in South Korea and the Head Office may process your personal data for the following purposes and based on the following legal bases:
  • As a processor to the Bank:
  • - operating, managing and maintaining the Bank’s IT systems and equipment where your personal data may be stored pursuant to the Bank’s instructions, including the i-Bank platform,
  • - assisting the Bank with the preparation and management of financial and regulatory reports and with the monitoring of the Bank’s IT systems to check the probability of financial incidents, prevent transaction incidents and carry out know-your-customer and anti-money laundering checks.

As a controller where it is in the Head Office’s legitimate interest (Art. 6 (1 f) GDPR) as a business to manage the Group’s risk, to comply with local rules and regulations, to provide appropriate products and services, and to develop and improve the Group’s business, which includes processing your personal data as follows:

  • - managing KEB Hana Bank Group’s risk and financial soundness,
  • - performing general, financial and regulatory accounting and reporting in accordance with statutory and regulatory obligations and standards,
  • - assessing of your creditworthiness (see further “Will profiling take place?” section) and approving loans and loan-like export/import transactions, and
  • - processing foreign currency remittance transactions.

The Head Office may disclose your personal data to third parties (such as service providers, agents and public authorities and institutions) where it is necessary for the Head Office to lawfully carry out its business activities in accordance with the purposes set out above and as required and permitted by applicable law.

Other recipients of data may be those bodies for which you have given us your consent to data transfer or, respectively, for which you have granted an exemption from banking secrecy on the basis of an agreement or consent.

Will the data be transferred to a third country or an international organization?

Your personal information will be transferred to the Head Office of KEB Hana Bank operating in Korea, a country outside the European Economic Area (“EEA”) for the purposes described above.

Moreover, data transfers to organizations located in countries outside the EEA will take place to the extent:

  • - this is required to carry out your orders (such as payment or securities orders),
  • - it is required by law (such as obligatory reporting under tax law and controlling money laundering etc.,) or
  • - you have given your consent.

Data protection laws may or may not apply in jurisdictions outside the EEA or may not be as stringent as those in the EEA. In any case, the Bank will only transfer your personal data to countries outside the EEA where

  1. (i) the European Commission has decided that the country or the organization we are sharing your personal data with will protect your information adequately;
  2. (ii) the transfer is necessary for us to enter into or perform our contact with you; and/or
  3. (iii) we have implemented appropriate contractual measures such as standard data protection clauses, a copy of which you can obtain by contacting our DPO to ensure that the organization outside the EEA provides an adequate level of protection to your personal data as set out in this policy and as required by applicable law.

The Head Office may onward transfer your personal data to third parties located in countries that do not provide an adequate level of data protection. Such transfers will be carried out in accordance with applicable laws, including, where applicable, contractual requirements set out in standard data protection clauses.

For how long will your data be stored?

The Bank and the Head Office process and store your personal data as long as this is required to meet applicable contractual or legal or regulatory obligations or legitimate business needs (e.g., preservation of evidence under the statutory regulations regarding the statute of limitations. In this respect, please keep in mind that our business relationship is a continuing obligation designed to last for years.

In particular, we need to retain your personal data in order to comply with retention obligations under commercial or tax laws. As a rule, the time limit specified there for retention or documentation is 2 to 10 years.

If the data is no longer required for the performance of contractual or legal or regulatory obligations or to meet legitimate business needs, it will be erased on a regular basis unless – temporary – further pro­cessing is necessary, for example, where we need to suppress the destruction or disposal of data due to an order from the courts or due to a law enforcement or regulatory investigation. This is intended to ensure that the Bank will be able to produce records of evidence, where needed.

How is your data protected?

The Bank maintains reasonable security measures to safeguard personal data from loss, interference, misuse, unauthorized access, disclosure, alteration or destruction. The Bank also maintains reasonable procedures to help ensure that such data is reliable for its intended use and is accurate, complete and current.

What are your rights with regard to data protection?

Subject to limitations and exceptions set out in the applicable laws, you have the following rights relating to the Bank’s and the Head Office’s processing of your personal data: the right of access pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object pursuant to Article 21 GDPR and the right to data portability pursuant to Article 20 GDPR. Requests should be submitted to the DPO in writing to the address listed above in the “Who is responsible for data processing and who can you can contact?” section.

If you are aware of changes or inaccuracies in your personal data, you should inform us of such changes/inaccuracies promptly so that we may update or correct your personal data.

Moreover, there is a right to appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with Sec. 19 BDSG.

Are you obliged to provide data?

Within the scope of our business relationship, you are obliged to provide that personal data which is required for commencing, executing and terminating a business relationship and for compliance with the associated contractual obligations or the collection of which is imposed upon us by law. Without this data, we will generally not to be able to enter into agreements with you, to perform under such an agreement or to terminate it.

In particular, under the statutory regulations in connection with money laundering, we are obliged to identify you by an ID document before entering into business relations with you and, in particular, to ask for and record your name, place of birth, date of birth, nationality, address and identity card details.

To enable us to comply with these statutory obligations, you are obliged to provide the necessary information and documents in connection with the anti­money laundering law and to report to us any changes that may occur in the course of our business relationship. If you should fail to provide the necessary information and documents, we are not permitted to enter into the desired business relationship with you or to continue with such a relationship.

To what extent will decision­making be automated?

The Bank and the Head Office do not use fully automated decision­making processes pursuant to Article 22 GDPR when processing your personal data for the purposes set out in this privacy notice.

Will profiling take place?

Your data will be processed partly automatically with the objective of evaluating certain personal aspects (profiling). For example, the Bank and the Head Office may use profiling in the following cases:

  • - As a result of statutory and regulatory regulations, we are obliged to fight money laundering, the fi­ nancing of terrorism and criminal acts jeopardizing property. In that respect, data (among others, data in payment transactions) will be analyzed. These measures also serve to protect you.
  • - In connection with the assessment of your credit­ worthiness we may use scoring, which is carried out by the Head Office. The scoring will assist in calculating the probability of you meeting your contractual payment obligations. This calculation, for example, may take into account your financial adequacy data. The resulting score values assist us and the Head Office in decision­making in connection with product transactions and will become part of the ongoing risk management.