With the following information, we would like to give you an overview on the processing of your personal data by us and your rights under data protection law. The categories of data that are processed and the manner in which the data is used are predominantly determined by the services requested or agreed. Therefore, not every element of this privacy notice may be applicable to you.
We may update this privacy notice from time to time. When we do, we will communicate any material changes to you and publish the updated privacy notice on our website.
Responsibility lies with
KEB Hana Bank, Amsterdam
(Hereinafter “the Bank”) In this notice, references to “we”, “us” or “our” are references to the Bank.
You can reach our internal Data Protection Officer using the following contact details:
We process personal data which we receive directly from you in connection with our business relationship. Moreover, we process personal data legitimately obtained from publicly accessible sources (such as debtors‘ lists, land registers, registers of commercial establishments and associations, press, Internet) or that has been legitimately transmitted to us by other companies belonging to the KEB Hana Bank Group or third parties (for example a credit bureau, a fraud prevention or government agency and other banks) to the extent necessary for rendering our services or to comply with applicable laws.
We also process information collected when you use our products or services, such as information about payments made to and from your account or information collected from your use of our i-Bank service.
The categories of personal data that we may process relating to you are personal details (name, address and other contact data, date and place of birth and nationality), national identification data (such as data from ID cards, including visual images) and also authentication data (such as a specimen signature, OTP, ID and password for i-Bank service). In addition, the categories of data that we may process also include contract data (such as a payment order), data resulting from the performance of our contractual obligations (such as turnover data in payment transactions and account and transactional information), information about your financial status (such as data on credit standing, data on scoring or rating, assets and liabilities and origin of assets), data relevant for loans (such as revenues and expenditures, advertising and sales data), documentation data (such as a protocol on consultations), employment information, online profile and activity data (such as i-Bank profile and login information, Internet Protocol (IP address), smart device information, location coordinates) , information about your family, lifestyle and social circumstances (such as dependents, marital status, next of kin and contact details), visual recordings from CCTVs installed at the Bank’s premises, and other similar data compatible with the abovementioned categories.
If you provide the Bank with personal data of third parties (such as information relating to the individual sending money to your account, or information relting to your family members), it is your responsibility to ensure that such third parties have been provided with a copy of this notice.
Where permitted by law, we may process information about criminal convictions or offences and alleged offences for specific purposes, including to comply with legislation governing anti-money laundering and prevention of fraud, bribery and corruption, terrorist financing and international sanctions.
We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Dutch Data Protection Act as follows:
a. in order to enter into a contract with you or to comply with our obligations under the contract with you (Art.6 (1 b) GDPR)
Your personal data is processed for the purpose of providing and arranging banking and financial products and services in connection with the performance of our agreements with you or for performing precontractual measures as a result of queries. The purposes of data processing are primarily determined by the specific product or service (such as an account, a loan, securities, deposits, export/import transactions, i-Bank service, foreign exchange, guarantees) and may, among other things, include needs assessments, consultation, asset management and administration and the execution of transactions, including transferring money and making payments to third parties, as well as communications with you about the products and services you receive from us and managing and maintaining our relationship with you and for ongoing customer service. For further details on the purposes of data processing, please refer to the pertinent contractual documents and our Price & Conditions at www.kebhana.de
b. where it is necessary for the legitimate interests of the Bank or of third parties (Art. 6 (1 f) GDPR)
To the extent necessary, we will process your data be yond the scope of the actual performance of the contract in order to protect the legitimate interests of our own and those of third parties and without prejudicing your interests and fundamental rights and freedoms, including:
c. on the basis of legal requirements (Art. 6 (1 c) GDPR)
Moreover, we, as a bank, are subject to various legal ob ligations, including statutory requirements (such as the Banking Act, the Law on Money Laundering, the Securities Trading Act, tax laws) and regulations relating to the supervision of banking (e.g. regulations issued by the European Central Bank, the European Banking Supervisory Agency, and national banking supervisory authorities and, in order to comply with these legal obligations, we are required to collect and process certain personal data about you. The purposes of processing include, among others, the assessment of creditworthiness, checking identity and age, prevention of fraud and money laundering, compliance with obligations of control and reporting under tax law and the assessment and management of risks in the Bank and in the KEB Hana Bank Group.
Note that we may monitor and record calls, emails, text messages and other communications with you in accordance with applicable law for the purposes set out in this privacy notice, including for evidentiary and quality assurance purposes.
Within the Bank, those units will be granted access to your data that need it in order to comply with our contractual and statutory obligations.
Service providers and agents appointed by us may also receive the data for these purposes on the condition that they are bound by duties of confidentiality and, specifically, observe banking secrecy. These are companies providing banking, IT, data hosting, logistics, printing, telecommunication, collection of receivables, sales and marketing, and consultation services on our behalf.
As far as disclosing data to recipients outside our Bank is concerned, it must first be kept in mind that we, as a bank, are obliged to keep all clientrelated information and assessments we become aware of in strict confidence.
We will only disclose your personal data to third parties if this is required by law or by law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies, you have given your consent, we have legitimate interest to do so (e.g., in order to provide your product or service) or we have been granted authority to provide a bank reference. Under these circumstances, recipients of personal data may, for example, be:
As a controller where it is in the Head Office’s legitimate interest (Art. 6 (1 f) GDPR) as a business to manage the Group’s risk, to comply with local rules and regulations, to provide appropriate products and services, and to develop and improve the Group’s business, which includes processing your personal data as follows:
The Head Office may disclose your personal data to third parties (such as service providers, agents and public authorities and institutions) where it is necessary for the Head Office to lawfully carry out its business activities in accordance with the purposes set out above and as required and permitted by applicable law.
Other recipients of data may be those bodies for which you have given us your consent to data transfer or, respectively, for which you have granted an exemption from banking secrecy on the basis of an agreement or consent.
Your personal information will be transferred to the Head Office of KEB Hana Bank operating in Korea, a country outside the European Economic Area (“EEA”) for the purposes described above.
Moreover, data transfers to organizations located in countries outside the EEA will take place to the extent:
Data protection laws may or may not apply in jurisdictions outside the EEA or may not be as stringent as those in the EEA. In any case, the Bank will only transfer your personal data to countries outside the EEA where
The Head Office may onward transfer your personal data to third parties located in countries that do not provide an adequate level of data protection. Such transfers will be carried out in accordance with applicable laws, including, where applicable, contractual requirements set out in standard data protection clauses.
The Bank and the Head Office process and store your personal data as long as this is required to meet applicable contractual or legal or regulatory obligations or legitimate business needs (e.g., preservation of evidence under the statutory regulations regarding the statute of limitations. In this respect, please keep in mind that our business relationship is a continuing obligation designed to last for years.
In particular, we need to retain your personal data in order to comply with retention obligations under commercial or tax laws. As a rule, the time limit specified there for retention or documentation is 2 to 10 years.
If the data is no longer required for the performance of contractual or legal or regulatory obligations or to meet legitimate business needs, it will be erased on a regular basis unless – temporary – further processing is necessary, for example, where we need to suppress the destruction or disposal of data due to an order from the courts or due to a law enforcement or regulatory investigation. This is intended to ensure that the Bank will be able to produce records of evidence, where needed.
The Bank maintains reasonable security measures to safeguard personal data from loss, interference, misuse, unauthorized access, disclosure, alteration or destruction. The Bank also maintains reasonable procedures to help ensure that such data is reliable for its intended use and is accurate, complete and current.
Subject to limitations and exceptions set out in the applicable laws, you have the following rights relating to the Bank’s and the Head Office’s processing of your personal data: the right of access pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object pursuant to Article 21 GDPR and the right to data portability pursuant to Article 20 GDPR. Requests should be submitted to the DPO in writing to the address listed above in the “Who is responsible for data processing and who can you can contact?” section.
If you are aware of changes or inaccuracies in your personal data, you should inform us of such changes/inaccuracies promptly so that we may update or correct your personal data.
Moreover, there is a right to appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with Sec. 19 BDSG.
Within the scope of our business relationship, you are obliged to provide that personal data which is required for commencing, executing and terminating a business relationship and for compliance with the associated contractual obligations or the collection of which is imposed upon us by law. Without this data, we will generally not to be able to enter into agreements with you, to perform under such an agreement or to terminate it.
In particular, under the statutory regulations in connection with money laundering, we are obliged to identify you by an ID document before entering into business relations with you and, in particular, to ask for and record your name, place of birth, date of birth, nationality, address and identity card details.
To enable us to comply with these statutory obligations, you are obliged to provide the necessary information and documents in connection with the antimoney laundering law and to report to us any changes that may occur in the course of our business relationship. If you should fail to provide the necessary information and documents, we are not permitted to enter into the desired business relationship with you or to continue with such a relationship.
The Bank and the Head Office do not use fully automated decisionmaking processes pursuant to Article 22 GDPR when processing your personal data for the purposes set out in this privacy notice.
Your data will be processed partly automatically with the objective of evaluating certain personal aspects (profiling). For example, the Bank and the Head Office may use profiling in the following cases: