This document provides you with an overview on the processing of your personal data by us and your rights under the UK Data Protection Act 2018 (“UK GDPR”).
Note - While a member of the European Union (“EU”), data protection law in the UK was governed by the EU General Data Protection Regulation (GDPR). On leaving the EU (0Brexit) GDPR was transposed into UK Law and forms the base of the UK Data Protection Act 2018 – hence UK GDPR.
The categories of data that are processed and the manner in which the data is used are predominately determined by the services requested or agreed. Therefore, every element of this privacy notice may not be applicable to you.
We may update this privacy notice from time to time. When we do we will communicate any material changes to you and publish the updated privacy notice on our website.
Responsibility lies with KEB Hana Bank, London branch (hereinafter “the Bank”). In this notice references to “we”, “us” or “our” are references to the Bank.
You can reach our internal Data Protection Officer using the following contact details:
2.1 We process data which receive directly from you in connection with our business relationship. In addition, we will process data legitimately obtained from:
2.2 The categories of personal data that we may process relating to you are:
In addition, the categories of data that we may process also include contract data (such as a payment order), data resulting from the performance of our contractual obligations (such as turnover data in payment transactions and account and transactional information), information about your financial status (such as data on credit standing, data on scoring or rating, assets and liabilities and origin of assets), data relevant for loans (such as revenues and expenditures, advertising and sales data), documentation data (such as a protocol on consultations), employment information, online profile and activity data (such as -Bank profile and login).
Information, Internet Protocol (IP address), smart device information, location coordinates), information about your family, lifestyle and social circumstances (such as dependents, marital status, next of kin and contact details), visual recordings from CCTVs installed at the Bank's premises, and other similar data compatible with the above-mentioned categories.
If you provide the Bank with personal data of third parties (such as information relating to the individual sending money to your account, or information relating to your family members), it is your responsibility to ensure that such third parties have been provided with a copy of this notice.
Where permitted by law, we may process information about criminal convictions or offences and alleged offences for specific purposes, including to comply with legislation governing anti-money laundering and prevention of fraud, bribery and corruption, terrorist financing and international sanctions.
We process personal data in accordance with the provisions of the UK Data Protection Act 2018 (“UK GDPR”).
a. Your personal data is processed for the purpose of providing and arranging banking and financial products and services in connection with the performance of our agreements with you or for performing pre-contractual measures as a result of queries.
The purposes of data processing are primarily determined by the specific product or service (such as an account, a loan, securities, deposits, export/import transactions, i-Bank service, foreign exchange, guarantees) and may, among other things, include needs assessments, consultation, asset management and administration and the execution of transactions, including transferring money and making payments to third parties, as well as communications with you about the products and services you receive from us and managing and maintaining our relationship with you and for ongoing customer service. For further details on the purposes of data processing, please refer to pertinent contractual documents and our Terms and Conditions.
b. Where it is necessary for the legitimate interests of the Bank or of third parties.
To the extent necessary, we will process data beyond the scope of actual performance of the contract in order to protect the legitimate interests of our own and those of third parties, without prejudicing your interests, fundamental rights and freedoms. Examples include:
c. The basis of legal requirements
As a Bank we are subject to various legal obligations, including statutory requirements and regulations relating to the supervision of banking. In order to comply with these legal obligations, we are required to collect and process certain personal data about you. The purposes of processing include, among others, the assessment of creditworthiness, checking identity and age, prevention of fraud and money laundering, compliance with obligations of control and reporting under various legal and regulatory requirements, and the assessment and management of risks in the Bank and the KEB Hana Group.
Note - that we may monitor and record calls, emails, text messages and other communications with your communications with you in accordance applicable law for purposes set out in this notice, including for evidentiary and quality assurance purposes.
Within the Bank, those units will be granted access to your data that is needed in order to comply with our contractual and legal obligations
Service providers and agents appointed us may also receive the data for these purposes on the condition that they are bound by the duties of client/customer confidentially.
These are companies that may/do provide the following services to the Bank – Banking, IT, data hosting, logistics, printing, telecommunication, collection of receivables, sales and marketing, and consultation services on our behalf.
We will only disclose your personal data to third parties if this is required by law/law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies where:
We may also share your personal data with the Head Office of KEB Hana Bank (“Head Office”) located in South Korea. The Head Office may process your personal data for following (legally based) processes:
As a controller where it is in Head Office’s legitimate interest as a business to manage the Group's risk, to comply with local rules and regulations, to provide appropriate products and services and to develop and improve the Group's business, which includes processing your personal data as follows:
The Head Office may disclose your personal data to third parties (such as service providers, agents, public authorities and institutions) where it is necessary the Head Office to lawfully carry out its business activities in accordance with the purposes set out above, and as required by applicable law.
Other recipients may be those bodies which you have given us your consent to data transfer.
Your personal information will be transferred to the Head Office of Hana Bank operating in Korea, a country outside the European Economic Area ("EEA") for the purposes described above.
Moreover, data transfers to organizations located in countries outside the EEA will take place if:
Data protection laws may or may not apply (either in whole or in part) in jurisdictions outside the UK/EEA. In any case the Bank will only transfer your personal data to countries outside the UK/EEA where:
The Head Office may onward transfer your persona! data to third parties located in countries that do not provide an adequate level of data protection. Such transfers will be carried in out in accordance with applicable laws including, where applicable, contractual requirements set out in standard data protection clauses.
The Bank and the Head Office process and store your personal data for as long as required to meet contractual, legal or regulatory obligations, or for legitimate business needs (e.g., preservation of evidence under statutory regulations regarding the statute of limitations)
In particular, we need to retain your personal data in order to comply with retention obligations under commercial or tax laws. Typically, retention will be for a period of 2-10years, depending on circumstances.
If the data is no longer required for the performance of any contractual, legal or regulatory obligation, or to meet any legitimate business need then it will be erased. This is unless any further processing is necessary (for example – following a Court Order or similar from a law enforcement agency.
The Bank maintains reasonable security measures to safeguard personal data from loss, interference, misuse, unauthorised access , disclosure, alteration or destruction.
The Bank also maintains reasonable procedures to help ensure that such data is reliable for its intended use and is accurate, complete and current.
Subject to limitations and exceptions set out in the applicable laws, you have the following rights relating to the Banks and the Head Office's processing of your personal data:
8.1 The right of access
8.2 The right of rectification
8.3 The right of erasure
8.4 The right to restrict the processing of the data
8.5 The right to object to the processing of the data
8.6 The right of data portability
A request to exercise these rights, or for further information please contact the Banks Data Protection Officer via the details shown under Section ‘1’ above.
If you are aware of changes or inaccuracies in your personal data you should inform us immediately so we can update / correct the personal data we hold in our records.
Within the scope of our business relationship you are obliged to provide us with sufficient personal data which is required to commence, execute and terminate the relationship, and for compliance with the Banks legal and regulatory obligations.
For example, specific anti-money laundering regulations require the Bank to identify a customer before entering into a business relationship with them. This involves the bank examining evidence of identity and proof of address document.
Without this data we will generally not be able to enter into nor execute any agreements with you.
The Bank and the Head Office do not use fully automated decision-making when processing your personal data for the purposes set out in this privacy notice.
Your data will be processed partly automatically with the objective of evaluating certain personal aspects (profiling). For example, the Bank and the Head Office may use profiling in the following cases: